Search This Blog

Showing posts with label Flaws. Show all posts

This Twitter Bug is Making Users Secret Circle Tweets Public


Twitter launched Circle in August 2022, allowing you to limit your tweets to a chosen group of users without making your account private. While the function was designed to limit the visibility of your tweets to a group smaller than your number of followers, a recent issue has reportedly exposed your private tweets to many others outside your Circle, even if they do not follow you.

Many users have observed that tweets intended for Twitter Circles are reaching all followers rather than just those in the Circle. Amanda Silberling of TechCrunch, who saw another person's ostensibly private tweet, notes that personal posts display under Twitter's newly launched "For You" area.

Because the feature is intended to allow users to tweet secretly, many people use it to express sensitive thoughts and sentiments, as well as restricted media such as naked photographs, and the flaw poses a significant privacy risk to the account that posts all of those private tweets.

For months, Twitter Circle has been buggy. Certain users have reported that their tweets from the Circle have reached other followers outside of it. Meanwhile, some users claim that the tweets are available to anyone other than followers. Affected users discovered the flawed nature of the service when a few strangers responded with tweets intended for the inner circle.

While it's difficult to pinpoint a specific cause for the glitch, it could be related to recent changes to Twitter's recommendation algorithm, which divided the feed into "For You" and "Following" timelines. As the names suggest, For You also displays tweets from users you don't follow.

Elon Musk's private jet was made public on Twitter in October. Musk compared the incident to "doxing" and responded by suspending the @ElonJet account as well as the accounts of journalists who reported on it. 

However, when it comes to users' privacy — despite using a mechanism that ostensibly guarantees it — Musk does not appear to be concerned. Twitter Circle has allegedly been plagued by bugs for several months. These difficulties have not piqued Twitter's interest, despite the digital titan persistently promoting the platform's paid tier, Twitter Blue.

This could be considered a violation of users' permission and a data breach under EU legislation. Any monetary punishment, however, may be subject to interference by US authorities and legislators.

Hackers can Open Smart Garage Doors From Anywhere in the World


According to findings from a security researcher, hackers can remotely tap into a specific brand of smart garage door opener controllers and open them all over the world due to a number of security weaknesses that the firm, Nexx, has refused to repair. 

The flaws represent a major risk to Nexx users, who have access to wi-fi-connected garage door opener controllers among other things. As per a copy of an email obtained with Motherboard, the researcher who discovered the vulnerability claims that Nexx has not reacted to their attempts to responsibly report the vulnerabilities for months.

“Completely remote. Anywhere in the world,” Sam Sabetan, the security researcher, told Motherboard, describing the hack.

Nexx describes its goods as "easy-to-use products that work with things you already own." Its garage product links to a person's existing garage door opener and allows them to remotely activate it via a smartphone app. “Life is complicated enough. Remembering whether or not you left your garage door open should be the least of your worries: Get peace of mind,” the company advertises on its website. Nexx has run campaigns on Kickstarter.

Sabtean demonstrated the hack in a video proof-of-concept. It shows his fist unlocking his own garage door with the Nexx app, as promised. He then accesses a tool that allows him to read communications sent by the Nexx device. Sabetan uses the app to close the door and records the data that the device sends to Nexx's server during this activity.

Sabetan not only receives information on his own device but also messages from 558 other gadgets. According to the video, he can now see the device ID, email address, and name associated with each. He then sends an order to the garage via software rather than the app, and his door opens once more. Sabetan only tested this on his own garage door, but he could have used this technique to open other users' garage doors as well.

Sabetan told Motherboard he could open doors “for any customer.” “That’s the craziest bug. But the disabling alarm and turning on [and] off smart plugs is pretty neat too,” he added, referring to another Nexx product that allows users to control power outlets in their home.

The repercussions of someone weaponizing these vulnerabilities are far-reaching, and might pose a serious security risk to Nexx's clients. A hacker might randomly open Nexx doors all across the world, exposing their garage contents and possibly their homes to opportunistic robbers. Pets could flee. Customers may become irritated if they see someone opening and closing their property without knowing why. In more extreme circumstances, a hacker could exploit the flaws as part of a targeted assault against the particular garage that used Nexx’s security system.

Sabetan and Motherboard have made numerous attempts to contact Nexx about the problems. Sabetan claimed that the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) had tried to contact him. The corporation has not responded or fixed the issues. This means that security flaws are still available to hackers who desire to exploit them. As a result, Motherboard will not go to great lengths on them, instead focusing on their influence on customers. On Tuesday, CISA issued its own advisory regarding security issues.

Nexx appears to be purposefully disregarding at least some inquiries attempting to alert them to the vulnerabilities. Sabetan contacted Nexx's support again because Nexx's support email did not react to his vulnerability report, this time stating that he needed assistance with his own Nexx product. According to a copy of the email Sabetan shared with Motherboard, Nexx's support personnel responded at the time.

“Great to know your support is alive and well and that I’ve been ignored for two months,” Sabetan replied. Please respond to ticket [ticket number,” he wrote, referring to his vulnerability report.

A Privacy Flaw in Windows 11's Snipping Tool Exposes Cropped Image Content


A serious privacy vulnerability known as 'acropalypse' has also been discovered in the Windows Snipping Tool, enabling people to partially restore content that was photoshopped out of an image. 

Security researchers David Buchanan and Simon Aarons discovered last week that a bug in Google Pixel's Markup Tool caused the original image data to be retained even when it was edited or cropped out. This flaw poses a significant privacy risk because it may be possible to partially recover the original photo if a user shares a picture, such as a credit card with a redacted number or revealing photos with the face removed.

