Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label RCE. Show all posts
RCE
Black Cat Data Breach Encryption Microsoft Phishing Attacks Python Maintainers Ransomware Attacks. RCE

Microsoft Discovers BlackCat's Sphynx Ransomware Exploiting Impacket & RemCom

A new strain of ransomware known as BlackCat's Sphynx has recently been discovered by cybersecurity researchers at Microsoft. It has gained notice because it incorporates advanced hacking tools like Impacket and RemCom. This finding highlights the increasing sophistication and power of current ransomware attacks, creating concerns for both individuals and companies.

A new strain of ransomware known as BlackCat's Sphynx has recently been discovered by cybersecurity researchers at Microsoft. It has gained notice because it incorporates advanced hacking tools like Impacket and RemCom. This finding highlights the increasing sophistication and power of current ransomware attacks, creating concerns for both individuals and companies.

Impacket, an open-source collection of Python classes, enables the manipulation of network protocols and facilitates the creation of network-aware tools. It has legitimate uses in areas like network testing and penetration testing but can be weaponized by threat actors to infiltrate systems. RemCom, on the other hand, is a tool that grants remote access and control over compromised systems, allowing hackers to execute arbitrary commands.

Microsoft's analysis reveals that BlackCat's Sphynx leverages these tools to infiltrate networks, escalate privileges, and finally deploy ransomware to encrypt victims' data. The combination of these powerful tools amplifies the threat potential, as it grants attackers multiple avenues to compromise systems and ensure the success of their ransom demands.

The implications of this discovery extend beyond the immediate threat posed by BlackCat's Sphynx ransomware. The integration of well-established tools like Impacket and RemCom indicates an evolution in the tactics and techniques employed by ransomware operators. This also highlights the importance of organizations and individuals staying updated on the latest cybersecurity threats and fortifying their defenses against emerging attack vectors.

As ransomware attacks continue to surge and become increasingly sophisticated, cybersecurity experts stress the significance of a multi-layered defense strategy. Regularly updating software, educating users about phishing and social engineering tactics, and implementing robust network segmentation are among the recommended measures to minimize the risk of falling victim to such attacks.


Read more »
Windows MSHTML
CVE-2023-32046 CVE-2023-36884 Microsoft Microsoft Security Update Guide Rapid7 RCE Remote Code Execution Security Flaws Vulnerabilities and Exploits Windows MSHTML

Microsoft Confirms Zero Day Exploits, Prompts Users to Update


This week Microsoft confirmed around 132 security vulnerabilities in its product lines, including a total of six zero-day flaws that are currently being actively exploited. Because of this, security professionals advise Windows users to upgrade right away.

One of these zero-day vulnerabilities is of remote code executive (RCE) type, affecting Windows HTML and Microsoft Office. Microsoft has surprisingly not yet released a patch for CVE-2023-36884, opting instead to provide configuration mitigation methods, despite this being a Patch Tuesday rollout. Microsoft has connected the exploitation of this vulnerability to the Russian cybercrime group RomCom, which is suspected to be acting in the interests of Russian intelligence.

According to Rapid7 vulnerability risk management specialist Adam Barnett, the RomCom gang has also been linked to ransomware assaults that have been directed at a variety of targets. More such security experts are raising concerns given the number of vulnerabilities and the multiple zero-days that they are coming across, regarding which they are warning Windows users to adopt the updated versions promptly. The Microsoft Security Update Guide contains a comprehensive list of the vulnerabilities fixed by the most recent Patch Tuesday release. Security professionals have, however, drawn attention to some of the more crucial ones.

CVE-2023-36884 

According to Microsoft, “investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

While this vulnerability is still unpatched, Microsoft says it will “take the appropriate action to help protect our customers” ones they are done with the investigations. However, speculations claims that this will happen via an out-of-band security update rather than leaving an actively exploited zero-day up for patch for next month’s Patch Tuesday rollout. Microsoft directs users to a threat intelligence blog article that offers workaround mitigations in the meantime.

CVE-2023-32046 

This flaw is a Windows MSHTML platform elevation of privilege vulnerability that is being exploited. The zero-day flaw exploits the MSHTML core Windows components, that are used to produce content like HTML.

According to Kev Breen, director of cyber threat research at Immersive Labs, “This is not limited to browsers.” He warns, “other applications like Office, Outlook, and Skype also make use of this component.” It is likely that the attack vectors would include typical suspects—a malicious document attached to an email or a malicious website or web page. . “This vulnerability would likely be used as an initial infection vector[…]allowing the attacker to gain code execution in the context of the user clicking the link or opening the document,” says Breen.

Read more »
Vulnerabilities and Exploits
CISA Netwrix Auditor RCE Security Bug Vulnerabilities and Exploits

Netwrix Auditor RCE Bug Abused in Truebot Malware Campaign

 

A severe remote code execution (RCE) vulnerability in the Netwrix Auditor software was used in attacks against organisations across the United States and Canada, according to a warning issued today by CISA and the FBI. These assaults targeted organisations in the United States and Canada. 

Unauthorised attackers can run malicious code with the privileges of the SYSTEM user thanks to a security flaw that affects the Netwrix Auditor server and the agents installed on monitored network systems (tagged as CVE-2022-31199). 

Since December 2022, TA505 hackers (connected with the FIN11 organisation) have exploited TrueBot, a malware downloader related to the Russian-speaking Silence cybercrime group, to install Clop ransomware on compromised networks. 

