Search This Blog

Showing posts with label Security Bug. Show all posts

Rozena Backdoor Deployed by Abusing the Follina Vulnerability

 

A newly discovered phishing campaign is exploiting the Follina security vulnerability to deploy a private backdoor, named Rozena on the Windows systems. 

"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Cara Lin, a researcher at Fortinet FortiGuard Labs stated in a report published this week. 

Tracked as CVE-2022-30190, the security bug is related to the Microsoft Support Diagnostic Tool (MSDT) that impacts Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. The vulnerability came to light in late May 2022 but the root cause of the flaw has been known for at least a couple of years. 

The latest attack chain is a weaponized Office document that, when opened, links to a Discord CDN URL to retrieve an HTML file ("index.htm") that, in turn, triggers the diagnostic utility employing a PowerShell command to download next-stage payloads from the same CDN attachment space. 

This includes the Rozena implant ("Word.exe") and a batch file ("cd.bat") that's designed to terminate MSDT processes, establish the backdoor's persistence by means of Windows Registry modification, and download a harmless Word document as a decoy. 

The primary function of the Rozena backdoor is to inject a shellcode that launches a reverse shell to the hacker’s device (“microsofto.duckdns[.]org”), in this way the malicious actor can secure full control of the system. 

The exploitation of the Follina security bug is done by distributing the malware via malicious word documents. The word documents act as a dropper and are distributed through emails that contains a password-encrypted ZIP as an attachment, an HTML file, and a link to download, in the body of the email. Multiple malware such as Emotet, QBot, IcedID, and Bumblebee are then injected into the victim’s device. 

According to researchers, the assaults discovered in early April primarily featured Excel files with XLM macros. Microsoft's decision to block macros by default around the same time is said to have forced the hackers to shift to alternative techniques like HTML smuggling as well as .LNK and .ISO files. 

“CVE-2022-30190 is a high-severity vulnerability that lets a malicious actor deliver malware through an MS Word document. Microsoft already released a patch for it on June 14, 2022. In this blog, we showed how an attacker exploits Follina and included details of Rozena and the SGN ShellCode. Users should apply the patch immediately and also apply FortiGuard protection to avoid the threat,” the researcher concluded.

Microsoft Warns of '8220 Group' Targeting Linux Servers

 

Microsoft Security Intelligence experts have issued a new warning against a known cloud threat actor (TA) group, dubbed 8220, targeting Linux servers to install crypto miners. 

“We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang. The updates include the deployment of new versions of a crypto miner and an IRC bot, as well the use of an exploit for a recently disclosed vulnerability,” the technology giant wrote in a series of tweets. 

According to Cisco's Talos Intelligence group, the 8220 gang has been operating since at least 2017, and primarily focuses on crypto mining campaigns. The threat actors are Chinese-speaking, the names of the group come from the port number 8220 used by the miner to communicate with the C2 servers. 

Over the past year, the group has actively upgraded its methodologies and payloads. In a recent campaign, the hacking group targeted i686 and x86_64 Linux systems and employed RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (Oracle WebLogic) for initial access, Microsoft researchers stated. 

Once secured access to a target system, an evasive loader is downloaded from jira[.]letmaker[.]top. The loader eludes detection by clearing log files and disabling cloud monitoring and security tools. 

Subsequently, the loader downloads the pwnRig crypto miner and an IRC bot that runs commands from a command-and-control (C2) server. It would then maintain persistence by designing either a cron job or a script running every 60 seconds as nohup. 

“The loader uses the IP port scanner tool ‘masscan’ to find other SSH servers in the network and then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts.” 

To guard networks against this threat, Microsoft urged organizations to secure systems and servers, apply updates, and use good credential hygiene. “Microsoft Defender for Endpoint on Linux detects malicious behaviors and payloads related to this campaign.” 

The findings come after Akamai disclosed that the Atlassian Confluence vulnerability is experiencing a steady 20,000 exploitation attempts per day that are executed from nearly 6,000 IPs. However, these figures represent a substantial decline when compared to the peak of 100,000 the company witnessed upon the bug disclosure on June 02, 2022.

Gitlab Patches a Critical RCE Flaw in Latest Security Advisory

 

Security researchers at Gitlab have issued a patch for a critical vulnerability that allows hackers to execute code remotely. 

The security bug tracked as CVE-2022-2185, impacts all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authorized user could import a maliciously designed project to launch remote code execution. 