To demonstrate the bug, the researchers created an online acropalypse screenshot recovery tool that attempted to recover edited images created on Google Pixel.

The Windows 11 Snipping Tool was also affected

Today, Chris Blume, a software engineer, confirmed that the 'acropalypse' privacy flaw also affects the Windows 11 Snipping Tool. Instead of truncating any unused data when opening a file in the Windows 11 Snipping Tool and overwriting an existing file, it leaves the unused data behind, allowing it to be partially recovered.

Will Dormann, a vulnerability expert, also confirmed the Windows 11 Snipping Tool flaw, and BleepingComputer confirmed the issue with Dormann's assistance. To put this to the test, Bleeping Computer opened an existing PNG file in Windows 11 Snipping Tool, cropped it (you can also edit or mark it up), and saved the changes to the original file. 

While the cropped image comprises far less data than the original, the file sizes for the original image (office-screenshot-original.png) and cropped image (office-screenshot.png) are identical. According to the PNG file specification, a PNG image file must always end with a 'IEND' data chunk, with any data added after that being ignored by image editors and viewers.

However, when used the Windows 11 Snipping Tool to overwrite the original image with the cropped version, the programme did not properly truncate the unused data, and it is still present after the IEND data chunk.

When you open the file in an image viewer, you'll only see the cropped image because anything after the first IEND is ignored. This untruncated data, on the other hand, can be used to partially recreate the original image, potentially revealing sensitive portions.

While the researcher's online acropalypse screenshot recovery app does not currently support Windows files, Buchanan did share with BleepingComputer a Python script that can be used to recover Windows files.

BleepingComputer successfully recovered a portion of the image using this script. This was not a complete recovery of the original image, which may leave you wondering why this poses a privacy risk.

Consider taking a screenshot of a sensitive spreadsheet, confidential documents, or even a naked picture and cropping out sensitive information or portions of the image. Even if you are unable to fully recover the original image, someone may be able to recover sensitive information that you do not want made public. It should also be noted that this flaw does not affect all PNG files, such as optimised PNGs.

"Your original PNG was saved with a single zlib block (common for "optimised" PNGs) but actual screenshots are saved with multiple zlib blocks (which my exploit requires)," Buchanan explained to BleepingComputer.

BleepingComputer also discovered that if you open an untruncated PNG file in an image editor, such as Photoshop, and save it to another file, the unused data at the end is stripped away, rendering it unrecoverable.

Finally, the Windows 11 Snipping Tool behaves similarly to the above with JPG files, leaving data untruncated if overwritten. However, Buchanan told BleepingComputer that his exploit does not currently work on JPGs but that it might in the future. Microsoft confirmed to BleepingComputer that they are aware of the reports and are investigating them.

"We are aware of these reports and are investigating. We will take action as needed to help keep customers protected," a Microsoft spokesperson told BleepingComputer.

Unpatched Akuvox Smart Intercom Flaws Can Be Exploited for Spying


The E11, a popular smart intercom and videophone from Chinese company Akuvox, contains more than a dozen flaws, including a critical bug that allows unauthenticated remote code execution (RCE). Malicious actors could use these to gain access to an organization's network, steal photos or video captured by the device, control the camera and microphone, and even lock and unlock doors. 

The flaws were discovered and highlighted by Claroty's Team82, a security firm that became aware of the device's flaws when they moved into an office where the E11 was already installed. Team82 members' interest in the device grew into a full-fledged investigation as they discovered 13 vulnerabilities, which they classified into three categories based on the attack vector used.

The first two types can occur via RCE within a local area network or through remote activation of the E11's camera and microphone, allowing the attacker to collect and exfiltrate multimedia recordings. The third attack vector focuses on gaining access to an external, insecure file transfer protocol (FTP) server, which allows the actor to download stored images and data.

The Akuvox 311 contains a critical RCE bug

One critical threat — CVE-2023-0354, with a CVSS score of 9.1 — allows the E11 Web server to be accessed without any user authentication, potentially giving an attacker easy access to sensitive information.

"The Akuvox E11 Web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs," according to the Cybersecurity and Infrastructure Security Agency (CISA), which published an advisory about the bugs, including a vulnerability overview.

Another notable vulnerability (CVE-2023-0348, with a CVSS score of 7.5) affects the SmartPlus mobile app, which iOS and Android users can use to interact with the E11. The main problem is that the app uses the open-source Session Initiation Protocol (SIP) to allow communication between two or more participants over IP networks. The SIP server does not validate SmartPlus users' authorization to connect to a specific E11, which means that anyone with the app installed can connect to any E11 connected to the Internet, including those behind a firewall.

"We tested this using the intercom at our lab and another one at the office entrance," according to the Claroty report. "Each intercom is associated with different accounts and different parties. We were, in fact, able to activate the camera and microphone by making a SIP call from the lab's account to the intercom at the door."

Unpatched Akuvox Security Vulnerabilities

Beginning in January 2022, Team82 detailed their efforts to bring the vulnerabilities to the attention of Akuvox, but after several outreach attempts, Claroty's account with the vendor was blocked. Following that, Team82 published a technical blog detailing the zero-day vulnerabilities and enlisted the help of the CERT Coordination Center (CERT/CC) and CISA.

Organizations that use the E11 should disconnect it from the Internet until the vulnerabilities are fixed, or ensure that the camera is not capable of recording sensitive information. According to the Claroty report, "organizations are advised to segment and isolate the Akuvox device from the rest of the enterprise network" within the local area network. 

