Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label SQL. Show all posts
Vulnerabilities and Exploits
EMS Platform Fortinet FortiClient SQL Vulnerabilities and Exploits

Critical Fortinet FortiClient EMS Flaw Now Actively Exploited in Cyberattacks

 

A critical vulnerability in Fortinet’s FortiClient EMS platform is now being actively exploited in real‑world attacks, according to threat‑intelligence firm Defused. Tracked as CVE‑2026‑21643, this SQL injection bug affects FortiClient EMS version 7.4.4 and allows unauthenticated attackers to run arbitrary code or commands through the platform’s web interface. The flaw can be triggered by specially crafted HTTP requests that smuggle malicious SQL statements via the Site header, giving an attacker a powerful foothold on unpatched systems. 

Modus operandi 

The vulnerability lives in the FortiClient EMS GUI, which organizations use to manage and deploy Forticlient endpoints across their networks. By manipulating the Site header in an HTTP request, an attacker can inject SQL code into the back‑end database, bypassing authentication entirely. This “low‑complexity” attack vector means that even unsophisticated adversaries can weaponize the bug if they can reach the exposed web interface. Because the flaw is critical, it can lead to full system compromise, data theft, or a springboard into a broader corporate network. 

Defused reported that it observed the first exploitation of CVE‑2026‑21643 just four days after the initial vulnerability disclosures. The firm noted that over 900 FortiClient EMS instances are publicly exposed on the internet according to Shodan data, giving attackers a large pool of potential targets. Meanwhile, Internet‑security watchdog Shadowserver is tracking more than 2,000 exposed FortiClient EMS web interfaces, with over 1,400 IPs located in the United States and Europe. Despite this, Fortinet has not yet updated its advisory to mark the bug as “exploited in the wild,” even though a local media outlet reached out to confirm active attacks. 

Fortinet vulnerabilities have repeatedly been abused in ransomware and cyber‑espionage campaigns, often as zero‑days while patches are still rolling out. In the case of FortiClient EMS, prior SQL injection flaws were exploited in ransomware attacks and by state‑sponsored groups such as China’s “Salt Typhoon” to breach telecom providers. CISA has already flagged 24 Fortinet vulnerabilities as known‑exploited, 13 of which were tied directly to ransomware. That history makes this new FortiClient EMS bug a high‑priority item for organizations relying on Fortinet for endpoint security.

Mitigation tips 

Fortinet recommends upgrading affected FortiClient EMS systems to version 7.4.5 or later to close the CVE‑2026‑21643 vulnerability. Organizations should also review their internet‑exposed EMS interfaces and, where possible, restrict access behind VPNs or firewalls instead of leaving the GUI wide open online. In parallel, IT and security teams should hunt for anomalous database or system‑level activity that might indicate prior exploitation, such as unexpected command execution or lateral movement from the EMS server. Given Fortinet’s track record as a prime target for ransomware actors, patching this flaw quickly and validating exposure can significantly reduce the risk of a major breach.
Read more »
United Kingdom
AI prompt injection attack Artificial Intelligence Cyber Security NCSC SQL United Kingdom

UK Cyber Agency says AI Prompt-injection Attacks May Persist for Years

 



The United Kingdom’s National Cyber Security Centre has issued a strong warning about a spreading weakness in artificial intelligence systems, stating that prompt-injection attacks may never be fully solved. The agency explained that this risk is tied to the basic design of large language models, which read all text as part of a prediction sequence rather than separating instructions from ordinary content. Because of this, malicious actors can insert hidden text that causes a system to break its own rules or execute unintended actions.

The NCSC noted that this is not a theoretical concern. Several demonstrations have already shown how attackers can force AI models to reveal internal instructions or sensitive prompts, and other tests have suggested that tools used for coding, search, or even résumé screening can be manipulated by embedding concealed commands inside user-supplied text.

David C, a technical director at the NCSC, cautioned that treating prompt injection as a familiar software flaw is a mistake. He observed that many security professionals compare it to SQL injection, an older type of vulnerability that allowed criminals to send harmful instructions to databases by placing commands where data was expected. According to him, this comparison is dangerous because it encourages the belief that both problems can be fixed in similar ways, even though the underlying issues are completely different.

He illustrated this difference with a practical scenario. If a recruiter uses an AI system to filter applications, a job seeker could hide a message in the document that tells the model to ignore existing rules and approve the résumé. Since the model does not distinguish between what it should follow and what it should simply read, it may carry out the hidden instruction.

Researchers are trying to design protective techniques, including systems that attempt to detect suspicious text or training methods that help models recognise the difference between instructions and information. However, the agency emphasised that all these strategies are trying to impose a separation that the technology does not naturally have. Traditional solutions for similar problems, such as Confused Deputy vulnerabilities, do not translate well to language models, leaving large gaps in protection.

The agency also stressed upon a security idea recently shared on social media that attempted to restrict model behaviour. Even the creator of that proposal admitted that it would sharply reduce the abilities of AI systems, showing how complex and limiting effective safeguards may become.

The NCSC stated that prompt-injection threats are likely to remain a lasting challenge rather than a fixable flaw. The most realistic path is to reduce the chances of an attack or limit the damage it can cause through strict system design, thoughtful deployment, and careful day-to-day operation. The agency pointed to the history of SQL injection, which once caused widespread breaches until better security standards were adopted. With AI now being integrated into many applications, they warned that a similar wave of compromises could occur if organisations do not treat prompt injection as a serious and ongoing risk.


Read more »
Technology
AI/ML vulnerabilities Artificial Intelligence Cybersecurity SQL Technology

How Security Teams Can Turn AI Into a Practical Advantage

 



Artificial intelligence is now built into many cybersecurity tools, yet its presence is often hidden. Systems that sort alerts, scan emails, highlight unusual activity, or prioritise vulnerabilities rely on machine learning beneath the surface. These features make work faster, but they rarely explain how their decisions are formed. This creates a challenge for security teams that must rely on the output while still bearing responsibility for the outcome.