After installing TrueBot on compromised networks, the hackers install the FlawedGrace Remote Access Trojan (RAT), which is likewise affiliated with the TA505 group and allows them to escalate privileges and establish persistence on the compromised systems. 

Hackers will also deploy Cobalt Strike beacons hours after the initial breach, which might potentially be exploited to perform various post-exploitation tasks such as data theft and delivering other malware payloads such as ransomware. 

"Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199," the two federal agencies explained in a joint report with MS-ISAC and the Canadian Centre for Cyber Security.

"As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organisations in the U.S. and Canada."

Based on the nature of Truebot operations documented thus far, the primary purpose of attackers behind Truebot is to acquire confidential data from compromised systems for monetary gain.

Following the guidelines laid out in joint advisory, security teams are advised to search for evidence of malicious activity pointing to a Truebot infection.

If they find any indicators of compromise (IOCs) within their organization's network, they should immediately implement the mitigation and incident response steps suggested in the advisory and report the incident to CISA or the FBI.
Read more »
Vulnerabilities and Exploits
Operational Technology RCE Remote Code Execution Security research Vulnerabilities and Exploits

Several RCE Bugs Making Industrial IoT Devices Vulnerable to Cyberattacks


Eleven vulnerabilities in the cloud-management platforms of three industrial cellular router vendors put operational technology (OT) networks at risk for remote code execution, even when the platform is not actively set up for cloud management.

Eran Jacob, team leader of the security research team at Otorio, and Roni Gavrilov, security researcher, warn that the vulnerabilities are critical as they can be used to exploit thousands of industrial Internet of Things (IIoT) devices and networks in a variety of sectors, even though they affect devices from only three vendors, namely Sierra Wireless AirLink, Teltonika Networks RUT, and InHand Networks InRouter. 

"Breaching of these devices can bypass all of the security layers in common deployments, as IIoT devices are commonly connected both to the Internet and the internal OT network[…]It also raises additional risk for propagation to additional sites through the built-in VPN," the researchers said.

The researchers added that in case the attackers acquire a direct connection to the internet OT environment, it may further impact production and pose safety risks for users in their virtual environment.

Attackers can also use a variety of vectors to take advantage of the flaws, according to the researchers, including compromising devices in the production network to enable unauthorized access and control with root privileges, gaining root access through a reverse shell, and using compromised devices to exfiltrate sensitive data and carry out actions like shutdown.

Where the Issues Lie 

Multiple devices can connect to the Internet using a cellular network thanks to an industrial cellular router. According to the researchers, these routers are frequently utilized in industrial environments like factories or oil rigs where typical wired Internet connections would not be viable or dependable.

"Industrial cellular routers and gateways have become one of the most prevalent components in the IIoT landscape[…]They offer extensive connectivity features and can be seamlessly integrated into existing environments and solutions with minimal modifications," Gavrilov wrote in the report.

In order to give clients remote management, scalability, analytics, and security across their OT networks, vendors of these devices use cloud platforms. The researchers further noted that they discovered a number of vulnerabilities that "pertain to the connection between IIoT devices and cloud-based management platforms," which is, in some cases, enabled by default.

"These vulnerabilities can be exploited in various scenarios, affecting devices that are both registered and unregistered with remote management platforms[…]Essentially, it means that there are security weaknesses in the default settings of certain devices' connectivity to cloud-based management platforms, and these weaknesses can be targeted by attackers," they said.

Mitigation Strategies

Researchers have provided vendors of these devices as well as OT network administrators with a number of mitigation measures. They recommended that OT network managers uninstall any inactive cloud features if they are not actively using the router for cloud management in order to avoid device takeovers and minimize the attack surface.

Administrators can also restrict direct connection from IIoT devices to routers because built-in security mechanisms like firewalls and VPN tunnels lose their effectiveness after being compromised, according to the researchers.

"Adding separate firewall and VPN layers can assist with delimitering and reduce risks from exposed IIoT devices used for remote connectivity," Gavrilov added in the report.  

Read more »
Vulnerabilities and Exploits
ConnectWise Cybersecurity Hackers IT RCE Software Vulnerabilities and Exploits

The RCE Vulnerability in ConnectWise Has Been Resolved

 


As part of the ConnectWise Recover and R1Soft Server Backup Manager (SBM) secure backup solutions, ConnectWise has released security updates that address a critical vulnerability within those products. 

In an advisory published by the company today, the company describes the security flaw as being due to an injection vulnerability. This occurs when special elements in output are not adequately neutralized before entering a downstream component. 

Among the affected software, versions are ConnectWise Recover, earlier versions of the product, and R1Soft SBM versions 6.16.3 and earlier versions. 

Several security researchers have reported that this is a critical vulnerability that could expose confidential information or allow attackers to execute code remotely using the vulnerability.

Additionally, it categorized this as a high-priority issue, meaning that it may be exploited in attacks or at a high risk of being targeted in the wild if it is not addressed immediately. 

In a report released by Huntress Labs CEO Kyle Hanslovan, security researchers have discovered, rediscovered, and expanded on the vulnerability discovered by Code White security researcher Florian Hauser. According to Huntress Labs CEO Kyle Hanslovan, the vulnerability can be exploited to spread ransomware to thousands of R1Soft servers exposed to the Internet. This is done via R1Soft servers exposed to the Internet. 

Approximately 4,800 R1Soft servers that are exposed to the Internet may be vulnerable to attacks as a result of this RCE bug. According to a Shodan scan, these servers may not be patched since ConnectWise has released patches for this issue. 

