Search This Blog

Showing posts with label Flaws. Show all posts

CISA Alerts on Serious Flaws in Industrial Equipment & Infrastructure

 

According to the US government's CISA and private security researchers, 56 vulnerabilities have been discovered in industrial operational technology (OT) systems from ten global manufacturers, including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk. 

Some of these flaws obtained CVSS severity ratings as high as 9.8 out of 10. This is especially unfortunate given that these devices are employed in vital infrastructure throughout the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and construction and automation industries. 

Remote code execution (RCE) and firmware vulnerabilities are the most serious security problems. If exploited, these flaws might allow criminals to shut down electricity and water infrastructure and damage the food supply. This is not to claim that all or any of these situations are practically achievable; rather, these are the kind of devices and processes involved. 

Forescout's Vedere Labs uncovered the flaws in devices produced by 10 vendors and used by the security firm's customers and termed them OT:ICEFALL. As per the researchers, the vulnerabilities affect at least 324 enterprises worldwide – a figure that is likely to be far higher in reality because Forescout only has access to its own clients' OT devices. In addition to the previously mentioned firms, the researchers discovered weaknesses in Bently Nevada, Emerson, JTEKT, Omron, Phoenix Contact, and Yokogawa devices.

OT Devices are insecure by design

The majority of issues are found in level 1 and level 2 OT devices. Physical processes are controlled by level 1 devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs), whereas level 2 devices include supervisory control and data acquisition (SCADA) and human-machine interface systems.

In addition to the 56 highlighted in a Vedere report today, the threat-hunting team uncovered four more that are still being kept under wraps owing to responsible disclosure. One of the four allows an attacker to compromise credentials, two let an attacker to change the firmware of OT systems, and the fourth is an RCE through memory write flaw. 

Many of these flaws are the consequence of OT products' "insecure-by-design" build, according to Forescout's head of security research Daniel dos Santos. Several OT devices lack fundamental security protections, making them simpler for criminals to exploit, he said. 

Since that earlier analysis, "there have been real-word real incidents, real malware that has abused insecure-by-design functionality of devices to cause disruption and physical damage, like Industroyer in Ukraine in 2016, or Triton in the Middle East in 2017. One instance of insecure-by-design is unauthenticated protocols. So basically, whenever you interact with the device you can call sensitive functions on the device, invoke this function directly without it asking for a password," dos Santos stated.

The security researchers found nine vulnerabilities related to protocols that have no authentication on them: CVE-2022-29953, CVE-2022-29957, CVE-2022- 29966, CVE-2022-30264, CVE-2022-30313, CVE-2022-30317, CVE-2022-29952 and CVE-2022-30276. 

The majority of these may be used to download and run firmware and logic on other people's devices, resulting in RCEs, or shutdowns and reboots that can create a denial of service circumstances. In an ideal world, equipment employing these protocols is not linked to computers and other systems in such a way that a network intruder may abuse them. 

Credential compromise: Most common issue

Five of the flaws were noted more than once by Vedere Labs because they had various possible consequences. More than a third of the 56 vulnerabilities (38%) can be exploited to compromise user login credentials, while 21% might allow a criminal to change the firmware if exploited, and 14% are RCEs. 

Other vulnerability categories include denial of service and configuration manipulation (eight percent), authentication bypass (six percent), file manipulation (three percent), and logic manipulation (two percent). 

Fixing these security flaws will be difficult, according to the researchers, since they are the consequence of OT products being vulnerable by design, or because they need modifications in device firmware and supported protocols. 

As a result, they did not reveal all of the technical information for the faulty OT devices, which explains the lack of depth. They did, however, advise users to read each vendor's security advisory, which is expected to be released today or soon. Furthermore, where possible, the security shop suggests disconnecting OT and industrial control system networks from corporate networks and the internet.

Researchers Alert About Ransomware Attacks Targeting Microsoft Cloud ‘Versioning’ Feature

Researchers detected a functionality in Office 365 that enables cybercriminals to ransom items stored on SharePoint and OneDrive. When the researchers informed Microsoft, they were assured that the system was functioning as designed and it is a feature rather than a vulnerability. 

Files stored and updated on the cloud have long been thought to be resistant to encryption extortion — the autosave and versioning capabilities should offer enough backup capability. Researchers at Proofpoint have displayed that this is a false assumption. They reported, “Our research focused on… SharePoint Online and OneDrive… and shows that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.” 

There are two ways to accomplish this using the Microsoft versioning feature (which allows the user to specify the maximum number of older versions to be stored). Older versions beyond this level are designed difficult, if not impossible to recover. The first attack is more theoretical than practical, while the second is undeniably practical. The maximum number of revisions of a document that may be saved by default is 500. Simply said, the attacker modifies and encrypts the file 501 times. 

The changes do not have to be significant - just enough to cause the system to save the new (encrypted) version. All versions of the document will be encrypted by the completion of the procedure, and the file will be unrecoverable without the decryption key. This is a theoretical attack. In actuality, it would be loud and easily discovered. The second method is more practical: utilise the built-in user-controlled versioning tool to reduce the number of stored versions to one. 

Every SharePoint and OneDrive document library includes a user-configurable parameter for the number of stored versions, which can be found under list settings for each document library. Setting the version limit to zero does not help an attacker since it does not erase older versions that the user can still recover. 