GitLab is a web-based DevOps life cycle platform offering an open-source license from GitLab Inc. to offer wiki, problem-tracking, and continuous pipeline integration and deployment capabilities. Ukrainian programmers Dmytro Zaporozhets and Valery Sizov have manufactured the program.

 Multiple security flaws 

Fixes for a number of other vulnerabilities were also released in the latest version, including two separate cross-site scripting (XSS) bugs. The vulnerabilities impacted both GitLab Community Edition and Enterprise Edition. Security researchers have recommended users upgrade to the latest version. 

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected,” an advisory from GitLab reads. 

Last year in July, Gitlab patched multiple vulnerabilities — including two high-impact online security flaws by updating its software development infrastructure. In GitLab's GraphQL API, a cross-site request forgery (CSRF) developed a mechanism for a hacker to call modifications while impersonating their victims. The Gitlab Webhook feature was exploited for denial- of service (DoS) assaults because of a second high-level security vulnerability. 

An attack by a Denial-of-Service (DoS) is designed to shut down a user computer system or network, which makes it unreachable to its intended users. DoS attacks achieve this by flooding or delivering information to the target causing a crash. 'Afewgoats' researchers identified DoS vulnerability and reported it via a HackerOne-operated GitLab bug reward program. 

For both higher intensity vulnerabilities, CVE trackers were requested, although identification was not assigned. "The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days," afewgoats explained. 

"It's the only Denial of Service, but it could tie up huge amounts of memory on the victim servers." To mitigate the risks, Gitlab patched 15 medium severity and two low-impact issues. These add-on vulnerabilities also included a clipboard DOM-based cross-site scripting (XSS) issue, a reflected XSS in release edit pages, and the audit log problem of the stored XSS.

CISA Issues Warning Regarding Active Exploitation of 'PwnKit' Linux Security Bug

 

Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) added a Linux vulnerability called PwnKit to its Known Exploited Vulnerabilities (KEV) catalog and issued a warning regarding active exploitation of the flaw in cyber attacks. 

The vulnerability tracked as CVE-2021-4034 (CVSS score: 7.8), first identified earlier this year in January by the American company Qualys, impacts Polkit, a feature designed for managing system-wide privileges in Unix-like operating systems. Polkit is manufactured by Red Hat, but it’s also employed by other Linux distributions. 

PwnKit, a memory corruption issue, if successfully exploited, might cause pkexec to run arbitrary code, and allow an unprivileged hacker administrative right on the target device to exploit the host. The researchers claim that the vulnerability is installed by default on all Linux distributions and has existed in the pkexec component (graphical interface) since its creation, that is, nearly 13 years. 

The security bug has been identified to impact the products of multiple major firms. Juniper Networks, Moxa, IBM, VMware, Siemens, and others have published advisories to elaborate on the impact of CVE-2021-4034. 

Security researchers have been warned that the threat of malicious exploitation of PwnKit is high since proof-of-concept (PoC) exploits have been available and exploitation is not difficult. 

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog — also known as the agency’s “Must Patch” list — and ordered federal agencies to remediate all the newly listed vulnerabilities by July 18, while private firms have been requested to leverage the flaw catalog to improve their patching and vulnerability management processes.

Security experts noted that while exploitation of CVE-2021-4034 should leave traces in log files, it’s also possible to abuse the vulnerability without leaving such traces. 

In addition to the PwnKit vulnerability, CISA has added seven other flaws to its catalog, including an exploited Mitel VoIP zero-day flaw in ransomware assaults (CVE-2022-29499) and five iOS vulnerabilities (CVE-2020-3837, CVE-2019-8605, CVE-2018-4344, CVE-2020-9907 and CVE-2021-30983) that were recently unearthed as having been exploited by the Italian spyware firm RCS Lab.

CVE-2021-30533, a security vulnerability in web browsers based on Chromium, is also listed in the catalog. This flaw was exploited by a malvertising hacker going by the moniker Yosec in order to deploy malicious payloads.

PayPal Bug Enables Attackers to Exfiltrate Cash from Users’ Account

 

Malicious actors could exploit a new unpatched security vulnerability in PayPal's money transfer, a security researcher, named h4x0r_dz, claimed. The security flaw enables attackers to trick victims into unintentionally completing transactions directed by the attacker with a single click, also known as Clickjacking. 

Clickjacking, also called UI redressing, refers to a methodology wherein an unsuspecting user is deceived into clicking seemingly harmless webpage elements like buttons with the motive of installing malware, redirecting to malicious websites, or revealing private information. 

This kind of assault leverages an invisible overlay page or HTML element displayed on top of the visible page. Upon clicking on the legitimate page, victims are clicking the element controlled by the attackers that overlay the legitimate content. 