"Not only should the device reside on its own network segment, but communication to this segment should be limited to a minimal list of endpoints."

A world of increasingly connected devices has provided sophisticated adversaries with a vast attack surface.As per Juniper Research, the number of industrial internet of things (IoT) connections alone — a measure of total IoT device deployment — is expected to more than double to 36.8 billion in 2025, up from 17.7 billion in 2020.

And, despite the fact that the National Institute of Standards and Technology (NIST) has agreed on a standard for encrypting IoT communications, many devices remain vulnerable and unpatched. Akuvox is the latest in a long line of these that have been found to be severely lacking in device security. Last year, for example, a critical RCE vulnerability in Hikvision IP video cameras was disclosed.

Rapid7 Report: Attackers are Launching Exploits Faster Than Ever Before


Rapid7 has released its latest Vulnerability Intelligence Report, which examines 50 of the most significant security vulnerabilities and high-impact cyberattacks in 2022. The report examines attacker use cases and highlights exploitation trends, as well as provides a framework for understanding new security threats as they emerge. 

According to the report, attackers are developing and deploying exploits faster than ever before. The report includes 45 vulnerabilities that were exploited in the wild, 44% of which were caused by zero-day exploits. In contrast, 56% of the vulnerabilities in the report were exploited within seven days of their public disclosure, a 12% increase over 2021 and an 87% increase over 2020. 

Furthermore, the median time for exploitation in 2022 was only one day. As per the Rapid7 report, only 14 of the vulnerabilities have been exploited to carry out ransomware attacks. Despite ongoing ransomware activity, it is a 33% decrease from 2021.

The decline could imply that ransomware operations have become less reliant on security flaws, but it could also be due to other factors, such as lower reporting of ransomware incidents. Other vulnerability and exploit trends covered in this report include ransomware ecosystem complexity, network perimeter privilege escalation, and the long tail of exploitation across older vulnerabilities.

Caitlin Condon, Rapid7 vulnerability research manager and lead author of the Vulnerability Intelligence Report stated, “Rapid7’s team of vulnerability researchers work around the clock to thoroughly investigate and provide critical context into emergent threats. We produce the annual Vulnerability Intelligence Report to help organizations understand attack trends and proactively address the unique and shared threats they face. The ransomware ecosystem and the cybercrime economy have continued to mature and evolve. As a result, we saw many more ransomware families actively compromising organizations in 2022, which naturally creates challenges for threat tracking and reporting."

Security, IT, and other teams tasked with vulnerability management and risk reduction work in high-pressure, high-stakes environments where separating signal from noise is critical. When a new potential threat arises, information security professionals often need to translate vague descriptions and unproven research artefacts into actionable intelligence for their particular risk models.

Condon further concluded, “Rapid7 is known for its ongoing research initiatives that keep its customers and the broader business community safer. The company is on a mission to create a safer digital world by making cybersecurity simpler and more accessible. We empower security professionals to manage a modern attack surface through our best-in-class technology, leading-edge research, and broad, strategic expertise. Rapid7’s comprehensive security solutions help more than 10,000 global customers unite cloud risk management and threat detection to reduce attack surfaces and eliminate threats with speed and precision. The Rapid7 Insight Platform collects data from across your environment, making it easy for teams to manage vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate your operations.”

How SMB Protocol Functions and its Susceptibility to Vulnerabilities


The SMB protocol enables computers connected to the same network to share files and hardware such as printers and external hard drives. However, the protocol's popularity has also led to an increase in malicious attacks, as older versions of SMB do not use encryption and can be exploited by hackers to access sensitive data. It is crucial to understand the different types of SMB and how to stay protected from associated risks. 

The Server Message Block (SMB) is a network protocol used for sharing data between devices on a local or wide area network. Originally developed by IBM in the mid-1980s for file sharing in DOS, it has since been adopted by other operating systems including Microsoft's Windows, Linux, and macOS.

The SMB protocol plays a crucial role in the regular activities of various businesses and groups by providing a convenient means of retrieving files and accessing resources from other computers connected to the network.

Consider a scenario where you are part of a team whose members operate from distinct locations. In such situations, the SMB protocol is an excellent tool for swiftly and effortlessly exchanging files. It enables every team member to retrieve identical data and collaborate on assignments. Several individuals can remotely view or modify the same file as if it were stored on their personal computers.

How Does the SMB Protocol Function?

To establish a connection between the client and server, the SMB protocol employs the request and response method. Here are the steps to make it work:

Step 1: Client request: The client (the device making the request) sends an SMB packet to the server. The packet includes the complete path to the requested file or resource.

Step 2: Server response: The server (the device that has access to the requested file or resource) evaluates the request and, if successful, responds with an SMB packet containing additional information on how to access the data.

Step 3: Client Process: The client receives the response and then processes the data or resource as needed.

SMB Protocol Types

The SMB protocol has seen a few upgrades as technology has advanced. There are several types of SMB protocols available today, including:
  • SMB Version 1: This is the original version of the SMB protocol, released by IBM in 1984 for file exchange on DOS. It was later modified by Microsoft for use on Windows.
  • CIFS: The Common Internet File System (CIFS) is a modified version of SMBv1 that was designed to allow for the sharing of larger files. It was first included in Windows 95.
  • SMB Version 2: SMB v2 was released by Microsoft in 2006 with Windows Vista as a more secure and efficient alternative to previous versions. This protocol added features like improved authentication, larger packet sizes, and fewer commands.
  • SMB Version 3: SMB v3 was released by Microsoft with Windows 8. It was created to boost performance while also adding support for end-to-end encryption and improved authentication methods.
  • Version 3.1.1 of SMB: The most recent version of the SMB protocol was released with Windows 10 in 2015, and it is fully compatible with all previous versions. It adds new security features such as AES-128 encryption and enhanced security features to combat malicious attacks.
What Are the SMB Protocol's Risks?