Automated systems can recognise patterns, group events, and summarise information, but they cannot understand an organisation’s mission, risk appetite, or ethical guidelines. A model may present a result that is statistically correct yet disconnected from real operational context. This gap between automated reasoning and practical decision-making is why human oversight remains essential.

To manage this, many teams are starting to build or refine small AI-assisted workflows of their own. These lightweight tools do not replace commercial products. Instead, they give analysts a clearer view of how data is processed, what is considered risky, and why certain results appear. Custom workflows also allow professionals to decide what information the system should learn from and how its recommendations should be interpreted. This restores a degree of control in environments where AI often operates silently.

AI can also help remove friction in routine tasks. Analysts often lose time translating a simple question into complex SQL statements, regular expressions, or detailed log queries. AI-based utilities can convert plain language instructions into the correct technical commands, extract relevant logs, and organise the results. When repetitive translation work is reduced, investigators can focus on evaluating evidence and drawing meaningful conclusions.

However, using AI responsibly requires a basic level of technical fluency. Many AI-driven tools rely on Python for integration, automation, and data handling. What once felt intimidating is now more accessible because models can draft most of the code when given a clear instruction. Professionals still need enough understanding to read, adjust, and verify what the model generates. They also need awareness of how AI interprets instructions and where its logic might fail, especially when dealing with vague or incomplete information.

A practical starting point involves a few structured steps. Teams can begin by reviewing their existing tools to see where AI is already active and what decisions it is influencing. Treating AI outputs as suggestions rather than final answers helps reinforce accountability. Choosing one recurring task each week and experimenting with partial automation builds confidence and reduces workload over time. Developing a basic understanding of machine learning concepts makes it easier to anticipate errors and keep automated behaviours aligned with organisational priorities. Finally, engaging with professional communities exposes teams to shared tools, workflows, and insights that accelerate safe adoption.

As AI becomes more common, the goal is not to replace human expertise but to support it. Automated tools can process large datasets and reduce repetitive work, but they cannot interpret context, weigh consequences, or understand the nuance behind security decisions. Cybersecurity remains a field where judgment, experience, and critical thinking matter. When organisations use AI with intention and oversight, it becomes a powerful companion that strengthens investigative speed without compromising professional responsibility.



Read more »
Vulnerability Exploit
Clop Group Cybersecurity Breach Data Breach Enterprise security GlobalLogic Incident response Oracle Zero-Day Ransomware attack SQL Threat Intelligence Vulnerability Exploit

GlobalLogic Moves to Protect Workforce After Oracle-related Data Theft

 


A new disclosure that underscores the increasing sophistication of enterprise-level cyberattacks underscores the need to take proactive measures against them. GlobalLogic has begun notifying more than ten thousand of its current and former employees that their personal information was compromised as a result of a security breach connected to an Oracle E-Business Suite zero-day flaw. 

An engineering services firm headquartered in the United States, owned by Hitachi, announced the breach to regulators after determining that an unknown attacker exploited an unpatched vulnerability in the Oracle platform, the core platform used to manage finance, human resources, and operational processes at the company, so that sensitive data belonging to 10,000 employees was stolen. 

The Maine Attorney General's office reported to the Maine State Attorney General that attackers had infiltrated GlobalLogic's environment with an advanced SQL-injection chain mapped to MITRE techniques T1190 and T1040, deploying a persistent backdoor through an Oracle Forms vulnerability, obtaining extensive employee data, including identification, contact information, passport information, tax and salary data, and bank account numbers, as well as extensive employee records. 

The signs of compromise point to a coordinated data-extortion campaign in which privilege-escalation events were used to maintain prolonged access to data. Indicators like malicious IP ranges and rogue domains indicate that the attack was coordinated. In the aftermath of Oracle's security patches being released, GlobalLogic announced that an immediate investigation had been conducted, and the company is now urging the rapid implementation of vendor updates, enhanced logging, and temporary hardening measures in order to mitigate further risk. 

With Hitachi's acquisition of the company in 2021, it has now served more than 600 enterprise clients around the world, and the company has officially reported the breach to California and Maine regulators, who confirmed that more than 10,500 current and former employees' personal information was exposed in the attack. 

During GlobalLogic's investigation, it was discovered that the intrusion was a part of a larger campaign that was coordinated by the Clop ransomware group, which has been exploiting a zero-day flaw in Oracle's E-Business Suite since at least July in order to snare huge amounts of corporate information. There have been reports that several companies have been caught in this wave of attacks, and many are only aware of their compromise after they receive extortion emails from extortionists. Analysts are claiming that dozens of companies have been compromised.

It is reported by GlobalLogic that the company discovered the breach on October 9 but it was later discovered that the attackers gained access to the server on July 10, with the most recent malicious activity occurring on August 20 according to GlobalLogic's filings. Despite the fact that the incident was contained to the Oracle platform, the sheer amount of sensitive and high-level data stolen—from contact information to internal identifiers to passports to tax records to salary information to bank account numbers—does not make it easy for the severity of the attack to be noted. 

A spokesperson for the company said that they immediately activated their incident response protocols, notified the law enforcement, and consulted external forensic experts after the zero-day exploit was discovered (CVE-2025-61882) was discovered, and that Oracle's patch for the vulnerability (CVE-2025-61882) was applied once it was released. 

Security researchers later confirmed that Clop hacked numerous victims over a period of several months by exploiting multiple vulnerabilities within the same platform, demanding ransoms that often reached eight-figure sums. It has been reported that nearly 30 organizations are currently listed on Clop's website after a breach of their systems was discovered last week. If these organizations do not pay the restitution, they will face public exposure. The kind of information exposed in the GlobalLogic breach highlights how sophisticated the attackers were. 

According to the company's disclosure, the stolen data was representative of a wide range of personal information that is typically kept in human resources systems, such as names, home addresses, telephone numbers, addresses for emergency contacts, and identifiers for internal employees.

There were a variety of individuals whose exposure to cyber attacks was far more in-depth and involved email addresses, dates and countries of birth, nationalities, passports, tax and national identification numbers such as Social Security details, salary information, and full banking credentials for their online banking accounts. 

