Search This Blog

Showing posts with label Flaws. Show all posts

GitHub Introduces Private Flaw Reporting to Secure Software Supply Chain

 

GitHub, a Microsoft-owned code hosting platform, has announced the launch of a direct channel for security researchers to report vulnerabilities in public repositories that allow it. The new private vulnerability reporting capability allows repository administrators to enable security researchers to report any vulnerabilities found in their code to them. 

Some repositories may include instructions on how to contact the maintainers for vulnerability reporting, but for those that do not, researchers frequently report issues publicly. Whether the researcher reports the vulnerability through social media or by creating a public issue, this method may make vulnerability details insufficiently public. 

To avoid such situations, GitHub has implemented private reporting, which allows researchers to contact repository maintainers who are willing to enroll directly. If the functionality is enabled, the reporting security researchers are given a simple form to fill out with information about the identified problem.

According to GitHub, "anyone with admin access to a public repository can enable and disable private vulnerability reporting for the repository." When a vulnerability is reported, the repository maintainer is notified and can either accept or reject the report or ask additional questions about the issue.

According to GitHub, the benefits of the new capability include the ability to discuss vulnerability details privately, receiving reports directly on the same platform where the issue is discussed and addressed, initiating the advisory report, and a lower risk of being contacted publicly.

Private vulnerability reporting can be enabled from the repository's main page's 'Settings' section, in the 'Security' section of the sidebar, under 'Code security and analysis.' Once the functionality is enabled, security researchers can submit reports by clicking on a new 'Report a vulnerability' button on the repository's 'Advisories' page.

The private vulnerability reporting was announced at the GitHub Universe 2022 global developer event, along with the general availability of CodeQL support for Ruby, a new security risk and coverage view for GitHub Enterprise users, and funding for open-source developers.

The platform will provide a $20,000 incentive to 20 developers who maintain open-source repositories through the new GitHub Accelerator initiative. While, the new $10 million M12 GitHub Fund will support future open-source companies.

Several Flaws Affect the Juniper Junos OS

 

Multiple high-severity security flaws in Juniper Networks devices have been discovered. The most serious is a CVSS score of 8.1 for a remote pre-authenticated PHP archive file deserialization vulnerability tracked as CVE-2022-22241. The vulnerability was found in Junos OS's J-Web component. An attacker can exploit the flaw by sending a specially crafted POST request, causing deserialization that could result in unauthorized local file access or arbitrary code execution. 

“Multiple vulnerabilities have been found in the J-Web component of Juniper Networks Junos OS. One or more of these issues could lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion.” reads the advisory published by the vendor. 

“Phar files (PHP Archive) files contain metadata in serialized format, which when parsed by a PHP file operation function leads to the metadata getting deserialized. An attacker can abuse this behavior to exploit an object instantiation vulnerability inside the Juniper codebase.” reads the analysis published by Octagon Networks. 

“This vulnerability can be exploited by an unauthenticated remote attacker to get remote phar files deserialized, leading to arbitrary file write, which leads to a remote code execution (RCE) vulnerability.” 

Other vulnerabilities discovered by the experts are:
  • CVE-2022-22242: pre-authenticated reflected XSS on the error page. 
  • CVE-2022-22243: XPATH Injection in jsdm/ajax/wizards/setup/setup.php
  • CVE-2022-22244: XPATH Injection in send_raw() method.
  • CVE-2022-22245: Path traversal during file upload leads to RCE.
  • CVE-2022-22246: PHP file include /jrest.php.  
To address the flaws,  the vendor released patches for Junos OS versions 19.1R3-S9, 19.2R3-S6, 19.3R3-S7, 19.4R3-S9, 20.1R3-S5, 20.2R3-S5, 20.3R3-S5, 20.4R3-S4, 21.1R3-S2, 21.3R3, 21.4R3, 22.1R2, 22.2R1, and more.

Fortinet Alerts: Active Exploitation of Newly Discovered Critical Auth Bypass Bug

 

Fortinet revealed on Monday that a recently patched critical security vulnerability affecting its firewall and proxy products is being actively exploited in the wild. 
The flaw, identified as CVE-2022-40684 (CVSS score: 9.6), concerns an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorised operations on the administrative interface via specially crafted HTTP(S) requests. 

"Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user='Local_Process_Access,'" the company noted in an advisory.

The list of impacted devices is below -
  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0, and
  • FortiSwitchManager version 7.0.0
Updates have been released by the security company in FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1.

The security firm has released updates for FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1. The announcement comes just days after Fortinet sent "confidential advance customer communications" to its customers, urging them to install patches to prevent potential attacks exploiting the flaw. If updating to the latest version is not an option, users should disable the  HTTP/HTTPS administrative interface, or alternatively limit IP addresses that can access the administrative interface.

GitHub: Repositories Selling Fake Microsoft Exchange Exploits

 

Researchers have detected threat actors, impersonating security researchers and selling proof-of-concept ProxyNotShell exploits for the recently discovered Microsoft Exchange zero-day vulnerabilities. 