"Thus, the attacker is 'hijacking' clicks meant for [the legitimate] page and routing them to another page, most likely owned by another application, domain, or both," a security researcher explained in a blog post documenting the findings. 

h4x0r_dz reported the bug to the PayPal bug bounty program seven months ago in October 2021, demonstrating that malicious actors can steal users’ money by exploiting Clickjacking. The researcher identified the security flaw on the “www.paypal[.]com/agreements/approve” endpoint, which was designed for the Billing Agreements. 

The endpoint should only receive billingAgreementToken, according to the expert, however, this is not the case. 

"This endpoint is designed for Billing Agreements and it should accept only billingAgreementToken," the researcher stated. "But during my deep testing, I found that we can pass another token type, which leads to stealing money from [a] victim's PayPal account." 

This indicates that an attacker could embed the aforementioned endpoint inside an iframe, causing a victim already logged in to a web browser to switch funds to an attacker-controlled PayPal account merely at the press of a button. Even more alarming is the possibility that the assault may have resulted in disastrous consequences in online portals that link with PayPal for checkouts, enabling the threat actor to steal arbitrary amounts from customers' PayPal accounts.

"There are online services that let you add balance using PayPal to your account," the researcher added. "I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay Netflix account for me!"

ExtraReplica: Microsoft Patches Cross-Tenant Bug in Azure PostgreSQL

 

Recently, Microsoft has patched pair of security vulnerabilities in its Azure Database for PostgreSQL Flexible Server which could have been exploited to execute malicious code. On Thursday, cyber security researchers from Wiz Research published an advisory on "ExtraReplica," wherein they described it as a "cross-account database vulnerability" in Azure's infrastructure. 

The first is a privilege escalation bug in a modification that Microsoft made to the PostgreSQL engine and the second bug leverages the privilege escalation enabled by the former to give attackers cross-account access. 

Microsoft Azure is a hybrid cloud service and accounts for hundreds of thousands of enterprise customers, it also provides various services to different enterprises including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). 

It supports various programming languages, frameworks, and tools including both Microsoft-specific and third-party software and systems, as well as housing the data for various other Microsoft tools is one of its key features. 

According to the report, security vulnerabilities in the software could be used to bypass Azure's tenant isolation, which prevents software-as-a-service (SaaS) systems users from accessing resources belonging to other tenants. 

Also, ExtraReplica's core attack vector is based on a flaw that gave full access to customer data across multiple databases in a region without authorization, researchers from cloud security vendor Wiz Research recently added. 

"An attacker could create a full copy of a target database in Azure PostgreSQL [Flexible Server], essentially exfiltrating all the information stored in the database…," 

 “…The vulnerabilities would have allowed attackers to bypass firewalls configured to protect the hosted databases unless an organization had configured it for private access only but this is not the default configuration," says Ami Luttwak, co-founder and CTO at Wiz. 

Following the attack, Microsoft said it has mitigated the security vulnerabilities in the second week of January 2022, less than 48 hours after Wiz had warned about the attack. However, the company said that its research showed no evidence that hackers has exploited the vulnerabilities to access customer data.

Unit 42 Publishes New Techniques to Mitigate Vulnerabilities in GKE Autopilot

 

Last year in June, the Unit 42 threat research team discovered multiple bugs in Google Kubernetes Engine (GKE). The vulnerabilities primarily impacted GKE Autopilot, and the latest offering by Google Cloud for managing Kubernetes clusters.

Earlier this week, Unit 42 researchers published details regarding these vulnerabilities and attack techniques to help organizations understand potential threats in securing Kubernetes and how they can be patched.

Kubernetes also known as K8s, is an open-source system for automating deployment, managing, and scaling of containerized applications. The yearly survey conducted by the Cloud Native Computing Foundation highlighted that the majority of firms (83% percent) run Kubernetes in production.

The shift to the cloud benefited multiple organizations but also attracted threat actors. Researchers at Unit 42 discovered several pieces of malware designed to attack Kubernetes. Therefore, it is vital that organizations, cloud security vendors, and the cybersecurity industry continue to work together to address issues like vulnerabilities and misconfigurations in order to help secure work in the cloud. 

The bugs in GKE Autopilot permitted malicious attackers with a restricted initial foothold to escalate privileges and gain access to an entire cluster. This allowed threat actors to covertly exfiltrate secrets, install malware and cryptominers, or disrupt workloads, while the victim remains unknown of the attacker’s activity.