There have been automatic updates applied to ConnectWise Recover SBMs that have been impacted by the vulnerability (v2.9.9), ConnectWise announced. 

It should be noted that Cryptree users are being advised to upgrade their R1Soft backup manager to the latest release, SBM v6.16.4, released on October 28, 2022, by following the steps detailed in the R1Soft upgrade wiki.

As part of the company's recommendation, all R1Soft backup servers that are impacted should be patched as soon as possible. 

Even though patching critical vulnerabilities is always something that cybersecurity professionals are strongly encouraged to do, they do not think it is wise to do it on a Friday evening, as it can be a potentially disastrous timing decision. 

As a result, all Internet-exposed servers such as websites will be compromised to the fullest extent by malicious actors as soon as they discover a vulnerability. 

There is also a tendency for hackers to be especially active on weekends since most IT teams and security teams are away from their computers during these busy times. 

As a result of an end-of-the-week release, it is also more difficult to patch any vulnerable servers before the weekend, potentially exposing more systems for a few days to attack, especially if the release takes place along with a holiday weekend. 

There is a concern that not patching the R1Soft SBM backup solution quickly may lead to a significant security incident. This is because the R1Soft SBM backup solution is a popular tool among managed service providers and cloud hosting providers.
Read more »
Zero Day Attack
Firewall RCE Vulnerabilities and Exploits Web Admin Zero Day Attack

Malicious Actors Exploit Zero-Day RCE Bug in Sophos Firewall

 

Sophos, security software and hardware vendor published a patch update for its firewall product after it identified that hackers were exploiting a new critical zero-day vulnerability to target its users' network. 

The vulnerability tracked as CVE-2022-3236 was spotted in the User Portal and Webadmin of Sophos Firewall, its exploitation can lead to code execution (RCE). 

“A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability has been fixed,” the company stated. “Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.” 

The company says it has released hotfixes for Sophos Firewall versions affected by this security bug (v19.0 MR1 (19.0.1) and older) that will roll out automatically to all instances since automatic updates are enabled by default. 

The firm fixed the vulnerability with the released Firewall v19.0 MR1 (19.0.1) and older, and also offered a solution by advising customers not to expose User Portal, and Webadmin to WAN and to disable WAN access to the User Portal and Webadmin. The company also recommended employing VPN and/or Sophos Central (preferred) for remote access and management.

"Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central (preferred) for remote access and management," the company added. 

Earlier this year in March, Sophos fixed an identical critical vulnerability, tracked as CVE-2022-1040, identified in the User Portal and Webadmin areas of Sophos Firewall. The vulnerability received a CVSS score of 9.8 and affected Firewall versions 18.5 MR3 (18.5.3) and older. The security bug was reported to the security firm by an anonymous threat analyst via its bug bounty program. 

A remote hacker with access to the Firewall’s User Portal or Webadmin interface can exploit the vulnerability to circumvent authentication and execute arbitrary code to target multiple organizations.

Volexity researchers investigated the security vulnerability and disclosed that a Chinese APT group they track as DriftingCloud, exploited CVE-2022-1040 since early March, a little over three weeks before Sophos issued a patch. The hackers employed a zero-day exploit to drop a web shell backdoor and target the customer’s staff.
Read more »
Vulnerabilities and Exploits
API Data Sever Node.js RCE Vulnerabilities and Exploits

Prototype Bug in Blitz.js. Allows RCE on Node.js Servers

 

Blitz.js, a JavaScript web online framework, has issued a patch for a critical prototype pollution bug to prevent remote code execution (RCE) on Node.js servers. 

Prototype pollution is a specific kind of JavaScript vulnerability that allows hackers to manipulate the structure of the programming language and exploit it in multiple ways, Paul Gerste, security researcher at Sonar explained. It also allowed hackers to exploit the code in the Blitz.js app to design a reverse shell and run arbitrary commands on the server. 

Blitz is designed on top of Next.js, a React-based framework, and adds components to turn it into a full-stack web development platform. One of the popular components of Blitz.js is its ‘Zero-API’ layer, which allows the customer to employ specific functions to call server-side business logic without having to design API code. 

Additionally, it makes an RPC call to the server in the background and returns the response to the client function call. Gerste identified a chain of exploits that could be exploited via the prototype pollution bug and lead to RCE. 

The attackers target Node.js by sending a JSON request, a browser service that enables two-way data exchange with any JSON data server without exposing users’ data, to the server, which triggers the routing function of Blitz.js to load a JavaScript file with the polluted prototype. This allows the hacker to employ the malicious JavaScript object to implement arbitrary code. 

In an ideal scenario, the hacker would design and run a file on the server. But Blitz.js does not support upload functionality. However, it has a CLI wrapper script that uses JavaScript’s spawn() function to launch a new process. 

The attacker could use this function to launch a CLI process and run an arbitrary command on the server. The vulnerability can be triggered without any authentication, which means any user who can access the Blitz.js application will be able to launch RCE attacks.  

“This attack technique leverages a code pattern that isn’t a vulnerability in itself,” Gerste explained. “Prototype pollution can influence the target application in a very invasive way, and it would require a lot of work to get rid of all code that could be influenced by prototype pollution.” 