A ransomware group known as Clop has been associated with several high-profile Oracle EBS data theft operations, as well as adding major companies to its Tor-based leak site, including Harvard University, Envoy Air, and The Washington Post, whose stolen data is already available via torrent downloads from a number of sources. Despite the fact that GlobalLogic's information has not yet appeared on the leak portal, security analysts have said that the omission may be indicative of ongoing negotiations, or that a ransom has already been paid by the company. 

The company spokesperson refused to comment on whether any demands were being addressed, but confirmed Clop has publicly claimed responsibility for the breach. Now that the gang is being questioned more closely by the U.S. authorities after previously exploiting Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer in mass-scale data breaches, they are under greater scrutiny than ever before. 

According to the State Department, there is a reward for intelligence that can be provided tying the group's operations to a foreign government worth up to $10 million. In light of this incident, industry officials are calling for improved patch management, proactive threat hunting, and tighter oversight of third-party platforms supporting critical business operations that are used by critical business units. 

According to GlobalLogic's analyst, the company's experience shows just how quickly a single vulnerability can lead to widespread damage when exploited by highly coordinated ransomware groups, particularly if the vulnerability has not yet been patched. 

Despite continuing to investigate Clop's broader campaign, experts urge organizations to adopt continuous monitoring, strengthen vendor risk controls, and prepare for the likelihood that they will be the victim of future zero day exploits in the following years, as the modern enterprise threat landscape is now characterized by zero-day threats.
Read more »
XE Group
CVSS CyberCrime Cyberhackers CyberThreat Microsoft Software SQL Vulnerabilities and Exploits XE Group

XE Group Rebrands Its Cybercrime Strategy by Targeting Supply Chains

 


Over the past decade, there has been a rise in the number of cyber threats targeting the country, including the XE Group, a hacker collective with Vietnamese connections. According to recent investigations, the group was responsible for exploiting two zero-day vulnerabilities in VeraCore's warehouse management platform, CVE-2025-25181 and CVE-2025-57968 known to be zero-day vulnerabilities. 

A suite of reverse shells and web shells that exploit these vulnerabilities were deployed by the adversaries, allowing them to gain remote access to targeted systems in covert ways. This development is an indication of the group's sophisticated cyber-attack techniques. Identified as CVE-2024-57968, the vulnerability is a critical upload validation vulnerability with a CVSS score of 9.9, affecting versions before 2024.4.2.1, and can allow adversaries to upload files into non-intended directories, which could result in unauthorized access to the files. 

Adventure VeraCore up to version 2025.1.0 is vulnerable to SQL injection flaw CVE-2025-25181, which could be exploited remotely to execute arbitrary SQL commands through the remote execution of SQL commands. In addition to the XE Group's past association with credit card fraud, their focus has now switched to targeted data theft, particularly within manufacturing and distribution organizations. 

Several recent attacks have been perpetrated by threat actors who exploited VeraCore security issues to install Web Shells, which allowed them to execute various malicious activities and remain persistent within compromised environments while they executed their malicious activities. The group's continued sophistication and adaptability in the cyber threat landscape is reflected in this recent report, which details a compromise of a Microsoft Internet Information Services (IIS) server where VeraCore's warehouse management system software is hosted, and it indicates the company's growing sophistication. 

Upon further analysis of this incident, it was discovered that the initial breach occurred in January 2020 as a result of a zero-day vulnerability in SQL injection. It is speculated that As a result of this exploitation, The XE Group deployed customized web shells, which researchers have described as very versatile tools that are designed to maintain persistent access inside victim environments as well as run SQL queries regarding those environments.

As an example, in the case of the compromised IIS server, the attackers reactivated a web shell that was planted four years earlier, showing that they have retained a foothold in the infrastructure targeted by them for many years. Security vendors have been warning that the XE Group is actively targeting supply chains in the manufacturing and distribution sectors. Though the group has historically been associated with extensive credit card skimming operations, it has recently gained a reputation for exploiting zero-day vulnerabilities to do more damage. 

According to researchers, the group's continued ability to adapt and increase sophistication underscores the group's ability to remain agile and sophisticated over the years. The reactivation of an older web shell indicates the group's strategic focus on achieving long-term operational objectives by maintaining long-term access to compromised systems. 

To enhance the threat investigation process, the rules have been designed to be compatible with several SIEM (Security Information and Event Management) systems, Endpoint Detection and Response systems (EDR), and Data Lake solutions aligned with the MITRE ATT&CK framework. There is a variety of metadata that is accessible in each rule, including references to cyber threat intelligence, attack timelines, triage recommendations, and audit configurations, guaranteeing that security analysis has a structured approach. 

Additionally, SOC Prime's Uncoder AI (Artificial Intelligence) capabilities enable the quick development of custom IOC-based queries that will be seamlessly integrated with SIEM and EDR platforms, thus eliminating the need for security professionals to manually search for indicators of compromise (IOCs). Intezer's analysis of XE Group activity and SOC Prime's Uncoder AI were used to achieve this.

As an alternative to the corporate-only service offered previously by Uncoder AI, customers can now benefit from Uncoder AI's full suite of capabilities, which enhances accessibility for independent risk analysis performed by individual researchers. As a consequence of the XE Group's adoption of zero-day exploits as part of their attack strategy, it became increasingly clear that adversarial techniques are becoming more sophisticated and adaptable, making it necessary to enter into proactive defence measures as soon as possible.

SOC Prime Platform is a scalable tool designed to assist organizations in enhancing their security posture, countering evolving threats effectively, and mitigating risks associated with adding more attack surfaces in an increasingly complex cyber landscape by utilizing the tools provided by the platform. The XE Group has exploited two zero-day VeraCore vulnerabilities, CVE-2025-25181 and CVE-2025-50308, in recent attacks in an attempt to deploy one or more web shells on compromised systems. 

