Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Security Bug. Show all posts

Netwrix Auditor RCE Bug Abused in Truebot Malware Campaign

 

A severe remote code execution (RCE) vulnerability in the Netwrix Auditor software was used in attacks against organisations across the United States and Canada, according to a warning issued today by CISA and the FBI. These assaults targeted organisations in the United States and Canada. 

Unauthorised attackers can run malicious code with the privileges of the SYSTEM user thanks to a security flaw that affects the Netwrix Auditor server and the agents installed on monitored network systems (tagged as CVE-2022-31199). 

Since December 2022, TA505 hackers (connected with the FIN11 organisation) have exploited TrueBot, a malware downloader related to the Russian-speaking Silence cybercrime group, to install Clop ransomware on compromised networks. 

After installing TrueBot on compromised networks, the hackers install the FlawedGrace Remote Access Trojan (RAT), which is likewise affiliated with the TA505 group and allows them to escalate privileges and establish persistence on the compromised systems. 

Hackers will also deploy Cobalt Strike beacons hours after the initial breach, which might potentially be exploited to perform various post-exploitation tasks such as data theft and delivering other malware payloads such as ransomware. 

"Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199," the two federal agencies explained in a joint report with MS-ISAC and the Canadian Centre for Cyber Security.

"As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organisations in the U.S. and Canada."

Based on the nature of Truebot operations documented thus far, the primary purpose of attackers behind Truebot is to acquire confidential data from compromised systems for monetary gain.

Following the guidelines laid out in joint advisory, security teams are advised to search for evidence of malicious activity pointing to a Truebot infection.

If they find any indicators of compromise (IOCs) within their organization's network, they should immediately implement the mitigation and incident response steps suggested in the advisory and report the incident to CISA or the FBI.

Security Expert's Tweet Prompts Significant Modification to Google Email Authentication

 

Google stated last month that Gmail users would start noticing blue tick marks next to brand logos for senders taking part in the program's Brand Indicators for Message Identification. BIMI and its blue tick mark were intended to take a stand against email impersonation and phishing by giving clients further assurance that branded senders are who they say they are.

Less than a month after the launch of BIMI, scammers managed to get beyond its security measures and successfully impersonate companies, sending emails to Google users that claimed to be from the logistics firm UPS. 

Now Google claims that it is tightening its BIMI verification procedure and is blaming an unknown "third-party" for enabling the usage of its services in ways that evaded its security protections and sent faked messages to inboxes. The eye-watering intricacy of the contemporary email environment is demonstrated by the fact that experts claim email providers, including Microsoft, may still be facilitating this kind of behaviour and are not doing enough to solve it. 

Security researchers argue that the way BIMI is being used makes it possible for bad actors to use the system to more effectively spoof well-known businesses, increasing the likelihood that end users may click on a malicious link or open a dubious attachment as part of a phishing assault. 

 
According to the 2023 Verizon Data Breach Investigations Report, phishing accounts for about half of all social engineering attacks and causes tens of millions of dollars in losses each year. A number of protocols, including SPF, DKIM, and others, have been implemented over time to solve email sender verification, but these protocols are insufficient answers that deal with diverse facets of a complicated issue.

By displaying in Gmail the "validated logos" of participating brands and "increasing confidence in the source of emails for recipients," BIMI was developed by an industry working group in 2018 and first adopted by Google in July 2021. The company stated this in its roll-out. The concept was that by requiring the DMARC, SPF, or DKIM email authentication standards, BIMI would provide brand senders an extra level of recognition and confidence. 

It's not surprising that scammers are targeting BIMI, according to Alex Liu, a cybersecurity expert and PhD candidate at the University of California, San Diego, who has investigated the flaws in email verification systems. According to Liu, historically, con artists have been the first to adopt new protocols. She added that it is now the responsibility of companies like Microsoft to secure their mail servers and make sure that BIMI isn't misused.