Although the SMB protocol has been a valuable asset to many businesses, it also poses some security risks. This protocol has been used by hackers to gain access to corporate systems and networks. It has evolved into one of the most popular attack vectors used by cyber criminals to breach systems.

Worse, despite the availability of upgraded versions of SMB, many Windows devices continue to use the older, less secure versions 1 or 2. This increases the likelihood that malicious actors will exploit these devices and gain access to sensitive data.

The following are the most common SMB exploits.
  • Brute Force Attacks
  • Man-in-the-Middle Attacks
  • Buffer Overflow Attacks
  • Ransomware Attacks
  • Remote Code Execution
Maintain Your Safety While Employing the SMB Protocol

Despite the risks associated with the SMB protocol, it remains an important component of Windows. As a result, it is critical to ensure that all business systems and networks are protected from malicious attacks.

To stay safe, only use the most recent version of the SMB protocol, keep your security software up to date, and keep an eye on your network for unusual activity. It is also critical to train your staff on cybersecurity best practices and to ensure that all users use strong passwords. By taking these precautions, you can keep your company safe from malicious attacks.

Attackers Use a Poisoned Google Search to Target Chinese-speaking Individuals

A new nefarious campaign has been discovered that promotes malicious websites and fake installers by using tainted Google Search results. FatalRAT is primarily targeting Chinese people in East and Southeast Asia. The IOCs of the threat activities did not correspond to any previously identified threat group. 

According to telemetry data collected by ESET researchers, the campaign began in May 2022 and lasted until January 2023. The most targeted victims were found in China, Hong Kong, and Taiwan, with attacks also occurring in Thailand, Singapore, Indonesia, the Philippines, Japan, Malaysia, and Myanmar. Attackers promoted their rogue websites hosting trojanized installers via Google paid advertisements. These advertisements have now been removed.
To host the malicious websites, attackers enrolled several equivalents to legitimate typosquatting domains (such as telegraem[.]org) from (telegram[.]org). These bogus domains host websites that look exactly like the real ones, and they all point to the same IP address. This IP address is associated with a server that hosts multiple fake websites and tainted installers, as well as actual installers and the FatalRAT loader.

Since Chinese language versions of genuine software applications are not available in China, the websites and installers are disguised. Telegram, LINE, WhatsApp, Signal, Skype, Google Chrome, Mozilla Firefox, WPS Office, Electrum, Sogou Pinyin Method, and Youda are among the spoof apps.

The tainted installers were hosted on an Alibaba Cloud Object Storage Service, which isolated them from the server where websites are hosted. Advanced Installer is used to create and digitally sign the installers, which are MSI files.

When run, these installers would drop and execute a genuine installer, a malicious loader, an updater, and, eventually, the FatalRAT payload. When infected, the malware gives the attacker complete control of the victimized device, allowing them to remotely execute commands, harvest data from web browsers, run files, and capture keystrokes.

According to researchers, the tactics used in this attack are not highly sophisticated; however, attackers have made several attempts to make it appear to be one by using paid Google ads, fake domain names, and tainted installers carrying genuine software. When clicking on links promoted as advertisements, users must be mindful and perform multiple mental checks.

Clop Ransomware Flaw Permitted Linux Victims to Restore Files for Months


The first Linux version of the Clop ransomware has been discovered in the wild, but with a flawed encryption algorithm that enables the process to be reverse-engineered. 

"The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom," SentinelOne researcher Antonis Terefos said in a report shared with The Hacker News.

The cybersecurity firm, which has created a decryptor available, stated that it discovered the ELF version on December 26, 2022, while also mentioning similarities to the Windows flavor in terms of employing the same encryption method. Around the same time, the detected sample is said to be a component of a larger attack targeting educational institutions in Colombia, including La Salle University. As per FalconFeedsio, the university was added to the criminal group's leak site in early January 2023.

The Clop (stylized as Cl0p) ransomware operation, which has been active since 2019, dealt a major blow in June 2021 when six members of the group were arrested by police as part of an international law enforcement operation codenamed Operation Cyclone.

However, the cybercrime group made a "explosive and unexpected" comeback in early 2022, claiming dozens of victims from the industrial and technology sectors. SentinelOne classified the Linux version as an early-stage version due to the absence of some functions found in the Windows counterpart.

This lack of feature parity is also explained by the malware authors' decision to create a custom Linux payload rather than simply porting over the Windows version, implying that future Clop variants may close the gap.

"A reason for this could be that the threat actor has not needed to dedicate time and resources to improve obfuscation or evasiveness due to the fact that it is currently undetected by all 64 security engines on VirusTotal," Terefos explained.

The Linux version is intended to encrypt specific folders and file types, with the ransomware containing a hard-coded master key that can be used to recover the original files without paying the threat actors. If anything, the development indicates a growing trend of threat actors branching out beyond Windows to target other platforms.

Terefos concluded, "While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward," 

ISC Issues Security Updates to Address New BIND DNS Software Bugs


The Internet Systems Consortium (ISC) has issued updates to address multiple security flaws in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite, which could result in a denial-of-service (DoS) condition. 