These two vulnerabilities are critical upload validation flaws (CVSS 9.9) and SQL injection flaws (CVSS 5.7), respectively. In a report published jointly by Solis and Intezer, the researchers reported that the group exploited one of these vulnerabilities as early as January 2020 and maintained persistent access to the victim's environment for several years afterwards. There was an attempt in 2024 by some threat actors to reactivate a previously deployed web shell, demonstrating their ability to avoid detection while maintaining long-term access to compromised systems as they remain undetected. 

XE Group's evolving tactics come as part of a broader trend that threats are exploring the software supply chain as a way to achieve their goals. Some notable precedents include the SolarWinds attack, breaches into Progress Software's MOVEit file transfer product, an Okta intrusion that affected all customers, and an Accellion breach that enabled ransomware to be deployed on an organization's network.
Read more »
SQL
Cyber Attacks Data Security Tiktok Election Security Elections Infrastructure Romania Russia Security Breaches SQL

Romania Annuls Elections After TikTok Campaign and Cyberattacks Linked to Russia

 


Romania’s Constitutional Court (CCR) has annulled the first round of its recent presidential elections after intelligence reports revealed extensive foreign interference. Cyberattacks and influence campaigns have raised serious concerns, prompting authorities to reschedule elections while addressing security vulnerabilities. 
  
Cyberattacks on Election Infrastructure

The Romanian Intelligence Service (SRI) uncovered relentless cyberattacks targeting key election systems between November 19th and November 25th. Attackers exploited vulnerabilities to compromise platforms such as:
  • Bec.ro: Central Election Bureau system.
  • Registrulelectoral.ro: Voter registration platform.
Key findings include:
  • Methods Used: SQL injection and cross-site scripting (XSS) exploited to infiltrate systems.
  • Leaked Credentials: Stolen login details shared on Russian cybercrime forums.
  • Server Breach: A compromised server linked to mapping data allowed access to sensitive election infrastructure.
  • Origin: Attacks traced to devices in over 33 countries, suggesting state-level backing.
While the SRI has not explicitly named Russia, the attack methods strongly indicate state-level involvement. TikTok Influence Campaign Beyond cyberattacks, a coordinated TikTok influence campaign sought to sway public opinion in favor of presidential candidate Calin Georgescu:
  • Influencers: Over 100 influencers with a combined 8 million followers participated.
  • Payments: Ranged from $100 for smaller influencers to substantial sums for those with larger followings.
  • Impact: Pro-Georgescu content peaked on November 26th, ranking 9th among TikTok’s top trending videos.
  • Activity Pattern: Many accounts involved were dormant since 2016 but became active weeks before the election.
Romania’s Ministry of Internal Affairs (MAI) noted parallels between Georgescu’s messaging and narratives supporting pro-Russian candidates in Moldova, further tying the campaign to Russian influence efforts. Geopolitical Implications Romania’s Foreign Intelligence Service (SIE) linked these actions to a broader Russian strategy to destabilize NATO-aligned countries:

Goals: Undermine democratic processes and promote eurosceptic narratives.

Target: Romania’s significant NATO presence makes it a critical focus of Russian propaganda and disinformation campaigns.

Election Annulment and Future Challenges 
 
On November 6th, the CCR annulled the election’s first round, citing security breaches and highlighting vulnerabilities in Romania’s electoral infrastructure. Moving forward:
  • Cybersecurity Enhancements: Authorities face mounting pressure to strengthen defenses against similar attacks.
  • Disinformation Countermeasures: Efforts to combat influence campaigns are essential to safeguarding future elections.
  • Warning from SRI: Election system vulnerabilities remain exploitable, raising concerns about upcoming elections.
The incidents in Romania underscore the rising threat of cyberattacks and influence operations on democratic processes worldwide, emphasizing the urgent need for robust security measures to protect electoral integrity.
Read more »
SQL
2FA CVE CVE vulnerability CVEs Cyber Security E-Commerce Websites Patchstack PII Plugin Plugin Flaws SQL

Critical Vulnerability in TI WooCommerce Wishlist Plugin Exposes 100K+ Sites to SQL Attacks

 

A critical vulnerability in the widely-used TI WooCommerce Wishlist plugin has been discovered, affecting over 100,000 WordPress sites. The flaw, labeled CVE-2024-43917, allows unauthenticated users to execute arbitrary SQL queries, potentially taking over the entire website. With a severity score of 9.3, the vulnerability stems from a SQL injection flaw in the plugin’s code, which lets attackers manipulate the website’s database. This could result in data breaches, defacement, or a full takeover of the site. As of now, the plugin remains unpatched in its latest version, 2.8.2, leaving site administrators vulnerable. 

Cybersecurity experts, including Ananda Dhakal from Patchstack, have highlighted the urgency of addressing this flaw. Dhakal has released technical details of the vulnerability to warn administrators of the potential risk and has recommended immediate actions for website owners. To mitigate the risk of an attack, website owners using the TI WooCommerce Wishlist plugin are urged to deactivate and delete the plugin as soon as possible. Until the plugin is patched, leaving it active can expose websites to unauthorized access and malicious data manipulation. If a website is compromised through this flaw, attackers could gain access to sensitive information, including customer details, order histories, and payment data. 

This could lead to unauthorized financial transactions, stolen identities, and significant reputational damage to the business. Preventing such attacks requires several steps beyond removing the vulnerable plugin. Website administrators should maintain an updated security system, including regular patching of plugins, themes, and the WordPress core itself. Using a Web Application Firewall (WAF) can help detect and block SQL injection attempts before they reach the website. It’s also advisable to back up databases regularly and ensure that backups are stored in secure, off-site locations. Other methods of safeguarding include limiting access to sensitive data and implementing proper data encryption, particularly for personally identifiable information (PII). 

Website administrators should also audit user roles and permissions to ensure that unauthorized users do not have access to critical parts of the site. Implementing two-factor authentication (2FA) for site logins can add an extra layer of protection against unauthorized access. The repercussions of failing to address this vulnerability could be severe. Aside from the immediate risk of site takeovers or data breaches, businesses could face financial loss, including costly recovery processes and potential fines for not adequately protecting user data. Furthermore, compromised sites could suffer from prolonged downtime, leading to lost revenue and a decrease in user trust. Rebuilding a website and restoring customer confidence after a breach can be both time-consuming and costly, impacting long-term growth and sustainability.  

