Showing posts with label Firewall.

Python Libraries Hacked AWS Data and Keys  


Sonatype researchers have found malicious Python packages that not only steal sensitive data but also post your AWS credentials and user details to a publicly accessible endpoint. The malicious packages identified by Sonatype are:
  • loglib-modules: appears to target developers familiar with the legitimate "loglib" library.
  • pyg-modules: appears to target developers familiar with the legitimate "pyg" library.
  • pygrata: unknown target; pygrata-utils contains the same malicious code found in "loglib-modules".
  • hkg-sol-utils: unknown target.

Sonatype's anti-ransomware detection technology, shipped as part of its Nexus platform products such as Nexus Firewall, flagged these packages. After further analysis the researchers confirmed them to be malicious and, out of caution, reported them to the PyPI security team, which removed them. "This kind of package either has code that reads and phishes your secrets or employs a dependency that does it," according to an analysis by Sonatype security researchers Jorge Cardona and Carlos Fernández.

For instance, the malicious code in "loglib-modules" and "pygrata-utils" gathers AWS credentials, network interface data, and environment variables and ships them to a remote location. It also queries the URL 'hxxp://169.254.169[.]254/latest/meta-data/iam/security-credentials/', which on an EC2 instance returns the temporary credentials of the instance's IAM role.

Unsettlingly, hundreds of endpoints were found holding this data. The TXT files were not protected by any access control, so anyone on the internet could read the credentials. Note that packages such as "pygrata" do not contain the code themselves but depend on one of the two modules above. Who the malicious actors are and what motivates them is still unknown.
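The behaviour described above (reading the whole environment, referencing the EC2 metadata credential URL, and having a way to send data out) is cheap to look for statically before a package is installed. The following Python scanner is an added example, not Sonatype's or the PyPI team's tooling: it parses each source file with the `ast` module and scores indicators. The indicator weights, the threshold and the two embedded sample files (a benign module and an indicator-only harvester stub) are constructed for this demonstration.

```python
"""Static indicator scan for credential-harvesting Python packages (added example)."""
import ast
import re
from dataclasses import dataclass, field
from pathlib import Path

# Indicators drawn from the behaviour described above; weights are an arbitrary demo choice.
IMDS_RE = re.compile(r"169\.254\.169\.254")
AWS_CRED_RE = re.compile(r"AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID|\.aws[/\\]credentials")
NETWORK_MODULES = ("requests", "urllib", "urllib3", "http.client", "httpx", "socket")
SUSPICIOUS_THRESHOLD = 4


@dataclass
class Finding:
    path: str
    indicators: list = field(default_factory=list)
    score: int = 0

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def _imported_modules(tree: ast.AST) -> set:
    mods = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module)
    return mods


def _harvests_environment(tree: ast.AST) -> bool:
    """True when os.environ is consumed as a whole (dict(os.environ), os.environ.items())
    rather than looked up by one key (os.environ["X"], os.environ.get("X"))."""
    single_key_uses = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Subscript):
            single_key_uses.add(id(node.value))
        elif isinstance(node, ast.Attribute) and node.attr == "get":
            single_key_uses.add(id(node.value))
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute) and node.attr == "environ"
                and isinstance(node.value, ast.Name) and node.value.id == "os"
                and id(node) not in single_key_uses):
            return True
    return False


def scan_source(path: str, source: str) -> Finding:
    """Score one Python source file for credential-harvesting indicators."""
    finding = Finding(path)
    tree = ast.parse(source, filename=path)
    mods = _imported_modules(tree)
    if any(m == n or m.startswith(n + ".") for m in mods for n in NETWORK_MODULES):
        finding.indicators.append("imports a network-capable module")
        finding.score += 1
    if _harvests_environment(tree):
        finding.indicators.append("reads the whole process environment")
        finding.score += 2
    strings = [n.value for n in ast.walk(tree)
               if isinstance(n, ast.Constant) and isinstance(n.value, str)]
    if any(IMDS_RE.search(s) for s in strings):
        finding.indicators.append("references the EC2 instance metadata endpoint")
        finding.score += 3
    if any(AWS_CRED_RE.search(s) for s in strings):
        finding.indicators.append("references AWS credential names or files")
        finding.score += 2
    return finding


def scan_package(files: dict) -> list:
    """files maps path -> source text; returns findings, highest score first."""
    return sorted((scan_source(p, s) for p, s in files.items()), key=lambda f: -f.score)


def scan_directory(root: str) -> list:
    """Convenience wrapper for an unpacked sdist or wheel on disk."""
    return scan_package({str(p): p.read_text(errors="replace")
                         for p in Path(root).rglob("*.py")})


# Constructed samples: a normal module and an indicator-only harvester stub.
BENIGN_SRC = '''\
import os
import logging

log = logging.getLogger(__name__)

def region():
    # a single-key lookup is normal configuration, not harvesting
    return os.environ.get("AWS_REGION", "us-east-1")
'''

HARVESTER_SRC = '''\
import os
import urllib.request

IMDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
DROP = "http://collector.example.invalid/upload"

def collect():
    return {"env": dict(os.environ), "imds": IMDS}
'''

if __name__ == "__main__":
    for f in scan_package({"pkg/util.py": BENIGN_SRC, "pkg/__init__.py": HARVESTER_SRC}):
        print(f.path, f.score, "SUSPICIOUS" if f.suspicious else "ok", f.indicators)
```

A single indicator is weak on its own (plenty of legitimate tooling talks to the metadata service), which is why the score only crosses the threshold when credential access and an outbound channel appear together; treat a hit as a reason to read the file, not as a verdict.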
Users of Nexus Firewall are shielded 

Were the stolen credentials posted online on purpose, or as a result of poor opsec? There isn't enough information available right now to rule out the possibility that this activity is suspicious, even though it may be legitimate security testing, according to the researchers. The finding follows last week's report of several malicious packages, including the npm package "flame-vali", which repeatedly tried to disable Windows Defender before dropping a trojan.

Nexus Firewall instances automatically quarantine any suspicious component found by the automated malware detection systems while a manual review by a researcher is pending, so the software supply chain is protected from the start.

Chinese Attackers Abused Sophos Firewall Zero-Day Bug to Target South Asian Organizations


Chinese hackers exploited a critical security vulnerability in Sophos' firewall product, disclosed earlier this year, to infiltrate multiple organizations in South Asia.

The bug has since been patched, but multiple attackers continued to exploit it to bypass authentication and remotely run arbitrary code in several organizations.

On March 25, Sophos issued a patch for CVE-2022-1040, an authentication bypass flaw in the User Portal and Webadmin of Sophos Firewall that could be weaponized to execute arbitrary code remotely.

Earlier this week, Volexity researchers detailed an attack by a Chinese APT group they track as DriftingCloud, which had been exploiting CVE-2022-1040 since early March, a little over three weeks before Sophos issued the patch. The hackers used the zero-day exploit to drop a webshell backdoor and then target the customer's staff.

“This particular attack leveraged a zero-day exploit to compromise the customer’s firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer’s staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites.” reads a blog post published by Volexity researchers. “This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature.” 

The adversary used the zero-day to compromise the firewall and install webshell backdoors and malware that enabled attacks on external systems outside the network protected by the Sophos Firewall. Volexity spotted the breach while investigating suspicious traffic from the Sophos Firewall to key systems in its customer's network. Examination of the logs revealed significant and repeated suspicious access to a legitimate JSP file (login.jsp).

Further investigation disclosed that the hackers were using the Behinder framework, which has been employed by other Chinese APT groups in attacks abusing the recently disclosed CVE-2022-26134 vulnerability in Confluence servers.

Exploitation of the Sophos Firewall was only the first stage of the attack chain: the APT group then launched man-in-the-middle (MitM) attacks to steal data and used it to compromise additional systems outside the network where the firewall resided. Once they had secured access to the target web servers, the hackers installed multiple open-source malware families, including PupyRAT, Pantegana, and Sliver.

Zyxel: Firewalls, Access Points, and Controllers are Vulnerable


Zyxel has issued a cybersecurity advisory alerting administrators about various vulnerabilities impacting a variety of firewall, access point, and access point controller products. 

While the flaws have not been assigned a high severity rating, the potential damage they can cause should be taken seriously, as they could be chained with other exploits. Moreover, Zyxel products are used by large enterprises, and any exploitable flaw in them attracts threat actors immediately.

The most serious of the four flaws is a command injection problem in several CLI commands, tracked as CVE-2022-26532 (CVSS v3.1: 7.8). The four flaws are:

  • CVE-2022-0734: A cross-site scripting vulnerability in the CGI program could allow a malicious script to access information stored in the user's browser, such as cookies.
  • CVE-2022-26531: A locally authenticated attacker could cause a system crash by exploiting several improper input validation flaws in various CLI commands of some firewall, AP controller, and AP versions.
  • CVE-2022-26532: A command injection vulnerability in the "packet-trace" CLI command of some firewall, AP controller, and AP versions could allow a locally authenticated attacker to execute arbitrary OS commands by passing crafted arguments to the command.
  • CVE-2022-0910: An attacker could use an IPsec VPN client to downgrade from two-factor authentication to one-factor authentication.

While Zyxel has released software updates for firewalls and access points, the only way to get a hotfix for AP controllers affected by CVE-2022-26531 and CVE-2022-26532 is to contact the local Zyxel support teams. 

The news comes as a critical command injection hole in select Zyxel firewalls (CVE-2022-30525, CVSS score: 9.8) has been actively exploited, forcing the US Cybersecurity and Infrastructure Security Agency to add the vulnerability to its catalog of known exploited vulnerabilities.

Several Palo Alto Devices Affected by OpenSSL Flaw


In April 2022, Palo Alto Networks aims to patch the CVE-2022-0778 OpenSSL flaw in several of its firewall, VPN, and XDR devices. 

OpenSSL published fixes in mid-March for a high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2022-0778, in the BN_mod_sqrt() function used during certificate parsing. Tavis Ormandy, a well-known Google Project Zero researcher, uncovered the issue. An attacker can trigger it with a certificate containing invalid explicit curve parameters.

The advisory for this flaw read, “The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.” 

“It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.” 

The bug affects OpenSSL versions 1.0.2, 1.1.1, and 3.0, and the project's maintainers fixed it with the release of versions 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. When parsing an invalid certificate, an attacker can cause the OpenSSL library to enter an infinite loop, resulting in a DoS condition, according to Palo Alto Networks. 
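To make the failure mode concrete, here is an added Python implementation of the Tonelli-Shanks modular square root (the algorithm BN_mod_sqrt() implements; this is not OpenSSL's code). Every search loop carries an explicit bound and the candidate root is verified by squaring, which is the kind of guard the fix introduced: for a prime modulus it returns a root, and for a composite modulus that happens to pass the residue test it fails cleanly instead of spinning forever. The non-residue search limit is an arbitrary choice for this example.

```python
"""Tonelli-Shanks modular square root with bounded loops (added example, not OpenSSL code)."""

NONRESIDUE_SEARCH_LIMIT = 82  # cap on the non-residue search; value chosen for the demo


def mod_sqrt(n: int, p: int) -> int:
    """Return r with r*r == n (mod p) for an odd prime p.

    Raises ValueError instead of looping when n is not a square or p is not
    prime: every loop has an explicit upper bound, and the candidate root is
    checked by squaring before it is returned.
    """
    if p < 2:
        raise ValueError("modulus must be >= 2")
    n %= p
    if n == 0:
        return 0
    if p == 2:
        return n
    if p % 2 == 0:
        raise ValueError("even modulus is not prime")
    # Euler's criterion. For a composite p this can pass without n being a
    # square, which is exactly why the later checks must not trust it.
    if pow(n, (p - 1) // 2, p) != 1:
        raise ValueError("n is not a quadratic residue (or p is not prime)")

    # Write p - 1 = q * 2**s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1

    # Bounded search for a quadratic non-residue z.
    z = None
    for cand in range(2, min(p, 2 + NONRESIDUE_SEARCH_LIMIT)):
        if pow(cand, (p - 1) // 2, p) == p - 1:
            z = cand
            break
    if z is None:
        raise ValueError("no quadratic non-residue found; p is probably not prime")

    m, c = s, pow(z, q, p)
    t, r = pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        # Find the least i (0 < i < m) with t**(2**i) == 1. For a prime p such
        # an i always exists; bounding this loop is what prevents the hang.
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i >= m:
                raise ValueError("no square root found; p is not prime")
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, r = t * b * b % p, r * b % p
    if r * r % p != n:
        raise ValueError("candidate root failed verification")
    return r


def mod_sqrt_or_none(n: int, p: int):
    """Wrapper for callers that want 'no root' as a value rather than an exception."""
    try:
        return mod_sqrt(n, p)
    except ValueError:
        return None


if __name__ == "__main__":
    print(mod_sqrt(10, 13))          # 6 or 7, both square to 10 mod 13
    print(mod_sqrt_or_none(2, 341))  # None: 341 = 11 * 31 passes Euler's test for 2
```

The point for a certificate parser is that the modulus comes from attacker-controlled explicit curve parameters, so nothing upstream guarantees it is prime; the routine itself has to guarantee termination.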

“All PAN-OS software updates for this issue are expected to be released in April 2022. The full fixed versions for PAN-OS hotfixes will be updated in this advisory as soon as they are available,” according to Palo Alto Networks.

During the week of April 18, the company is expected to provide security remedies for the above vulnerability. PAN-OS, GlobalProtect app, and Cortex XDR agent software, according to Palo Alto, have a faulty version of the OpenSSL library, whereas Prisma Cloud and Cortex XSOAR solutions are unaffected. 

“We intend to fix this issue in the following releases: PAN-OS 8.1.23, PAN-OS 9.0.16-hf, PAN-OS 9.1.13-hf, PAN-OS 10.0.10, PAN-OS 10.1.5-hf, PAN-OS 10.2.1, and all later PAN-OS versions. These updates are expected to be available during the week of April 18, 2022.” continues the advisory. 

Customers with Threat Prevention subscriptions can enable Threat IDs 92409 and 92411 to limit the risk of exploitation for this issue while waiting for PAN-OS security upgrades, according to the company.

PCI DSS Launches New Version to Tackle Cyber Security Threats

A new version of the PCI Data Security Standard (PCI DSS) was published today by the PCI Security Standards Council (PCI SSC), the global payment security forum. Version 4.0 provides a baseline of technical and operational requirements designed to improve payment security, replacing version 3.2.1 to help address emerging threats and technologies, and its updates are built to enable innovative methods of tackling these new threats.

PCI SSC says the changes were driven by feedback from the global payments industry over the past three years, including more than 6,000 items from over 200 organizations. The main changes in PCI DSS v4.0 include:

  • Expansion of Requirement 8 to apply multi-factor authentication (MFA) to all access into the cardholder data environment.
  • Updated firewall terminology to "network security controls", supporting a wider range of technologies used to meet the security objectives traditionally fulfilled by firewalls.
  • Increased flexibility for organizations to show how they use different methods to achieve security objectives.
  • Addition of targeted risk analyses, which let organizations decide how frequently they perform certain activities based on their own risk exposure and needs.

The current version, v3.2.1, will remain active for two years, until March 31, 2024, giving affected organizations time to learn v4.0 and implement the updates. Alongside the updated standard, PCI SSC has also released supporting documents in the PCI SSC Document Library.

These include the Summary of Changes from PCI DSS v3.2.1 to v4.0, the v4.0 Report on Compliance (ROC) Template, ROC FAQs, and ROC Attestations of Compliance (AOC). Self-Assessment Questionnaires (SAQs) will be published later. “The industry has had unprecedented visibility into, and impact on, the development of PCI DSS v4.0. Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard,” said Lance Johnson, executive director of PCI SSC.

This Linux Flaw in Netfilter Firewall Module Enables Attackers Gain Root Access


A local adversary might use a newly reported security vulnerability in the Linux kernel to acquire higher privileges on affected systems and execute arbitrary code, escape containers, or cause a kernel panic. 

Nick Gregory, a senior threat researcher at Sophos, uncovered the flaw. The vulnerability, tracked as CVE-2022-25636 (CVSS score: 7.8), affects Linux kernel versions 5.4 through 5.6.10 and is caused by a heap out-of-bounds write in the kernel's netfilter subsystem.

"This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat," Red Hat stated in an advisory published on February 22, 2022. Similar warnings have been released by Debian, Oracle Linux, SUSE, and Ubuntu. 

Netfilter is a Linux kernel framework that provides packet filtering, network address translation, and port translation, among other networking tasks. CVE-2022-25636 lies in the framework's handling of the hardware offload feature and could be exploited by a local attacker to cause a denial of service (DoS) or execute arbitrary code.

Gregory said, "Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don't have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails. Additionally, while nftables requires CAP_NET_ADMIN, we can unshare into a new network namespace to get this as a (normally) unprivileged user." 

"This can be turned into kernel [return-oriented programming]/local privilege escalation without too much difficulty, as one of the values that are written out of bounds is conveniently a pointer to a net_device structure," Gregory added.

SonicWall's Email Security and Firewall Products Were Hit by the Y2K22 Bug


SonicWall acknowledged on January 7th that the Y2K22 bug had affected some of its Email Security and firewall solutions, causing message log updates and junk box failures beginning January 1st, 2022. According to the organization, email users and administrators on affected systems would no longer be able to access the junk box or un-junk newly received emails. They will also be unable to trace incoming/outgoing emails using the message logs because they will no longer be updated.

SonicWall, a private firm based in Silicon Valley that was a Dell subsidiary from 2012 to 2016, produces a variety of Internet equipment aimed largely at content restriction and network security. These include network firewalls, unified threat management (UTM), virtual private networks (VPNs), and email anti-spam devices. 

SonicWall issued updates to North American and European instances of Hosted Email Security, the company's cloud email security service, on January 2nd. It also issued updates for its on-premises Email Security Appliance (ES 10.0.15) for customers that use firewalls with the Anti-Spam Junk Store feature enabled (Junk Store 7.6.9). 

The server administration community has dubbed this bug "Y2K22" because of its resemblance to the infamous Y2K bug, a date-related flaw that was feared to crash numerous computer systems, and possibly the whole world economy, at the turn of the century. The same class of problem hit Microsoft Exchange: FIP-FS, the malware-scanning engine built into Exchange 2016 and 2019 servers, uses a signature file that stores dates as 32-bit integers, and the largest value a signed 32-bit integer can hold is 2147483647.

Dates in 2021 fit, since they were stamped in the form 211231XXXX (for 31 December); from January 1st, 2022, however, the stamp became 2201010001, which exceeds the largest value a 32-bit signed integer can hold. As a result, date/time checks in the server software failed, and emails were not delivered but piled up on the servers.

Although SonicWall has not explained what causes the Y2K22 bug in its devices, it is not the only company affected. Starting on January 1st, Honda and Acura owners began reporting that their in-car navigation system clocks were automatically set back 20 years, to January 1st, 2002. According to reports, the bug affects nearly all older vehicle models, including the Honda Pilot, Odyssey, CRV, and Ridgeline, and the Acura MDX, RDX, CSX, and TL.

Cisco Vulnerability Damages the Firewall


Positive Technologies threat experts have warned that a defect identified this week in Cisco's Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) firewalls could potentially contribute to denial-of-service (DoS) attacks. 

According to Positive Technologies expert Nikita Abramov, the high-severity bug (CVE-2021-34704) requires neither elevated privileges nor special access to exploit. An attacker only needs to craft a request in which one of the parts is larger than the device expects.

According to Cisco, the flaw stems from insufficient input validation when parsing HTTPS requests. If abused, it could let an attacker force the device to restart, resulting in a DoS condition, the vendor said.

This could have a significant effect on the business, Abramov noted. “If attackers disrupt the operation of Cisco ASA and Cisco FTD, a company will be left without a firewall and remote access,” he wrote in a research note.

“If the attack is successful, remote employees or partners will not be able to access the internal network of the organization, and access from outside will be restricted. At the same time, firewall failure will reduce the protection of the company.” 

Cisco has already fixed the flaw in the most recent versions of its ASA and FTD firmware. 

Positive Technologies further advises concerned clients to use security information and event management (SIEM) solutions to prevent and identify breaches.

In August the vendor addressed a bug in its Firepower Device Manager (FDM) On-Box software that allowed the researchers to take complete control of the company's Firepower next-generation firewalls.

The vulnerability, identified by Abramov and threat researcher Mikhail Klyuchnikov, received a severity score of 6.3 on the standard vulnerability ranking methodology. 

The vulnerability exploited another flaw in Cisco's FDM On-Box representational state transfer (REST) API, allowing intruders to execute arbitrary code on a compromised device's operating system.

“To exploit this vulnerability, all attackers need to do is to obtain credentials of a user with low privileges and send a specially crafted HTTP request,” Abramov wrote. “From a technical standpoint, the vulnerability is caused by insufficient user input validation for some REST API commands.”

Hackers Exploit Windows BITS Feature To Launch Malware Attack

Microsoft introduced BITS (Background Intelligent Transfer Service) in Windows XP to coordinate and ease the uploading and downloading of large files. System and application components, notably Windows Update, use BITS to deliver OS and application updates with minimal user disruption. Applications interact with BITS by creating jobs that download or upload one or more files. BITS runs as a service and can carry out transfers at any time; a local database stores file, state and job information.

How do hackers exploit BITS?

Like any other technology, BITS is used by legitimate applications and abused by attackers. When a malicious application creates a BITS job, the files are uploaded or downloaded in the context of the service host process. This helps attackers evade firewall rules that would block suspicious or unusual activity, since the application that requested the transfer is hidden behind the service. BITS transfers can also be scheduled for later, so they run at a given time without the attacker depending on the task scheduler or a long-running process.

BITS transfers are asynchronous, so the application that created a job may no longer be running when the requested transfers complete. To handle this, a BITS job can be created with a user-specified notification command, which runs on error or when the job completes. BITS jobs with such a notification command can launch any command or executable, and attackers have abused this feature as a persistence technique for repeatedly launching malicious applications.

The command data for BITS jobs is stored in a database rather than in the registry or a traditional autostart location, which helps attackers because tools that look for persistent executables or commands planted by unknown actors may overlook it. BITS jobs can be created with the bitsadmin command-line tool or via API functions. Cybersecurity firm FireEye reports, "the Background Intelligent Transfer Service continues to provide utility to applications and attackers alike. The BITS QMGR database can present a useful source of data in an investigation or hunting operation. BitsParser may be utilized with other forensic tools to develop a detailed view of attacker activity."
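The abuse pattern described above (a notification command that runs when the job finishes, files fetched from an unusual origin into a user-writable directory, or data uploaded out) can be turned into a simple triage rule set once the job list has been exported. The following Python is an added example, not FireEye's BitsParser nor any Microsoft tooling: it scores a list of job records. The field names mirror the properties of a PowerShell Get-BitsTransfer job object (DisplayName, TransferType, JobState, OwnerAccount, NotifyCmdLine, and FileList entries with RemoteName/LocalName); that mapping, the weights, the upload allowlist and the three sample records are all assumptions constructed for this demonstration and should be checked against your own export.

```python
"""Heuristic triage of BITS job records (added example; not BitsParser or Microsoft code)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlparse

# Interpreters and LOLBins that commonly show up in abused notification commands.
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "rundll32", "regsvr32",
                "mshta", "wscript", "cscript")
STAGING_DIR_RE = re.compile(r"\\(Temp|AppData|ProgramData|Public|Downloads)\\", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr")
TRUSTED_UPLOAD_HOSTS = {"backup.example.com"}  # assumed allowlist for this demo
SUSPICIOUS_THRESHOLD = 4

# Constructed sample records (field names assumed to follow Get-BitsTransfer output).
SAMPLE_JOBS = [
    {"DisplayName": "Windows Update", "TransferType": "Download", "JobState": "Transferred",
     "OwnerAccount": "NT AUTHORITY\\SYSTEM", "NotifyCmdLine": None,
     "FileList": [{"RemoteName": "https://update.example.com/kb.cab",
                   "LocalName": "C:\\Windows\\SoftwareDistribution\\Download\\kb.cab"}]},
    {"DisplayName": "svc", "TransferType": "Download", "JobState": "Transferred",
     "OwnerAccount": "CORP\\jdoe",
     "NotifyCmdLine": ["C:\\Windows\\System32\\cmd.exe",
                       "/c C:\\Users\\jdoe\\AppData\\Local\\Temp\\up.exe"],
     "FileList": [{"RemoteName": "http://203.0.113.7/up.exe",
                   "LocalName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\up.exe"}]},
    {"DisplayName": "backup", "TransferType": "Upload", "JobState": "Transferring",
     "OwnerAccount": "CORP\\jdoe", "NotifyCmdLine": None,
     "FileList": [{"RemoteName": "http://203.0.113.7/recv",
                   "LocalName": "C:\\Users\\jdoe\\Documents\\payroll.zip"}]},
]


@dataclass
class Assessment:
    name: str
    score: int = 0
    reasons: list = field(default_factory=list)


def _host_is_ip(url: str) -> bool:
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def assess_job(job: dict) -> Assessment:
    """Apply the heuristics to one job record and return its score and reasons."""
    a = Assessment(job.get("DisplayName", "<unnamed>"))
    notify = job.get("NotifyCmdLine") or []
    if isinstance(notify, str):
        notify = [notify]
    if notify:
        a.score += 3
        a.reasons.append("notification command line set: runs when the job completes or fails")
        joined = " ".join(notify).lower()
        if any(i in joined for i in INTERPRETERS):
            a.score += 2
            a.reasons.append("notification command invokes a script interpreter or LOLBin")
    is_upload = job.get("TransferType", "").lower() == "upload"
    for f in job.get("FileList", []):
        remote, local = f.get("RemoteName", ""), f.get("LocalName", "")
        parsed = urlparse(remote)
        if parsed.scheme == "http":
            a.score += 1
            a.reasons.append("remote file transferred over plain HTTP")
        if _host_is_ip(remote):
            a.score += 2
            a.reasons.append("remote host is a bare IP address")
        if STAGING_DIR_RE.search(local) and local.lower().endswith(EXECUTABLE_EXT):
            a.score += 2
            a.reasons.append("executable written to a user-writable staging directory")
        if is_upload and (parsed.hostname or "") not in TRUSTED_UPLOAD_HOSTS:
            a.score += 2
            a.reasons.append("upload to a host outside the allowlist")
    return a


def suspicious_jobs(jobs: list) -> list:
    """Return the assessments that reach the threshold, in input order."""
    return [a for a in (assess_job(j) for j in jobs) if a.score >= SUSPICIOUS_THRESHOLD]


if __name__ == "__main__":
    for a in suspicious_jobs(SAMPLE_JOBS):
        print(a.name, a.score, a.reasons)
```

Because the notification command is what gives BITS its persistence value, it carries the heaviest weight; the file-origin and destination checks exist to catch jobs that have no notification command but still move payloads or data in a way a normal updater would not.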

SonicWall Breached via Zero-Day Flaw


SonicWall revealed on Friday night that highly sophisticated threat actors attacked its internal systems by exploiting a probable zero-day flaw in the company's secure remote access products.

The Milpitas, Calif.-based platform security vendor said the compromised NetExtender VPN client and SMB-oriented Secure Mobile Access (SMA) 100 series products are used to give employees and customers remote access to internal resources. The SMA 1000 series is not susceptible to this attack and uses clients different from NetExtender, according to SonicWall.

SonicWall declined to answer questions about whether the attack on its internal systems was carried out by the same threat actor who for months injected malicious code into the SolarWinds Orion network monitoring tool.

The company noted, however, that it has seen a “dramatic surge” in cyberattacks against firms that provide critical infrastructure and security controls to governments and businesses. It said it is providing mitigation guidance to its channel partners and customers: multi-factor authentication should be enabled on all SonicWall SMA, firewall and MySonicWall accounts.

Products compromised in the SonicWall breach include the NetExtender VPN client version 10.x (released in 2020), used to connect to SMA 100 series appliances and SonicWall firewalls, and SonicWall's SMA version 10.x running on the SMA 200, SMA 210, SMA 400 and SMA 410 physical appliances and the SMA 500v virtual appliance. SonicWall partners and customers using the SMA 100 series should either use a firewall to permit SSL-VPN connections to the SMA appliance only from known/whitelisted IPs or configure whitelist access directly on the SMA itself, the company said.

For firewalls with SSL-VPN access using the compromised version of the NetExtender VPN client, partners and customers should either disable NetExtender access to the firewalls or limit access to users and administrators through an allow list/whitelist of their public IPs, according to SonicWall.

The networking device maker, whose products are commonly used to secure access to corporate networks, thus becomes the fourth security vendor to disclose a breach in recent months, after FireEye, Microsoft, and Malwarebytes. All three of those companies were breached during the SolarWinds supply chain attack. CrowdStrike said it was targeted in the SolarWinds hack as well, but the attack did not succeed.

City of Cornelia Witnessed Fourth Ransomware Attack


The city of Cornelia now seems quite used to the horrors of ransomware: on Saturday it suffered its fourth ransomware attack in the last two years, City Manager Donald Anderson said on Tuesday. On the morning of December 26th, 2020, the day after Christmas, the city received a malware attack as its Christmas gift. Experts say this may not be the last incident; it is part of a worsening trend the city may face in the near future.

Though the city spent almost $30,000 upgrading its firewall after the previous attack in September 2019 to better shield its systems, the hackers were still able to take the city's administrative and data systems offline.

In a statement, the city manager said they have “anticipated such situations in and out with abundance of caution” and have “taken down our network while we investigate the situation and restore our data.” Given its gravity, the situation is being monitored not only by state officials; outside experts have also stepped in to investigate.

According to Anderson, local services such as the emergency phone lines, garbage pickup and utility work are undisturbed and functioning properly; email and the city hall phones are also operating normally. However, since the city's software data system is down, employees and residents are at a standstill: they can neither look up bill balances nor accept credit card payments for city services.

Though most city functions are unaffected by the attack, the ransomware operators were able to incapacitate the city's newly installed water treatment plant.

“According to them, the business model of those behind the ransomware is typically NOT to profit off of selling the personal information of the city employees or our citizens on the internet – it is to extract a payment from the city,” Anderson added. Meanwhile, city officials declined to disclose further information and asked residents for cooperation and support, telling them to stay patient and calm until things are resolved.

The Cowlitz County PUD falls prey to a cyber attack in the United States


According to an inquiry conducted by the Wall Street Journal last week, the Cowlitz County PUD is among more than a dozen businesses that fell prey to a new cyber attack in the United States. Alice Dietz, spokesperson for Cowlitz County PUD, confirmed on Wednesday that the company's firewall blocked the only malicious e-mail the attackers sent. "We have pride in our Cybersecurity staff. We remain to achieve effective cyber safety standards. This is a classic instance of how serious Cowlitz County PUD is for its security," said Dietz in a statement.


No customer complaints regarding the attacks have appeared yet. The still-unidentified attackers tried to deliver malware to business networks across America using fraudulent e-mails; when recipients open these phishing emails, the malware gains entry to the user's computer. The malware sent to the businesses is called "Lookback." It lets attackers seize control of the target's network and take data. Only a few users at each business were targeted, and the hackers had scouted the utility firms before launching the attack.

"We are unaware of the employee that was targeted nor do we know the contents of the emails," says Dietz. "Experts recognized a couple of times in July and August when attackers had sent phishing e-mails," reports the Washington Journal. Dietz adds that the company only received a mail in August, and the malicious email was blocked by the company's firewall protection. "Our staff was not aware of 'Lookback'; it only surfaced when the FBI looked into the issue. However, the FBI research didn't find any malicious emails in the company's data system," Cowlitz County PUD GM Gary Huhta told the Washington Journal.

"The hackers forgot classifying data on victims, shortly revealed on a Hong Kong server," cyber-security experts told the Washington Journal. "The company's safety mode itself obstructs e-mails from abroad," Dietz told The Daily News. Businesses across the United States were attacked; "Another Washington business that was attacked was Klickitat County PUD," says the Washington Journal. The cyberattack was initially discovered by experts at Proofpoint, a Silicon Valley cyber safety firm.

Imperva Firewall Breached: Users API keys, SSL Certificates Exposed



Imperva, a leading security vendor, disclosed a security breach which exposed API keys, SSL certificates, scrambled passwords and email addresses for a subset of its customers using the Cloud Web Application Firewall (WAF) product.

Previously known as Incapsula, the Cloud WAF inspects incoming requests to applications and blocks any malicious activity.

The breach was brought to the California-based firm's attention by a third party on August 20; details of the disclosure have yet to be made public.

Speaking to Threatpost, Chris Morales, Head of Security Analytics at Vectra, said, “Losing SSL certificates and API access to an enterprise network is concerning. Secure web gateways, firewalls, intrusion detection and prevention systems, and data loss prevention (DLP) products all perform some form of SSL intercept and decryption to perform DPI.”

“While we often point to lack of maturity of security operations or misconfiguration of cloud systems as to why a company would miss an attack, it is even more unfortunate when a security vendor who builds a cloud security product is compromised that should have the skills and capabilities to detect and respond to cyberattacks,” he added.

Quoting the post by CEO Chris Hylen: “We want to be very clear that this data exposure is limited to our Cloud WAF product… Elements of our Incapsula customer database through September 15, 2017, were exposed. These included: email addresses; hashed and salted passwords. And for a subset of the Incapsula customers through September 15, 2017: API keys and customer-provided SSL certificates.”

Assuring the users, he told, “We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”

As a remedial measure, Imperva forced password resets and a 90-day password expiration for the product, which is notably a key component of the company's leading application security solution.