The controversy over how BIMI is being implemented started with a series of tweets from Chris Plummer, a cybersecurity expert from New Hampshire, who called Google's BIMI implementation potentially "catastrophic" and warned that it could increase the likelihood that users will act on the contents of a message that has been incorrectly verified.

“It was clear in the headers of the message I received that there was some obvious subversion, and Google was not looking far enough back in the delivery chain to see that,” Plummer stated. 

In a study released earlier this year, Liu and a group of co-authors described how mechanisms designed to stop the spoofing of sender domains struggle when confronted with emails that have been forwarded, a technique frequently used by major organisations that rely on BIMI to send bulk emails. 

Plummer discovered the BIMI vulnerability after receiving an email appearing to be from UPS in his Gmail inbox. Something didn't feel right, he told a local news source, and Plummer confirmed that the email was not from UPS. On May 31, he filed a bug complaint with Google, but the firm "lazily" closed it as "won't fix - intended behaviour," Plummer tweeted. "How is a scammer impersonating @UPS in such a convincing way 'intended,'" Plummer wrote in the tweet, which has since been viewed almost 155,000 times.

“The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust,” Plummer explained in a subsequent tweet. “This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit. Google just doesn’t want to deal with this report honestly.”

The next day, after Plummer filed an appeal, Google switched direction and informed him that it was reviewing his report again. "Thank you so much for pressing on for us to take a closer look at this!" a company wrote in a note, designating the bug a "P1" priority. 

“This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are,” a Google spokesperson told CyberScoop, a cybersecurity news portal, in an email Monday. “To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status.” 

According to a Google representative, the DKIM requirement should be fully implemented by the end of the week. This is a change from the previous policy, which demanded either DKIM or a different standard called the Sender Policy Framework. Both of these standards are used by email providers, among other things, to determine whether incoming email is likely to be spam and to theoretically authenticate that a sender is who they claim to be. Google appreciates Plummer's efforts to draw their notice to the issue, the spokeswoman continued. 

Jonathan Rudenberg, a security researcher, reproduced the BIMI problem using Microsoft 365 by sending counterfeit emails from a Microsoft email system to a Gmail account after Plummer first brought it to their attention on Twitter. Rudenberg then filed a bug report with Microsoft. 

Microsoft, meanwhile, maintains that it is Google's obligation to resolve the issue, not its own. In response to Rudenberg's bug report, Microsoft's Security Response Centre informed Rudenberg that the problem did not pose an immediate threat that requires urgent attention and that the "burden" of guaranteeing security rests with the end-user's email provider, in this case, Google.

Users' Private Info Accidentally Made Public by ChatGPT Bug

 

After taking ChatGPT offline on Monday, OpenAI has revealed additional information, including the possibility that some users' financial information may have been compromised. 

A redis-py bug, which led to a caching problem, caused certain active users to potentially see the last four numbers and expiration date of another user's credit card, along with their first and last name, email address, and payment address, the business claims in a post. Users might have also viewed tidbits of other people's communication histories. 

It's not the first time that cache problems have allowed users to view each other's data; in a famous instance, on Christmas Day in 2015, Steam users were sent pages containing data from other users' accounts. It is quite ironic that OpenAI devotes a lot of attention and research to determining the potential security and safety repercussions of its AI, yet it was taken by surprise by a fairly well-known security flaw. 

The firm claimed that 1.2 percent of ChatGPT Plus subscribers who used the service on March 20 between 4AM and 1PM ET may have been impacted by the payment information leak. 

According to OpenAI, there are two situations in which payment information might have been exposed to an unauthorised user. During that time, if a user visited the My account > Manage subscription page, they might have seen information about another ChatGPT Plus customer who was actively utilising the service. Additionally, the business claims that certain membership confirmation emails sent during the event were sent to the incorrect recipient and contained the final four digits of a user's credit card information. 