If the limit is set to one, the file only has to be encrypted twice before the user loses access to its contents. If information is exfiltrated before encryption, the attacker has the option of launching a second extortion attempt. The attack chain includes initial access via compromised or hijacked user identities, account takeover and discovery, versioning reduction, file exfiltration, and encryption, and extortion. 

If the file owner keeps a local copy of the file, the impact of this attack will be limited. In this case, the attacker must compromise both the endpoint and the cloud account to ensure success. Proofpoint followed the Microsoft disclosure route and submitted the vulnerability to Microsoft before publicly revealing it. 

Microsoft stated that, first, the versioning settings function properly, and that, second, previous versions of files can potentially be retrieved and restored for an additional 14 days with the aid of Microsoft Support. 

“However,” write the researchers, “Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”

Therefore, the conclusion of the story is straightforward do not think files saved and updated in the cloud are immune to extortion attempts. Ransomware mitigation procedures must still be in place.

Hardware Bugs Provide Bluetooth Chipsets Unique Traceable Fingerprints

 

A recent study from the University of California, San Diego, has proven for the first time that Bluetooth signals may be fingerprinted to track devices (and therefore, individuals). At its root, the identification is based on flaws in the Bluetooth chipset hardware established during the manufacturing process, leading to a "unique physical-layer fingerprint."

The researchers said in a new paper titled "Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices, "To perform a physical-layer fingerprinting attack, the attacker must be equipped with a Software Defined Radio sniffer: a radio receiver capable of recording raw IQ radio signals." 

The assault is made feasible by the pervasiveness of Bluetooth Low Energy (BLE) beacons, which are constantly delivered by current smartphones to allow critical tasks such as contact tracking during public health situations. 

The hardware flaws come from the fact that both Wi-Fi and BLE components are frequently incorporated into a specialised "combo chip," effectively subjecting Bluetooth to the same set of metrics that may be utilized to uniquely fingerprint Wi-Fi devices: carrier frequency offset and IQ imbalance. 

Fingerprinting and monitoring a device, therefore, includes calculating the Mahalanobis distance for each packet to ascertain how similar the characteristics of the new packet are to its previously registered hardware defect fingerprint. 

"Also, since BLE devices have temporarily stable identifiers in their packets [i.e., MAC address], we can identify a device based on the average over multiple packets, increasing identification accuracy," the researchers stated. 

However, carrying out such an attack in an adversarial situation has numerous obstacles, the most significant of which is that the ability to uniquely identify a device is dependent on the BLE chipset employed as well as the chipsets of other devices in close physical distance to the target. Other key aspects that may influence the readings include device temperature, variations in BLE transmit power between iPhone and Android devices, and the quality of the sniffer radio utilised by the malicious actor to carry out the fingerprinting assaults. 

The researchers concluded, "By evaluating the practicality of this attack in the field, particularly in busy settings such as coffee shops, we found that certain devices have unique fingerprints, and therefore are particularly vulnerable to tracking attacks, others have common fingerprints, they will often be misidentified. BLE does present a location tracking threat for mobile devices. However, an attacker's ability to track a particular target is essentially a matter of luck."

PDF Smuggles Microsoft Word Doc to Deliever Snake Keylogger Malware

 

Threat researchers have found a new malware distribution campaign that uses PDF attachments to transport infected Word documents into users' computers. Most phishing emails today include DOCX or XLS attachments loaded with malware-loading macro code, thus the use of PDFs is unusual. Threat actors are switching to different methods to install harmful macros and escape identification as users grow more aware of opening fraudulent Microsoft Office attachments. 

In a new report by HP Wolf Security, researchers show how PDFs are being exploited as a transport for documents containing malicious macros that download and install information-stealing malware on victims' devices. The PDF arriving through email in a campaign seen by HP Wolf Security is called "Remittance Invoice," and the guess is that the email body contains vague assurances of payment to the recipient. 

When the PDF is accessed, Adobe Reader prompts the user to open a DOCX file contained therein, which is unusual and may cause the victim to become confused. "The file 'has been verified," says the Open File prompt, because the threat actors named the embedded document "has been verified." This message may lead recipients to believe that Adobe has authenticated the file and that it is safe to open. While malware investigators can use parsers and scripts to investigate embedded files in PDFs, most average users wouldn't go that far or even know where to begin. 

As a result, many people will open the DOCX in Microsoft Word and, if macros are allowed, will download and open an RTF (rich text format) file from a remote location. The command is inserted in the Word file, coupled with the hardcoded URL "vtaurl[.]com/IHytw," which is where the payload is hosted, to download the RTF. 

Attacking old RCE

The RTF file is called "f_document_shp.doc" and contains faulty OLE objects that are likely to elude detection. HP's experts discovered that it attempts to exploit an outdated Microsoft Equation Editor vulnerability to execute arbitrary code. The shellcode used in the attack targets CVE-2017-11882, a remote code execution flaw in Equation Editor that was addressed in November 2017 but is still exploitable in the wild. 

When the flaw was revealed, hackers were quick to notice it, and the sluggish patching that followed led to it becoming one of the most abused vulnerabilities in 2018. The RTF shellcode downloads and runs Snake Keylogger, a modular info-stealer with powerful persistence, defence evasion, credential access, data harvesting, and data exfiltration capabilities, by exploiting CVE-2017-11882.

Jupiter Plugin Flaws Enable Hackers to Hijack Websites

 

According to WordPress security researchers, the Jupiter Theme and JupiterX Core plugins for the WordPress content management system have a variety of vulnerabilities. A major privilege escalation issue is one of these vulnerabilities. 