GTSC, a Vietnamese cybercrime firm confirmed last week their customers were being attacked using two new zero-day vulnerabilities in Microsoft Exchange. 

On being notified about the vulnerability, Microsoft confirmed that the bugs were being Exploited in attacks and that it is working on an accelerated timeline in order to release security updates.  

“Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization," Microsoft states in an analysis.  

Microsoft and GTSC disclosed that the threat actors instigated the campaign to abuse Exchange flaws by creating GitHub repositories for exploits. 

Microsoft has since been tracking the flaws as CVE-2022-41040 and CVE-2022-41082, describing the first as a Server-Side Request Forgery (SSRF) bug. While the second allows scammers to conduct remote code execution (RCE) attacks via PowerShell. 

In one such instance, a threat actor impersonated a renowned security researcher Kevin Beaumont (aka GossTheDog) who is known for documenting the recently discovered Exchange flaws and available mitigation.  

The fraudulent repositories did not include anything necessary, but the README.md confirms what is currently known about the detected vulnerability, followed by a pitch on how they are selling one copy of the PoC exploit for the zero days. 

The README file consists of a link to a SatoshiDisk page, where the threat actor attempts to sell the fake exploit for 0.01825265 Bitcoin, worth $364. 

Since the security researchers are keeping the technical details of the exploit private, it seems only a small number of threat actors are behind the exploit. 

In light of this, more such researchers and threat actors are waiting for the initial publication of the vulnerabilities to the public before using them in their own operations, such as protecting a network of hacking into one. 

Evidently, one can deduce that there are more such threat actors looking forward to taking advantage of this situation. Since Microsoft Exchange Server zero-day vulnerability exploits could be traded for hundreds of thousands of dollars, one must be cautious of handing over any ready money or crypto to anyone suspicious, claiming to have an exploit. 

Attackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

 

Hackers are actively attempting to exploit an unpatched remote code execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a popular web client and email server. 

The CVE-2022-41352 zero-day security flaw is rated critical (CVSS v3 score: 9.8) and enables an attacker to upload arbitrary files via "Amavis" (email security system). An attacker who successfully exploits the vulnerability can overwrite the Zimbra webroot, insert a shellcode, and gain access to other users' accounts. 

The zero-day vulnerability was discovered at the beginning of September when administrators posted details about attacks on Zimbra forums.

Due to  insecure cpio usage

The vulnerability is caused by Amavis' use of the 'cpio' file archiving utility to extract archives when scanning a file for viruses. An exploitable flaw in the cpio component enables an attacker to create archives that can be extracted anywhere on a Zimbra-accessible filesystem.

When an email is sent to a Zimbra server, the Amavis security system extracts the archive and scans its contents for viruses. If it extracts a specially crafted.cpio,.tar, or.rpm archive, the contents may be extracted to the Zimbra webroot. An attacker could exploit this vulnerability to deploy web shells to the Zimbra root, effectively giving them shell access to the server.

On September 14, Zimbra issued a security advisory advising system administrators to install Pax, a portable archiving utility, and restart their Zimbra servers to replace the vulnerable component, cpio.
Installing Pax solves the problem because Amavis prefers it over cpio by default, so no further configuration is required.

"If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot," warned the September security advisory.

"For most Ubuntu servers the pax package should already be installed as it is a dependency of Zimbra. Due to a packaging change in CentOS, there is a high chance pax is not installed."

Vulnerability is being actively exploited

While the vulnerability has been actively exploited since September, a new Rapid7 report sheds new light on its active exploitation and includes a proof-of-concept exploit that allows attackers to easily create malicious archives.

Worse, Rapid7 tests show that many Linux distributions officially supported by Zimbra still do not install Pax by default, leaving these installations vulnerable to the bug.

Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8 are among these distributions. Pax was included in earlier LTS releases of Ubuntu, 18.04 and 20.04, but it was removed in 22.04. Zimbra plans to mitigate this issue decisively by deprecating cpio and making Pax a prerequisite for Zimbra Collaboration Suite, thus enforcing its use.

Since proof-of-concept (PoC) exploits have been publicly available for some time, the risk of failing to implement the workaround is severe. Zimbra intends to address this issue decisively by deprecating cpio and making Pax a requirement for Zimbra Collaboration Suite, thereby mandating its use. 

"In addition to this cpio 0-day vulnerability, Zimbra also suffers from a 0-day privilege escalation vulnerability, which has a Metasploit module. That means that this 0-day in cpio can lead directly to a remote root compromise of Zimbra Collaboration Suite servers," further warn the researchers.

However, the risks persist for existing installations, so administrators must act quickly to protect their ZCS servers.

Researchers Recently Made the World's Websites Less Vulnerable to Hacking and Cyberattacks

 

An international team of researchers has created a scanning tool to reduce the vulnerability of websites to hacking and cyberattacks. The black box security assessment prototype, which was tested by engineers in Australia, Pakistan, and the UAE, outperforms existing web scanners, which collectively fail to detect the top ten weaknesses in web applications. 

