Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Flaws. Show all posts
Vulnerability
attacks Flaws Openfire Servers Risk Vulnerabilities and Exploits Vulnerability

Recent Vulnerability Puts 3,000 Openfire Servers at Risk of Attack

More than 3,000 instances of Openfire servers have not undergone patching to address a recent vulnerability, leaving them susceptible to potential attacks exploiting a newly discovered exploit, according to a report by VulnCheck, a firm specializing in vulnerability intelligence.

Openfire, developed by Ignite Realtime, functions as a cross-platform real-time collaboration server written in Java. Operating on the XMPP protocol, it allows web interface administration.

The vulnerability, identified as CVE-2023-32315, is classified as high-severity and pertains to Openfire's administration console. It is characterized as a path traversal flaw within the setup environment, enabling unauthorized attackers to gain entry to restricted sections of the admin console.

The root of the problem stems from Openfire's inadequate protection against specific non-standard URL encoding for UTF-16 characters. The webserver's lack of support for these characters allowed the inclusion of the new encoding without an accompanying update to the protection measures.

All iterations of Openfire, starting from version 3.10.0 launched in April 2015 up to versions 4.7.5 and 4.6.8 issued in May 2023 for vulnerability remediation, are impacted by this flaw.

Exploitations of this vulnerability have been observed over a span of more than two months. Cyber threat actors have been establishing fresh user accounts in the admin console to introduce a new plugin. This plugin houses a remote web shell, affording the attackers the ability to execute arbitrary commands and infiltrate server data.

Publicly available exploits targeting CVE-2023-32315 adhere to a uniform pattern. However, VulnCheck asserts the identification of a novel exploit path that doesn't necessitate the creation of an administrative user account.

VulnCheck has identified a total of over 6,300 accessible Openfire servers on the internet. Of these, around half have either been patched against the vulnerability, run non-vulnerable older versions, or are divergent forks that might remain unaffected.

The firm highlights that approximately 50% of externally facing Openfire servers operate on the impacted versions. Despite their relatively small number, the firm underscores the significance of this issue due to the trusted role these servers hold in connection with chat clients.

The vulnerability's implications allow an attacker lacking authentication to access the plugin administration endpoint. This provides the attacker with the capability to directly upload the plugin and subsequently access the web shell, all without authentication.

VulnCheck clarifies that this strategy avoids triggering login notifications in the security audit log, ensuring a discreet operation. The absence of a security audit log entry is notable, as it eliminates evidence of the breach. 

While signs of malicious activity might be present in the openfire.log file, the attacker can exploit the path traversal to eliminate the log through the web shell. This leaves the plugin as the sole compromise indicator, an aspect of the situation that VulnCheck warns about.

“This vulnerability has already been exploited in the wild, likely even by a well-known botnet. With plenty of vulnerable internet-facing systems, we assume exploitation will continue into the future,” VulnCheck concludes.

Read more »
Vulnerabilities and Exploits
Bugs Flaws Hackers Proof of concept Safety Security Vulnerabilities and Exploits

New Exploit Unleashed for Cisco AnyConnect Bug Granting SYSTEM Privileges

Proof-of-concept (PoC) exploit code has been released for a significant vulnerability found in Cisco Secure Client Software for Windows, previously known as AnyConnect Secure Mobility Client. This flaw allows attackers to elevate their privileges to the SYSTEM level. Cisco Secure Client is a VPN software that enables employees to work remotely while ensuring a secure connection and providing network administrators with telemetry and endpoint management capabilities.

The vulnerability, identified as CVE-2023-20178, enables authenticated threat actors to escalate their privileges to the SYSTEM account without requiring complex attacks or user interaction. Exploiting this flaw involves manipulating a specific function within the Windows installer process.

To address this security issue, Cisco issued security updates on the previous Tuesday. The company's Product Security Incident Response Team (PSIRT) stated that there was no evidence of any malicious activities or public exploit code targeting the vulnerability at that time.

The fix for CVE-2023-20178 was included in the release of AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.

Recently, security researcher Filip Dragović discovered and reported the Arbitrary File Delete vulnerability to Cisco. This week, Dragović published a PoC exploit code, which was tested against Cisco Secure Client (version 5.0.01242) and Cisco AnyConnect (version 4.10.06079).

Dragović explains that when a user establishes a VPN connection, the vpndownloader.exe process starts in the background and creates a directory in the format "<random numbers>.tmp" within the c:\windows\temp directory. By taking advantage of default permissions, an attacker can abuse this behavior to perform arbitrary file deletion using the NT Authority\SYSTEM account.

The attacker can further leverage this Windows installer behavior and the fact that a client update process is executed after each successful VPN connection to spawn a SYSTEM shell, thus escalating their privileges. The technique for privilege escalation is described in detail.

It's worth noting that in October, Cisco urged customers to patch two additional security flaws in AnyConnect, which had public exploit code available and had been fixed three years earlier due to active exploitation. Furthermore, in May 2021, Cisco patched an AnyConnect zero-day vulnerability with public exploit code, following its initial disclosure in November 2020.

Read more »
Vulnerabilities and Exploits
Bugs Flaws Safety Security Twitter Vulnerabilities and Exploits

This Twitter Bug is Making Users Secret Circle Tweets Public

 

Twitter launched Circle in August 2022, allowing you to limit your tweets to a chosen group of users without making your account private. While the function was designed to limit the visibility of your tweets to a group smaller than your number of followers, a recent issue has reportedly exposed your private tweets to many others outside your Circle, even if they do not follow you.

Many users have observed that tweets intended for Twitter Circles are reaching all followers rather than just those in the Circle. Amanda Silberling of TechCrunch, who saw another person's ostensibly private tweet, notes that personal posts display under Twitter's newly launched "For You" area.