Privilege escalation is a malicious method that involves acquiring control of a user's account that would otherwise be inaccessible to the present user by exploiting an app or OS flaw or configuration error. By obtaining these rights, a hostile actor can do a variety of actions on the operating system or server, such as executing instructions or assisting malware infection within the network, which can result in business disruption, sensitive data exposure, or system takeover. This is a violation of privilege. 

As per the source, "This vulnerability allows any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin. The JupiterX Core plugin is required for the JupiterX theme. The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled, but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks."

"On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner. On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template." 

Jupiter is a powerful and high-quality WordPress theme builder. More than 90,000 well-known blogs, online magazines, and platforms with a high volume of user traffic use it. The vulnerability, which has been issued the tracking number CVE-2022-1654 and a CVSS score of 9.9, allows any authorised user on a website that employs vulnerable plugins to get administrator access (critical). 

After successfully exploiting the flaw, attackers have complete control over the website and may do whatever they want with it. This can include altering the site's content, installing dangerous programmes, or completely deleting the site. The attacker only has to be a simple subscriber or client on the website to exploit this vulnerability; thus, it could be said that the attack does not have strict requirements. 

CVE-2022-1654 affects Jupiter Theme 6.10.1 and older (fixed in 6.10.2), JupiterX Theme 2.0.6 and older (fixed in 2.0.7), and JupiterX Core Plugin 2.0.7 and older (fixed in 2.0.8). To improve the security vulnerabilities, one needs to either update to the latest version or disable the plugin and change the site's theme.

Researchers: Tesla Cars, Bluetooth Locks, Vulnerable to Hackers

 

Hackers can remotely unlock millions of digital locks around the world, including those on Tesla cars, due to a flaw in Bluetooth technology, according to a cybersecurity firm. 

NCC Group researcher Sultan Qasim Khan was able to open and then drive a Tesla using a small relay device tied to a laptop, which spanned a wide gap between the Tesla and the Tesla owner's phone, according to a video shared with Reuters.

"This proves that any product relying on a trusted BLE connection is vulnerable to attacks even from the other side of the world," the UK-based firm said in a statement, referring to the Bluetooth Low Energy (BLE) protocol - technology used in millions of cars and smart locks which automatically open when in close proximity to an authorised device. 

Although Khan demonstrated the hack on a Tesla Model Y from 2021, NCC NSE 0.23 percent Group claims that any smart lock that uses BLE technology, including residential smart locks, may be unlocked in the same way. A request for comment from Tesla was not immediately returned. 

"In effect, systems that people rely on to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware," the firm stated. "This research illustrates the danger of using technologies for reasons other than their intended purpose, especially when security issues are involved". 

According to the NCC Group, such a vulnerability is not the same as a traditional bug that can be repaired with a software patch, and BLE-based authentication was not intended for usage in locking mechanisms.

SonicWall Urges Admins to Fix SSLVPN SMA1000 Flaws

 

SonicWall is urging customers to fix multiple high-risk security vulnerabilities in its Secure Mobile Access (SMA) 1000 Series line of products, which might allow attackers to evade authorization and compromise unpatched devices. 

Enterprises utilise SonicWall SMA 1000 SSLVPN solutions to ease end-to-end secure remote access to business resources in on-premises, cloud, and hybrid data centre environments. The first bug (a high-severity unauthenticated access control bypass) has been assigned CVE-2022-22282, however, the other two (a hard-coded cryptographic key and an open redirect, both of medium severity) are currently awaiting a CVE ID. 

"SonicWall strongly urges that organizations using the SMA 1000 series products upgrade to the latest patch," the company says in a security advisory published this week. 

SonicWall, on the other hand, stated that no evidence of these vulnerabilities being exploited in the field was discovered. The vulnerabilities do not affect SMA 1000 series devices running versions prior to 12.4.0, SMA 100 series products, CMS, or remote access clients, according to the company. The following SMA 1000 Series models are affected by security flaws: 6200, 6210, 7200, 7210, and 8000v (ESX, KVM, Hyper-V, AWS, Azure). 

The most serious of the three flaws is CVE-2022-22282, which allows unauthenticated attackers to bypass access control and obtain access to internal resources. This vulnerability can be remotely exploited in low-complexity attacks that don't involve any user input. If left unpatched and abused by attackers, the hard-coded cryptographic key flaw can have catastrophic repercussions, allowing them to get access to encrypted passwords. 

According to MITRE's CWE database, "The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question." 

Threat actors would most likely seek ways to compromise SMA 1000 series VPN appliances because they are utilised to protect remote connections into corporate networks. SonicWall also warned in July 2021 that end-of-life SMA 100 series and Secure Remote Access systems will be more vulnerable to ransomware assaults. 

SonicWall's products are used by over 500,000 commercial clients in 215 countries and territories across the world, with many of them deployed on the networks of government agencies and the world's major corporations.

Conti, REvil, LockBit Ransomware Flaws Exploited to Block Encryption

 

A researcher has demonstrated how a flaw common to numerous ransomware families can be used to control and eliminate the malware before it encrypts files on vulnerable systems. Malvuln is a project created by researcher John Page (aka hyp3rlinx) that lists vulnerabilities uncovered in various types of malware. 