Dr Yousef Amer, a mechanical and systems engineer at UniSA, is one of the co-authors of a new international paper that describes the tool's development in the wake of increasing global cyberattacks. Cybercrime cost the globe $6 trillion in 2021, representing a 300 percent increase in online criminal activity over the previous two years. 

Remote working, cloud-based platforms, malware, and phishing scams have resulted in massive data breaches, while the implementation of5G and Internet of Things (IoT) devices has made us more connected – and vulnerable – than ever. Dr. Yousef Amer and colleagues from Pakistan, the United Arab Emirates, and Western Sydney University highlight numerous security flaws in website applications that are costing organisations badly.

Because of the pervasive use of eCommerce, iBanking, and eGovernment sites, web applications have become a prime target for cybercriminals looking to steal personal and corporate information and disrupt business operations. Despite an anticipated $170 billion global outlay on internet security in 2022 against a backdrop of escalating and more severe cyberattacks, existing web scanners, according to Dr. Amer, fall far short of evaluating vulnerabilities.

“We have identified that most of the publicly available scanners have weaknesses and are not doing the job they should,” he says.

Almost 72% of businesses have experienced at least one serious security breach on their website, with vulnerabilities tripling since 2017. According to WhiteHat Security, a world leader in web application security, 86% of scanned web pages have on average 56% vulnerabilities. At least one of these is classified as critical. The researchers compared the top ten vulnerabilities to 11 publicly available web application scanners.

“We found that no single scanner is capable of countering all these vulnerabilities, but our prototype tool caters for all these challenges. It’s basically a one-stop guide to ensure 100 per cent website security. There’s a dire need to audit websites and ensure they are secure if we are to curb these breaches and save companies and governments millions of dollars,”Dr Amer stated.

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three recently disclosed security flaws to its list of Known Exploited Vulnerabilities (KEV ) Catalog, including critical vulnerability in Atlassian’s Bitbucket Server and Data Center, and two Microsoft Exchange zero-days.

At the end of August, Atlassian rectified a security flaw, tracked as CVE-2002-36804 (CVSS score 9.9) in Bitbucket Server and Data Center. The flaw is a critical severity and is related to a command injection vulnerability that enables malicious actors access to arbitrary code execution, by exploiting the flaw through malicious HTTP requests.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassain states in an advisory released in late August.

Although CISA did not provide further details on how the security flaw is being exploited or how widespread the exploitation efforts are, researchers at GreyNoise, on September 20 and 23 confirms to have detected evidence of in-the-wild abuse.

The other two KEV flaws, Microsoft Exchange zero-days (tracked as CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks according to Microsoft.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

The Federal Civilian Executive Branch Agencies (FCEB) have applied patches or mitigation measures for these three security vulnerabilities after being added to CISA’s KEV catalog as required by the binding operational directive (BOD 22-01) from November.

Since the directive was issued last year, CISA has added more than 800 security vulnerabilities to its KEV catalog, while requiring federal agencies to direct them on a tighter schedule.

Although BOD 22-01 only applies to U.S. FCEB agencies, CISA has suggested to all the private and public sector organizations worldwide to put forward these security flaws, as applying mitigation measures will assist in containing potential attacks and breach attempts. In the same regard, CISA furthermore stated, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise”

A Matrix Update Patches Serious End-to-End Encryption Flaws

Recently the open source Matrix messenger protocol published security warnings on its platform about two critical-severity vulnerabilities that affect the end-to-end encryption in the software development kit (SDK). 

As per the warning statement, the groups of malicious actors are exploiting these vulnerabilities that could break the confidentiality of Matrix communications. The vulnerabilities also allow the threat actors to run man-in-the-middle attacks that expose message contents in a readable form. 

According to the technical data, the users who were using the matrix-js-sdk, matrix-android-sdk2, and matrix-ios-sdk, like Element, Cinny, SchildiChat, Beeper, Circuli, and Synod.im have been hit by the bugs. However, the platform clarified that clients using a different encryption implementation such as Hydrogen, Nheko, ElementX, FluffyChat, Timmy, Syphon, Gomuks, Pantalaimon) are safe from the attacks. 

The vulnerabilities were reported to Matrix by the researchers of Brave Software, the University of Sheffield, and the Royal Holloway University in London. The group published the technical details of the research findings. 

List of the critical severity flaws discovered by the team

 
  • CVE-2022-39255: Same as CVE-2022-39251 but impacting matrix-ios-sdk (iOS clients). 
  • CVE-2022-39251: Protocol-confusion bug in matrix-js-sdk, leading to incorrectly accepting messages from a spoofed sender, possibly impersonating a trusted sender. 

The same flaw makes it possible for malicious home server admins to add backup keys to the target's account. 