In conclusion, to safeguard against the CVE-2024-43917 vulnerability, it is critical for website owners to deactivate the TI WooCommerce Wishlist plugin until a patch is released. Administrators should remain vigilant by implementing strong security practices and regularly auditing their sites for vulnerabilities. The consequences of neglecting these steps could lead to serious financial and reputational damage, as well as the potential for legal consequences in cases of compromised customer data. Proactive protection is essential to maintaining business continuity in the face of ever-evolving cybersecurity threats.
Read more »
SQL
Cyberattacks Cybersecurity MOVEitm Vulnerabilities and Exploits SQL

Patch Now or Peril: MOVEit Transfer Customers Urged to Address Critical Vulnerability

 


MOVEit Transfer software has been identified as vulnerable to a critical vulnerability. This prompts customers to patch their systems urgently to prevent vulnerability spread. The flaw, identified as CVE-2023-36934, allows an attacker to gain elevated privileges without the user being prompted to authenticate. It also allows an attacker to execute arbitrary commands on an affected system without the user being required to do so. 

The unfixable nature of this vulnerability can result in unauthorized access to information, data breaches, and disruptions to critical business functions. This is if the problem is not addressed. It is recommended that Barracuda MSP users apply the latest vendor patch as soon as possible to mitigate the risk in MOVEit Transfer.

An SQL injection vulnerability lets attackers execute code to gain access to a database or tamper with it by triggering a special query that causes the database to be compromised. There must be a lack of adequate input/output data sanitization in the target application to make these attacks possible.

In the past few months, Progress, the company that developed MOVEit Transfer, has discovered multiple SQL injection vulnerabilities, including one that can be exploited without authentication credentials in the application, named CVE-2023-36934. 

There are several security flaws known as SQL Injection vulnerabilities. If exploited, attackers could manipulate databases and run any code they wanted. Some attacks are used to change or expose sensitive data in a database. This is done when the attackers send specially designed payloads to certain endpoints of the application that is affected. 

Is There a Threat? 

An unauthenticated remote attacker could exploit the CVE-2023-36934 vulnerability to execute arbitrary commands on vulnerable MOVEit Transfer systems without requiring authentication. An attacker can exploit this vulnerability by gaining access to the system without authorization, compromising sensitive data, or being able to perform malicious activities on the system with elevated privileges. The vulnerability can be exploited without any user interaction and authentication, which makes it extremely dangerous due to the lack of user interaction or authentication required. 

A second vulnerability is referred to as CVE-2023-36932, while the third vulnerability is designated as CVE-2023-36933. Even though the CVE-2023-36932 vulnerability exists, attackers can exploit it while logged in to gain unauthorized access to the MOVEit Transfer database through the SQL injection flaw. MOVEit Transfer is vulnerable to a vulnerability called CVE-2023-36933, which is a vulnerability that can allow attackers to shut down the program unexpectedly in case they exploit it.

These vulnerabilities affect multiple MOVEit Transfer versions, including 12.1.10 and previous versions, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and older, 14.1.7 and older, and 15.0.3 and previous versions. 


Are There Any Risks or Exposures? 

There is a potential for further compromise of the system as a result of this vulnerability. Using the MOVEit Transfer software to gain unauthorized access to the affected system can then allow the attacker to exploit the compromised system and move laterally across the network as soon as they have gained access. There is a possibility that they will elevate privileges and compromise additional systems or resources as a result. There is a possibility of a massive breach to occur, as well as the exfiltration of sensitive information, or the disruption of interconnected systems within an organization as a result. 

To exploit this vulnerability, there is no need for users to interact with it or provide authentication. Thus, this poses a significant risk to any organization that is using the affected software. In a wide range of industries, such as finance, healthcare, government, and manufacturing, companies say that secure file transfers are essential to the smooth operation of their organizations.

Depending on the severity of the damage caused, organizations handling sensitive or regulated forms of data, such as personally identifiable information (PII) or protected health information (PHI), may face severe consequences if this vulnerability leads to the compromise of this data. HackerOne and Trend Micro's Zero Day Initiative report that they have responsibly reported these vulnerabilities to Progress Software. 

There are multiple vulnerabilities in the MOVEit Transfer product which affect the following versions: 12.1.10 and older, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and older, 14.1.7 and older, as well as 15.0.3 and older. Several important updates have been made available by Progress Software to make MOVEit Transfer compatible with all major versions of the program.

To reduce the risks posed by these vulnerabilities, it is strongly recommended that users update their versions of MOVEit Transfer to the latest versions.
Read more »
zero Day vulnerability
File Transfer Tool Security Advisory SQL Unpatched Flaws Vulnerabilities and Exploits zero Day vulnerability

Progress Software Advises MOVEit Customers to Patch Third Severe Vulnerability

 

Customers of MOVEit are being urged by Progress Software to update their software in less than a month to address a third severe vulnerability. 

According to the most recent vulnerability, identified as CVE-2023-35708, an unauthenticated attacker may be able acquire escalated privileges and gain entry to the MOVEit Transfer database through a SQL injection bug.

In a warning, Progress states that, “an attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

Versions of MOVEit Transfer prior to 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3) are affected by the vulnerability.

On June 15, proof-of-concept (PoC) code aimed at exploiting the flaw was made available. Progress quickly responded, noting that the flaw was made public "in a way that did not follow normal industry standards." 

After a zero-day vulnerability was discovered on May 31 and a second severe bug was patched a week later, Progress has now fixed three critical SQL injection flaws in its MOVEit products in around three weeks. CVE-2023-35708 is the most recent of these. 

Security experts discovered evidence indicating that exploitation may have begun two years prior to the initial flaw, CVE-2023-34362, which only began to be widely exploited in late May.

Attacks on the MOVEit zero-day have affected more than 100 organisations. The Cl0p ransomware gang is responsible for the most recent campaign, and it has begun naming some of the victims in public.