The corporation claims it has no proof that either of these events actually occurred before January 20th, though it is plausible that both of them did. Users who may have had their payment information compromised have been contacted by OpenAI. 

It appears that caching had a role in how this whole thing came about. The short version is that the company uses a programme called Redis to cache user information. In some cases, a Redis request cancellation would result in damaged data being delivered for a subsequent request, which wasn't supposed to happen. The programme would typically get the data, declare that it was not what it had requested, and then raise an error.

Yet, the software determined everything was good and presented it to them if the other user was requesting for the same type of data — for example, if they were trying to view their account page and the data was someone else's account information. 

Users were being fed cache material that was originally intended to go to someone else but didn't because of a cancelled request, which is why they could see other users' payment information and conversation history. It also only affected individuals who were actively using the system for that reason. The software wouldn't cache any data for users who weren't actively using it. 

What made matters worse was that, on the morning of March 20, OpenAI made a change to their server that unintentionally increased the amount of Redis queries that were aborted, increasing the likelihood that the issue would return an irrelevant cache to someone.

As per OpenAI, the fault that only affected a very specific version of Redis has been addressed, and the team members have been "great collaborators." It also claims that it is changing its own software and procedures to ensure that something similar doesn't occur again. Changes include adding "redundant checks" to ensure that the data being served actually belongs to the user making the request and decreasing the likelihood that its Redis cluster will experience errors when under heavy load.

Most Ransomware Attacks in 2022 Took Advantage of Outdated Bugs

 

In the 2022 attacks, ransomware operators took advantage of a number of outdated vulnerabilities that allowed the attackers to become persistent and migrate laterally to complete their objectives. 

A report from Ivanti released last week stated that the flaws, which are prevalent in products from Microsoft, Oracle, VMware, F5, SonicWall, and several more companies, pose a clear and present danger to organisations who haven't yet remedied them. 

Old bugs are still popular

Ivanti's study is based on data analysis from teams at Securin, Cyber Security Works, and Cyware as well as from its own threat intelligence team. It provides a thorough examination of the flaws that criminals frequently used in ransomware attacks in 2022. 

In attacks last year, ransomware operators used a total of 344 different vulnerabilities, up 56 from 2021, according to Ivanti's analysis. A stunning 76% of these bugs were from 2019 or before. Three remote code execution (RCE) defects from 2012 in Oracle's products, CVE-2012-1710 in Oracle Fusion middleware and CVE-2012-1723 and CVE-2012-4681 in the Java Runtime Environment, were the oldest flaws in the group. 

Ivanti's chief product officer, Srinivas Mukkamala, claims that while the data indicates that ransomware operators leveraged new vulnerabilities quicker than ever last year, many still relied on older vulnerabilities that are still present on enterprise systems.

"Older flaws being exploited is a byproduct of the complexity and time-consuming nature of patches," Mukkamala stated. "This is why organisations need to take a risk-based vulnerability management approach to prioritise patches so that they can remediate vulnerabilities that pose the most risk to their organisation." 

Critical flaws 

Ivanti identified 57 vulnerabilities as affording threat actors the ability to complete their whole goal, making them among the vulnerabilities that pose the most risk. These flaws gave an attacker the ability to acquire initial access, maintain persistence, elevate privileges, get around security measures, access credentials, find resources they might be looking for, move laterally, gather information, and carry out the intended task. 

There were 25 vulnerabilities in this category that were dated 2019 or earlier, including the three Oracle flaws from 2012. Scanners are not presently picking up exploits against three of them (CVE-2017-18362, CVE-2017-6884, and CVE-2020-36195) in products made by ConnectWise, Zyxel, and QNAP, respectively. 

Inadequate input validation was the cause of the majority (11) of the vulnerabilities in the list that presented a full attack chain. Path traversal flaws, OS command injection, out-of-bounds write errors, and SQL injection were some more frequent causes of vulnerabilities. 