  • CVE-2022-39250: Key/Device identifier confusion in SAS verification on matrix-js-sdk, enabling a malicious server administrator to break emoji-based verification when cross-signing is used, authenticating themselves instead of the target user.
  • CVE-2022-39257: Same as CVE-2022-39249 but impacting matrix-ios-sdk (iOS clients).
  • CVE-2022-39248: Same as CVE-2022-39251 but impacting matrix-android-sdk2 (Android clients). 
  • CVE-2022-39249: Semi-trusted impersonation problem in matrix-js-sdk leading to accepting keys forwarded without request, making impersonation of other users in the server possible. Clients mark these messages as suspicious on the recipient's end,  thus dropping the severity of the bug. 
  • CVE-2022-39246: Same as CVE-2022-39249 but impacting matrix-android-sdk2 (Android clients). 
Furthermore, the report detailing listed two problems that are yet to receive an identification number. One of these problems allows malicious actors access to the home server and the second refers to using AES-CTR. 

'Witchetty’ Group Targeted Middle Eastern Gov, Stock Exchange of African Nation

 

A cyber-espionage group is targeting the governments of several Middle Eastern countries and has previously attacked an African country's stock exchange, stealing massive amounts of data with malware. 

The Symantec Threat Hunter Team named the espionage group "Witchetty" in a report published Thursday, but it has also been known as "LookingFrog." Witchetty attacks are distinguished by the use of two pieces of malware: X4 and a second-stage payload known as LookBack. 

“From what we can see, their end goal is classic espionage, finding computers on the network, stealing data and exfiltrating it out of the organization,” said Dick O’Brien, a member of the Symantec Threat Hunter team.

In recent months, the group has been updating its tools to use steganography, a technique in which hackers hide malicious code within an image. In Witchetty's case, the malware is disguised as a Microsoft Windows logo.

Symantec tracked the group's attacks from February to September, noting that the attackers used ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to obtain access in three incidents.

According to several national cybersecurity agencies, ProxyShell and ProxyLogon are among the most commonly exploited vulnerabilities by threat groups. They stole credentials, moved laterally across the network, and installed malware on other computers from there.

The attackers used the ProxyShell vulnerability to launch an attack on a Middle Eastern government agency on February 27. The hackers moved around the network for several months, exfiltrating data and stealing other information. The hackers' most recent actions occurred on September 1, when they downloaded several remote files.

O'Brien told The Record that they do not have enough information to make an attribution at this time, but that Witchetty was first discovered in April by ESET researchers, who stated it was part of a larger cyber-espionage operation linked to the Chinese state-backed advanced persistent threat (APT) group Cicada or APT10. According to ESET, the group has specifically targeted governments, diplomatic missions, charities, and industrial/manufacturing organisations.

Symantec previously linked the group to a VLC Media Player attack campaign, prompting the Indian government to outright ban the popular programme earlier this year. The group was accused in February of carrying out a months-long attack on Taiwan's financial sector.

APT10, according to the anonymous research group IntrusionTruth, was based in Tianjin, China, and allegedly operated out of the Tianjin State Security Bureau, a regional arm of the Chinese Ministry of State Security. In the summer of 2018, Rapid7 and Recorded Future implicated the group in another attack on Norwegian cloud service provider Visma AG.

Watchdog Finds, Over Half of Operating Systems at VA Medical Center in Texas are Outdated

 

According to an IT security assessment released on Tuesday by the Department of Veterans Affairs' Office of Inspector General, more than half of the network switches at the Harlingen VA Health Care Center in Harlingen, Texas, were running outdated operating systems and did not meet the department's baseline configurations. 

The audit was conducted to evaluate whether Harlingen was complying with the Federal Information Security Management Act, or FISMA, information security safeguards. The OIG stated that it chose Harlingen for an assessment because it had not previously been reviewed during the annual FISMA audit. 

Harlingen is part of the Texas Valley Coastal Bend Healthcare System, which receives approximately 300,000 outpatient visits per year. The OIG discovered flaws in three of the four security control areas at Harlingen, including configuration management, contingency planning and access controls. OIG’s inspection team did not document any issues with the center’s security management.

OIG discovered flaws in three of Harlingen's four security control areas, including configuration management, contingency planning, and access controls. The OIG inspection team found no problems with the centre's security management.

The audit found significant flaws in Harlingen's configuration management controls, which were used to identify and track the centre's hardware and software components. These flaws included an inaccurate component inventory list, unaddressed security flaws, and an inability to identify all critical and high-risk vulnerabilities across the centre's network.

Most concerning was OIG’s finding that “almost 53 per cent of the Harlingen centre’s network switches used operating systems that no longer receive maintenance or vulnerability support from the vendor.” And the outdated devices did not meet the baseline configurations for network equipment mandated by the VA Office of Information and Technology Configuration Control Board, which reflect “agreed-on specifications for systems or configuration items within those systems." 

“Network devices and IT systems are an organization’s most critical infrastructure,” OIG said in its assessment. “Upgrading is not just a defensive strategy but a proactive one that protects network stability.”

Despite VA's use of an automated inventory system, the OIG assessment revealed varying tallies of IT components at Harlingen. The VA discovered 1,568 devices at the centre, while the OIG assessment team discovered 1,544 devices on the Harlingen network. However, according to the audit, VA's Enterprise Mission Assurance Support Services system, or eMASS, which "allows for FISMA systems inventory tracking and reporting activities," only identified 942 devices.