According to its website, the open-source software is utilized by major financial institutions, national and international carriers, internet service providers (ISPs), retailers, manufacturers, educational institutions, and government entities. 

All four flaws are found in name, a BIND9 service that acts as an authoritative nameserver for a predefined set of DNS zones or as a recursive resolver for local network clients. The following are the bugs that have been rated 7.5 on the CVSS scoring system:
  • CVE-2022-3094 - An UPDATE message flood may cause named to exhaust all available memory
  • CVE-2022-3488 - BIND Supported Preview Edition named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries
  • CVE-2022-3736 - named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries
  • CVE-2022-3924 - named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota
Exploiting the vulnerabilities successfully could cause the named service to crash or exhaust available memory on a target server.

Versions 9.16.0 to 9.16.36, 9.18.0 to 9.18.10, 9.19.0 to 9.19.8, and 9.16.8-S1 to 9.16.36-S1 are affected. CVE-2022-3488 affects BIND Supported Preview Edition 9.11.4-S1 through 9.11.37-S1. They've been fixed in 9.16.37, 9.18.11, 9.19.9, and 9.16.37-S1.

Although there is no evidence that any of these vulnerabilities are actively exploited, users are advised to upgrade to the most recent version as soon as possible in order to reduce potential threats.

Government Issues High-risk Warning for iPhone Users


Apple iPhones are known for their strength and security features. The Cupertino-based tech behemoth releases security updates for its devices on a regular basis. Although Apple recommends that people install the most recent builds of iOS on their iPhones in order to have a more protected and feature-rich operating system, older iPhone models are incapable to deploy the most recent updates due to hardware limitations. 

Some users prefer to run older versions of iOS for simplicity of use, but it's important to note that older iOS versions are easier to exploit. One such flaw has been discovered in Apple's iOS, and the Indian government has issued a warning to iPhone users.

According to the Indian Computer Emergency Response Team (CERT-In) of the Ministry of Electronics and Information Technology, a vulnerability in iOS has been disclosed that could permit an attacker to implement arbitrary code on the targeted device. Apple iOS versions prior to 12.5.7 are vulnerable for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

This vulnerability exists in Apple IOS due to a type of confusion flaw in the WebKit component, according to CERT-In. An attacker could utilize this vulnerability by luring the victim to a maliciously crafted website. An attacker who successfully exploits this vulnerability may be able to execute arbitrary code on the targeted system. 

The security flaw is actively being exploited against iOS versions prior to iOS 15.1. To avoid being duped, install the new iOS 12.5.7 patch, which Apple released earlier this week.

Major Experian Security Vulnerability Exploited, Attackers Access Customer Credit Reports


As per experts, the website of consumer credit reporting giant Experian comprised a major privacy vulnerability that allowed hackers to obtain customer credit reports with just a little identity data and a small change to the address displayed in the URL bar. 

Jenya Kushnir, a cybersecurity researcher, discovered the vulnerability on Telegram after monitoring hackers selling stolen reports and collaborated with KrebsOnSecurity to investigate it further. The concept was straightforward: if you had the victim's name, address, birthday, and Social Security number (all of which could be obtained from a previous incident), you could go to one of the websites offering free credit reports and submit the information to request one.

The website would then redirect you to the Experian website, where you would be asked to provide more personally identifiable information, such as questions about previous addresses of living and such.
And this is where the flaw can be exploited. 

There is no need to answer any of those questions; simply change the address displayed in the URL bar from "/acr/oow/" to "/acr/report," and you will be presented with the report. While testing the concept, Krebs discovered that changing the address first redirects to "/acr/OcwError," but changing it again worked: "Experian's website then displayed my entire credit file," according to the report.

The good news (if it can be called that) is that Experian's reports are riddled with errors. In the case of Krebs, it contained a number of phone numbers, only one of which was previously owned by the author.

Experian has remained silent on the matter, but the issue appears to have been resolved in the meantime. It's unknownfor how long the flaw was active on the site or how many fraudulent reports were generated during that time.

GitHub Introduces Private Flaw Reporting to Secure Software Supply Chain


GitHub, a Microsoft-owned code hosting platform, has announced the launch of a direct channel for security researchers to report vulnerabilities in public repositories that allow it. The new private vulnerability reporting capability allows repository administrators to enable security researchers to report any vulnerabilities found in their code to them. 

Some repositories may include instructions on how to contact the maintainers for vulnerability reporting, but for those that do not, researchers frequently report issues publicly. Whether the researcher reports the vulnerability through social media or by creating a public issue, this method may make vulnerability details insufficiently public. 

To avoid such situations, GitHub has implemented private reporting, which allows researchers to contact repository maintainers who are willing to enroll directly. If the functionality is enabled, the reporting security researchers are given a simple form to fill out with information about the identified problem.

According to GitHub, "anyone with admin access to a public repository can enable and disable private vulnerability reporting for the repository." When a vulnerability is reported, the repository maintainer is notified and can either accept or reject the report or ask additional questions about the issue.

According to GitHub, the benefits of the new capability include the ability to discuss vulnerability details privately, receiving reports directly on the same platform where the issue is discussed and addressed, initiating the advisory report, and a lower risk of being contacted publicly.

Private vulnerability reporting can be enabled from the repository's main page's 'Settings' section, in the 'Security' section of the sidebar, under 'Code security and analysis.' Once the functionality is enabled, security researchers can submit reports by clicking on a new 'Report a vulnerability' button on the repository's 'Advisories' page.