Because the feature is intended to allow users to tweet secretly, many people use it to express sensitive thoughts and sentiments, as well as restricted media such as naked photographs, and the flaw poses a significant privacy risk to the account that posts all of those private tweets.

For months, Twitter Circle has been buggy. Certain users have reported that their tweets from the Circle have reached other followers outside of it. Meanwhile, some users claim that the tweets are available to anyone other than followers. Affected users discovered the flawed nature of the service when a few strangers responded with tweets intended for the inner circle.

While it's difficult to pinpoint a specific cause for the glitch, it could be related to recent changes to Twitter's recommendation algorithm, which divided the feed into "For You" and "Following" timelines. As the names suggest, For You also displays tweets from users you don't follow.

Elon Musk's private jet was made public on Twitter in October. Musk compared the incident to "doxing" and responded by suspending the @ElonJet account as well as the accounts of journalists who reported on it. 

However, when it comes to users' privacy — despite using a mechanism that ostensibly guarantees it — Musk does not appear to be concerned. Twitter Circle has allegedly been plagued by bugs for several months. These difficulties have not piqued Twitter's interest, despite the digital titan persistently promoting the platform's paid tier, Twitter Blue.

This could be considered a violation of users' permission and a data breach under EU legislation. Any monetary punishment, however, may be subject to interference by US authorities and legislators.


Read more »
Vulnerabilities and Exploits
attacks Bugs Flaws Hackers Safety Security Vulnerabilities and Exploits

Hackers can Open Smart Garage Doors From Anywhere in the World

 

According to findings from a security researcher, hackers can remotely tap into a specific brand of smart garage door opener controllers and open them all over the world due to a number of security weaknesses that the firm, Nexx, has refused to repair. 

The flaws represent a major risk to Nexx users, who have access to wi-fi-connected garage door opener controllers among other things. As per a copy of an email obtained with Motherboard, the researcher who discovered the vulnerability claims that Nexx has not reacted to their attempts to responsibly report the vulnerabilities for months.

“Completely remote. Anywhere in the world,” Sam Sabetan, the security researcher, told Motherboard, describing the hack.

Nexx describes its goods as "easy-to-use products that work with things you already own." Its garage product links to a person's existing garage door opener and allows them to remotely activate it via a smartphone app. “Life is complicated enough. Remembering whether or not you left your garage door open should be the least of your worries: Get peace of mind,” the company advertises on its website. Nexx has run campaigns on Kickstarter.

Sabtean demonstrated the hack in a video proof-of-concept. It shows his fist unlocking his own garage door with the Nexx app, as promised. He then accesses a tool that allows him to read communications sent by the Nexx device. Sabetan uses the app to close the door and records the data that the device sends to Nexx's server during this activity.

Sabetan not only receives information on his own device but also messages from 558 other gadgets. According to the video, he can now see the device ID, email address, and name associated with each. He then sends an order to the garage via software rather than the app, and his door opens once more. Sabetan only tested this on his own garage door, but he could have used this technique to open other users' garage doors as well.

Sabetan told Motherboard he could open doors “for any customer.” “That’s the craziest bug. But the disabling alarm and turning on [and] off smart plugs is pretty neat too,” he added, referring to another Nexx product that allows users to control power outlets in their home.

The repercussions of someone weaponizing these vulnerabilities are far-reaching, and might pose a serious security risk to Nexx's clients. A hacker might randomly open Nexx doors all across the world, exposing their garage contents and possibly their homes to opportunistic robbers. Pets could flee. Customers may become irritated if they see someone opening and closing their property without knowing why. In more extreme circumstances, a hacker could exploit the flaws as part of a targeted assault against the particular garage that used Nexx’s security system.

Sabetan and Motherboard have made numerous attempts to contact Nexx about the problems. Sabetan claimed that the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) had tried to contact him. The corporation has not responded or fixed the issues. This means that security flaws are still available to hackers who desire to exploit them. As a result, Motherboard will not go to great lengths on them, instead focusing on their influence on customers. On Tuesday, CISA issued its own advisory regarding security issues.

Nexx appears to be purposefully disregarding at least some inquiries attempting to alert them to the vulnerabilities. Sabetan contacted Nexx's support again because Nexx's support email did not react to his vulnerability report, this time stating that he needed assistance with his own Nexx product. According to a copy of the email Sabetan shared with Motherboard, Nexx's support personnel responded at the time.

“Great to know your support is alive and well and that I’ve been ignored for two months,” Sabetan replied. Please respond to ticket [ticket number,” he wrote, referring to his vulnerability report.


Read more »
Windows
Bug Flaws Privacy Bug Vulnerabilities and Exploits Windows

A Privacy Flaw in Windows 11's Snipping Tool Exposes Cropped Image Content

 

A serious privacy vulnerability known as 'acropalypse' has also been discovered in the Windows Snipping Tool, enabling people to partially restore content that was photoshopped out of an image. 

Security researchers David Buchanan and Simon Aarons discovered last week that a bug in Google Pixel's Markup Tool caused the original image data to be retained even when it was edited or cropped out. This flaw poses a significant privacy risk because it may be possible to partially recover the original photo if a user shares a picture, such as a credit card with a redacted number or revealing photos with the face removed.

To demonstrate the bug, the researchers created an online acropalypse screenshot recovery tool that attempted to recover edited images created on Google Pixel.

The Windows 11 Snipping Tool was also affected

Today, Chris Blume, a software engineer, confirmed that the 'acropalypse' privacy flaw also affects the Windows 11 Snipping Tool. Instead of truncating any unused data when opening a file in the Windows 11 Snipping Tool and overwriting an existing file, it leaves the unused data behind, allowing it to be partially recovered.

Will Dormann, a vulnerability expert, also confirmed the Windows 11 Snipping Tool flaw, and BleepingComputer confirmed the issue with Dormann's assistance. To put this to the test, Bleeping Computer opened an existing PNG file in Windows 11 Snipping Tool, cropped it (you can also edit or mark it up), and saved the changes to the original file. 