Early in 2021, the Malvuln project was launched. SecurityWeek covered it in January 2021, when there were only a few dozen entries, and again in June 2021, when there were 260. Malvuln had almost 600 malware vulnerabilities as of May 4, 2022. Page added ten new entries in the first several days of May, detailing vulnerabilities in the Conti, REvil, Loki Locker, Black Basta, AvosLocker, LockBit, and WannaCry ransomware families. 

The researcher discovered that DLL hijacking flaws affect these and other ransomware families. By inserting a carefully designed file in a location where it will be run before the legal DLL, these vulnerabilities can often be exploited for arbitrary code execution and privilege escalation. When it comes to ransomware, a "attacker" can build a DLL file with the same name as a DLL that the malware looks for and loads. 

The new DLL will be executed instead of the ransomware executable if it is placed next to it. This can be used to stop malware from encrypting data by intercepting it and terminating it. The DLLs can be hidden, according to the researcher, who uses the Windows "attrib +s +h" command in his PoC videos. 

Page explained, “Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot as there’s nothing to kill — the DLL just lives on disk waiting. From a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach.” 

Page told SecurityWeek that while some of the ransomware versions he tested were new, the strategy works against practically all ransomware, comparing it to a "Pandora's box of vulnerabilities." The researcher has also made videos showing how to exploit the ransomware's flaws. The videos demonstrate how a specially constructed DLL file installed in the same folder as the ransomware executable prevents the malware from encrypting files. 

Authentication bypass, command/code execution, hardcoded credentials, DoS, SQL injection, XSS, XXE, CSRF, path traversal, information disclosure, insecure permissions, cryptography-related, and other forms of attacks are all stored in the Malvuln database. Page also recently released Adversary3, an open-source malware vulnerability intelligence tool for third-party attackers. The Python-based application is intended to make it easier to access data from the Malvuln database, allowing users to search for vulnerabilities by attack category. 

According to the researcher, the tool could be valuable in red teaming activities. For instance, the tester could seek for devices hosting malware and exploit vulnerabilities in that malware to gain elevated access. When the project was first announced, certain members of the cybersecurity community expressed concern that the data could be beneficial to malware makers, assisting them in fixing vulnerabilities, some of which may have been exploited for threat intelligence reasons without their knowledge. The ransomware vulnerabilities and the Adversary3 tool, on the other hand, illustrate that the project can also benefit the cybersecurity community.

11 High-Severity Flaws in Security Products Patched by Cisco

 

This week, Cisco released its April 2022 bundle of security advisories for Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC). 

The semiannual bundled advisories include a total of 19 flaws in Cisco security products, with 11 of them being classified as "high severity." 

CVE-2022-20746 (CVSS score of 8.8) is the most serious of these, an FTD security vulnerability that occurs because TCP flows aren't appropriately handled and might be exploited remotely without authentication to generate a denial of service (DoS) condition. 

“An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition,” Cisco explains in an advisory. 

With the introduction of FDT versions 6.6.5.2 and 7.1.0.1, the IT giant has addressed the problem. Fixes will also be included in FDT releases 6.4.0.15 and 7.0.2, which will be released next month. Several more DoS vulnerabilities, all rated "high severity," were fixed with the same FDT releases, including ones that affect ASA as well. They were addressed in ASA releases 9.12.4.38, 9.14.4, 9.15.1.21, 9.16.2.14, and 9.17.1.7. Other problems fixed by these software upgrades could result in privilege escalation or data manipulation when using an IPsec IKEv2 VPN channel.

Cisco also fixed an ASA-specific flaw that allowed an attacker to access sensitive information from process memory. Firepower Management Center (FMC) releases 6.6.5.2 and 7.1.0.1, as well as the future releases 6.4.0.15 and 7.0.2, resolve a remotely exploitable security protection bypass flaw, as per the tech giant. 

Cisco stated, “An attacker could exploit this vulnerability by uploading a maliciously crafted file to a device running affected software. A successful exploit could allow the attacker to store malicious files on the device, which they could access later to conduct additional attacks, including executing arbitrary code on the affected device with root privileges."

Fixes for eight medium-severity vulnerabilities in these security products are included in the company's semiannual bundled publishing of security advisories. Cisco is not aware of any attacks that take advantage of these flaws.

Critical Chipset Flaws Enable Remote Spying on Millions of Android Devices

 

Three security flaws in Qualcomm and MediaTek audio decoders have been discovered, if left unpatched which might permit an adversary to remotely access media and audio chats from compromised mobile devices. According to Israeli cybersecurity firm Check Point, the flaws might be exploited to execute remote code execution (RCE) attacks by delivering a carefully prepared audio file. 

The researchers said in a report shared with The Hacker News, "The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user's multimedia data, including streaming from a compromised machine's camera. In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations." 

The flaws, termed ALHACK, are based on an audio coding system that Apple created and made open-source in 2011. The Apple Lossless Audio Codec (ALAC) or Apple Lossless audio codec format is used to compress digital music in a lossless manner. Since then, other third-party suppliers have used Apple's reference audio codec implementation as the basis for their own audio decoders, including Qualcomm and MediaTek. While Apple has constantly patched and fixed security problems in their proprietary version of ALAC, the open-source version of the codec has not gotten a single update since it was first uploaded to GitHub on October 27, 2011. 