The private vulnerability reporting was announced at the GitHub Universe 2022 global developer event, along with the general availability of CodeQL support for Ruby, a new security risk and coverage view for GitHub Enterprise users, and funding for open-source developers.

The platform will provide a $20,000 incentive to 20 developers who maintain open-source repositories through the new GitHub Accelerator initiative. While, the new $10 million M12 GitHub Fund will support future open-source companies.

Several Flaws Affect the Juniper Junos OS


Multiple high-severity security flaws in Juniper Networks devices have been discovered. The most serious is a CVSS score of 8.1 for a remote pre-authenticated PHP archive file deserialization vulnerability tracked as CVE-2022-22241. The vulnerability was found in Junos OS's J-Web component. An attacker can exploit the flaw by sending a specially crafted POST request, causing deserialization that could result in unauthorized local file access or arbitrary code execution. 

“Multiple vulnerabilities have been found in the J-Web component of Juniper Networks Junos OS. One or more of these issues could lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion.” reads the advisory published by the vendor. 

“Phar files (PHP Archive) files contain metadata in serialized format, which when parsed by a PHP file operation function leads to the metadata getting deserialized. An attacker can abuse this behavior to exploit an object instantiation vulnerability inside the Juniper codebase.” reads the analysis published by Octagon Networks. 

“This vulnerability can be exploited by an unauthenticated remote attacker to get remote phar files deserialized, leading to arbitrary file write, which leads to a remote code execution (RCE) vulnerability.” 

Other vulnerabilities discovered by the experts are:
  • CVE-2022-22242: pre-authenticated reflected XSS on the error page. 
  • CVE-2022-22243: XPATH Injection in jsdm/ajax/wizards/setup/setup.php
  • CVE-2022-22244: XPATH Injection in send_raw() method.
  • CVE-2022-22245: Path traversal during file upload leads to RCE.
  • CVE-2022-22246: PHP file include /jrest.php.  
To address the flaws,  the vendor released patches for Junos OS versions 19.1R3-S9, 19.2R3-S6, 19.3R3-S7, 19.4R3-S9, 20.1R3-S5, 20.2R3-S5, 20.3R3-S5, 20.4R3-S4, 21.1R3-S2, 21.3R3, 21.4R3, 22.1R2, 22.2R1, and more.

Fortinet Alerts: Active Exploitation of Newly Discovered Critical Auth Bypass Bug


Fortinet revealed on Monday that a recently patched critical security vulnerability affecting its firewall and proxy products is being actively exploited in the wild. 
The flaw, identified as CVE-2022-40684 (CVSS score: 9.6), concerns an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorised operations on the administrative interface via specially crafted HTTP(S) requests. 

"Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user='Local_Process_Access,'" the company noted in an advisory.

The list of impacted devices is below -
  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0, and
  • FortiSwitchManager version 7.0.0
Updates have been released by the security company in FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1.

The security firm has released updates for FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1. The announcement comes just days after Fortinet sent "confidential advance customer communications" to its customers, urging them to install patches to prevent potential attacks exploiting the flaw. If updating to the latest version is not an option, users should disable the  HTTP/HTTPS administrative interface, or alternatively limit IP addresses that can access the administrative interface.

GitHub: Repositories Selling Fake Microsoft Exchange Exploits


Researchers have detected threat actors, impersonating security researchers and selling proof-of-concept ProxyNotShell exploits for the recently discovered Microsoft Exchange zero-day vulnerabilities. 

GTSC, a Vietnamese cybercrime firm confirmed last week their customers were being attacked using two new zero-day vulnerabilities in Microsoft Exchange. 

On being notified about the vulnerability, Microsoft confirmed that the bugs were being Exploited in attacks and that it is working on an accelerated timeline in order to release security updates.  

“Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization," Microsoft states in an analysis.  

Microsoft and GTSC disclosed that the threat actors instigated the campaign to abuse Exchange flaws by creating GitHub repositories for exploits. 

Microsoft has since been tracking the flaws as CVE-2022-41040 and CVE-2022-41082, describing the first as a Server-Side Request Forgery (SSRF) bug. While the second allows scammers to conduct remote code execution (RCE) attacks via PowerShell. 

In one such instance, a threat actor impersonated a renowned security researcher Kevin Beaumont (aka GossTheDog) who is known for documenting the recently discovered Exchange flaws and available mitigation.  

The fraudulent repositories did not include anything necessary, but the confirms what is currently known about the detected vulnerability, followed by a pitch on how they are selling one copy of the PoC exploit for the zero days. 

The README file consists of a link to a SatoshiDisk page, where the threat actor attempts to sell the fake exploit for 0.01825265 Bitcoin, worth $364. 

Since the security researchers are keeping the technical details of the exploit private, it seems only a small number of threat actors are behind the exploit. 

In light of this, more such researchers and threat actors are waiting for the initial publication of the vulnerabilities to the public before using them in their own operations, such as protecting a network of hacking into one. 

Evidently, one can deduce that there are more such threat actors looking forward to taking advantage of this situation. Since Microsoft Exchange Server zero-day vulnerability exploits could be traded for hundreds of thousands of dollars, one must be cautious of handing over any ready money or crypto to anyone suspicious, claiming to have an exploit. 

Attackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite


Hackers are actively attempting to exploit an unpatched remote code execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a popular web client and email server. 