While the cropped image comprises far less data than the original, the file sizes for the original image (office-screenshot-original.png) and cropped image (office-screenshot.png) are identical. According to the PNG file specification, a PNG image file must always end with a 'IEND' data chunk, with any data added after that being ignored by image editors and viewers.

However, when used the Windows 11 Snipping Tool to overwrite the original image with the cropped version, the programme did not properly truncate the unused data, and it is still present after the IEND data chunk.

When you open the file in an image viewer, you'll only see the cropped image because anything after the first IEND is ignored. This untruncated data, on the other hand, can be used to partially recreate the original image, potentially revealing sensitive portions.

While the researcher's online acropalypse screenshot recovery app does not currently support Windows files, Buchanan did share with BleepingComputer a Python script that can be used to recover Windows files.

BleepingComputer successfully recovered a portion of the image using this script. This was not a complete recovery of the original image, which may leave you wondering why this poses a privacy risk.

Consider taking a screenshot of a sensitive spreadsheet, confidential documents, or even a naked picture and cropping out sensitive information or portions of the image. Even if you are unable to fully recover the original image, someone may be able to recover sensitive information that you do not want made public. It should also be noted that this flaw does not affect all PNG files, such as optimised PNGs.

"Your original PNG was saved with a single zlib block (common for "optimised" PNGs) but actual screenshots are saved with multiple zlib blocks (which my exploit requires)," Buchanan explained to BleepingComputer.

BleepingComputer also discovered that if you open an untruncated PNG file in an image editor, such as Photoshop, and save it to another file, the unused data at the end is stripped away, rendering it unrecoverable.

Finally, the Windows 11 Snipping Tool behaves similarly to the above with JPG files, leaving data untruncated if overwritten. However, Buchanan told BleepingComputer that his exploit does not currently work on JPGs but that it might in the future. Microsoft confirmed to BleepingComputer that they are aware of the reports and are investigating them.

"We are aware of these reports and are investigating. We will take action as needed to help keep customers protected," a Microsoft spokesperson told BleepingComputer.

Read more »
Vulnerabilities and Exploits
Data Flaws Intercm Security spying Vulnerabilities and Exploits

Unpatched Akuvox Smart Intercom Flaws Can Be Exploited for Spying

 

The E11, a popular smart intercom and videophone from Chinese company Akuvox, contains more than a dozen flaws, including a critical bug that allows unauthenticated remote code execution (RCE). Malicious actors could use these to gain access to an organization's network, steal photos or video captured by the device, control the camera and microphone, and even lock and unlock doors. 

The flaws were discovered and highlighted by Claroty's Team82, a security firm that became aware of the device's flaws when they moved into an office where the E11 was already installed. Team82 members' interest in the device grew into a full-fledged investigation as they discovered 13 vulnerabilities, which they classified into three categories based on the attack vector used.

The first two types can occur via RCE within a local area network or through remote activation of the E11's camera and microphone, allowing the attacker to collect and exfiltrate multimedia recordings. The third attack vector focuses on gaining access to an external, insecure file transfer protocol (FTP) server, which allows the actor to download stored images and data.

The Akuvox 311 contains a critical RCE bug

One critical threat — CVE-2023-0354, with a CVSS score of 9.1 — allows the E11 Web server to be accessed without any user authentication, potentially giving an attacker easy access to sensitive information.

"The Akuvox E11 Web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs," according to the Cybersecurity and Infrastructure Security Agency (CISA), which published an advisory about the bugs, including a vulnerability overview.

Another notable vulnerability (CVE-2023-0348, with a CVSS score of 7.5) affects the SmartPlus mobile app, which iOS and Android users can use to interact with the E11. The main problem is that the app uses the open-source Session Initiation Protocol (SIP) to allow communication between two or more participants over IP networks. The SIP server does not validate SmartPlus users' authorization to connect to a specific E11, which means that anyone with the app installed can connect to any E11 connected to the Internet, including those behind a firewall.

"We tested this using the intercom at our lab and another one at the office entrance," according to the Claroty report. "Each intercom is associated with different accounts and different parties. We were, in fact, able to activate the camera and microphone by making a SIP call from the lab's account to the intercom at the door."

Unpatched Akuvox Security Vulnerabilities

Beginning in January 2022, Team82 detailed their efforts to bring the vulnerabilities to the attention of Akuvox, but after several outreach attempts, Claroty's account with the vendor was blocked. Following that, Team82 published a technical blog detailing the zero-day vulnerabilities and enlisted the help of the CERT Coordination Center (CERT/CC) and CISA.

Organizations that use the E11 should disconnect it from the Internet until the vulnerabilities are fixed, or ensure that the camera is not capable of recording sensitive information. According to the Claroty report, "organizations are advised to segment and isolate the Akuvox device from the rest of the enterprise network" within the local area network. 

"Not only should the device reside on its own network segment, but communication to this segment should be limited to a minimal list of endpoints."

A world of increasingly connected devices has provided sophisticated adversaries with a vast attack surface.As per Juniper Research, the number of industrial internet of things (IoT) connections alone — a measure of total IoT device deployment — is expected to more than double to 36.8 billion in 2025, up from 17.7 billion in 2020.

And, despite the fact that the National Institute of Standards and Technology (NIST) has agreed on a standard for encrypting IoT communications, many devices remain vulnerable and unpatched. Akuvox is the latest in a long line of these that have been found to be severely lacking in device security. Last year, for example, a critical RCE vulnerability in Hikvision IP video cameras was disclosed.
Read more »
Vulnerabilities and Exploits
Data Safety Flaws Rasnomware Research Security Vulnerabilities and Exploits

Rapid7 Report: Attackers are Launching Exploits Faster Than Ever Before

 

Rapid7 has released its latest Vulnerability Intelligence Report, which examines 50 of the most significant security vulnerabilities and high-impact cyberattacks in 2022. The report examines attacker use cases and highlights exploitation trends, as well as provides a framework for understanding new security threats as they emerge. 