The most common flaws are broadly prevalent 

Moreover, ransomware authors have a tendency to favour defects that affect a variety of items. CVE-2018-3639, a form of speculative side-channel vulnerability that Intel disclosed in 2018, was one of the most well-known of them. According to Mukkamala, the flaw affects 345 goods from 26 vendors. Other instances include the famed Log4Shell hole, CVE-2021-4428, which at least six ransomware gangs are presently using as an attack vector. The weakness was one of many that Ivanti discovered threat actors were using as recently as December 2022. At least 176 products from 21 different manufacturers, including Oracle, Red Hat, Apache, Novell, and Amazon, contain it. 

The Linux kernel vulnerability CVE-2018-5391 and the critical elevation of privilege hole in Microsoft Netlogon CVE-2020-1472 are two further flaws that ransomware developers like to exploit because of their widespread availability. The vulnerability has been utilised by at least nine ransomware gangs, including those responsible for Babuk, CryptoMix, Conti, DarkSide, and Ryuk, and it is growing in popularity with other groups as well, according to Ivanti. 

A total of 118 vulnerabilities that were leveraged in ransomware attacks last year were discovered, according to the security research.

According to Mukkamala, "threat actors are particularly interested in defects that are present in most products." 

The closely watched Known Exploited Vulnerabilities (KEV) database maintained by the US Cybersecurity and Infrastructure Security Agency does not contain 131 of the 344 weaknesses that ransomware attackers exploited last year. The database includes information on software weaknesses that threat actors are actively exploiting and that CISA deems to be particularly hazardous. According to CISA, federal entities must prioritise and usually respond to vulnerabilities listed in the database within two weeks. 

Because many businesses use the KEV to prioritise patches, Mukkamala argues it's crucial that these aren't in the CISA KEV. This demonstrates that, although being a reliable resource, KEV does not give a comprehensive overview of all the vulnerabilities that are employed in ransomware attacks. 

57 vulnerabilities that were leveraged in ransomware attacks last year by organisations including LockBit, Conti, and BlackCat have low- and medium-severity rankings in the national vulnerability database, according to Ivanti. The risk, according to the security provider, is that enterprises who utilise the score to prioritise patching may get complacent as a result.

Eurostar: Users Forced Into Resetting Passwords, Then Fails and Locks Them Out


Eurostar, the International high-speed rail operator has recently been emailing its customers this week, enticing them into resetting their account passwords in a bid to “upgrade” security. 

But, when users click the password reset link, "technical issues" are apparently keeping them from changing their passwords or logging into their accounts. 

Eurostar Password Reset Bug is Locking Passengers Out 

The company, renowned for linking countries like the UK to France, Belgium, and the Netherlands with most of its trains crossing the Channel Tunnel, has been emailing customers where the railway operator would claim to be “busy” upgrading the account security for its customers. 

Apparently, the email would read “Dear customer, we’ve been busy upgrading our security to protect your account and your personal details. To continue using your Eurostar account, you’ll need to reset your password. If you also use the Eurostar mobile app, you’ll need to update it to the latest version.” 

Nevertheless, clicking the "reset password" link and following the navigation is ineffective. Users instead encounter the following error message: "Sorry, we're having a few technical problems so we can't send the email at the moment. Please try again a little later." 

That bug has caused immense frustration among Eurostar passengers and users around the globe who are now effectively locked out of their accounts. 

Users are shown the password reset interstitial after each successful login attempt, which prevents them from accessing their accounts until they reset their passwords. However, owing to the aforementioned technical problem, the password reset never occurs. 

In regards to the issue, a user tweets “@Eurostar how to tell your customers you hate them without saying it: lock everyone’s account and make it impossible to reset their password.” Moreover, it was observed that the perplexed users, were mistaking Eurostar’s legitimate email for a phishing attempt. 

Ongoing Maintenance to Blame? 

In a lengthy Twitter thread on Friday, Eurostar acknowledged that users were experiencing problems accessing their Club Eurostar accounts and attributed this to ongoing maintenance. Yet, this was before the business started sending out emails for password resets. 

