Novel GootLoader Malware Strain Bypasses Detection and Spreads Quickly

 

GootBot, a new variant of the GootLoader malware, has been found to enable lateral movement on compromised systems while avoiding detection.

Golo Mühr and Ole Villadsen of IBM X-Force said that the GootLoader group introduced their own custom bot into the final stages of their attack chain in an effort to evade detection when employing commercial C2 tools like CobaltStrike or RDP.

"This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads," the researchers explained. 

As its name suggests, GootLoader is a malware that can lure in potential victims by employing search engine optimisation (SEO) poisoning techniques, and once inside, it can download more sophisticated malware. It is linked to a threat actor known as UNC2565, also tracked as Hive0127. 

The use of GootBot suggests a change in strategy from post-exploitation frameworks like CobaltStrike, with the implant being downloaded as a payload following a Gootloader infection.

GootBot, which is described as an obfuscated PowerShell script, is designed to connect to a compromised WordPress website for command and control and to receive commands. Every deposited GootBot sample uses a different hard-coded C2 server, which complicates matters even more and makes it challenging to block malicious traffic. 

"Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," the researchers added.

An obfuscated JavaScript file included in the archive file is executed by a scheduled task to retrieve another JavaScript file for persistence. 

In the second stage, the JavaScript is engineered to execute a PowerShell script that collects system information and exfiltrates it to a remote server. The server then responds with another PowerShell script that runs indefinitely and gives the threat actor the ability to distribute different payloads. 

Among them is GootBot, which sends out beacons to its C2 server once every 60 seconds to retrieve PowerShell tasks to be executed and sends back HTTP POST requests to the server with the results of the execution. GootBot's other skills include reconnaissance and lateral movement, which let it effectively increase the attack's range.

Prototype Pollution-like Bug Variant Found in Python


Prototype Pollution

Prototype pollution is a severe vulnerability class associated with prototype-based languages, the most popular among them being JavaScript. 

However, a researcher has discovered Python-specific variants of prototype pollution, and other class-based programming languages may also be exposed to similar threats. 

With prototype pollution, a threat actor may access and control the default values of an object’s properties. In addition to allowing the attacker to alter the application's logic, this can also result in denial-of-service attacks or, in severe cases, remote code execution. 

From Prototype Pollution to Class Pollution 

In JavaScript, each object inherits the ‘prototype’ of the parent object, which includes all the functions and characteristics of that object. JavaScript objects can access the functionality of their parents by traversing their prototypes. 

The prototype can also be modified at runtime, which makes JavaScript dynamic and flexible but also dangerous. Prototype pollution attacks exploit this characteristic to modify the behavior of JavaScript applications and to conduct malicious activities. It is claimed that class-based languages like Python are resistant to such manipulations. 

However, security researcher Abdulraheem Khaled has come across a coding scheme that can enable threat actors to conduct prototype pollution-like attacks on Python programs. He has labeled it as ‘class pollution’ in a blog post documenting his findings. 

Regarding the findings, he told The Daily Swig that he discovered the attack while attempting to translate the concepts of JavaScript prototype pollution to Python. 

Manipulating Python Classes 

In order to exploit Python objects, the attacker is required to have an entry point that utilizes the user input to set the attributes of an object. If the user input succeeds in determining both the attribute name and value, the attacker can then exploit it to alter the program’s behavior. 

“The key factor to look for is whether the application uses unsanitized user-controllable input to set attributes of an object (controlling the attribute name to be set and its value) or not,” Khaled told The Daily Swig. 

Attackers may be able to access parent classes, global variables, and more if the target function recursively traverses the object's attributes. Khaled deems such a merge "unsafe". 

An attacker could, for instance, alter command strings that the system executes, manipulate the value of important variables, or start denial of service (DoS) attacks by rendering crucial classes dysfunctional.
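The unsafe recursive merge described above, next to a hardened version, as an added example that is not taken from Khaled's post or from any library. The Employee class, the payload and both function names are constructed for illustration.

```python
class Employee:
    role = "user"  # class-level default shared by every instance

    def __init__(self, name):
        self.name = name


def unsafe_merge(src, dst):
    """Recursive merge with no key filtering (the pattern the article calls unsafe)."""
    for key, value in src.items():
        if isinstance(value, dict):
            child = dst.get(key) if isinstance(dst, dict) else getattr(dst, key, None)
            if child is not None:
                unsafe_merge(value, child)  # descends into whatever the key names
                continue
        if isinstance(dst, dict):
            dst[key] = value
        else:
            setattr(dst, key, value)


class PollutionError(ValueError):
    """Raised when input names an attribute the caller did not allow."""


def safe_merge(src, dst, allowed):
    """Hardened form: flat allow-list, no underscore names, scalar values only."""
    for key, value in src.items():
        if not isinstance(key, str) or key.startswith("_") or key not in allowed:
            raise PollutionError(f"attribute {key!r} is not settable")
        if not isinstance(value, (str, int, float, bool, type(None))):
            raise PollutionError(f"non-scalar value for {key!r} rejected")
    for key, value in src.items():  # apply only after the whole input validated
        setattr(dst, key, value)


def demo():
    # Constructed input: "__class__" walks from the instance up to its class.
    payload = {"name": "mallory", "__class__": {"role": "admin"}}
    victim, bystander = Employee("alice"), Employee("bob")
    unsafe_merge(payload, victim)
    polluted_role = bystander.role  # "bob" was never merged into
    Employee.role = "user"  # restore the class default before the safe run
    target = Employee("carol")
    try:
        safe_merge(payload, target, allowed={"name"})
        blocked = False
    except PollutionError:
        blocked = True
    return polluted_role, blocked, Employee.role, target.name


if __name__ == "__main__":
    print(demo())
```

The hardened merge validates the whole input before setting anything, so a rejected payload leaves the target object unchanged.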

All Python Applications are Vulnerable 

According to the security researcher, all types of Python applications are vulnerable to these exploits as long as they continue accepting contaminated user input and implement a form of object attribute assignment that is ‘unsafe’. 

In his investigation, he came across various instances where popular Python libraries had an unsafe merge function, which then exposed them to class pollution attacks.

The simplest impact of class pollution would be DoS. However, these attacks may have much greater and more severe impacts on Python web apps. 

“Prototype pollution is definitely one of the topics that deserve more attention from the community, and we started to see more focus on it recently […] Class pollution might be a new vulnerability that has just come to light, [but] I expect to see it in other programming languages soon,” Khaled concluded.  

JsonWebToken Library Security Flaw: Used in 20,000+ Projects

Researchers from Palo Alto Networks Unit 42 found a new high-severity vulnerability, CVE-2022-23529, in the widely used open-source JavaScript library JsonWebToken. 

Palo Alto Networks released a security advisory on Monday highlighting how the weakness could be used by an attacker to execute code remotely on a server that was verifying a maliciously constructed JSON web token (JWT) request. 

The JSON web token JavaScript module, designed and maintained by Okta's Auth0, enables users to decode, validate, and create JSON web tokens as a way of securely communicating information between two entities, enabling authorization and authentication. On the npm software registry, the package receives more than 10 million downloads per week and is used in more than 22,000 projects.

Therefore, the capability of running malicious code on a server could violate confidentiality and integrity guarantees, enabling a bad actor to alter any files on the host and carry out any operation of its choice using a contaminated private key. However, Unit 42 cautions that to exploit it, malicious actors would need to first breach the secret management procedure between an app and a JsonWebToken server, dropping the severity level to 7.6/10.

Researchers discovered that after a maliciously constructed JWS token is verified, threat actors might use JsonWebToken to execute code remotely on servers. This is aided by a bug in JsonWebToken's verify() method, which checks a JWT and returns the decoded data. The token, the secretOrPublicKey, and options are the three inputs that this method accepts.

Artur Oleyarsh of Palo Alto Networks Unit 42 said, "An attacker will need to leverage a fault within the secret management mechanism to exploit the vulnerability mentioned in this post and manipulate the secretOrPublicKey value."

The security researcher claims that the Auth0 technical team released a patch for the vulnerability in December 2022. "We appreciate the Auth0 team's competent handling of the disclosure procedure and the provision of a patch for the reported vulnerability," said Oleyarsh.

In summary, the cybersecurity analyst stressed the importance of security awareness when utilizing open-source software. It is critical that downstream users proactively identify, mitigate, and patch vulnerabilities in such products, as open-source software often appears as a lucrative first entry pathway for threat actors to stage supply chain attacks. The fact that hackers are now considerably faster at exploiting recently discovered flaws, substantially reducing the time between a patch release and exploit availability, only makes matters more difficult.

WordPress: New Linux Malware Exploits Over Two Dozen CMS Vulnerabilities


WordPress websites are being attacked by a previously unidentified Linux malware strain that compromises vulnerable systems by taking advantage of vulnerabilities in over twenty plugins and themes. 

In the attacks, a list of 19 different plugins and themes with known security flaws is weaponized and used to launch an implant that can target a specific website in order to increase the network's reach. 

"If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts […] As a result, when users click on any area of an attacked page, they are redirected to other sites," says Russian security vendor Doctor Web, in a report published last week. 

Additionally, Doctor Web says that it has identified a new version of the backdoor that apparently uses a new command-and-control (C2) domain, along with an updated list of vulnerabilities covering 11 additional plugins, taking the total to 30. 

While it is still unclear if the second version is a remnant from the earlier version or a functionality that is yet to be enabled, both variants include an unimplemented method for brute-forcing WordPress administrator accounts. 

"If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities," the company said. 

Moreover, WordPress users are advised to keep all the components of the platforms updated, along with third-party add-ons and themes. It is recommended to use robust and unique logins and passwords in order to protect their accounts.  

TikTok Android Vulnerability Identified by Microsoft 

 

In the TikTok Android app, Microsoft has described a high-severity weakness that might have enabled a hacker to take over an account by luring users into clicking on a link.

The bug is tracked as CVE-2022-28799. According to Microsoft, the flaw has not yet been exploited in the wild, despite the app having an estimated 1.5 billion downloads on the Play Store. Microsoft advises all TikTok users on Android to upgrade the app to the most recent version while it is being patched.

In fact, Microsoft detected over 70 vulnerable JavaScript methods that, when combined with a bug to take control of WebView, might be exploited to extend the attacker's capabilities.

Threat actors could execute authenticated HTTP queries or access or modify the private information of TikTok users using the methods that were publicly disclosed.

In essence, attackers who successfully exploited this vulnerability might have easily:
  • Retrieved the users' authentication tokens by triggering a request to a server under their control and logging the cookie and the request headers.
  • Retrieved or modified the users' TikTok account data, including private videos and profile settings, by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback.

"The TikTok Android app was revealed to have a WebView Hijacking vulnerability due to an unvalidated deep link on an invalid argument. Through a JavaScript interface, this may have led to account hijacking," HackerOne explained in an article.

Only about a month after Microsoft first revealed the security flaw, TikTok version 23.7.3 was launched with a patch to address the flaw tracked as CVE-2022-28799.

Microsoft further said that "Once the targeted TikTok user clicks the hacker's specially constructed malicious link, the attacker's server is granted total access to the JavaScript bridge and can activate any accessible functionality."

The server of the attacker sends back an HTML page with JavaScript code that modifies the user's profile biography and sends video upload tokens back to the attacker.

Attackers with complete access to users' accounts could modify their profile information, send messages, upload videos, and even post private videos.

TikTok has also fixed further security vulnerabilities that might have let hackers steal customers' personal details or take over their accounts to tamper with footage.

Horde Webmail Software has a 9-year-old Unsecure Email Theft Risk

 

A nine-year-old unpatched security flaw in the Horde Webmail functionality might be exploited to acquire total access to email accounts merely by having the victim view an attachment. Horde Webmail is a free, enterprise-ready, browser-based communication package developed by the Horde project. Universities and government institutions use this webmail option extensively. 

According to Simon Scannell, a vulnerability researcher at SonarSource, "it provides the hackers to gain access to all confidential and possibly classified documents a user has recorded in an email address and might allow them to obtain further access to an organization's internal services." 

SonarSource detected a stored XSS vulnerability that was introduced with commit 325a7ae, 9 years ago. The bug has affected all versions since that commit on November 30, 2012. The vulnerability can be exploited when a victim previews a specially designed OpenOffice document, which allows a malicious JavaScript payload to be executed. The attacker can take all emails sent and received by the victim by exploiting the flaw. 

"An attacker can create an OpenOffice document which will launch a malicious JavaScript payload when converted to XHTML by Horde for preview," the report continues. "When a targeted person sees an attached OpenOffice document in the browser, the vulnerability is activated," according to SonarSource experts.

Worse, if an executive account is successfully hacked with a personalized phishing email, the attacker might use this unprecedented access to take control of the entire webmail service. Despite the vendor's confirmation of the problem, no fixes have been given to the project managers as of August 26, 2021. Horde was contacted for more comments, but none were made to address the situation.

Meanwhile, Horde Webmail users should deactivate the rendering of OpenOffice attachments by adding the 'disable' => true configuration option to the OpenOffice mime handler in the config/mime_drivers.php file.

Tor Browser Bug Executes Uncalled for JavaScript Codes!


The well-known Tor is reportedly experiencing a bug in its security mechanism. It has warned users to stay vigilant regarding the “Tor Browser Bug”, which runs JavaScript code on various unexpected sites.

Tor (originally Team Onion Router) is a free and open-source software which chiefly works on allowing anonymous communication to users.

Reportedly, the team has been working on a solution and would roll it out as soon as it is done, but there isn’t a particular time to expect it.

One of the most critical features for the security of the Tor Browser Bundle (TBB) happens to be the ability to block the code execution of the JavaScript, mention sources.

TBB is a browser that has a set of superior privacy features majorly for concealing real IP addresses to maintain the anonymity of online users and their devices’ locations.

Owing to these features, the browser has become a go-to for the working people, especially the journalists, citizens of repressive countries and people with political agendas because after all, it is a great instrument to dodge online censorship and firewalls.

People who are against the anonymity of the users and just can’t let things be, have in the past tried several times to expose Tor Browser users’ actual IP addresses via exploits that functioned on JavaScript code.

Sources cite that while few attempts of the better nature have been successfully employed to track down criminals, others were pretty strangely executed.

Recently, a bug was discovered in the much appreciated TBB’s security mechanism: when the browser was set to use the highest security level, it still permitted the execution of JavaScript code when it should have barred it.

It is a relief that the Tor team is well aware of the bug and is working with dedication towards developing a patch for it. Per sources, they also mentioned that if a user needs to “Block JavaScript”, they could always disable it entirely.

As per reports, the procedure for doing so is to open “about:config” and search for “javascript.enabled”. If the “Value” column shows “false”, JavaScript is disabled; if it shows “true”, right-click the row and select “Toggle”, or double-click the row, to disable it.