“Because VA’s eMASS is used for developing system security and privacy plans, without an accurate inventory of network devices in eMASS, VA has no assurance that these plans implement security controls for all the components within the system,” the audit said. 

OIG's inspection team also compared on-site vulnerability scans from Jan. 10 to Jan. 13, 2022, with those conducted remotely by VA's Office of Information and Technology, and discovered 16 serious vulnerabilities on the Harlingen network that had not been mitigated within VA's established timeframe for addressing vulnerabilities. These included "five critical vulnerabilities on less than 1% of the computers and 11 high-risk vulnerabilities."

The OIG's inspection team also discovered that database managers were not adequately maintaining log data; that computer rooms and communications closets throughout the facility lacked fire detection systems; and that the computer room housing the center's police servers lacked a visitor access log. Furthermore, the OIG discovered that Harlingen's contingency plan "did not fully address reconstituting all systems to restore IT operations to a fully operational state following a disaster."

The OIG made four recommendations to the VA's assistant secretary for information and technology and chief information officer "due to enterprise-wide IT security issues similar to those identified during previous FISMA audits and IT security reviews." The OIG also made another recommendation to Harlingen's director to “validate that appropriate physical and environmental security measures are implemented and functioning as intended.” VA concurred with all five recommendations. 

VA has long struggled to meet FISMA requirements, with the Government Accountability Office stating in a November 2019 report that VA was one of the federal agencies with inadequate information security protections, including when it came to implementing effective security controls and mitigating vulnerabilities.

On Sept. 22, the OIG released a separate IT security assessment of the Alexandria VA Medical Center in Pineville, Louisiana, documenting deficiencies in three of the facility's four security control areas and discovering "critical and high-risk vulnerabilities on 37% of the devices."

The FISMA audit of VA's agencywide compliance for fiscal year 2021, released in April, found that the department as a whole "continues to face significant challenges in complying with FISMA due to the nature and maturity of its information security program.” OIG noted in Tuesday’s assessment of Harlingen that the FY2021 FISMA audit made 26 recommendations to VA, and that “all 26 recommendations were repeated from the prior year.”

BIND Updates Patch High-Severity Flaws

The Internet Systems Consortium (ISC) announced this week the availability of patches for six remotely exploitable vulnerabilities in the widely used BIND DNS software. 

Four of the fixed security vulnerabilities have a severity rating of 'high.' All four have the potential to cause a denial-of-service (DoS) condition. The first of these is CVE-2022-2906, which affects "key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions," according to ISC's advisory. 

A remote attacker could use the flaw to gradually deplete available memory, resulting in a crash. Because the attacker could exploit the vulnerability again after restarting, "there is the potential for service denial," according to ISC.

The second flaw, tracked as CVE-2022-3080, may cause the BIND 9 resolver to crash under certain conditions when crafted queries are sent to the resolver. According to ISC, CVE-2022-38177 is a memory leak issue in the DNSSEC verification code for the ECDSA algorithm that can be triggered by a signature length mismatch.

“By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources,” ISC explains.

CVE-2022-38178, a memory leak affecting the DNSSEC verification code for the EdDSA algorithm that can be triggered by malformed ECDSA signatures, is the fourth high-severity bug addressed in BIND 9. BIND 9.18 (stable branch), BIND 9.19 (development version), and BIND 9.16 all received updates (Extended Support Version). As per ISC, no public exploits targeting these vulnerabilities are known.

The US Cybersecurity and Infrastructure Security Agency (CISA) urged users and administrators on Thursday to review ISC's advisories for these four security holes and apply the available patches as soon as possible.

Unpatched 15-year Old Python Flaw Allows Code Execution in 350k Projects

 

As many as 350,000 open-source projects are potentially vulnerable to exploitation due to a 15-year-old security vulnerability in a Python module. The open-source repositories cover a wide range of industries, including software development, artificial intelligence/machine learning, web development, media, security, and information technology management. 

The flaw, designated CVE-2007-4559 (CVSS score: 6.8), is deeply embedded in the tarfile module, and successful exploitation could result in code execution from an arbitrary file write. 

"The vulnerability is a path traversal attack in the extract and extract all functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a TAR archive," Trellix security researcher Kasimir Schulz said in a writeup.

The bug, first reported in August 2007, relates to how a specially crafted tar archive can be used to overwrite arbitrary files on a target machine simply by opening the file.

Simply put, a threat actor can exploit the flaw by uploading a malicious tarfile in a way that allows the adversary to escape the directory that a file is intended to be extracted to and achieve code execution, potentially allowing the adversary to seize control of a target device.

"Never extract archives from untrusted sources without prior inspection," the Python documentation for tarfile reads. "It is possible that files are created outside of path, e.g. members that have absolute filenames starting with '/' or filenames with two dots '..'."

The flaw is similar to a recently disclosed security flaw in RARlab's UnRAR utility (CVE-2022-30333), which could result in remote code execution. Trellix has also released a custom utility called Creosote to scan for projects vulnerable to CVE-2007-4559, revealing the vulnerability in both the Spyder Python IDE and Polemarch.