Among many instances, customers have complained that their reservations and data were "lost" from their accounts. 

The railway operator, at the time, advised users to clear their browser cookies or re-attempt registration with the same email address. Although, nobody seems to benefit from this as a solution. 

The last time a comprehensive password reset was implemented by Eurostar was in 2018 following a data breach, as The Telegraph at the time reported. 

It is still unclear whether the forced password reset is really Eurostar's attempt to increase account security or if it is a response to a cybersecurity issue like system compromise or data breach. 

In regards to the situation, a Eurostar spokesperson addresses the issue with the statement, “our customers were contacted to reset their password following an update to our customer authentication system. The sudden volume of customers who attempted to do this caused some technical difficulties and we are working to resolve this as soon as possible. We apologize for any inconvenience this has caused.”  

Google Patched the Eighth Actively Abused Chrome Zero Day This Year

 

The eighth zero-day vulnerability affecting the Chrome browser on Windows, Mac, Linux, and Android platforms has been acknowledged by Google. You can force-update your browser right away, but an urgent remedy for this one problem is currently being rolled out. There will shortly be upgrades for other Chromium-powered browser clients as well. 

When a Google Chrome update fixed a single security issue, it used to happen very infrequently and only when a vulnerability was actively being utilized by attackers in the wild before a fix was ready. Updates covering a total of eight of these zero days were released in 2022. 

The most recent is CVE-2022-4135, a high-severity heap buffer overflow flaw in the Chromium GPU. The National Institute of Standards and Technology (NIST) national vulnerability database entry states that the zero-day, which was disclosed by Clement Lecigne of Google's own Threat Analysis Group, could allow an attacker to circumvent the security sandbox (using a malicious HTML website). 

The zero-day has not received any additional information from Google. This is not uncommon with such a vulnerability so as to enable a majority of users to install the update and gain protection before other attackers try their hands. All Google has said is that it is "aware that an exploit for CVE-2022-4135 exists in the wild." 

Update Your Google Chrome Browser Immediately 

Google has already started rolling out security updates will continue in the coming days. However, users are recommended to force the update process, given that malicious hackers are known to have exploited code already. This is particularly important for those users who maintain large numbers of open tabs and rarely restart the browser, as the update is only effective following a restart. 

Head for settings in the chrome browser and scan if you have the latest version and if not, then a download and installation will start automatically. The security update takes Chrome to version 107.0.5304.121 or.122 for Windows, version 107.0.5304.121 for Mac and Linux, and version 107.0.5304.141 for Android.

Rapid7 Researchers are Closely Monitoring Critical Bug in Apache Commons Text

 

A remote code execution vulnerability in the Apache Commons Text library has sparked comparisons with the ‘Log4Shell’ flaw that surfaced in the widely used open-source component Log4j last year.

Tracked as CVE-2022-42889, the Commons Text bug centers on an unsafe execution of the library’s variable interpolation functionality. The hacker can exploit the bug to trigger code execution when processing malicious input in the library’s default configuration. 

The Rapid7 researchers who discovered and reported the Commons Text flaw in March have downplayed its comparative effect. 

The susceptible StringSubstitutor interpolator is comparatively less utilized than the vulnerable string substitution in Log4j and the nature of such an interpolator means that getting crafted input to the vulnerable object is less likely than merely communicating with such a well-designed string as in Log4Shell. 

“The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison.” reads the technical published by Rapid7 researchers. “The nature of the vulnerability means that, unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.” 

Apache’s security team also confirmed that the scope of the flaw is not as serious as Log4Shell, explaining that the string interpolation is a documented feature. 

“The vulnerability is indeed very similar. The Apache Commons Text code appears to be based on the Log4j code, as both of them enable interpolation of multiple Lookup sources. Log4j enabled JNDI lookups [while] Apache Commons Text and Apache Commons Configuration allow script lookups – both could lead to RCE. The impact is, therefore, very high," the researchers explained. 