Check Point revealed three vulnerabilities in this ported ALAC code, two of which were found in MediaTek CPUs and one in Qualcomm chipsets. – 
• CVE-2021-0674 (CVSS score: 5.5, MediaTek) - A case of improper input validation in ALAC decoder leading to information disclosure without any user interaction 
• CVE-2021-0675 (CVSS score: 7.8, MediaTek) - A local privilege escalation flaw in the ALAC decoder stemming from out-of-bounds write 
• CVE-2021-30351 (CVSS score: 9.8, Qualcomm) - An out-of-bound memory access due to improper validation of a number of frames being passed during music playback 

The vulnerabilities allowed Check Point to "grab the phone's camera feed" in a proof-of-concept exploit, according to security researcher Slava Makkaveev, who discovered the issues alongside Netanel Ben Simon. All three vulnerabilities were addressed by the individual chipset manufacturers in December 2021, following responsible disclosure. 

"The vulnerabilities were easily exploitable. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone," Makkaveev explained.

Several Palo Alto Devices Affected by OpenSSL Flaw

 

In April 2022, Palo Alto Networks aims to patch the CVE-2022-0778 OpenSSL flaw in several of its firewall, VPN, and XDR devices. 

OpenSSL published fixes in mid-March to address a high-severity denial-of-service (DoS) vulnerability impacting the BN mod sqrt() function used in certificate parsing, which is tracked as CVE-2022-0778. Tavis Ormandy, a well-known Google Project Zero researcher, uncovered the issue. An attacker can exploit the flaw by creating a certificate with invalid explicit curve parameters. 

The advisory for this flaw read, “The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.” 

“It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.” 

The bug affects OpenSSL versions 1.0.2, 1.1.1, and 3.0, and the project's maintainers fixed it with the release of versions 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. When parsing an invalid certificate, an attacker can cause the OpenSSL library to enter an infinite loop, resulting in a DoS condition, according to Palo Alto Networks. 

“All PAN-OS software updates for this issue are expected to be released in April 2022. The full fixed versions for PAN-OS hotfixes will be updated in this advisory as soon as they are available.” as per Palo Alto Network. 

During the week of April 18, the company is expected to provide security remedies for the above vulnerability. PAN-OS, GlobalProtect app, and Cortex XDR agent software, according to Palo Alto, have a faulty version of the OpenSSL library, whereas Prisma Cloud and Cortex XSOAR solutions are unaffected. 

“We intend to fix this issue in the following releases: PAN-OS 8.1.23, PAN-OS 9.0.16-hf, PAN-OS 9.1.13-hf, PAN-OS 10.0.10, PAN-OS 10.1.5-hf, PAN-OS 10.2.1, and all later PAN-OS versions. These updates are expected to be available during the week of April 18, 2022.” continues the advisory. 

Customers with Threat Prevention subscriptions can enable Threat IDs 92409 and 92411 to limit the risk of exploitation for this issue while waiting for PAN-OS security upgrades, according to the company.

SpringShell Attacks Target About One in Six Vulnerable Orgs

 

According to figures from one cybersecurity firm, about one out of every six firms affected by the Spring4Shell zero-day vulnerability has already been targeted by threat actors. 

The exploitation attempts occurred within the first four days of the severe remote code execution (RCE) issue, CVE-2022-22965, and the associated attack code was publicly disclosed. 37,000 Spring4Shell attacks were discovered over the weekend alone, according to Check Point, which generated the statistics based on their telemetry data. Software vendors appear to be the most hit industry, accounting for 28% of the total, possibly due to their high vulnerability to supply chain threats. 

Based on their visibility, Check Point ranks Europe #1 in terms of the most targeted region, with 20%. This suggests that the malicious effort to exploit existing RCE possibilities against vulnerable systems is well underway, and threat actors seem to be turning to Spring4Shell while unpatched systems are still exposed. North America accounts for 11% of Check Point's detected Spring4Shell attacks, while other entities have confirmed active exploitation in the United States. 

Spring4Shell was one of four flaws posted to the US Cybersecurity & Infrastructure Security Agency's (CISA) inventory of vulnerabilities known to be used in actual attacks yesterday. The agency has uncovered evidence of attacks on VMware products, in which the software vendor published security upgrades and alerts. 

Microsoft also released guidelines for detecting and preventing Spring4Shell attacks, as well as a statement that they are already analyzing exploitation attempts. Spring MVC and Spring WebFlux apps operating on JDK 9+ are affected by CVE-2022-22965, hence all Java Spring installations should be considered potential attack vectors. Spring Framework versions 5.3.18 and 5.2.2, as well as Spring Boot 2.5.12, were published by the vendor to address the RCE issue. 

As a result, upgrading to these versions or later is strongly advised. System administrators should also be aware of the remote code execution vulnerabilities in the CVE-2022-22963 and CVE-2022-22947 remote code execution flaws in the Spring Cloud Function and Spring Cloud Gateway. These flaws already have proof-of-concept exploits that are publicly available.

Severe Flaws in Rockwell PLC Could Allow Attackers to Implant Malicious Code

 

Rockwell Automation's programmable logic controllers (PLCs) and engineering workstation software have two new security flaws that might be exploited by an intruder to introduce malicious code into affected systems and silently manipulate automation operations. 

In a way similar to Stuxnet and the Rogue7 assaults, the vulnerabilities have the ability to impair industrial operations and cause physical damage to factories. 

Claroty's Sharon Brizinov noted in a write-up published, "Programmable logic and predefined variables drive these [automation] processes, and changes to either will alter the normal operation of the PLC and the process it manages." 