In his blog post, the researcher mentioned some general recommendations to safeguard JavaScript apps against prototype pollution, including freezing 'object.prototype or using the --disable-proto=delete flag in Node.js

“I think prototype pollution is still unknown to many JavaScript developers,” Gerste added. “I don’t see developers often use the patterns that we recommended in our article. With our blog posts, we try to help educate JavaScript developers and share this knowledge.”
Read more »
XSS
DevOps RCE Security Bug Vulnerabilities and Exploits XSS

Gitlab Patches a Critical RCE Flaw in Latest Security Advisory

 

Security researchers at Gitlab have issued a patch for a critical vulnerability that allows hackers to execute code remotely. 

The security bug tracked as CVE-2022-2185, impacts all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authorized user could import a maliciously designed project to launch remote code execution. 

GitLab is a web-based DevOps life cycle platform offering an open-source license from GitLab Inc. to offer wiki, problem-tracking, and continuous pipeline integration and deployment capabilities. Ukrainian programmers Dmytro Zaporozhets and Valery Sizov have manufactured the program.

 Multiple security flaws 

Fixes for a number of other vulnerabilities were also released in the latest version, including two separate cross-site scripting (XSS) bugs. The vulnerabilities impacted both GitLab Community Edition and Enterprise Edition. Security researchers have recommended users upgrade to the latest version. 

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected,” an advisory from GitLab reads. 

Last year in July, Gitlab patched multiple vulnerabilities — including two high-impact online security flaws by updating its software development infrastructure. In GitLab's GraphQL API, a cross-site request forgery (CSRF) developed a mechanism for a hacker to call modifications while impersonating their victims. The Gitlab Webhook feature was exploited for denial- of service (DoS) assaults because of a second high-level security vulnerability. 

An attack by a Denial-of-Service (DoS) is designed to shut down a user computer system or network, which makes it unreachable to its intended users. DoS attacks achieve this by flooding or delivering information to the target causing a crash. 'Afewgoats' researchers identified DoS vulnerability and reported it via a HackerOne-operated GitLab bug reward program. 

For both higher intensity vulnerabilities, CVE trackers were requested, although identification was not assigned. "The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days," afewgoats explained. 

"It's the only Denial of Service, but it could tie up huge amounts of memory on the victim servers." To mitigate the risks, Gitlab patched 15 medium severity and two low-impact issues. These add-on vulnerabilities also included a clipboard DOM-based cross-site scripting (XSS) issue, a reflected XSS in release edit pages, and the audit log problem of the stored XSS.
Read more »
Vulnerabilities and Exploits
Cobalt Strike cryptomining malware RCE Security Risk Vulnerabilities and Exploits

Attackers Exploit Telerik Vulnerabilities to Deploy Cobalt Strike

 

A hacker called ‘Blue Mockingbird’ is exploiting Telerik UI flaws to breach servers, install Cobalt Strike beacons, and deploy cryptomining malware. 

The vulnerability tracked as CVE-2019-18935 with a critical severity score (CVSS v3.1: 9.8), impacts the Telerik UI library for ASP.NET AJAX and is a high-risk deserialization security bug that can lead to remote code execution. 

Blue Mockingbird was also identified in May 2020 targeting susceptible Microsoft IIS servers that employed Telerik UI, even though it had been a year after the vendor had published security patches. Earlier this week, Sophos researchers revealed that Blue Mockingbird is leveraging the same flaw to launch new cyberattacks. 

To exploit CVE-2019-18935, the hackers must secure the encryption keys that guard Telerik UI’s serialization on the target. This may be done by using CVE-2017-11317 and CVE-2017-11357 or abusing another vulnerability in the target web app. 

Since multiple web apps were used as projects that embedded the Telerik UI framework version at the time of development and later were discontinued, they are still legitimate targets accessible for exploitation. Once the keys are acquired, the hackers can compile a malicious DLL containing the code to be executed during deserialization and launch it in the context of the ‘w3wp.exe’ process. 

According to the researchers, in recent assaults, Blue Mockingbird employed a readily available proof-of-concept (PoC) vulnerability to manage the encryption logic and automate the DLL compilation. The payload used in the recent assaults is a Cobalt Strike beacon, a stealthy, legitimate penetration testing tool hacker exploits for executing encoded PowerShell commands. 

Persistence is achieved by Active Directory Group Policy Objects (GPOs), which manufacture scheduled tasks in a new registry entry that contains base64-encoded PowerShell. To mitigate Windows Defender detection, the script employs typical AMSI-bypassing methodologies to download and load a Cobalt Strike DLL into memory. 

The second-stage program (‘crby26td.exe’) is an XMRig Miner, a common open-source cryptocurrency miner for Monero, one of the least detected cryptocurrencies. Notably, this was the primary goal of the threat actor’s 2020 campaign; therefore, the attack chain, methodologies, and goals haven’t altered significantly. 

On the other hand, Cobalt Strike allows for simple lateral movement within an exploited network, data exfiltration, account takeover, and the deployment of more powerful payloads like ransomware. It remains unclear whether Blue Mockingbird is interested in investigating these possibilities; for the time being, or they’re only focused on Monero mining.
Read more »
Vulnerabilities and Exploits
RCE Security Patch Software Vendor Vulnerabilities and Exploits

Software Vendor VMware Patches Critical Bug Exploited in the Wild

 

Malicious actors are actively exploiting a critical bug, tracked as CVE-2022-22954, in VMware Workspace ONE Access and Identity Manager recently addressed by the vendor. The vulnerability is used in active attacks that infect servers with coin miners. 

Earlier this month, VMWare rolled out an update to resolve a critical security flaw (CVSS: 9.8) in several of their products, including VMware’s Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation products.