The British Broadcasting Corporation, British Airways, Aer Lingus, the Nova Scotia government, the U.S. Department of Energy, the Louisiana Office of Motor Vehicles, the Oregon Department of Transportation, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE) are just a few of the organisations that have been identified as victims to date. 

Austria, France, Germany, Luxembourg, the Netherlands, Switzerland, the United Kingdom, and the United States all have victims. Malwarebytes adds that the majority of the victims are in the US. 

On June 9, CVE-2023-35036, the second vulnerability, was made public; however, it does not seem to have been used in the wild. Even though Progress claims to be unaware of any exploits for CVE-2023-35708, it advises users to install the most recent updates as soon as feasible.

“All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer,” the company added. 

Customers should stop HTTP and HTTPS traffic, limiting access to localhost only, apply the updates that are available (the June 15th patch also fixes the prior vulnerabilities), and then re-enable HTTP and HTTPS traffic to prevent unauthorised access to the MOVEit Transfer environment. 

To fix the issues, Progress has published both DLL drop-in fixes and entire MOVEit Transfer installers. The company's advisory provides more details on how to apply the updates.
Read more »
SQL
Botnet Cloud Security Command and Control(C2) cryptomining DNS Flaw Hackers malware SQL

5 Methods for Hackers Overcome Cloud Security

Nearly every major company has used cloud computing to varying degrees in its operations. To protect against the biggest threats to cloud security, the organization's cloud security policy must be able to handle the integration of the cloud.

The vulnerability could be exploited against the on-premises version, but the Amazon Web Services (AWS) WAF prohibited all attempts to do so against the cloud version by flagging the SQL injection payload as malicious.

What is cloud security?

Cloud computing environments, cloud-based apps, and cloud-stored data are all protected by a comprehensive set of protocols, technologies, and procedures known as cloud security. Both the consumer and the cloud provider are jointly responsible for cloud security. 

It helps maintain data security and privacy across web-based platforms, apps, and infrastructure. Cloud service providers and users, including individuals, small and medium-sized businesses, and enterprises, must work together to secure these systems. 

How do hackers breach cloud security?

While crypto mining is the primary focus of each hacking operation at present time, some of their methods may be applied to more malicious aims in the future.

1. Cloud Misconfiguration

A major factor in cloud data breaches is incorrectly configured cloud security settings. The tactics used by many enterprises to maintain their cloud security posture are insufficient for safeguarding their cloud-based infrastructure.

Default passwords, lax access controls, improperly managed permissions, inactive data encryption, and various other issues are usual vulnerabilities. Insider threats and inadequate security awareness are the root causes of many of these flaws.

A large data breach could occur, for instance, if the database server was configured incorrectly and data became available through a simple online search.

2. Denonia Cryptominer

Cloud serverless systems using AWS Lambda are the focus of the Denonia malware. The Denonia attackers use a scheme that uses DNS over HTTPS often referred to as DoH, sending DNS requests to resolver servers that are DoH-based over HTTPS. As a result, the attackers can conceal themselves behind encrypted communication, preventing AWS from seeing their fraudulent DNS lookups. As a result, the malware is unable to alert AWS.

The attackers also seem to have thrown in hundreds of lines of user agent HTTPS query strings as additional distractions to divert or perplex security investigators. In order to avoid mitm attacks and endpoint detection & response (EDR) systems, analysts claim that the malware discovered a way to buffer the binary.

3. CoinStomp malware 

Cloud-native malware called CoinStomp targets cloud security providers in Asia with the intention of cryptojacking. In order to integrate into the Unix environments of cloud systems, it also uses a C2 group based on a dev/tcp reverse shell. Then, using root rights, the script installs and runs additional payloads as system-wide system services. 

4.WhatDog Crptojacker

The WatchDog crypto-mining operation has obtained as many as 209 Monero cryptocurrency coins. WatchDog mining malware consists of a multi-part Go Language binary set. One binary emulates the Linux WatchDog daemon mechanism. 

5. Mirai botnet 

In order to build a network of bots that are capable of unleashing destructive cyberattacks, the Mirai botnet searches the internet for unprotected smart devices before taking control of them.

When ARC-based smart devices are infected with the malware known as Mirai, a system of remotely operated bots is created. DDoS attacks are frequently carried out via botnets.
The Mirai malware is intended to attack weaknesses in smart devices and connect them to form an infected device network called a botnet by exploiting the Linux OS, which many Internet of Things (IoT) devices run on.

The WAF did not recognize the new SQL injection payload that Claroty researchers created, yet it was acceptable for the database engine to analyze. They did this by using a JSON syntax. All of the affected vendors responded to the research by including JSON syntax support in their products, but Claroty thinks additional WAFs may also be affected.


Read more »
Zimbra
Chinese Actors CVE Cyber Security Email Attacks IMAP Microsoft Exchange SQL XSS Flaw Zimbra

Zimbra Memcached Injection Bug Patched

According to SonarSource, an open-source alternative to email servers and collaboration platforms such as Microsoft Exchange. Since May 10, 2022, a patch has been released in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is utilized by organizations, governments, and financial institutions throughout the world. 

Unauthenticated attackers might contaminate an unwary victim's cache, according to Simon Scannell, a vulnerability researcher at Swiss security firm Sonar. The vulnerability has been assigned the number CVE-2022-27924 (CVSS: 7.5), and it has been described as a case of "Memcached poisoning with unauthorized access," which might allow an attacker to inject malicious commands and steal sensitive data. 

Since newline characters (\r\n) in untrusted user input were not escaped, attackers were able to inject arbitrary Memcached instructions into a targeted instance, causing cached entries to be overwritten. Memcached servers keep track of key/value pairs that may be created and retrieved using a simple text-based protocol and analyze data line by line. A malicious actor might alter the IMAP route entries for a known username by sending a specially crafted HTTP request to the susceptible Zimbra server, according to the researchers. When the genuine user logs in, the Nginx Proxy in Zimbra will send all IMAP communication, including the credentials in plain text, to the attacker. 