According to the report, attackers are developing and deploying exploits faster than ever before. The report includes 45 vulnerabilities that were exploited in the wild, 44% of which were caused by zero-day exploits. In contrast, 56% of the vulnerabilities in the report were exploited within seven days of their public disclosure, a 12% increase over 2021 and an 87% increase over 2020. 

Furthermore, the median time for exploitation in 2022 was only one day. As per the Rapid7 report, only 14 of the vulnerabilities have been exploited to carry out ransomware attacks. Despite ongoing ransomware activity, it is a 33% decrease from 2021.

The decline could imply that ransomware operations have become less reliant on security flaws, but it could also be due to other factors, such as lower reporting of ransomware incidents. Other vulnerability and exploit trends covered in this report include ransomware ecosystem complexity, network perimeter privilege escalation, and the long tail of exploitation across older vulnerabilities.

Caitlin Condon, Rapid7 vulnerability research manager and lead author of the Vulnerability Intelligence Report stated, “Rapid7’s team of vulnerability researchers work around the clock to thoroughly investigate and provide critical context into emergent threats. We produce the annual Vulnerability Intelligence Report to help organizations understand attack trends and proactively address the unique and shared threats they face. The ransomware ecosystem and the cybercrime economy have continued to mature and evolve. As a result, we saw many more ransomware families actively compromising organizations in 2022, which naturally creates challenges for threat tracking and reporting."

Security, IT, and other teams tasked with vulnerability management and risk reduction work in high-pressure, high-stakes environments where separating signal from noise is critical. When a new potential threat arises, information security professionals often need to translate vague descriptions and unproven research artefacts into actionable intelligence for their particular risk models.

Condon further concluded, “Rapid7 is known for its ongoing research initiatives that keep its customers and the broader business community safer. The company is on a mission to create a safer digital world by making cybersecurity simpler and more accessible. We empower security professionals to manage a modern attack surface through our best-in-class technology, leading-edge research, and broad, strategic expertise. Rapid7’s comprehensive security solutions help more than 10,000 global customers unite cloud risk management and threat detection to reduce attack surfaces and eliminate threats with speed and precision. The Rapid7 Insight Platform collects data from across your environment, making it easy for teams to manage vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate your operations.”
Read more »
Vulnerabilities and Exploits
Bugs Flaws Safety SMB Protocol Vulnerabilities and Exploits

How SMB Protocol Functions and its Susceptibility to Vulnerabilities

 

The SMB protocol enables computers connected to the same network to share files and hardware such as printers and external hard drives. However, the protocol's popularity has also led to an increase in malicious attacks, as older versions of SMB do not use encryption and can be exploited by hackers to access sensitive data. It is crucial to understand the different types of SMB and how to stay protected from associated risks. 

The Server Message Block (SMB) is a network protocol used for sharing data between devices on a local or wide area network. Originally developed by IBM in the mid-1980s for file sharing in DOS, it has since been adopted by other operating systems including Microsoft's Windows, Linux, and macOS.

The SMB protocol plays a crucial role in the regular activities of various businesses and groups by providing a convenient means of retrieving files and accessing resources from other computers connected to the network.

Consider a scenario where you are part of a team whose members operate from distinct locations. In such situations, the SMB protocol is an excellent tool for swiftly and effortlessly exchanging files. It enables every team member to retrieve identical data and collaborate on assignments. Several individuals can remotely view or modify the same file as if it were stored on their personal computers.

How Does the SMB Protocol Function?

To establish a connection between the client and server, the SMB protocol employs the request and response method. Here are the steps to make it work:

Step 1: Client request: The client (the device making the request) sends an SMB packet to the server. The packet includes the complete path to the requested file or resource.

Step 2: Server response: The server (the device that has access to the requested file or resource) evaluates the request and, if successful, responds with an SMB packet containing additional information on how to access the data.

Step 3: Client Process: The client receives the response and then processes the data or resource as needed.

SMB Protocol Types

The SMB protocol has seen a few upgrades as technology has advanced. There are several types of SMB protocols available today, including:
  • SMB Version 1: This is the original version of the SMB protocol, released by IBM in 1984 for file exchange on DOS. It was later modified by Microsoft for use on Windows.
  • CIFS: The Common Internet File System (CIFS) is a modified version of SMBv1 that was designed to allow for the sharing of larger files. It was first included in Windows 95.
  • SMB Version 2: SMB v2 was released by Microsoft in 2006 with Windows Vista as a more secure and efficient alternative to previous versions. This protocol added features like improved authentication, larger packet sizes, and fewer commands.
  • SMB Version 3: SMB v3 was released by Microsoft with Windows 8. It was created to boost performance while also adding support for end-to-end encryption and improved authentication methods.
  • Version 3.1.1 of SMB: The most recent version of the SMB protocol was released with Windows 10 in 2015, and it is fully compatible with all previous versions. It adds new security features such as AES-128 encryption and enhanced security features to combat malicious attacks.
What Are the SMB Protocol's Risks?

Although the SMB protocol has been a valuable asset to many businesses, it also poses some security risks. This protocol has been used by hackers to gain access to corporate systems and networks. It has evolved into one of the most popular attack vectors used by cyber criminals to breach systems.

Worse, despite the availability of upgraded versions of SMB, many Windows devices continue to use the older, less secure versions 1 or 2. This increases the likelihood that malicious actors will exploit these devices and gain access to sensitive data.