"Left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," Douglas McKee noted.

A 15-Year-Old Bug Affected Over 350,000 Open-Source Projects

 

Trellix, an advanced research centre rediscovered a 15-year-old vulnerability in Python programming language that is still being exploited and has affected over 350,000 projects. 

The threat researchers at Trellix considered claimed to have found a zero-day vulnerability, it is a 15-year-old security flaw in the Python module, that has remained unpatched, and is now exposing around 350,000 open as well as closed source projects to the risk of supply chain cyberattacks. 

The Trellix estimate indicates that many of the affected repositories are used by machine learning tools that help developers to complete the project as soon as possible. 

In of one of the articles, Kasimir Schulz mentioned that the vulnerability was a form of routed traversal attack in the “extract and extractall functions of the tarfile module,” which is contained within the TAR file module itself. These open-source projects cover a wide range of areas including web development, media, IT management, software development, artificial intelligence, machine learning, and security. 

The vulnerability, tracked as “CVE-2007-4559”, permits the threat actor linked with a user, to execute the code and overlap the arbitrary files by using filenames with dedicated sequenced filenames in the TAR archive. This allows the attacker to acquire control of the targeted device. 

It is similar to the vulnerability named, CVE-2022-30333, which was recently found in RARIab’s UnRAR, which also allows the attacker to execute the code remotely. 

The CVE-2007-4559 was first discovered in 2007 when it was declared as a vulnerability of low importance by Red Hat, one of the world’s leading solution providers of enterprise open-source software. 

The bug can be leveraged on Linux as well. It includes the specially crafted TAR archive used to overwrite or overlap the existing arbitrary files on the targeted device by just opening the file. It is through this simple overlap that the attacker is able to inject the malicious tarfile in a way that allows him to execute the code by intending that the file be extracted after crossing the directory boundary. 

Reportedly, the patches have been introduced by Trellix for the aforesaid vulnerability. Initially, they are made available for about 11000 projects, but within the next week, they will be available for about 7000 projects.

New vulnerabilities in Dataprobe are Invading The Devices Remotely

 

Researchers from Team82 uncovered critical flaws in Dataprobe’s iBoot power distribution unit. As a result of the flaws, the threat actors were able to control and cut off the electric power to the systems or other connected devices, potentially impacting the targeted firms.
 
Team82 is the research division of Claroty, an industrial cybersecurity firm, that found seven vulnerabilities. One of these vulnerabilities is responsible for granting access to malicious actors invading systems to execute some malicious source codes.
 
The iboot power distribution unit is a cloud service that allows its users real-time control of the outlets from any location through web interfaces, Telnet, and SNMP.
 
According to Census Report 2021, over 2000 power distributing units were connected to the internet, with Dataprobe devices accounting for 31% of the total.
 
The iBoot power distribution unit was mentioned in the report by Team82, which can be managed remotely through web interfaces if the device is not connected directly to the internet, or through a cloud-based infrastructure that allows access to the device's management page if the device is not directly connected to the internet.
 
Cyber attackers exploited this feature and gained access to platforms such as web connections and the cloud to remotely exploit vulnerabilities. Such exploitation of the vulnerabilities also permitted the attackers to bypass Network Address Translation (NAT) and firewalls and invade businesses through smart connectivity channels.
 
The CISA, U.S.-based cybersecurity and infrastructure security agency, circulated an advisory to the organization, which included information about these seven vulnerabilities, such as the deployment of these critical flaws all across the world, including in the manufacturing sector. 
 
The CVE identifier assigned to the seven vulnerabilities is CVE-2022-3183 through CVE-2022-3189. The issue involves OS command injection, path traversal, sensitive information exposure, improper access control, incorrect authorization, and server-side request forgery (SSRF).
 
A new firmware version of the issue has been released by the vendors, 1.42.06162022, to describe the problem. There was a recommendation from Dataprobe for all users to update the firmware to the latest version and also to disable the Simple Network Management Protocol (SNMP), which is used to monitor the network.

TeamTNT is Back & Targets Servers to Run Bitcoin Encryption Solvers

 

AquaSec threat analysts have detected TeamTNT activity on their honeypots since early September, leading them to believe the infamously hacking group is back in business. 

TeamTNT announced its retirement in November 2021, and most associated observations since then have involved remnants of previous infections, such as automated scripts, but no new payloads. The recent attacks, however, bear various signatures associated with TeamTNT and rely on tools previously deployed by the gang, indicating that the threat actor is likely making a comeback.  The researchers observed three attack types utilized in the reportedly new TeamTNT attacks, the most intriguing being the use of hijacked servers' computational power to run Bitcoin encryption solvers.

The attack, dubbed "the Kangaroo attack" because it employs Pollard's Kangaroo WIF solver, scans for vulnerable Docker Daemons, deploys an AlpineOS image, drops a script ("k.sh"), and eventually retrieves the solver from GitHub. Pollard's Kangaroo interval ECDLP (Elliptic Curve Discrete Logarithm Problem) solver algorithm attempts to decipher the SECP256K1 encryption used in Bitcoin's public-key cryptography.