The software vendor also warned regarding the possibility of an attacker with network access triggering a server-side template injection that results in RCE. The vulnerability is not unprecedented: in late September 2022, CVE-2021-22005 enabled malicious actors to strike vulnerable systems with RCE attacks, achieving root privileges and reaching the vCenter Server over the network. 

“VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the security advisory. “A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.”

“This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0011. The ramifications of this vulnerability are serious,” the software vendor said while urging its customers to address the vulnerabilities immediately to prevent its exploitation. 

In the past two weeks, multiple security researchers designed working exploits for CVE-2022-22954, with at least one proof-of-concept exploit released on Twitter. While publishing public exploits raises the risks that threat actors will use them in attacks, they are also meant to help secure systems through testing and serve as validators of existing fixes/patches. 

According to cybersecurity intelligence firm Bad Packets, malicious actors are actively scanning for vulnerable hosts to exploit the flaw in the wild. The IP address, 106.246.224.219, used in the payload, was recently seen dropping the Linux Tsunami backdoor in other attacks. However, it remains unclear what the 'one' executable is, as it is no longer accessible. Security researcher Daniel Card also joined the queue by releasing proof-of-concept exploits on Twitter and stated that the vulnerability was being exploited to deploy coinminer payloads.
Read more »
Vulnerabilities and Exploits
Bug Cybersecurity Firms Exploits Flaws RCE Vulnerabilities and Exploits

SpringShell Attacks Target About One in Six Vulnerable Orgs

 

According to figures from one cybersecurity firm, about one out of every six firms affected by the Spring4Shell zero-day vulnerability has already been targeted by threat actors. 

The exploitation attempts occurred within the first four days of the severe remote code execution (RCE) issue, CVE-2022-22965, and the associated attack code was publicly disclosed. 37,000 Spring4Shell attacks were discovered over the weekend alone, according to Check Point, which generated the statistics based on their telemetry data. Software vendors appear to be the most hit industry, accounting for 28% of the total, possibly due to their high vulnerability to supply chain threats. 

Based on their visibility, Check Point ranks Europe #1 in terms of the most targeted region, with 20%. This suggests that the malicious effort to exploit existing RCE possibilities against vulnerable systems is well underway, and threat actors seem to be turning to Spring4Shell while unpatched systems are still exposed. North America accounts for 11% of Check Point's detected Spring4Shell attacks, while other entities have confirmed active exploitation in the United States. 

Spring4Shell was one of four flaws posted to the US Cybersecurity & Infrastructure Security Agency's (CISA) inventory of vulnerabilities known to be used in actual attacks yesterday. The agency has uncovered evidence of attacks on VMware products, in which the software vendor published security upgrades and alerts. 

Microsoft also released guidelines for detecting and preventing Spring4Shell attacks, as well as a statement that they are already analyzing exploitation attempts. Spring MVC and Spring WebFlux apps operating on JDK 9+ are affected by CVE-2022-22965, hence all Java Spring installations should be considered potential attack vectors. Spring Framework versions 5.3.18 and 5.2.2, as well as Spring Boot 2.5.12, were published by the vendor to address the RCE issue. 

As a result, upgrading to these versions or later is strongly advised. System administrators should also be aware of the remote code execution vulnerabilities in the CVE-2022-22963 and CVE-2022-22947 remote code execution flaws in the Spring Cloud Function and Spring Cloud Gateway. These flaws already have proof-of-concept exploits that are publicly available.
Read more »
Web Apps
API Cyber Attacks Hackers RCE Security Researchers Web Apps

Web Applications Attacks are on the Rise

 

Imperva Research Labs discovered that attacks are increasing by 22% per quarter in a survey of approximately 4.7 million web application-related cyber security incidents. Worryingly, the pace of increase in such attacks has continued to rise, with a 67.9% increase from Q2 2021 to Q3. One of the most noticeable rises was in Remote Code Execution (RCE) / Remote File Inclusion (RFI) assaults, which increased by 271%. RCE / RFI attacks are used by hackers to steal information, compromise servers, or even take over websites and manipulate their content. 

“Application security was traditionally very low on CISOs’ priority list but, as the attacks targeting applications increase in frequency, it’s getting more attention,” said Eugene Dzihanau, Senior Director of Technology Solutions at EPAM Systems. “The application layer is quickly becoming more exposed to the outside world, drastically increasing the attack surface. Applications are deployed on the public cloud, mobile phones, and IoT devices. Also, applications process a lot more data than before, making them a more frequent target of an attack.” 

As a result of the growth in web app attacks, there has been a significant increase in data breaches. Imperva Research Labs discovered earlier this year that online applications are the source of 50% of all data breaches. With the frequency of breaches increasing by 30% each year and the number of records stolen increasing by an astounding 224%, it is anticipated that 40 billion records will be compromised by the end of 2021, with web application vulnerabilities expected to be responsible for roughly 20 billion. 

“The pandemic placed immense urgency on businesses to get all kinds of digital transformation projects live as quickly as possible, and that is almost certainly a driving factor behind this surge in attacks,” says Peter Klimek, Director of Technology at Imperva. 

The changing nature of application development is also extremely important. Developments such as the rapid growth of APIs and the shift to cloud-native computing are advantageous to DevOps, but these changes in application architecture and the accompanying increased attack surface are making security teams' tasks much harder, according to Peter. 

During the pandemic, losses from fraud and cybercrime have spiraled out of control, with the National Fraud Intelligence Bureau estimating that over £1.3 billion was lost in the first half of 2021 alone, more than three times the amount lost in the same period in 2020. These estimates indicate that the problem will increase during 2022.