The following is a list of two flaws – 
  • CVE-2022- (CVSS score: 10.0) — A remotely exploited weakness that allows a hostile actor to write user-readable "textual" computer code to a memory location independent from the compiled code that is being executed (aka bytecode). The problem is in Rockwell's ControlLogix, CompactLogix, and GuardLogix control systems' PLC firmware. 
  • CVE-2022-1159 =This vulnerability has a CVSS score of 7.7. Without the user's knowledge, an attacker with administrative access to a workstation running the Studio 5000 Logix Designer application can disrupt the compilation process and inject code into the user programme. 

Successfully exploiting the flaws could enable an attacker to change user programmes and download malicious code to the controller, effectively changing the PLC's normal operation and allowing rogue commands to be sent to the industrial system's physical devices. 

Brizinov explained, "The end result of exploiting both vulnerabilities is the same: The engineer believes that benign code is running on the PLC; meanwhile, completely different and potentially malicious code is being executed on the PLC." 

Because of the severity of the weaknesses, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning outlining mitigation actions that users of the affected hardware and software can take as part of a "comprehensive defence-in-depth strategy."

Microweber Creators Patched XSS Flaw in CMS Software

 

Microweber, an open-source website builder and content management system, has a stored cross-site scripting (XSS) vulnerability, according to security researchers. 

The security flaw, identified as CVE-2022-0930 by researchers James Yeung and Bozhidar Slaveykov, was patched in Microweber version 1.2.12. The issue developed as a result of flaws in older versions of Microweber's content filtering protections. 

Because of these flaws, attackers could upload an XSS payload as long as it contained a file ending in 'html' — a category that encompasses far more than simply plain.html files. Once this payload is uploaded, a URL with malicious HTML can be viewed and malicious JavaScript performed. 

An attacker could steal cookies before impersonating a victim, potentially the administrator of a compromised system, by controlling a script that runs in the victim's browser. A technical blog article by Yeung and Slaveykov, which includes a proof-of-concept exploit, gives additional detail about the assault. Microweber was asked to comment on the researchers' findings via a message sent through a webform on The Daily Swig's website. Microweber responded by confirming that the "issue is already fixed." 

When asked how they found Microweber as a target, Yeung told The Daily Swig, “I came across huntr.dev and found other researchers had found vulnerabilities on Microweber and that's why I joined that mania!” 

The vulnerabilities discovered in Microweber are similar to those found in other comparable enterprise software packages. The researcher explained, “I have found similar vulnerabilities in multiple CMS like Microweber, and I found that most of them are lacking user input sanitization from HTTP requests (some of which are not intended to be submitted from client).” 

To avoid issues in this area, Yeung determined that developers should gradually shift toward allow-lists and away from utilising block-lists.

This Linux Flaw in Netfilter Firewall Module Enables Attackers Gain Root Access

 

A local adversary might use a newly reported security vulnerability in the Linux kernel to acquire higher privileges on affected systems and execute arbitrary code, escape containers, or cause a kernel panic. 

Nick Gregory, a senior threat researcher at Sophos, uncovered the flaw. The vulnerability, identified as CVE-2022-25636 (CVSS score: 7.8), affects Linux kernel versions 5.4 through 5.6.10 and is caused by a heap of out-of-bounds written in the kernel's netfilter subcomponent. 

"This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat," Red Hat stated in an advisory published on February 22, 2022. Similar warnings have been released by Debian, Oracle Linux, SUSE, and Ubuntu. 

Netfilter is a Linux kernel framework that allows for packet filtering, network address translation, and port translation, among other networking-related tasks. CVE-2022-25636 is a vulnerability in the framework's handling of the hardware offload function, which might be exploited by a local attacker to cause a denial-of-service (DoS) or execute arbitrary code. 

Gregory said, "Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don't have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails. Additionally, while nftables requires CAP_NET_ADMIN, we can unshare into a new network namespace to get this as a (normally) unprivileged user." 

"This can be turned into kernel [return-oriented programming]/local privilege escalation without too much difficulty, as one of the values that are written out of bounds is conveniently a pointer to a net_device structure," Gregory added.

CISA: High-Severity Flaws in Schneider & GE Digital's SCADA Software

 

Schneider Electric's Easergy medium voltage protection relays are vulnerable to several vulnerabilities, according to the advisory by US Cybersecurity and Infrastructure Security Agency (CISA). 

The agency said in a bulletin on February 24, 2022, "Successful exploitation of these vulnerabilities may disclose device credentials, cause a denial-of-service condition, device reboot, or allow an attacker to gain full control of the relay. This could result in loss of protection to your electrical network."

Easergy P3 versions prior to v30.205 and Easergy P5 versions before v01.401.101 are affected by the two high-severity flaws. The following are the weaknesses in detail: 
  • CVE-2022-22722 (CVSS score: 7.5) - Use of hardcoded credentials that could be used to monitor and alter device traffic with the device.
  • CVE-2022-22723 and CVE-2022-22725 (CVSS score: 8.8) – A buffer overflow vulnerability that could lead to programme crashes and execution of arbitrary code by sending specially crafted packets to the relay over the network. 