“It [the algorithm] is designed to run in a distributed fashion since the algorithm breaks the key into chunks and distributes them to various nodes (attacked servers), collecting the results which are then written locally to a text file,” explains AquaSec.

While quantum computing is expected to break existing Bitcoin encryption at some point in the future, it is thought to be impossible to achieve with current machines, TeamTNT appears willing to test the theory anyway, using other people's resources.

Perhaps the threat actors are simply experimenting with new attack pathways, payload deployment, and evasion while performing intensive operations on captured systems, with the Kangaroo attack ticking all of the boxes.

Other Attacks

Other attacks detected by AquaSec are similar to previous TeamTNT operations but have some new characteristics.

The "Cronb Attack" employs well-documented rootkits, cron jobs for persistence, cryptominers for profit, and lateral movement tools. The appearance of new C2 infrastructure addresses and more elaborate data exchange is the novel element.

The "What Will Be" attack targets Docker Daemons with shell-file dropping Alpine images once more, taking advantage of a vulnerability to escape from the container to the host. The attackers then download and execute additional scripts, rootkits, and a cryptominer, as well as add cronjobs and perform network SSH scans.

These scripts introduce a new trick in this attack, allowing threat actors to optimise crypto mining performance by modifying CPU model-specific registers. Whether it is TeamTNT or someone else carrying out these attacks, organisations should strengthen their cloud security, strengthen Docker configuration, and implement all available security updates before it is too late.

CISA Expands Flaws Catalog With Old, Exploited Vulnerabilities

 

On September 15, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) added six critical vulnerabilities to its Known Exploited Vulnerabilities Catalog. 

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise,” the Agency wrote.

Three of the six issues involve the Linux kernel, one the Code Aurora ACDB audio driver (found in third-party products such as Qualcomm and Android), and one a remote code execution risk in Microsoft Windows. While CISA's Vulnerability Catalog is regularly updated, the newly added flaws are noticeable because some of them are quite old. 

“What is concerning me is that four of the CVEs posted [yesterday] are from 2013, and one is from 2010,” Paul Baird, chief technical security officer UK at Qualys, told Infosecurity Magazine.

Only one of the newly exploited vulnerabilities is a 2022 CVE. According to the executive, this demonstrates that many businesses struggle to fully understand their information technology (IT) infrastructure, keep those IT assets up to date, or adequately mitigate issues so that there is no risk of exploitation.

“Patching known vulnerabilities is one of the best ways to prevent attacks, but many companies are finding it hard to keep up,” Baird added. “Similarly, end-of-life systems should be replaced or migrated if they are still needed for businesses.”

The six known vulnerabilities were added to CISA's catalogue just days after the Agency added two zero-day attacks affecting Microsoft Windows Common Log File System Driver and Apple iOS / iPadOS / macOS Monterey and Big Sur, respectively.

In addition, CISA has recently published new guidelines to assist developers in improving the security of the software supply chain. CISA, the National Security Agency (NSA), and the Office of the Director of National Intelligence collaborated on the document (ODNI).

Lazarus Hackers are Using Log4j to Hack US Energy Companies

 

A new cyber espionage campaign targeting US, Canadian, and Japanese energy providers has been linked to the North Korean state-sponsored Lazarus hacking group, according to security researchers.

Cisco Talos, a threat intelligence company, announced Thursday that Lazarus, also known as APT38, was observed targeting unidentified energy providers in the United States, Canada, and Japan between February and July of this year. 

According to Cisco's findings, the hackers exploited a year-old Log4j vulnerability known as Log4Shell to compromise internet-exposed VMware Horizon servers in order to gain an initial foothold on a victim's enterprise network before deploying bespoke malware known as "VSingle" and "YamaBot" to gain long-term persistent access. 

Japan's national cyber emergency response team, known as CERT, recently linked YamaBot to the Lazarus APT. Symantec first disclosed information of this espionage campaign in April of this year, attributing the operation to "Stonefly," another North Korean hacking group with some overlaps with Lazarus.

However, Cisco Talos discovered a previously unknown remote access trojan (RAT) called "MagicRAT," which is attributed to the Lazarus Group and is used by hackers for reconnaissance and credential theft.

Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura, “The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

However, in recent months, the group has shifted its focus to blockchain and cryptocurrency organisations. It has been associated with the recent thefts of $100 million in cryptocurrency from Harmony's Horizon Bridge and $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain created for the popular play-to-earn game Axie Infinity.

Pyongyang has long used stolen cryptocurrency and information theft to finance its nuclear weapons programme. In July, the United States offered a $10 million reward for data on members of state-sponsored North Korean threat groups, including Lazarus, more than doubling the amount previously offered. The State Department made the announcement in April.

The Lazarus Group is a North Korean-backed hacking organisation best known for the high-profile Sony hack in 2016 and the WannaCry ransomware attack in 2017. Lazarus is also motivated by efforts to support North Korea's state objectives, such as military R&D and evasion of international sanctions.