The following are the most common SMB exploits.
  • Brute Force Attacks
  • Man-in-the-Middle Attacks
  • Buffer Overflow Attacks
  • Ransomware Attacks
  • Remote Code Execution
Maintain Your Safety While Employing the SMB Protocol

Despite the risks associated with the SMB protocol, it remains an important component of Windows. As a result, it is critical to ensure that all business systems and networks are protected from malicious attacks.

To stay safe, only use the most recent version of the SMB protocol, keep your security software up to date, and keep an eye on your network for unusual activity. It is also critical to train your staff on cybersecurity best practices and to ensure that all users use strong passwords. By taking these precautions, you can keep your company safe from malicious attacks.

Read more »
Vulnerabilities and Exploits
Data Safety Fake Sites Flaws Vulnerabilities and Exploits

Attackers Use a Poisoned Google Search to Target Chinese-speaking Individuals

A new nefarious campaign has been discovered that promotes malicious websites and fake installers by using tainted Google Search results. FatalRAT is primarily targeting Chinese people in East and Southeast Asia. The IOCs of the threat activities did not correspond to any previously identified threat group. 

According to telemetry data collected by ESET researchers, the campaign began in May 2022 and lasted until January 2023. The most targeted victims were found in China, Hong Kong, and Taiwan, with attacks also occurring in Thailand, Singapore, Indonesia, the Philippines, Japan, Malaysia, and Myanmar. Attackers promoted their rogue websites hosting trojanized installers via Google paid advertisements. These advertisements have now been removed.
 
To host the malicious websites, attackers enrolled several equivalents to legitimate typosquatting domains (such as telegraem[.]org) from (telegram[.]org). These bogus domains host websites that look exactly like the real ones, and they all point to the same IP address. This IP address is associated with a server that hosts multiple fake websites and tainted installers, as well as actual installers and the FatalRAT loader.

Since Chinese language versions of genuine software applications are not available in China, the websites and installers are disguised. Telegram, LINE, WhatsApp, Signal, Skype, Google Chrome, Mozilla Firefox, WPS Office, Electrum, Sogou Pinyin Method, and Youda are among the spoof apps.

The tainted installers were hosted on an Alibaba Cloud Object Storage Service, which isolated them from the server where websites are hosted. Advanced Installer is used to create and digitally sign the installers, which are MSI files.

When run, these installers would drop and execute a genuine installer, a malicious loader, an updater, and, eventually, the FatalRAT payload. When infected, the malware gives the attacker complete control of the victimized device, allowing them to remotely execute commands, harvest data from web browsers, run files, and capture keystrokes.

According to researchers, the tactics used in this attack are not highly sophisticated; however, attackers have made several attempts to make it appear to be one by using paid Google ads, fake domain names, and tainted installers carrying genuine software. When clicking on links promoted as advertisements, users must be mindful and perform multiple mental checks.
Read more »
Vulnerability
Bug Clop Ransomware Cyber Security Flaws Ransomware Vulnerability

Clop Ransomware Flaw Permitted Linux Victims to Restore Files for Months

 

The first Linux version of the Clop ransomware has been discovered in the wild, but with a flawed encryption algorithm that enables the process to be reverse-engineered. 

"The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom," SentinelOne researcher Antonis Terefos said in a report shared with The Hacker News.

The cybersecurity firm, which has created a decryptor available, stated that it discovered the ELF version on December 26, 2022, while also mentioning similarities to the Windows flavor in terms of employing the same encryption method. Around the same time, the detected sample is said to be a component of a larger attack targeting educational institutions in Colombia, including La Salle University. As per FalconFeedsio, the university was added to the criminal group's leak site in early January 2023.

The Clop (stylized as Cl0p) ransomware operation, which has been active since 2019, dealt a major blow in June 2021 when six members of the group were arrested by police as part of an international law enforcement operation codenamed Operation Cyclone.

However, the cybercrime group made a "explosive and unexpected" comeback in early 2022, claiming dozens of victims from the industrial and technology sectors. SentinelOne classified the Linux version as an early-stage version due to the absence of some functions found in the Windows counterpart.

This lack of feature parity is also explained by the malware authors' decision to create a custom Linux payload rather than simply porting over the Windows version, implying that future Clop variants may close the gap.

"A reason for this could be that the threat actor has not needed to dedicate time and resources to improve obfuscation or evasiveness due to the fact that it is currently undetected by all 64 security engines on VirusTotal," Terefos explained.

The Linux version is intended to encrypt specific folders and file types, with the ransomware containing a hard-coded master key that can be used to recover the original files without paying the threat actors. If anything, the development indicates a growing trend of threat actors branching out beyond Windows to target other platforms.

Terefos concluded, "While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward," 
Read more »
Vulnerabilities and Exploits
Bugs data security Flaws Safety Software Vulnerabilities and Exploits

ISC Issues Security Updates to Address New BIND DNS Software Bugs

 

The Internet Systems Consortium (ISC) has issued updates to address multiple security flaws in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite, which could result in a denial-of-service (DoS) condition. 

According to its website, the open-source software is utilized by major financial institutions, national and international carriers, internet service providers (ISPs), retailers, manufacturers, educational institutions, and government entities. 

All four flaws are found in name, a BIND9 service that acts as an authoritative nameserver for a predefined set of DNS zones or as a recursive resolver for local network clients. The following are the bugs that have been rated 7.5 on the CVSS scoring system:
  • CVE-2022-3094 - An UPDATE message flood may cause named to exhaust all available memory
  • CVE-2022-3488 - BIND Supported Preview Edition named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries
  • CVE-2022-3736 - named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries
  • CVE-2022-3924 - named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota
Exploiting the vulnerabilities successfully could cause the named service to crash or exhaust available memory on a target server.

Versions 9.16.0 to 9.16.36, 9.18.0 to 9.18.10, 9.19.0 to 9.19.8, and 9.16.8-S1 to 9.16.36-S1 are affected. CVE-2022-3488 affects BIND Supported Preview Edition 9.11.4-S1 through 9.11.37-S1. They've been fixed in 9.16.37, 9.18.11, 9.19.9, and 9.16.37-S1.