Schneider Electric patched the weaknesses detected and reported by Red Balloon Security researchers Timothée Chauvin, Paul Noalhyt, and Yuanshe Wu as part of updates released on January 11, 2022. The alert comes less than ten days after CISA released another alert warning of several key vulnerabilities in Schneider Electric's Interactive Graphical SCADA System (IGSS) that, if exploited, could lead to data disclosure and loss of control of the SCADA system with IGSS running in production mode. 
 
In similar news, the US Federal Bureau of Investigation has issued a security alert for General Electric's Proficy CIMPLICITY SCADA software, alerting of two security flaws that might be exploited to expose sensitive information, gain code execution, and escalate local privileges. 

The advisories follow a report from industrial cybersecurity firm Dragos that discovered that 24 per cent of the total 1,703 ICS/OT vulnerabilities reported in 2021 had no fixes available, with 19 per cent having no mitigation, restricting operators from taking any steps to protect their systems from potential threats. 

Dragos also discovered malicious activity from three new groups that were discovered attacking ICS systems last year, including Kostovite, Erythrite, and Petrovite. Each of which targeted the OT environments of renewable energy, electrical utility, and mining and energy firms in Canada, Kazakhstan, and the United States.

Phishing Attack Emerges as a Primary Threat Vector in X-Force Threat Intelligence Index 2022

 

IBM published its tenth X-Force Threat Intelligence Index last week unveiling phishing attacks as the primary threat vector in the past year, with manufacturing emerging as the most targeted sector. IBM security analysts spotted a 33% surge in attacks caused by vulnerability exploitation of Log4Shell, a point of entry that malicious actors relied on more than any other to launch their assaults in 2021, representing the cause of 44% of ransomware attacks. 

The 2022 Threat Intelligence Index was compiled from billions of data points, ranging from network and endpoint detection devices, incident response engagements, phishing kits, and domain name tracking. It was revealed that threat actors employed phishing in 41% of attacks, surging from 2020 when it was responsible for 33% of attacks. Interestingly, click rates for the average targeted phishing campaign surged nearly three-fold, from 18% to 53% when phone phishing (vishing) was also employed by malicious actors. 

The X-Force report highlights the record-high number of vulnerabilities unearthed in 2021, including a vulnerability in the Kaseya monitoring software that was exploited by REvil in July, and the Log4j (or Log4Shell) vulnerability in Apache’s popular logging library. Cybercriminals from across the globe were so quick to exploit Log4j that it occupied the number two spot on the X-Force top 10 lists of most exploited vulnerabilities in 2021, despite only being discovered in December last year. The top vulnerability was a flaw in Microsoft Exchange that allowed attackers to bypass authentication to impersonate an administrator. 

Additionally in the UK, nearly 80% of users received a malicious call or text last year. To counter the threat, regulator Ofcom published new guidelines this week which will require more proactive work from operators to root out the use of spoofed numbers. 

“X-Force observed actors leveraging multiple known vulnerabilities, such as CVE-2021-35464 (a Java deserialization vulnerability) and CVE-2019-19781 (a Citrix path traversal flaw), to gain initial access to networks of interest. In addition, we observed threat actors leverage zero-day vulnerabilities in major attacks like the Kaseya ransomware attack and Microsoft Exchange Server incidents to access victim networks and devices,” researchers explained. 

To mitigate the risks, researchers advised organizations to update their vulnerability management system, identify security loopholes, and prioritize vulnerabilities based on the likelihood they will be abused.

US Defense Contractors Struck by SockDetour Windows backdoor

 

SockDetour, a new custom malware discovered on US defence contractor computers, has been utilised as a backup backdoor to sustain access to hijacked networks. 

The malicious payload was discovered by Unit 42 security researchers, who believe its administrators kept it hidden for a long time because it has been utilised in the open since at least July 2019. The fact that SockDetour "operates filelessly and socketlessly" on compromised Windows servers by hijacking network connections explains its stealthiness, making it much difficult to identify at the host and network levels. 

The connection hijacking is carried out with the help of the official Microsoft Detours library package, which is used for monitoring and instrumenting Windows API calls.

Unit 42 explained, “With such implementation, SockDetour [..] serves as a backup backdoor in case the primary backdoor is detected and removed by defenders." 

The threat actors utilised a very precise delivery server in one of the attacks, QNAP network-attached storage (NAS) device commonly used by small businesses that had earlier been infected with QLocker ransomware — they most likely utilised the same security vulnerability (the CVE-2021-28799 remote code execution bug) to acquire access to the server. 

On July 27, 2021, the researchers discovered the malware on the Windows server of at least one US defence contractor, which led to the identification of three additional defence organisations being attacked by the same group with the same backdoor. 

"Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting U.S.-based defence contractors using the tools. Unit 42 has evidence of at least four defence contractors being targeted by this campaign, with a compromise of at least one contractor," researchers explained. 

What is SockDetour?

The SockDetour backdoor was earlier linked to attacks exploiting various vulnerabilities in Zoho products, including ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077), by an APT activity cluster tracked by Unit 42 as TiltedTemple. While Unit 42 analysts suspected in November that the TiltedTemple campaign was the work of a Chinese-sponsored threat group known as APT27, the firm did not link the SockDetour malware to a specific hacking group. 

The partial attribution is based on techniques and harmful tools that match APT27's earlier activities, as well as similar cyber espionage targeting of the same industries (e.g., defence, technology, energy, aerospace, government, and manufacturing). TiltedTemple attacks targeting Zoho vulnerabilities resulted in the compromise of critical infrastructure organisations' networks. 