The usual approach of the security team identifying vulnerabilities and the development team correcting them will not work; Dzihanau said that the feedback cycle must be swift and collaborative.
Read more »
Vulnerabilities and Exploits
Arbitrary code execution RCE Russian Hackers Vulnerabilities and Exploits

An Attacker Could Take Advantage of a Flaw in WinRAR to Execute Arbitrary Code

 

A new security flaw in the WinRAR trialware file archiver programme for Windows has been discovered, which might be exploited by a remote attacker to execute arbitrary code on targeted systems, highlighting how software flaws can serve as a gateway for a variety of assaults. 

The bug, tracked as CVE-2021-35052, affects the trial version of the software running version 5.70. In a technical write-up, Positive Technologies' Igor Sak-Sakovskiy stated, "This vulnerability allows an attacker to intercept and change requests sent to the user of the application. This can be used to get remote code execution (RCE) on the PC of a victim." 

Before gently urging customers to acquire a license, WinRAR offers a free trial license. The .rar archive, with which it is most closely connected, is not opened by Windows Explorer, hence WinRAR is popular among individuals who need to work with the format, or who just had to download a .rar archive once and required software to open it. 

An investigation into WinRAR began after Sak-Sakovskiy noticed a JavaScript error rendered by MSHTML, a proprietary browser engine for the now-defunct Internet Explorer that is used in Office to render web content inside Word, Excel, and PowerPoint documents, leading to the discovery that the error window is displayed once every three times when the application is launched after the trial period has expired. 

Positive Technologies discovered that by intercepting the response code sent when WinRAR notifies the user about the end of the free trial period via "notifier.rarlab[.]com" and changing it to a "301 Moved Permanently" redirect message, the redirection to an attacker-controlled malicious domain could be cached for all subsequent requests.

An almost two-decades-old flaw was discovered in WinRAR a few years ago, impacting an older file compression format initially developed in the 1990s. Positive Technologies was sanctioned by the US government earlier this year after the US claimed the company had transferred vulnerabilities to Russian state hackers rather than revealing them. The company has categorically disputed these allegations and continues to publish security research. 

Application security expert Sean Wright said of the vulnerability, "Remote Code Execution vulnerabilities should always be taken seriously and handled with a sense of urgency, as the risk they pose is significant. Even so, in the case of WinRAR's vulnerable trial, the likelihood of an attacker being able to successfully exploit the vulnerability in question seems fairly limited, as there are a number of conditions and stages that the victim would need to fulfill before the attacker could achieve RCE."
Read more »
Vulnerabilities and Exploits
Hijacking RCE Root Shell Vulnerabilities and Exploits

Severe Remote Code Execution Flaws Discovered in Motorola Halo+ Baby Monitors

 

On Tuesday, Randy Westergren, a cybersecurity expert, published his study on the Motorola Halo+, a popular baby monitor. He revealed two severe flaws in the protocol and remote code execution (RCE) of the Motorola Halo+ that would allow threat actors to hijack the device. 

The Motorola Halo+ comprises an over-the-crib monitor, a handheld unit for parents, and a Wi-Fi-connected mobile application to monitor children that works in Full HD. 

Westergren, engineering director of US financial services company Marlette Funding discovered the flaws when he and his wife were hunting for a suitable monitor for their first child and selected the Motorola Halo+ as their preferred option. 

After securing the device, Westergren started examining its listening services and discovered a pre-authentication RCE security flaw (CVE-2021-3577) and the tools to obtain a full root shell. Examining system logs made it possible to identify the app’s API requests that gather information regarding its usage. 

The researcher also analyzed HTTP-based communication and how the app’s local API operated. Westergren was able to use local API commands to identify GET and SET lists, as well as “value” parameters that would accept user input, “potentially leading to RCE if not properly sanitized”.

Westergren then injected a reboot payload and used the device to perform the ‘set_city_timezone’ process. His action initiated a reboot, which granted the device shell access. He also discovered a flaw in the execution of MQTT (CVE-2021-3787) – an IoT messaging standard. 

Westergren identified that the client was set up to subscribe to #and $SYS/# by default, lowering Hubble device access control security. “A number of commands result from various devices. Though I did not attempt this, I think it was very likely that a client could easily control the entire device fleet by publishing arbitrary commands,” the researcher noted. 

While the product belongs to Motorola Mobility, its manufacturing unit was acquired by Lenovo in 2014. According to Westergren, after receiving the initial report, Lenovo’s security team has immediately started working on resolving the issues in Motorola Halo.

According to the latest updates from the tech giant, the first set of patches is incomplete, and as a result, the product would be delayed further. Both the RCE and MQTT problems have been fixed in firmware versions 3.50.06 and 3.50.14.
Read more »
Vulnerabilities and Exploits
cybercriminals JavaScript Node.js RCE Vulnerabilities and Exploits

Node.js Pushes Out Immediate Fixes for the Severe HTTP Bug

 

Node.js has released patches for a high-severity vulnerability that could be used by attackers to corrupt the process and cause unexpected behaviour including application crashes and possibly remote code execution (RCE). The CVE-2021-22930 use-after-free vulnerability affects the way HTTP2 streams are handled in the language. 

Node.js is a back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside of a browser. Node.js allows developers to utilise JavaScript to create command-line tools and server-side scripting, which involves running scripts on the server before sending the page to the user's browser. This week, Node.js released patches for CVE-2021-22930, a high-severity use-after-free vulnerability. 