Preventive measures 

The Apache Commons Text versions are 1.5 through 1.9, and all JDK versions, and has been fixed in version 1.10. However, it is still recommended that users should upgrade Apache Commons Text to 1.10.0, which disables the problematic interpolators by default. 

The users should install these patches as soon they become available, and prioritize anywhere the vendor indicates that their implementation may be remotely exploitable.

Rozena Backdoor Deployed by Abusing the Follina Vulnerability

 

A newly discovered phishing campaign is exploiting the Follina security vulnerability to deploy a private backdoor, named Rozena on the Windows systems. 

"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Cara Lin, a researcher at Fortinet FortiGuard Labs stated in a report published this week. 

Tracked as CVE-2022-30190, the security bug is related to the Microsoft Support Diagnostic Tool (MSDT) that impacts Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. The vulnerability came to light in late May 2022 but the root cause of the flaw has been known for at least a couple of years. 

The latest attack chain is a weaponized Office document that, when opened, links to a Discord CDN URL to retrieve an HTML file ("index.htm") that, in turn, triggers the diagnostic utility employing a PowerShell command to download next-stage payloads from the same CDN attachment space. 

This includes the Rozena implant ("Word.exe") and a batch file ("cd.bat") that's designed to terminate MSDT processes, establish the backdoor's persistence by means of Windows Registry modification, and download a harmless Word document as a decoy. 

The primary function of the Rozena backdoor is to inject a shellcode that launches a reverse shell to the hacker’s device (“microsofto.duckdns[.]org”), in this way the malicious actor can secure full control of the system. 

The exploitation of the Follina security bug is done by distributing the malware via malicious word documents. The word documents act as a dropper and are distributed through emails that contains a password-encrypted ZIP as an attachment, an HTML file, and a link to download, in the body of the email. Multiple malware such as Emotet, QBot, IcedID, and Bumblebee are then injected into the victim’s device. 

According to researchers, the assaults discovered in early April primarily featured Excel files with XLM macros. Microsoft's decision to block macros by default around the same time is said to have forced the hackers to shift to alternative techniques like HTML smuggling as well as .LNK and .ISO files. 

“CVE-2022-30190 is a high-severity vulnerability that lets a malicious actor deliver malware through an MS Word document. Microsoft already released a patch for it on June 14, 2022. In this blog, we showed how an attacker exploits Follina and included details of Rozena and the SGN ShellCode. Users should apply the patch immediately and also apply FortiGuard protection to avoid the threat,” the researcher concluded.

Microsoft Warns of '8220 Group' Targeting Linux Servers

 

Microsoft Security Intelligence experts have issued a new warning against a known cloud threat actor (TA) group, dubbed 8220, targeting Linux servers to install crypto miners. 

“We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang. The updates include the deployment of new versions of a crypto miner and an IRC bot, as well the use of an exploit for a recently disclosed vulnerability,” the technology giant wrote in a series of tweets. 

According to Cisco's Talos Intelligence group, the 8220 gang has been operating since at least 2017, and primarily focuses on crypto mining campaigns. The threat actors are Chinese-speaking, the names of the group come from the port number 8220 used by the miner to communicate with the C2 servers. 

Over the past year, the group has actively upgraded its methodologies and payloads. In a recent campaign, the hacking group targeted i686 and x86_64 Linux systems and employed RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (Oracle WebLogic) for initial access, Microsoft researchers stated. 

Once secured access to a target system, an evasive loader is downloaded from jira[.]letmaker[.]top. The loader eludes detection by clearing log files and disabling cloud monitoring and security tools. 

Subsequently, the loader downloads the pwnRig crypto miner and an IRC bot that runs commands from a command-and-control (C2) server. It would then maintain persistence by designing either a cron job or a script running every 60 seconds as nohup. 