The CVE-2022-41352 zero-day security flaw is rated critical (CVSS v3 score: 9.8) and enables an attacker to upload arbitrary files via "Amavis" (email security system). An attacker who successfully exploits the vulnerability can overwrite the Zimbra webroot, insert a shellcode, and gain access to other users' accounts. 

The zero-day vulnerability was discovered at the beginning of September when administrators posted details about attacks on Zimbra forums.

Due to  insecure cpio usage

The vulnerability is caused by Amavis' use of the 'cpio' file archiving utility to extract archives when scanning a file for viruses. An exploitable flaw in the cpio component enables an attacker to create archives that can be extracted anywhere on a Zimbra-accessible filesystem.

When an email is sent to a Zimbra server, the Amavis security system extracts the archive and scans its contents for viruses. If it extracts a specially crafted.cpio,.tar, or.rpm archive, the contents may be extracted to the Zimbra webroot. An attacker could exploit this vulnerability to deploy web shells to the Zimbra root, effectively giving them shell access to the server.

On September 14, Zimbra issued a security advisory advising system administrators to install Pax, a portable archiving utility, and restart their Zimbra servers to replace the vulnerable component, cpio.
Installing Pax solves the problem because Amavis prefers it over cpio by default, so no further configuration is required.

"If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot," warned the September security advisory.

"For most Ubuntu servers the pax package should already be installed as it is a dependency of Zimbra. Due to a packaging change in CentOS, there is a high chance pax is not installed."

Vulnerability is being actively exploited

While the vulnerability has been actively exploited since September, a new Rapid7 report sheds new light on its active exploitation and includes a proof-of-concept exploit that allows attackers to easily create malicious archives.

Worse, Rapid7 tests show that many Linux distributions officially supported by Zimbra still do not install Pax by default, leaving these installations vulnerable to the bug.

Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8 are among these distributions. Pax was included in earlier LTS releases of Ubuntu, 18.04 and 20.04, but it was removed in 22.04. Zimbra plans to mitigate this issue decisively by deprecating cpio and making Pax a prerequisite for Zimbra Collaboration Suite, thus enforcing its use.

Since proof-of-concept (PoC) exploits have been publicly available for some time, the risk of failing to implement the workaround is severe. Zimbra intends to address this issue decisively by deprecating cpio and making Pax a requirement for Zimbra Collaboration Suite, thereby mandating its use. 

"In addition to this cpio 0-day vulnerability, Zimbra also suffers from a 0-day privilege escalation vulnerability, which has a Metasploit module. That means that this 0-day in cpio can lead directly to a remote root compromise of Zimbra Collaboration Suite servers," further warn the researchers.

However, the risks persist for existing installations, so administrators must act quickly to protect their ZCS servers.

Researchers Recently Made the World's Websites Less Vulnerable to Hacking and Cyberattacks


An international team of researchers has created a scanning tool to reduce the vulnerability of websites to hacking and cyberattacks. The black box security assessment prototype, which was tested by engineers in Australia, Pakistan, and the UAE, outperforms existing web scanners, which collectively fail to detect the top ten weaknesses in web applications. 

Dr Yousef Amer, a mechanical and systems engineer at UniSA, is one of the co-authors of a new international paper that describes the tool's development in the wake of increasing global cyberattacks. Cybercrime cost the globe $6 trillion in 2021, representing a 300 percent increase in online criminal activity over the previous two years. 

Remote working, cloud-based platforms, malware, and phishing scams have resulted in massive data breaches, while the implementation of5G and Internet of Things (IoT) devices has made us more connected – and vulnerable – than ever. Dr. Yousef Amer and colleagues from Pakistan, the United Arab Emirates, and Western Sydney University highlight numerous security flaws in website applications that are costing organisations badly.

Because of the pervasive use of eCommerce, iBanking, and eGovernment sites, web applications have become a prime target for cybercriminals looking to steal personal and corporate information and disrupt business operations. Despite an anticipated $170 billion global outlay on internet security in 2022 against a backdrop of escalating and more severe cyberattacks, existing web scanners, according to Dr. Amer, fall far short of evaluating vulnerabilities.

“We have identified that most of the publicly available scanners have weaknesses and are not doing the job they should,” he says.

Almost 72% of businesses have experienced at least one serious security breach on their website, with vulnerabilities tripling since 2017. According to WhiteHat Security, a world leader in web application security, 86% of scanned web pages have on average 56% vulnerabilities. At least one of these is classified as critical. The researchers compared the top ten vulnerabilities to 11 publicly available web application scanners.

“We found that no single scanner is capable of countering all these vulnerabilities, but our prototype tool caters for all these challenges. It’s basically a one-stop guide to ensure 100 per cent website security. There’s a dire need to audit websites and ensure they are secure if we are to curb these breaches and save companies and governments millions of dollars,”Dr Amer stated.

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three recently disclosed security flaws to its list of Known Exploited Vulnerabilities (KEV ) Catalog, including critical vulnerability in Atlassian’s Bitbucket Server and Data Center, and two Microsoft Exchange zero-days.

At the end of August, Atlassian rectified a security flaw, tracked as CVE-2002-36804 (CVSS score 9.9) in Bitbucket Server and Data Center. The flaw is a critical severity and is related to a command injection vulnerability that enables malicious actors access to arbitrary code execution, by exploiting the flaw through malicious HTTP requests.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassain states in an advisory released in late August.

Although CISA did not provide further details on how the security flaw is being exploited or how widespread the exploitation efforts are, researchers at GreyNoise, on September 20 and 23 confirms to have detected evidence of in-the-wild abuse.