When a programme tries to access a resource at a memory address that has already been freed and no longer holds the resource, it is called a use-after-free vulnerability. In some situations, this might result in data corruption, unexpected behaviours including programme crashes, or even remote code execution (RCE). The changes were included in the most recent Node.js release 16.6.0, as well as versions 12.22.4 (LTS) and 14.17.4. (LTS). This flaw was discovered by Eran Levin, who is credited with reporting it. 

"We normally like to give advance notice and provide releases in which the only changes are security fixes, but since this vulnerability was already public we felt it was more important to get this fix out fast in releases that were already planned," announced Red Hat principal software engineer and NodeJS Technical Steering Committee (TSC) member Daniel Bevenius. 

When Node.js read incoming RST_STREAM frames with no error code or cancel code, the vulnerability was exploited. In HTTP/2 applications, the RST_STREAM frame is issued by the host when it wants to close a connection. In a client-server architecture, for example, a client programme would send a RST_STREAM frame to the server to terminate the connection. When the server receives the frame, it will stop replying to the client and terminate the connection. The server might then discard any "DATA" frames it was about to send to the client.

When a RST_STREAM frame was received by the server with a "cancel" code (nghttp2_cancel) in vulnerable Node.js versions, the receiver would try to "force purge" any data received. After that, an automatic call-back would perform the "close" function a second time, aiming to free up the memory that had already been freed in the previous phase. 

And, as a result of the double-free error, the application might crash or behave erratically. On June 8th, 2021, Matthew Douglass posted a public thread about this issue, which was previously considered of as a "bug" rather than an exploitable vulnerability.
Read more »
Telecom
Cyber Security Dos Attacks Internet Service Providers RCE Telecom

Juniper Bug Allows RCE and DoS Against Carrier Networks

 

Juniper Networks' Steel-Belted Radius (SBR) Carrier Edition has a severe remote code-execution vulnerability that leaves wireless carrier and fixed operator networks vulnerable to tampering. By centralizing user authentication, giving the proper level of access, and verifying compliance with security standards, telecom carriers utilize the SBR Carrier server to manage policies for how subscribers use their networks. It enables carriers to distinguish service tiers, diversify revenue models, and manage network resources. 

Juniper Networks, Inc. is a multinational technology company based in Sunnyvale, California. Routers, switches, network management software, network security solutions, and software-defined networking technology are among the networking products developed and sold by the company. Pradeep Sindhu started the company in 1996, with Scott Kriens serving as the original CEO until September 2008. Juniper Networks began by specializing in core routers, which are used by internet service providers (ISPs) to execute IP address lookups and route internet traffic. 

SBR Carrier versions 8.4.1, 8.5.0, and 8.6.0 that use the extensible authentication protocol are affected by the bug (CVE-2021-0276). It was on Wednesday, Juniper released a patch. On the CVSS vulnerability-severity rating scale, it gets a 9.8 out of 10. According to Juniper's advisory, it's a stack-based buffer-overflow vulnerability that an attacker can exploit by sending specially designed packets to the platform, causing the RADIUS daemon to crash. This can cause RCE as well as denial-of-service (DoS), which prevents phone subscribers from having a network connection. 

The flaw is one of the dozens that the networking giant patched this week across its carrier and corporate product lines, including multiple high-severity flaws that could be used to launch DoS assaults. Juniper claims that one of these can also be used for RCE. CVE-2021-0277 is an out-of-bounds read vulnerability that affects Junos OS (versions 12.3, 15.1, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3 and 20.4), as well as Junos OS Evolved (all versions). 

The problem occurs when the Layer 2 Control Protocol Daemon (l2cpd) processes specially designed LLDP frames (l2cpd). On a local area network (usually over wired Ethernet), network devices utilize LLDP to advertise their identification, capabilities, and neighbors. “Continued receipt and processing of these frames, sent from the local broadcast domain, will repeatedly crash the l2cpd process and sustain the DoS condition,” Juniper said in its advisory, issued on Thursday.
Read more »
Vulnerabilities and Exploits
cybercriminals DoS Vulnerabilities RCE Vulnerabilities and Exploits

Critical RCE can Compromise Juniper Networks Devices

 

A critical vulnerability fixed as of late by networking and cybersecurity solutions supplier Juniper Networks could permit an attacker to remotely hijack or disrupt affected devices. The security hole, followed as CVE-2021-0254 and affecting the Junos operating system, was found by Nguyá»…n Hoàng Thạch, otherwise known as d4rkn3ss, a researcher with Singapore-based cybersecurity organization STAR Labs. 

The researcher disclosed to SecurityWeek that the vulnerability, which he says is the most serious bug he has ever distinguished in a Juniper product, was reported to the vendor more than half a year ago.

“A buffer size validation vulnerability in the overlayd service of Juniper Networks Junos OS may allow an unauthenticated remote attacker to send specially crafted packets to the device, triggering a partial Denial of Service (DoS) condition, or leading to remote code execution (RCE). Continued receipt and processing of these packets will sustain the partial DoS.” reads the security advisory published by the company. “The overlayd daemon handles Overlay OAM packets, such as ping and traceroute, sent to the overlay. The service runs as root by default and listens for UDP connections on port 4789. This issue results from improper buffer size validation, which can lead to a buffer overflow. Unauthenticated attackers can send specially crafted packets to trigger this vulnerability, resulting in possible remote code execution.” 