As the adoption of Kubernetes continues to rise, simple misconfigurations and flaws are becoming less common, forcing attackers to launch more sophisticated assaults. According to Unit 42, even a small bug in Kubernetes can amount to very impactful attacks. Only a comprehensive cloud-native security platform can empower defenders and protect clusters against similar threats. 

How to mitigate the risks? 

Following the discovery of vulnerabilities and attack techniques in Google Kubernetes Engine, Google automatically pushed patches across GKE to Autopilot clusters. No customer action is needed. Researchers encourage Kubernetes administrators to enable policy and audit engines that monitor for, detect and prevent suspicious activity and privilege escalation in their clusters.

Powerful pods are still common in production clusters and are usually installed by the underlying Kubernetes platform or introduced through popular open-source add-ons. Unit 42 researchers recommend using Taints, NodeAffinity, or PodAntiAffinity rules to separate powerful pods from untrusted or publicly exposed ones, ensuring they do not run on the same node. 

Trend Micro Patches Critical Bugs in its Security Products

 

Trend Micro has addressed two high-severity bugs impacting its hybrid cloud security devices. The researchers responsible for identifying the flaws have released the details and proof-of-concept (PoC) exploits. 

The flaws tracked as CVE-2022-23119 and CVE-2022-23120, affect Deep Security and Cloud One workload security solutions, specifically the Linux agent feature. 

The security loopholes were unearthed by researchers at Swiss-German cybersecurity firm modzero, which also published PoC exploits the same day Trend Micro released the security patches i.e., on January 19. The researchers first reported the vulnerabilities to Trend Micro in September and patches were released between October and December. 

The researchers at Modzero identified that the Deep Security Agent for Linux is impacted by a directory traversal bug that could be exploited by malicious actors to read arbitrary files and a code injection issue that could be abused to escalate privileges and implement code as root. However, a threat actor requires to have access to the targeted system and exploitation is only possible if the agent has not been activated or configured. 

Additionally, Modzero’s researchers noticed that a hardcoded default X.509 certificate and a corresponding private key are shipped with the agent software. The certificate is used to establish communication with the server before the agent is activated. 

“The Trend Micro Deep Security Agent authenticates remote servers using mutual TLS (mTLS): Both the server and the agent identify each other by presenting a certificate. The agent software ships with a hardcoded default X.509 certificate and a corresponding private key. Until the agent is configured (‘activated’) by the server component this certificate is used in communications with the server. It is stored in the shared object file /opt/ds_agent/lib/dsa_core.so The agent software uses a certificate authority (CA) to establish the server’s identity,” researchers explained.

“When the server connects to the agent, its certificate is validated against this CA. However, the agent uses its own certificate also as a CA. As this certificate ships with a private key, it is possible for an attacker to create and sign their own server certificate, imitate a server and to send commands to the client software.”

Last week, Trend Micro informed users regarding an information disclosure bug impacting its Worry-Free Business Security small business product. However, that flaw was assigned a “low severity” rating.

Linux System Service Bug Allows You to Gain Root Access

 

An authentication bypass vulnerability in the polkit auth system service, which is installed by default on many recent Linux distributions, allows unprivileged attackers to gain a root shell. On June 3, 2021, the polkit local privilege escalation flaw (CVE-2021-3560) was officially identified, and a fix was released. Polkit is used by systemd, hence it's included in any Linux distribution that uses systemd. 

Kevin Backhouse, a GitHub security researcher, detailed how he discovered the bug (CVE-2021-3560) in a systemd service called polkit in a blog post on Thursday. The problem, which was first introduced in commit bfa5036 seven years ago and first shipped in polkit version 0.113, took various pathways in different Linux distributions. Despite the fact that many Linux distributions did not ship with the vulnerable polkit version until recently, any Linux machine with polkit 0.113 or later installed is vulnerable to attacks. 

Polkit, formerly known as PolicyKit, is a service that determines whether certain Linux tasks require more privileges than there are currently available. It comes into play when you want to establish a new user account, for example. According to Backhouse, exploiting the issue is shockingly simple, needing only a few commands utilizing common terminal tools such as bash, kill, and dbus-send. 

"The vulnerability is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request," explained Backhouse. Polkit asks for the UID of a connection that no longer exists, therefore killing dbus-send — an interprocess communication command – in the middle of an authentication request creates an error (because the connection was killed). 

"In fact, polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0," explains Backhouse. "In other words, it immediately authorizes the request because it thinks the request has come from a root process."