The other two KEV flaws, Microsoft Exchange zero-days (tracked as CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks according to Microsoft.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

The Federal Civilian Executive Branch Agencies (FCEB) have applied patches or mitigation measures for these three security vulnerabilities after being added to CISA’s KEV catalog as required by the binding operational directive (BOD 22-01) from November.

Since the directive was issued last year, CISA has added more than 800 security vulnerabilities to its KEV catalog, while requiring federal agencies to direct them on a tighter schedule.

Although BOD 22-01 only applies to U.S. FCEB agencies, CISA has suggested to all the private and public sector organizations worldwide to put forward these security flaws, as applying mitigation measures will assist in containing potential attacks and breach attempts. In the same regard, CISA furthermore stated, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise”

A Matrix Update Patches Serious End-to-End Encryption Flaws

Recently the open source Matrix messenger protocol published security warnings on its platform about two critical-severity vulnerabilities that affect the end-to-end encryption in the software development kit (SDK). 

As per the warning statement, the groups of malicious actors are exploiting these vulnerabilities that could break the confidentiality of Matrix communications. The vulnerabilities also allow the threat actors to run man-in-the-middle attacks that expose message contents in a readable form. 

According to the technical data, the users who were using the matrix-js-sdk, matrix-android-sdk2, and matrix-ios-sdk, like Element, Cinny, SchildiChat, Beeper, Circuli, and have been hit by the bugs. However, the platform clarified that clients using a different encryption implementation such as Hydrogen, Nheko, ElementX, FluffyChat, Timmy, Syphon, Gomuks, Pantalaimon) are safe from the attacks. 

The vulnerabilities were reported to Matrix by the researchers of Brave Software, the University of Sheffield, and the Royal Holloway University in London. The group published the technical details of the research findings. 

List of the critical severity flaws discovered by the team

  • CVE-2022-39255: Same as CVE-2022-39251 but impacting matrix-ios-sdk (iOS clients). 
  • CVE-2022-39251: Protocol-confusion bug in matrix-js-sdk, leading to incorrectly accepting messages from a spoofed sender, possibly impersonating a trusted sender. 

The same flaw makes it possible for malicious home server admins to add backup keys to the target's account. 

  • CVE-2022-39250: Key/Device identifier confusion in SAS verification on matrix-js-sdk, enabling a malicious server administrator to break emoji-based verification when cross-signing is used, authenticating themselves instead of the target user.
  • CVE-2022-39257: Same as CVE-2022-39249 but impacting matrix-ios-sdk (iOS clients).
  • CVE-2022-39248: Same as CVE-2022-39251 but impacting matrix-android-sdk2 (Android clients). 
  • CVE-2022-39249: Semi-trusted impersonation problem in matrix-js-sdk leading to accepting keys forwarded without request, making impersonation of other users in the server possible. Clients mark these messages as suspicious on the recipient's end,  thus dropping the severity of the bug. 
  • CVE-2022-39246: Same as CVE-2022-39249 but impacting matrix-android-sdk2 (Android clients). 
Furthermore, the report detailing listed two problems that are yet to receive an identification number. One of these problems allows malicious actors access to the home server and the second refers to using AES-CTR. 

'Witchetty’ Group Targeted Middle Eastern Gov, Stock Exchange of African Nation


A cyber-espionage group is targeting the governments of several Middle Eastern countries and has previously attacked an African country's stock exchange, stealing massive amounts of data with malware. 

The Symantec Threat Hunter Team named the espionage group "Witchetty" in a report published Thursday, but it has also been known as "LookingFrog." Witchetty attacks are distinguished by the use of two pieces of malware: X4 and a second-stage payload known as LookBack. 

“From what we can see, their end goal is classic espionage, finding computers on the network, stealing data and exfiltrating it out of the organization,” said Dick O’Brien, a member of the Symantec Threat Hunter team.

In recent months, the group has been updating its tools to use steganography, a technique in which hackers hide malicious code within an image. In Witchetty's case, the malware is disguised as a Microsoft Windows logo.

Symantec tracked the group's attacks from February to September, noting that the attackers used ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to obtain access in three incidents.

According to several national cybersecurity agencies, ProxyShell and ProxyLogon are among the most commonly exploited vulnerabilities by threat groups. They stole credentials, moved laterally across the network, and installed malware on other computers from there.

The attackers used the ProxyShell vulnerability to launch an attack on a Middle Eastern government agency on February 27. The hackers moved around the network for several months, exfiltrating data and stealing other information. The hackers' most recent actions occurred on September 1, when they downloaded several remote files.

O'Brien told The Record that they do not have enough information to make an attribution at this time, but that Witchetty was first discovered in April by ESET researchers, who stated it was part of a larger cyber-espionage operation linked to the Chinese state-backed advanced persistent threat (APT) group Cicada or APT10. According to ESET, the group has specifically targeted governments, diplomatic missions, charities, and industrial/manufacturing organisations.

Symantec previously linked the group to a VLC Media Player attack campaign, prompting the Indian government to outright ban the popular programme earlier this year. The group was accused in February of carrying out a months-long attack on Taiwan's financial sector.

APT10, according to the anonymous research group IntrusionTruth, was based in Tianjin, China, and allegedly operated out of the Tianjin State Security Bureau, a regional arm of the Chinese Ministry of State Security. In the summer of 2018, Rapid7 and Recorded Future implicated the group in another attack on Norwegian cloud service provider Visma AG.