Knowing the victim's email address, and utilizing an IMAP client makes it easier for the attacker to abuse the vulnerability. A second attack technique allows users to circumvent the aforesaid constraints and steal credentials for any user with no involvement or knowledge of the Zimbra instance. This is accomplished through "Response Smuggling," a different approach that makes use of a web-based Zimbra client. Cross-site scripting (XSS) and SQL injection issues caused by a lack of input escaping "are well known and documented for decades," as per Scannell, but "other injection vulnerabilities can occur that are less well known and can have a catastrophic consequence." 

As a result Scannell, advises programmers to "be cautious of special characters that should be escaped when coping with technology where there is less documentation and research regarding potential vulnerabilities." The bug was discovered four months after Zimbra provided a hotfix for an XSS flaw that was exploited in a series of sophisticated spear-phishing efforts attributed to an undisclosed Chinese threat group.
Read more »
SQL
Avast Backdoor Chinese Actors Cyber Security Linux Kernel Linux RootKit Shellcode SQL

 New Linux Malware Syslogk has a Clever Approach of Staying Undetected

 

Syslogk, a newfound clever form of Linux malware, installs a backdoor that remains hidden on the target device until its controller sends so-called 'magic packets' from anywhere on the internet. It is mostly based on Adore-Ng, a Chinese open-source kernel rootkit for Linux. 

Adore-Ng which has been around since 2004, is a free open-source rootkit, that gives an attacker complete control over an infected system. Syslogk can force-load its packages into the Linux kernel (versions 3. x are supported), hide folders or spoof files and network traffic, and ultimately load a backdoor named 'Rekoobe.' 

How does the malware work?

Syslogk was originally discovered in early 2022, with the sample constructed for a specific kernel version – meaning it could be loaded without being forced – and the payload named PgSD93ql, which disguised it as a PostgreSQL file. 

"Rekoobe is a piece of code that has been placed in genuine servers," according to Avast security researchers. "In this case, it's embedded in a phony SMTP server that, when given a specially designed command, spawns a shell." 

The rootkit was created to hide harmful files, malicious software, and its malicious payload from showing on the list of operating services, to deliver the malicious payload when it received a specially constructed TCP packet, and to halt the payload if the attacker directed it to. 

Rekoobe appears to be a harmless SMTP server, but it is built on an open-source project called Tiny SHell, so it contains a backdoor command for generating a shell that allows it to run arbitrary instructions for data mining. Despite the restricted support for Linux kernel versions, Avast claims that using Syslogk and Rebooke on a bogus SMTP server gives an attacker a strong toolkit. 

The Syslogk rootkit is yet one piece of highly evasive malware for Linux systems, joining the likes of Symbiote and BPFDoor, which both exploit the BPF system to monitor and dynamically change network traffic. Ransomware campaigns, crypto attacks, and other data theft illicit behavior are increasingly being launched against Linux systems and cloud infrastructure making it a vulnerable target. 
 
As in the case of Syslogk, the initiative is in its early stages of development, so it's unclear whether it'll become a wide-scale threat. However, given its secrecy, it will almost certainly continue to release new and improved versions.
Read more »
Vulnerability and Exploits
APT actors C&C Chinese Actors CISA & FBI CVE vulnerability NSA SQL Vulnerabilities and Exploits Vulnerability and Exploits

China's Attacks on Telecom Providers Were Exposed by US

 

Since 2020, US cybersecurity and intelligence agencies have cautioned about state-sponsored cyber attackers located in China using network vulnerabilities to target public and private sector enterprises.

Chinese hacking gangs have used publicly known vulnerabilities to infiltrate everything from unpatched small office/home office (SOHO) routers to moderate and even big enterprise networks, according to a joint cybersecurity alert released on Tuesday by the NSA, CISA, and the FBI. 

Several servers are used by China-linked APTs to create new email accounts, host command and control (C&C) domains, and connect with target networks, using hop points as an obfuscation strategy to mask its true location."Once within a telecommunications organization or network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, including systems critical to ensuring the stability of authentication, authorization, and accounting," as per the report. 

These threat actors are continually altering their techniques to avoid detection, according to US authorities, including watching network defenders' actions and adjusting current attacks to remain undiscovered. 

They were also seen changing the infrastructure and tools when the campaigns were made public. After stealing credentials to access underlying SQL databases, the attackers utilized SQL commands to discard user and admin credentials from key Remote Authentication Dial-In User Service (RADIUS) servers. The three US agencies have revealed that Chinese threat actors primarily exploit vulnerabilities in: 
  • Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652)
  • Citrix (CVE-2019-19781) 
  • DrayTek (CVE-2020-8515) 
  • D-Link (CVE-2019-16920) 
  • Fortinet (CVE-2018-13382) 
  • MikroTik (CVE-2018-14847) 
  • Netgear (CVE-2017-6862) 
  • Pulse ( (CVE-2020-29583) 

Open-source tools such as RouterSploit and RouterScan (vulnerability scanning framework) are used by threat actors to scan for vulnerabilities and conduct reconnaissance, allowing them to identify brands, models, and known problems that can be attacked. 

"Once within a network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, particularly systems critical to maintaining the security of authentication, authorization, and accounting," as per the joint advisory.

Lastly, the attackers altered or deleted local log files to eliminate proof of its presence and avoid discovery. Security updates should be applied as quickly as feasible, unneeded ports and protocols should be disabled to reduce the attack surface, and end-of-life network infrastructure which no longer receives security patches should be replaced, according to federal agencies.

Segmenting networks to prevent lateral movement and enabling robust monitoring on internet-exposed services to discover attack attempts as soon as possible are also recommended.
Read more »
SQL
Chinese Hackers Cobalt Strike Google Microsoft Internet Explorer keylogger malware MySQL RAT SQL

Gh0stCringe Malware Recently Attacked Insecure Microsoft SQL and MySQL Servers

 

Hackers are deploying the Gh0stCringe remote support trojans on vulnerable computers by inadequately targeting secured Microsoft SQL and MySQL database servers. 