As per Nguyá»…n, an attacker who effectively exploits this vulnerability can acquire root admittance to the targeted system and afterward install a backdoor or configure the device “in any way they want.” The flaw can be exploited on its own and an assailant would not have to chain it with different vulnerabilities. 

Assaults from the internet are conceivable in theory, however, the vulnerable gadgets are normally not exposed to the web. The researcher believes that if such a system can be reached from the internet, it is likely misconfigured. 

The organization noticed that the overlays daemon runs naturally on MX and ACX series routers and QFX series switches. Different platforms are vulnerable if a Virtual Extensible LAN (VXLAN) overlay network is configured. Juniper said it had not known about any vindictive assaults exploiting this vulnerability, yet noticed that an assault can be dispatched against default configurations.
Read more »
SQL Injection
Cyber Security Open Source Software RCE SQL Injection

Open Source Software Vulnerabilities Leads to RCE

 

Various vulnerabilities in open source video platforms YouPHPTube and AVideo could be utilized to accomplish remote code execution (RCE) on a client's gadget. It can take an average of more than four years for vulnerabilities in open-source software to be detected, an area in the security community that needs to be addressed, researchers say. Experts from Synacktiv found various vulnerabilities in the source code-shared by the ventures that were because of an absence of client input sanitization, a related write-up reads. The issues incorporate an unauthenticated SQL injection vulnerability, multiple cross-site scripting (XSS) flaws, and a file write vulnerability. 

SQL injection is a code injection technique, used to assault information-driven applications, in which vindictive SQL articulations are embedded into an entry field for execution (for example to dump the database contents to the assailant). 

SQL injection should abuse a security vulnerability in an application's product. SQL injection assaults permit attackers to spoof identity, alter existing information, cause repudiation issues, for example, voiding transactions or changing balances, permit the total divulgence of all information on the system, destroy the information or make it in any case inaccessible, and become administrators of the database server.

Numerous reflected XSS vulnerabilities could be utilized to steal administrators' session cookies and perform actions as an administrator. A file write flaw could permit an administrator to execute malevolent code on the server. 

Synacktiv said there is no official workaround right now, but added that clients ought to purify $catName input information appropriately prior to processing SQL queries to avoid SQL injection. “Removing simple quotes is not a sufficient process,” researchers added. The vulnerabilities influence AVideo variants 10.0 and below, and YouPHPTube renditions 7.8 and below. 

The open-source community now plays a critical part in the improvement of software, but similarly, as with any other industry, vulnerabilities will exist. GitHub says that project developers, maintainers, and clients should check their dependencies for vulnerabilities consistently and ought to consider implementing automated alerts to remedy security issues in a more efficient and fast manner. 

"Open source is critical infrastructure, and we should all contribute to the security of open-source software," GitHub added. "Using automated alerting and patching tools to secure software quickly means attack surfaces are evolving, making it harder for attackers to exploit."
Read more »
Vulnerabilities and Exploits
Bug Captain Freak Node.js RCE Vulnerabilities and Exploits

Node.js Detected with Vulnerability encountered by Captain Freak

 

Node.js is a cross-platform, open-source, JavaScript back-end operating environment running on Chrome V8 and running JavaScript programming from outside a Web browser. Recently a vulnerability in Node.js could have been used to exploit the framework and achieve remote code execution (RCE). 

A report published on January 23, by Shoeb 'Captain Freak' Patel a self-described 'want to be' security researcher, says that the analysis indicates that Express.js might be prone to read local file errors. In conjunction with an old version of the Handlebars engine (Handlebars is a popular templating engine for web applications.), the malicious code may be run remotely. “If you are using Express.Js with Handlebars as templating engine invoked via hubs view engine, for Server Side Rendering, you are likely vulnerable to Local File Read (LFR) and potential Remote Code Execution (RCE),” stated Captain Freak. 

Further Captain Freak has claimed that because of his experience with the developer's code he wanted to search for flaws in Node.js, Express.js, and Handlebars. He said that he "stumbled" last week over a vital local security file that demanded a payload of fewer than 10 lines of code for the RCE exploit, and “To be honest, I should not have been that surprised.” 

“The betrayal by in-built modules, dependencies, and packages have been the reason to introduce numerous security bugs. This is a recurring theme in software security,” added Captain Freak. 

He elucidated that if the target user is responding with X-Powered-By: Express and there is HTML in responses, it’s highly likely that Node.js with server-side templating is being used. For which the user can attach a layout to the discovery for the GET or POST body parameter in their wordlist. If the arbitrary value of layout parameter added is resulting in 500 Internal Server Error with ENOENT: no such file or directory in body, then the user has hit the LFR. 

The treason of built-in modules, dependencies, and applications has contributed to various security vulnerabilities. In software safety, this is still a recurrent issue. Captain Freak created a CTF challenge to verify whether or not this was understood, and he shared it with several of his talented friends from different Network security, Node, Backend Tech, CTF, and Bug Bounty internet forums. 

Later this turned out to be a not known vulnerability, only 4 people (all CTFers) were able to solve this problem even after providing the whole source code. Captain Freak discovered, strange code at Node.js, that any file with an extension could be read from the root view directory, + layout and forwarded to handlebars; Compilation of which lets us use the HTML file that we fully monitor after compiling the file. RCE will then be triggered with particular specifications, requiring the use of versions 4.0.3 and below. This issue has been patched in Handlebars versions 4.1.2, 4.0.14, and later. 

“I wrote about it so that the whole Node.js and web development community [would] know about this quirky behavior in this stack,” stated Captain Freak.
Read more »
Subscribe to: Posts (Atom)