In three separate campaigns in 2021, TiltedTemple assaults targeting Zoho vulnerabilities resulted in the penetration of networks belonging to critical infrastructure organisations around the world, using: 
• an ADSelfService zero-day exploit between early-August and mid-September, 
• an n-day AdSelfService exploit until late October, 
• and a ServiceDesk one starting with October 25.

Mitigating Software Security Flaws with Automation

 

A group of UTSA researchers is investigating how a new automated approach could be used to prevent software security vulnerabilities. The team intended to create a deep learning model that could train the software on how to automatically extract security policies. 

Unlike traditional software development models, the agile software development process is intended to deliver software more quickly, eradicating the requirement for lengthy paperwork and changing software requirements. The only required documentation is user stories, which are specifications that define the software's requirements. However, the fundamental practises of this method, such as frequent code changes, restrict the capacity to perform security assurance evaluations.

Ram Krishnan, associate professor in the UTSA Department of Electrical and Computer Engineering stated, “The basic idea of addressing this disconnect between security policies and agile software development came from happenstance conversation with software leaders in the industry.” 

Before arriving on a deep learning strategy that can handle several formats of user stories, the researchers looked at various machine learning approaches. To conduct the prediction, the model is composed of three parts: access control classifications, named entity recognition, and access type classification. The software uses access control classification to determine whether or not user stories contain access control information. The actors and data objects in the storey are identified by a named entity. The link between the two is determined by the access type classification. To evaluate their approach, the researchers used a data collection of 21 online applications, each with 50-130 user stories (a total of 1,600). 

Krishnan stated, “With a dataset of 1,600 user stories, we developed a learning model based on transformers, a powerful machine learning technique. We were able to extract security policies with good accuracy and visualize the results to help stakeholders better refine user stories and maintain an overview of the system’s access control.” 

According to Krishnan, this unique new method will be a valuable tool in the modern agile software development life cycle. A manual method of extracting security policies would be error-prone and costly because agile software development focuses on incremental modifications to code. It is just another area where machine learning and artificial intelligence have proven to be effective. 

He further added, “We recognize that there is little additional information about access control that can be extracted or determined directly from user stories in a fully automated approach. That means it is difficult, or impossible, to determine a software’s exact access control from user stories without human involvement. We plan to extend our approach to make it interactive with stakeholders so that they can help refine the access control information.”

Live XSS Flaw Exists in DMCA-dot-com

 

The user interface of the takedowns website DMCA-dot-com has an active cross-site scripting (XSS) vulnerability. It's been there for almost a year and has not been addressed. 

After more than a year of attempting and failing to convince DMCA-dot-com to take the XSS seriously, Infosec researcher Joel Ossi, founder of Dutch security firm Websec, disclosed his findings. "I registered at DMCA at first with an intention to protect my own website," he blogged, explaining that he found unescaped free-text entry boxes in the DMCA user interface that allowed him to create an XSS. 

A copyright takedown service is DMCA-dot-com. Users pay the site to conduct the time-consuming task of obtaining an alleged copyright infringer's work to be removed from the Internet utilising the infamous US Digital Millennium Copyright Act. The cost of a takedown could be as high as $199. 

On a video conference with The Register, Ossi shared his findings in real-time. The typical XSS tell-tale — a popup with a personalized message – displayed every time he navigated to a new webpage in the DMCA-dot-com user area. The script for doing so was actually fairly straightforward: When he originally discovered the flaw in late 2020, he spent a year attempting and failed to obtain the attention of the operators of DMCA-dot-com. 

DMCA-dot-last com's message to Ossi stated, "Our development team will be reaching out if / when they need to. Our support department cannot help you on this," as he tried to persuade helpdesk staff to forward his vulnerability report. When he asked for a bug bounty, El Reg confirmed that Ossi had made complete confidential disclosure of his discoveries before addressing the issue of payment.

Both Ossi and The Register attempted to contact DMCA-dot-com several times and in The Register's instance, the company didn't even respond to the attempts to reach them. While Ossi was the first to discover the XSS flaws in DMCA-dot-com, he isn't the only one. Two different entries on the Open Bug Bounty site, one from April and the other from June, indicate XSS vulnerabilities in DMCA. 

Cross-site scripting vulnerabilities, let a malicious person run scripts on another person's website. The problem often exists because free text entry forms do not sanitize user inputs, as per MITRE. An attacker could gain access to a DMCA-dot-com account by extracting active login tokens from cookies. According to Ossi, it wouldn't take much to falsely bill for services, remove DMCA-dot-com's security features from a webpage, or delete an account. 

Jake Moore, a global cybersecurity advisor to infosec firm ESET, told The Register: "Cross-site scripting vulnerabilities can allow an attacker to masquerade as a standard user and carry out any actions that the user is able to perform such as access the user's data. User accounts can then ultimately be compromised and credentials or other information could be stolen with great ease." 

Immersive Labs' app security specialist Sean Wright further added: "Despite the fact they have been a part of the attacker toolkit for some time, many still underestimate the risks from XSS vulnerabilities. However, they are effectively client-side remote code execution vulnerabilities. In the right circumstances, and combined with tools such as the Browser Exploitation Framework, XSS vulnerabilities give an attacker almost complete control of a browser. Ultimately, this could lead to redirects to malicious sites and even performing actions on behalf of the user."

It's anticipated that someone at DMCA-dot-com pays attention to the flaw disclosure from a year and a half ago.