“The loader uses the IP port scanner tool ‘masscan’ to find other SSH servers in the network and then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts.” 

To guard networks against this threat, Microsoft urged organizations to secure systems and servers, apply updates, and use good credential hygiene. “Microsoft Defender for Endpoint on Linux detects malicious behaviors and payloads related to this campaign.” 

The findings come after Akamai disclosed that the Atlassian Confluence vulnerability is experiencing a steady 20,000 exploitation attempts per day that are executed from nearly 6,000 IPs. However, these figures represent a substantial decline when compared to the peak of 100,000 the company witnessed upon the bug disclosure on June 02, 2022.

Gitlab Patches a Critical RCE Flaw in Latest Security Advisory

 

Security researchers at Gitlab have issued a patch for a critical vulnerability that allows hackers to execute code remotely. 

The security bug tracked as CVE-2022-2185, impacts all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authorized user could import a maliciously designed project to launch remote code execution. 

GitLab is a web-based DevOps life cycle platform offering an open-source license from GitLab Inc. to offer wiki, problem-tracking, and continuous pipeline integration and deployment capabilities. Ukrainian programmers Dmytro Zaporozhets and Valery Sizov have manufactured the program.

 Multiple security flaws 

Fixes for a number of other vulnerabilities were also released in the latest version, including two separate cross-site scripting (XSS) bugs. The vulnerabilities impacted both GitLab Community Edition and Enterprise Edition. Security researchers have recommended users upgrade to the latest version. 

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected,” an advisory from GitLab reads. 

Last year in July, Gitlab patched multiple vulnerabilities — including two high-impact online security flaws by updating its software development infrastructure. In GitLab's GraphQL API, a cross-site request forgery (CSRF) developed a mechanism for a hacker to call modifications while impersonating their victims. The Gitlab Webhook feature was exploited for denial- of service (DoS) assaults because of a second high-level security vulnerability. 

An attack by a Denial-of-Service (DoS) is designed to shut down a user computer system or network, which makes it unreachable to its intended users. DoS attacks achieve this by flooding or delivering information to the target causing a crash. 'Afewgoats' researchers identified DoS vulnerability and reported it via a HackerOne-operated GitLab bug reward program. 

For both higher intensity vulnerabilities, CVE trackers were requested, although identification was not assigned. "The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days," afewgoats explained. 

"It's the only Denial of Service, but it could tie up huge amounts of memory on the victim servers." To mitigate the risks, Gitlab patched 15 medium severity and two low-impact issues. These add-on vulnerabilities also included a clipboard DOM-based cross-site scripting (XSS) issue, a reflected XSS in release edit pages, and the audit log problem of the stored XSS.

CISA Issues Warning Regarding Active Exploitation of 'PwnKit' Linux Security Bug

 

Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) added a Linux vulnerability called PwnKit to its Known Exploited Vulnerabilities (KEV) catalog and issued a warning regarding active exploitation of the flaw in cyber attacks. 

The vulnerability tracked as CVE-2021-4034 (CVSS score: 7.8), first identified earlier this year in January by the American company Qualys, impacts Polkit, a feature designed for managing system-wide privileges in Unix-like operating systems. Polkit is manufactured by Red Hat, but it’s also employed by other Linux distributions. 

PwnKit, a memory corruption issue, if successfully exploited, might cause pkexec to run arbitrary code, and allow an unprivileged hacker administrative right on the target device to exploit the host. The researchers claim that the vulnerability is installed by default on all Linux distributions and has existed in the pkexec component (graphical interface) since its creation, that is, nearly 13 years. 

The security bug has been identified to impact the products of multiple major firms. Juniper Networks, Moxa, IBM, VMware, Siemens, and others have published advisories to elaborate on the impact of CVE-2021-4034. 

Security researchers have been warned that the threat of malicious exploitation of PwnKit is high since proof-of-concept (PoC) exploits have been available and exploitation is not difficult. 