Because polkit's UID query to the dbus-daemon occurs numerous times throughout different code paths, this doesn't happen all of the time. According to Backhouse, those code pathways usually handle the error correctly, but one is vulnerable, and if the disconnection occurs while that code path is running, privilege escalation occurs. It's all about timing, which varies in unanticipated ways due to the involvement of various processes. Backhouse believes the bug's intermittent nature is why it went unnoticed for seven years.

GitHub Informed Clients of “Potentially Serious” Security Bug

 

GitHub on Monday informed clients that it had found what it described as an “extremely rare, but potentially serious” security bug identified with how some authenticated sessions were handled. On 8th March GitHub signed out all clients that were signed in before March 8th. The precautionary measure was taken seven days after the organization had gotten an underlying report of dubious conduct, from an external party. 

The Microsoft-owned software development platform said the bug was found on March 2 and an underlying patch was carried out on March 5. A subsequent fix was delivered on March 8 and on the evening of that very day the organization chose to invalidate all authenticated sessions to completely eliminate the possibility of exploitation. On Friday, the GitHub team has remediated the security flaw and kept on analyzing the situation over the weekend. The vulnerability being referred to, could be misused in extremely rare circumstances, when a rare condition would happen during the backend request handling process, permitting the session cookie of a logged-in GitHub client to be sent to the software of another client, giving the latter access to the former user’s account.

“It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems,” says Mike Hanley, GitHub’s recently appointed chief security officer. “Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user.” 

The organization declared that the bug existed on GitHub.com for less than two weeks and it doesn't resemble some other GitHub.com assets or products were impacted as a result of this bug. "We believe that this session misrouting occurred in less than 0.001% of authenticated sessions on GitHub.com. For the very small population of accounts that we know to be affected by this issue, we’ve reached out with additional information and guidance,” continues Hanley in the announcement. 

The organization is still analyzing if any project repositories or source code were messed with because of this vulnerability as this kind of authentication vulnerabilities could pave the way for software supply-chain attacks.

Google Chrome Receives Second Patch for Serious Zero-Day Bug in Two Weeks

Google has recently introduced a fix for another zero-day bug in its Chrome browser and has also released a new security update for desktops. The bug (CVE-2020-16009) that affected the V8 component of the Chrome browser was discovered by Clement Lecigne and Samuel Groß of Google's Threat Analysis Group (TAG) and Google Project Zero respectively. 


 
While addressing the abovementioned flaw for the machines running on Mac, Windows, and Linux, Google released the Google Chrome security patch version 86.0.4240.183. The tech giant further told that the bug when exploited allowed the threat actors to bypass and escape the Chrome security sandbox on Android smartphones and run code on the underlying operating system. 

Google denied disclosing any details of the bug that had been exploited actively in the wild, as a lot of users have not updated yet; it's a part of Google's privacy policy. It prevents attackers from developing exploits alongside and gives users more time to get the updates installed. While Google's TAG hasn't confirmed if the threat actors behind the two bugs were the same, it assured that the acts were not motivated by the ongoing US presidential elections. 
 
Furthermore, a critical memory corruption flaw under active exploitation in the Google Chrome browser (CVE-2020-15999) was identified by the researchers at Google's TAG, who also told that this zero-day vulnerability was under attack in combination with CVE-2020-17087, windows zero-day. The zero-day vulnerability identified as CVE-2020-15999 affected the FreeType font rendering library, thereby demanding attention from all services making use of this library. 
 
Additionally, the latest security update will also allow users to experience a more stable and improved Chrome browser in terms of performance. 
 
In a blog post published on 2nd November, Google said, "The stable channel has been updated to 86.0.4240.183 for Windows, Mac, and Linux which will roll out over the coming days/weeks. A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues." 

"Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," the blog further stated.

Facebook Messenger Kids ‘Technical Error’ exposed kids unauthorized users.







A technical error in Facebook’s messaging app for kids, has exposed thousands of children to join chats with unauthorized users.

The Messenger Kids was launched in 2017 for kids under 13 years, the app gives a private” chat space for kids to talk with contacts that are approved by their parents.

According to a report from The Verge, the flaw allowed a  friend of a child to create a group chat in the app which  invited one or more of the second child’s parent-approved friends — that means a a friend can add secondary contacts to the chat without the approval by the parents of the first child. 

However, the company did not make a public disclosure of the safety issue. 

'We recently notified some parents of Messenger Kids account users about a technical error that we detected affecting a small number of group chats,' a Facebook representative said in a statement. 

'We turned off the affected chats and provided parents with additional resources on Messenger Kids and online safety.'