New Zero-day Flaw in BackupBuddy Plugin Leaves WordPress Users at Risk

 

Wordfence, a WordPress security company, has disclosed that a zero-day vulnerability in the BackupBuddy plugin is being actively exploited. 

"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it stated.

Users can back up their entire WordPress installation from the dashboard, including theme files, pages, posts, widgets, users, and media files, among other things. The flaw (CVE-2022-31474, CVSS score: 7.5) affects versions 8.5.8.0 to 8.7.4.1 of the plugin, which has an estimated 140,000 active installations. It was fixed in version 8.7.5, which was released on September 2, 2022. 

The problem stems from the "Local Directory Copy" function, which is intended to keep a local copy of the backups. The vulnerability, according to Wordfence, is the consequence of an insecure implementation that allows an unauthenticated threat actor to download any arbitrary file on the server. Additional information about the vulnerability has been withheld due to active in-the-wild abuse and the ease with which it can be exploited.

The plugin's developer, iThemes, said, "This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd."

Wordfence reported that the targeting of CVE-2022-31474 began on August 26, 2022, and that it has blocked nearly five million attacks since then. The majority of the intrusions attempted to read the files listed below -
  • /etc/passwd
  • /wp-config.php
  • .my.cnf
  • .accesshash
Users of the BackupBuddy plugin are encouraged to update to the most recent version. They should determine that they may have been compromised, it's recommended to reset the database password, change WordPress Salts, and rotate API keys stored in wp-config.php.

Hackers Repeatedly Targeting Financial Services in French-Speaking African Countries

 

Over the last two years, a persistent cyber-attack campaign targeting major financial institutions in French-speaking African countries has surfaced. Check Point Research (CPR) discovered the campaign and termed it 'DangerousSavanna.' To start infection chains, it used spear phishing techniques. 

The threat actors allegedly sent malicious attachment emails in French to employees in Ivory Coast, Morocco, Cameroon, Senegal, and Togo, using a variety of file types to entice victims, including PDF, Word, ZIP, and ISO files. DangerousSavanna hackers also used lookalike domains to impersonate other African financial institutions such as Tunisian Foreign Bank and Nedbank.

Sergey Shykevich, threat intelligence group manager at CPR explained, "Our suspicion is that this is a financially motivated cybercriminal, but we don't have conclusive evidence yet. Whoever it is, this threat actor, or group of actors, is highly targeted and persistent in infecting specific victims, and right now, we are aware of at least three major financial corporations that operate in these countries that have been affected."

Furthermore, the cybersecurity expert stated that Check Point's assessment indicates that this actor will continue to try to break into its targeted companies until vulnerabilities are discovered or employees make a mistake.

"Usually, when a hacker targets financial institutions directly, their main goal is to secure access to core banking systems such as payment card issuing systems, SWIFT transfers and ATM control systems," Shykevich added.

In general, the Check Point executive stated that cyber-criminals believe that the fragile economies of some African countries are linked to a lack of cybersecurity investment.

"But the finance and banking sector is actually one of the most impacted industries worldwide, experiencing 1144 weekly cyber–attacks on average," Shykevich explained.

CPR provided companies with advice on preventing spear phishing attacks in an advisory detailing some of DangerousSavanna's recent attacks. These methods include keeping systems up to date, implementing multi-factor authentication (MFA), confirming suspicious email activity before interacting, educating employees, and testing their cybersecurity knowledge on a regular basis.

The DangerousSavanna warning comes just weeks after cybersecurity firm Vade revealed that banks around the world received the majority of phishing attacks in the first half of 2022.

Mirai Variant MooBot Botnet Exploiting D-Link Router Flaws

 

MooBot, a Mirai botnet variant, is transforming vulnerable D-Link devices into an army of denial-of-service bots by exploiting multiple vulnerabilities. 

Palo Alto Networks Unit 42 said in a Tuesday report, "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks."
 
MooBot, which was first revealed in September 2019 by Qihoo 360's Netlab team, has previously aimed at LILIN digital video recorders and Hikvision video surveillance products to broaden its network. As many as four different flaws in D-Link devices, both old and new, have paved the way for the deployment of MooBot samples in the most recent wave of attacks discovered by Unit 42 in early August 2022. These are some examples:
  • CVE-2015-2051 (CVSS score: 10.0) - D-Link HNAP SOAPAction Header Command Execution Vulnerability
  • CVE-2018-6530 (CVSS score: 9.8) - D-Link SOAP Interface Remote Code Execution Vulnerability
  • CVE-2022-26258 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability, and
  • CVE-2022-28958 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability
Exploiting the aforementioned flaws successfully could result in remote code execution and the retrieval of a MooBot payload from a remote host, which then decodes instructions from a command-and-control (C2) server to launch a DDoS attack on a specific IP address and port number.

Customers with D-Link appliances are strongly advised to implement the company's patches and upgrades to mitigate potential threats.

The researchers stated, "The vulnerabilities [...] have low attack complexity but critical security impact that can lead to remote code execution.n Once the attacker gains control in this manner, they could take advantage by including the newly compromised devices into their botnet to conduct further attacks such as DDoS."