Although there is no evidence that any of these vulnerabilities are actively exploited, users are advised to upgrade to the most recent version as soon as possible in order to reduce potential threats.
Read more »
Vulnerability
Apple data security Flaws Government iPhone Mobile Phones Safety User Vulnerability

Government Issues High-risk Warning for iPhone Users

 

Apple iPhones are known for their strength and security features. The Cupertino-based tech behemoth releases security updates for its devices on a regular basis. Although Apple recommends that people install the most recent builds of iOS on their iPhones in order to have a more protected and feature-rich operating system, older iPhone models are incapable to deploy the most recent updates due to hardware limitations. 

Some users prefer to run older versions of iOS for simplicity of use, but it's important to note that older iOS versions are easier to exploit. One such flaw has been discovered in Apple's iOS, and the Indian government has issued a warning to iPhone users.

According to the Indian Computer Emergency Response Team (CERT-In) of the Ministry of Electronics and Information Technology, a vulnerability in iOS has been disclosed that could permit an attacker to implement arbitrary code on the targeted device. Apple iOS versions prior to 12.5.7 are vulnerable for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

This vulnerability exists in Apple IOS due to a type of confusion flaw in the WebKit component, according to CERT-In. An attacker could utilize this vulnerability by luring the victim to a maliciously crafted website. An attacker who successfully exploits this vulnerability may be able to execute arbitrary code on the targeted system. 

The security flaw is actively being exploited against iOS versions prior to iOS 15.1. To avoid being duped, install the new iOS 12.5.7 patch, which Apple released earlier this week.
Read more »
Vulnerabilities and Exploits
Customer Data data security Flaws Hacker Security Security flaw Vulnerabilities and Exploits

Major Experian Security Vulnerability Exploited, Attackers Access Customer Credit Reports

 

As per experts, the website of consumer credit reporting giant Experian comprised a major privacy vulnerability that allowed hackers to obtain customer credit reports with just a little identity data and a small change to the address displayed in the URL bar. 

Jenya Kushnir, a cybersecurity researcher, discovered the vulnerability on Telegram after monitoring hackers selling stolen reports and collaborated with KrebsOnSecurity to investigate it further. The concept was straightforward: if you had the victim's name, address, birthday, and Social Security number (all of which could be obtained from a previous incident), you could go to one of the websites offering free credit reports and submit the information to request one.

The website would then redirect you to the Experian website, where you would be asked to provide more personally identifiable information, such as questions about previous addresses of living and such.
And this is where the flaw can be exploited. 

There is no need to answer any of those questions; simply change the address displayed in the URL bar from "/acr/oow/" to "/acr/report," and you will be presented with the report. While testing the concept, Krebs discovered that changing the address first redirects to "/acr/OcwError," but changing it again worked: "Experian's website then displayed my entire credit file," according to the report.

The good news (if it can be called that) is that Experian's reports are riddled with errors. In the case of Krebs, it contained a number of phone numbers, only one of which was previously owned by the author.

Experian has remained silent on the matter, but the issue appears to have been resolved in the meantime. It's unknownfor how long the flaw was active on the site or how many fraudulent reports were generated during that time.
Read more »
Vulnerabilities and Exploits
Bugs Code Data data security Flaws GitHub Safety Security Supply Chain Vulnerabilities and Exploits

GitHub Introduces Private Flaw Reporting to Secure Software Supply Chain

 

GitHub, a Microsoft-owned code hosting platform, has announced the launch of a direct channel for security researchers to report vulnerabilities in public repositories that allow it. The new private vulnerability reporting capability allows repository administrators to enable security researchers to report any vulnerabilities found in their code to them. 

Some repositories may include instructions on how to contact the maintainers for vulnerability reporting, but for those that do not, researchers frequently report issues publicly. Whether the researcher reports the vulnerability through social media or by creating a public issue, this method may make vulnerability details insufficiently public. 

To avoid such situations, GitHub has implemented private reporting, which allows researchers to contact repository maintainers who are willing to enroll directly. If the functionality is enabled, the reporting security researchers are given a simple form to fill out with information about the identified problem.

According to GitHub, "anyone with admin access to a public repository can enable and disable private vulnerability reporting for the repository." When a vulnerability is reported, the repository maintainer is notified and can either accept or reject the report or ask additional questions about the issue.

According to GitHub, the benefits of the new capability include the ability to discuss vulnerability details privately, receiving reports directly on the same platform where the issue is discussed and addressed, initiating the advisory report, and a lower risk of being contacted publicly.

Private vulnerability reporting can be enabled from the repository's main page's 'Settings' section, in the 'Security' section of the sidebar, under 'Code security and analysis.' Once the functionality is enabled, security researchers can submit reports by clicking on a new 'Report a vulnerability' button on the repository's 'Advisories' page.

The private vulnerability reporting was announced at the GitHub Universe 2022 global developer event, along with the general availability of CodeQL support for Ruby, a new security risk and coverage view for GitHub Enterprise users, and funding for open-source developers.

The platform will provide a $20,000 incentive to 20 developers who maintain open-source repositories through the new GitHub Accelerator initiative. While, the new $10 million M12 GitHub Fund will support future open-source companies.
Read more »
Vulnerabilities and Exploits
Bugs Flaws Juniper Junos Security Vulnerabilities and Exploits

Several Flaws Affect the Juniper Junos OS

 

Multiple high-severity security flaws in Juniper Networks devices have been discovered. The most serious is a CVSS score of 8.1 for a remote pre-authenticated PHP archive file deserialization vulnerability tracked as CVE-2022-22241. The vulnerability was found in Junos OS's J-Web component. An attacker can exploit the flaw by sending a specially crafted POST request, causing deserialization that could result in unauthorized local file access or arbitrary code execution. 