Gh0stCringe, also known as CirenegRAT, is a Gh0st RAT malware variant that was most recently used in Chinese cyber-espionage activities in 2020, however, it has been around since 2018. The malware has several instructions and functionalities which can be activated after the malware connects to its command and control server, or through data stored in the virus's settings. 

Attackers can use Gh0stCringe to download payloads like crypto miners from C2 servers, access specified websites via the Internet Explorer web browser, and even wipe the start-up disk's Master Boot Record (MBR). The malware includes a keylogger, which records input data in the Default. key file in the Windows System directory if it is activated. 

Threat actors are infiltrating database servers and writing the malicious'mcsql.exe' executable to disc utilizing the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes. These assaults are comparable to the Microsoft SQL server attempts, which used the Microsoft SQL xp cmdshell command to drop Cobalt Strike beacons. In addition to Gh0stCringe, AhnLab's study notes the presence of numerous malware samples on the investigated servers, implying potentially competing threat actors are infiltrating the same servers to drop payloads with its own operations.

Gh0stCringe RAT is a strong virus that can connect to a C2 server to receive custom commands or exfiltrate stolen data to the enemies. For an endless loop, the keylogging component uses the Windows Polling method (GetAsyncKeyState API) to ask the state of each key. This otherwise dependable recording mechanism carries the risk of very high CPU utilization, however, this is unlikely to cause issues for threat actors on poorly maintained servers. The malware will also record keystrokes for the previous three minutes and send them to the infection's command and control servers along with basic system and network information. 

Threat actors will be able to steal login passwords and other sensitive information that logged-in users entered on the device using these logged keystrokes. CirenegRAT has four operational modes: 0, 1, 2, and a specific Windows 10 mode which the threat actor can choose from during deployment.

Update your server software to install the most recent security upgrades, which can help you avoid a variety of attacks to make use of known flaws. It's also critical to use a secure admin password that can't be brute-forced. The most important step is to put the database server behind a firewall to only allow authorized devices to connect to it.
Read more »
WordPress
Acunetix vulnerability Cyber Attacks Cyber flaws FBI Iranian hackers Ransomware Threat SQL VPNS WordPress

FBI Issued a Warning to U.S Firms Concerning Iranian Hackers

 

The FBI issues a warning concerning Iranian hackers, posing as radical right organization Proud Boys during the 2020 presidential election, have now broadened operations, launching cyberattacks against a variety of industry divisions and spreading propaganda hostile to Saudi Arabia. 

"Over time, as Iranian operators have evolved both the strategic priorities and tradecraft, the hackers have matured into more proficient malicious attackers being capable of performing a whole spectrum of operations," read a Microsoft report.

Ransomware works by encrypting a device's data and making it inaccessible until the hacker receives a ransom payment. 

In a recent alert, the FBI stated, in addition to its election-related operation, the Emennet malicious attacker has been engaged in "conventional cyber exploitation activity," targeting industries such as news, transportation, tourism, oil and petrochemicals, telecoms, and financial services. It has been using VPNs to launch attacks on websites operated by certain software applications, such as WordPress, which cybercriminals can exploit to launch hacks in countries other than the United States, Europe, and the Middle East. 

The hackers employed multiple free source and commercial tools in activities, including SQLmap, Acunetix, DefenseCode, Wappalyzer, Dnsdumpster, Netsparker, wpscan, and Shodan, to mask location. The threat actor picked possible victims during the discovery phase of the hacking operations by browsing the web for prominent corporations representing various sectors. For initial access, the hackers would try to locate flaws in the program. 

"In certain cases, the goal may have been to target a large assortment of networks/websites inside a specific sector rather than a specific target company. Emennet would also attempt to discover hosting/shared hosting services in other scenarios," according to the FBI. 

Users must keep personal anti-virus and anti-malware products up to date, patch obsolete software, and make use of reliable web hosting companies, according to the authorities. In any case, Iran's state-sponsored hacker organizations aren't the only ones who have exploited the BIG-IP flaw.
Read more »
SQL
CMS Data Breach database MySQL SQL

SQL Triggers Used by Hackers to Compromise User Database

 

Over the past year, a broader pattern of WordPress malware with SQL triggers has occurred within infected databases to mask intrusive SQL queries. Whenever the trigger condition is fulfilled, these queries insert an admin-level user into a contaminated database. Users can use a MySQL database to store essential data, including CMS settings and a common CMS is used on their website (such as WordPress). Something that might change the MySQL database is whether injecting harmful code or removing the content of your Website, could also do severe harm to the website. 

Potential for protection is one factor why the MySQL database has its own unique username and password, which will deter someone from checking the MySQL database manually without the required login details. Unfortunately, if attackers have unauthenticated access, they can also read a wp-config.php file to understand the website's database authentication credentials — which can then be used to connect to the database using code from the attacker and malicious adjustments. 

An intruder with unwanted access to a website, who would like to create a permanent loophole if the files of the Website are washed, is indeed an example from real life.

An intruder's approach is to set an admin user in the CMS database of the website. Usually, these can be conveniently found in the administrative dashboard or SQL client. The unauthorized admin account is a loophole outside of the website and in the directory of the webserver. This knowledge is critical since owners of a compromised website will also forget the index. However, the exclusion of suspected users from the database of the website does not entail the removal of any potential backdoors. 

A SQL trigger is an automatically stored process that runs when certain database modifications are introduced. While there have been several useful implementations, that bad actors use SQL triggers to retain unwanted access after a compromise. To achieve this, attackers are placing a SQL trigger in a compromised website database and malicious activity is performed if specific conditions have been reached or an incident happens.

If attackers breach a site, they will bet on any database passwords that are stored in wp-config or other CMS configuration files — and once the hacker has obtained the data at any post-infection period, it can be extremely hard to identify if the hacker has harvested any valuable information. Users must change passwords, including the databases if a breach occurs. Failure to pursue this post-hack phase will allow an attacker to enter and change the website even after the user has assumed the infection was removed.
Read more »
Subscribe to: Comments (Atom)