“Multiple vulnerabilities have been found in the J-Web component of Juniper Networks Junos OS. One or more of these issues could lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion.” reads the advisory published by the vendor. 

“Phar files (PHP Archive) files contain metadata in serialized format, which when parsed by a PHP file operation function leads to the metadata getting deserialized. An attacker can abuse this behavior to exploit an object instantiation vulnerability inside the Juniper codebase.” reads the analysis published by Octagon Networks. 

“This vulnerability can be exploited by an unauthenticated remote attacker to get remote phar files deserialized, leading to arbitrary file write, which leads to a remote code execution (RCE) vulnerability.” 

Other vulnerabilities discovered by the experts are:
  • CVE-2022-22242: pre-authenticated reflected XSS on the error page. 
  • CVE-2022-22243: XPATH Injection in jsdm/ajax/wizards/setup/setup.php
  • CVE-2022-22244: XPATH Injection in send_raw() method.
  • CVE-2022-22245: Path traversal during file upload leads to RCE.
  • CVE-2022-22246: PHP file include /jrest.php.  
To address the flaws,  the vendor released patches for Junos OS versions 19.1R3-S9, 19.2R3-S6, 19.3R3-S7, 19.4R3-S9, 20.1R3-S5, 20.2R3-S5, 20.3R3-S5, 20.4R3-S4, 21.1R3-S2, 21.3R3, 21.4R3, 22.1R2, 22.2R1, and more.
Read more »
Vulnerabilties and Exploits
Bugs Data Flaws Safety Security Vulnerabilties and Exploits

Fortinet Alerts: Active Exploitation of Newly Discovered Critical Auth Bypass Bug

 

Fortinet revealed on Monday that a recently patched critical security vulnerability affecting its firewall and proxy products is being actively exploited in the wild. 
The flaw, identified as CVE-2022-40684 (CVSS score: 9.6), concerns an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorised operations on the administrative interface via specially crafted HTTP(S) requests. 

"Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user='Local_Process_Access,'" the company noted in an advisory.

The list of impacted devices is below -
  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0, and
  • FortiSwitchManager version 7.0.0
Updates have been released by the security company in FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1.

The security firm has released updates for FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1. The announcement comes just days after Fortinet sent "confidential advance customer communications" to its customers, urging them to install patches to prevent potential attacks exploiting the flaw. If updating to the latest version is not an option, users should disable the  HTTP/HTTPS administrative interface, or alternatively limit IP addresses that can access the administrative interface.
Read more »
Vulnerabilities and Exploits
Exploit Flaws GitHub Microsoft Microsoft Exchange Microsoft Exchange Server ProxyShell Vulnerabilities Repository Vulnerabilities and Exploits

GitHub: Repositories Selling Fake Microsoft Exchange Exploits

 

Researchers have detected threat actors, impersonating security researchers and selling proof-of-concept ProxyNotShell exploits for the recently discovered Microsoft Exchange zero-day vulnerabilities. 

GTSC, a Vietnamese cybercrime firm confirmed last week their customers were being attacked using two new zero-day vulnerabilities in Microsoft Exchange. 

On being notified about the vulnerability, Microsoft confirmed that the bugs were being Exploited in attacks and that it is working on an accelerated timeline in order to release security updates.  

“Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization," Microsoft states in an analysis.  

Microsoft and GTSC disclosed that the threat actors instigated the campaign to abuse Exchange flaws by creating GitHub repositories for exploits. 

Microsoft has since been tracking the flaws as CVE-2022-41040 and CVE-2022-41082, describing the first as a Server-Side Request Forgery (SSRF) bug. While the second allows scammers to conduct remote code execution (RCE) attacks via PowerShell. 

In one such instance, a threat actor impersonated a renowned security researcher Kevin Beaumont (aka GossTheDog) who is known for documenting the recently discovered Exchange flaws and available mitigation.  

The fraudulent repositories did not include anything necessary, but the README.md confirms what is currently known about the detected vulnerability, followed by a pitch on how they are selling one copy of the PoC exploit for the zero days. 

The README file consists of a link to a SatoshiDisk page, where the threat actor attempts to sell the fake exploit for 0.01825265 Bitcoin, worth $364. 

Since the security researchers are keeping the technical details of the exploit private, it seems only a small number of threat actors are behind the exploit. 

In light of this, more such researchers and threat actors are waiting for the initial publication of the vulnerabilities to the public before using them in their own operations, such as protecting a network of hacking into one. 

Evidently, one can deduce that there are more such threat actors looking forward to taking advantage of this situation. Since Microsoft Exchange Server zero-day vulnerability exploits could be traded for hundreds of thousands of dollars, one must be cautious of handing over any ready money or crypto to anyone suspicious, claiming to have an exploit. 

Read more »
Vulnerabilities and Exploits
Bugs Data Flaws Linux Safety Security Vulnerabilities and Exploits

Attackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

 

Hackers are actively attempting to exploit an unpatched remote code execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a popular web client and email server. 

The CVE-2022-41352 zero-day security flaw is rated critical (CVSS v3 score: 9.8) and enables an attacker to upload arbitrary files via "Amavis" (email security system). An attacker who successfully exploits the vulnerability can overwrite the Zimbra webroot, insert a shellcode, and gain access to other users' accounts. 

The zero-day vulnerability was discovered at the beginning of September when administrators posted details about attacks on Zimbra forums.

Due to  insecure cpio usage

The vulnerability is caused by Amavis' use of the 'cpio' file archiving utility to extract archives when scanning a file for viruses. An exploitable flaw in the cpio component enables an attacker to create archives that can be extracted anywhere on a Zimbra-accessible filesystem.

When an email is sent to a Zimbra server, the Amavis security system extracts the archive and scans its contents for viruses. If it extracts a specially crafted.cpio,.tar, or.rpm archive, the contents may be extracted to the Zimbra webroot. An attacker could exploit this vulnerability to deploy web shells to the Zimbra root, effectively giving them shell access to the server.

On September 14, Zimbra issued a security advisory advising system administrators to install Pax, a portable archiving utility, and restart their Zimbra servers to replace the vulnerable component, cpio.
Installing Pax solves the problem because Amavis prefers it over cpio by default, so no further configuration is required.

"If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot," warned the September security advisory.

"For most Ubuntu servers the pax package should already be installed as it is a dependency of Zimbra. Due to a packaging change in CentOS, there is a high chance pax is not installed."

Vulnerability is being actively exploited

While the vulnerability has been actively exploited since September, a new Rapid7 report sheds new light on its active exploitation and includes a proof-of-concept exploit that allows attackers to easily create malicious archives.

Worse, Rapid7 tests show that many Linux distributions officially supported by Zimbra still do not install Pax by default, leaving these installations vulnerable to the bug.

Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8 are among these distributions. Pax was included in earlier LTS releases of Ubuntu, 18.04 and 20.04, but it was removed in 22.04. Zimbra plans to mitigate this issue decisively by deprecating cpio and making Pax a prerequisite for Zimbra Collaboration Suite, thus enforcing its use.

Since proof-of-concept (PoC) exploits have been publicly available for some time, the risk of failing to implement the workaround is severe. Zimbra intends to address this issue decisively by deprecating cpio and making Pax a requirement for Zimbra Collaboration Suite, thereby mandating its use. 

"In addition to this cpio 0-day vulnerability, Zimbra also suffers from a 0-day privilege escalation vulnerability, which has a Metasploit module. That means that this 0-day in cpio can lead directly to a remote root compromise of Zimbra Collaboration Suite servers," further warn the researchers.

However, the risks persist for existing installations, so administrators must act quickly to protect their ZCS servers.
Read more »
Websites
attacks Bugs Flaws Hacking Vulnerabilities and Exploits Websites

Researchers Recently Made the World's Websites Less Vulnerable to Hacking and Cyberattacks

 

An international team of researchers has created a scanning tool to reduce the vulnerability of websites to hacking and cyberattacks. The black box security assessment prototype, which was tested by engineers in Australia, Pakistan, and the UAE, outperforms existing web scanners, which collectively fail to detect the top ten weaknesses in web applications. 

Dr Yousef Amer, a mechanical and systems engineer at UniSA, is one of the co-authors of a new international paper that describes the tool's development in the wake of increasing global cyberattacks. Cybercrime cost the globe $6 trillion in 2021, representing a 300 percent increase in online criminal activity over the previous two years. 

Remote working, cloud-based platforms, malware, and phishing scams have resulted in massive data breaches, while the implementation of5G and Internet of Things (IoT) devices has made us more connected – and vulnerable – than ever. Dr. Yousef Amer and colleagues from Pakistan, the United Arab Emirates, and Western Sydney University highlight numerous security flaws in website applications that are costing organisations badly.

Because of the pervasive use of eCommerce, iBanking, and eGovernment sites, web applications have become a prime target for cybercriminals looking to steal personal and corporate information and disrupt business operations. Despite an anticipated $170 billion global outlay on internet security in 2022 against a backdrop of escalating and more severe cyberattacks, existing web scanners, according to Dr. Amer, fall far short of evaluating vulnerabilities.

“We have identified that most of the publicly available scanners have weaknesses and are not doing the job they should,” he says.

Almost 72% of businesses have experienced at least one serious security breach on their website, with vulnerabilities tripling since 2017. According to WhiteHat Security, a world leader in web application security, 86% of scanned web pages have on average 56% vulnerabilities. At least one of these is classified as critical. The researchers compared the top ten vulnerabilities to 11 publicly available web application scanners.

“We found that no single scanner is capable of countering all these vulnerabilities, but our prototype tool caters for all these challenges. It’s basically a one-stop guide to ensure 100 per cent website security. There’s a dire need to audit websites and ensure they are secure if we are to curb these breaches and save companies and governments millions of dollars,”Dr Amer stated.
Read more »
Zero Day
Atlassian CISA Critical Flaw Exploits Flaws Microsoft Exchange Microsoft Exchange Server Vulnerabilities and Exploits Zero Day

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three recently disclosed security flaws to its list of Known Exploited Vulnerabilities (KEV ) Catalog, including critical vulnerability in Atlassian’s Bitbucket Server and Data Center, and two Microsoft Exchange zero-days.

At the end of August, Atlassian rectified a security flaw, tracked as CVE-2002-36804 (CVSS score 9.9) in Bitbucket Server and Data Center. The flaw is a critical severity and is related to a command injection vulnerability that enables malicious actors access to arbitrary code execution, by exploiting the flaw through malicious HTTP requests.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassain states in an advisory released in late August.

Although CISA did not provide further details on how the security flaw is being exploited or how widespread the exploitation efforts are, researchers at GreyNoise, on September 20 and 23 confirms to have detected evidence of in-the-wild abuse.

The other two KEV flaws, Microsoft Exchange zero-days (tracked as CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks according to Microsoft.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

The Federal Civilian Executive Branch Agencies (FCEB) have applied patches or mitigation measures for these three security vulnerabilities after being added to CISA’s KEV catalog as required by the binding operational directive (BOD 22-01) from November.

Since the directive was issued last year, CISA has added more than 800 security vulnerabilities to its KEV catalog, while requiring federal agencies to direct them on a tighter schedule.

Although BOD 22-01 only applies to U.S. FCEB agencies, CISA has suggested to all the private and public sector organizations worldwide to put forward these security flaws, as applying mitigation measures will assist in containing potential attacks and breach attempts. In the same regard, CISA furthermore stated, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise”
Read more »
Subscribe to: Posts (Atom)