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog — also known as the agency’s “Must Patch” list — and ordered federal agencies to remediate all the newly listed vulnerabilities by July 18, while private firms have been requested to leverage the flaw catalog to improve their patching and vulnerability management processes.

Security experts noted that while exploitation of CVE-2021-4034 should leave traces in log files, it’s also possible to abuse the vulnerability without leaving such traces. 

In addition to the PwnKit vulnerability, CISA has added seven other flaws to its catalog, including an exploited Mitel VoIP zero-day flaw in ransomware assaults (CVE-2022-29499) and five iOS vulnerabilities (CVE-2020-3837, CVE-2019-8605, CVE-2018-4344, CVE-2020-9907 and CVE-2021-30983) that were recently unearthed as having been exploited by the Italian spyware firm RCS Lab.

CVE-2021-30533, a security vulnerability in web browsers based on Chromium, is also listed in the catalog. This flaw was exploited by a malvertising hacker going by the moniker Yosec in order to deploy malicious payloads.

PayPal Bug Enables Attackers to Exfiltrate Cash from Users’ Account

 

Malicious actors could exploit a new unpatched security vulnerability in PayPal's money transfer, a security researcher, named h4x0r_dz, claimed. The security flaw enables attackers to trick victims into unintentionally completing transactions directed by the attacker with a single click, also known as Clickjacking. 

Clickjacking, also called UI redressing, refers to a methodology wherein an unsuspecting user is deceived into clicking seemingly harmless webpage elements like buttons with the motive of installing malware, redirecting to malicious websites, or revealing private information. 

This kind of assault leverages an invisible overlay page or HTML element displayed on top of the visible page. Upon clicking on the legitimate page, victims are clicking the element controlled by the attackers that overlay the legitimate content. 

"Thus, the attacker is 'hijacking' clicks meant for [the legitimate] page and routing them to another page, most likely owned by another application, domain, or both," a security researcher explained in a blog post documenting the findings. 

h4x0r_dz reported the bug to the PayPal bug bounty program seven months ago in October 2021, demonstrating that malicious actors can steal users’ money by exploiting Clickjacking. The researcher identified the security flaw on the “www.paypal[.]com/agreements/approve” endpoint, which was designed for the Billing Agreements. 

The endpoint should only receive billingAgreementToken, according to the expert, however, this is not the case. 

"This endpoint is designed for Billing Agreements and it should accept only billingAgreementToken," the researcher stated. "But during my deep testing, I found that we can pass another token type, which leads to stealing money from [a] victim's PayPal account." 

This indicates that an attacker could embed the aforementioned endpoint inside an iframe, causing a victim already logged in to a web browser to switch funds to an attacker-controlled PayPal account merely at the press of a button. Even more alarming is the possibility that the assault may have resulted in disastrous consequences in online portals that link with PayPal for checkouts, enabling the threat actor to steal arbitrary amounts from customers' PayPal accounts.

"There are online services that let you add balance using PayPal to your account," the researcher added. "I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay Netflix account for me!"

ExtraReplica: Microsoft Patches Cross-Tenant Bug in Azure PostgreSQL

 

Recently, Microsoft has patched pair of security vulnerabilities in its Azure Database for PostgreSQL Flexible Server which could have been exploited to execute malicious code. On Thursday, cyber security researchers from Wiz Research published an advisory on "ExtraReplica," wherein they described it as a "cross-account database vulnerability" in Azure's infrastructure. 

The first is a privilege escalation bug in a modification that Microsoft made to the PostgreSQL engine and the second bug leverages the privilege escalation enabled by the former to give attackers cross-account access. 

Microsoft Azure is a hybrid cloud service and accounts for hundreds of thousands of enterprise customers, it also provides various services to different enterprises including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). 

It supports various programming languages, frameworks, and tools including both Microsoft-specific and third-party software and systems, as well as housing the data for various other Microsoft tools is one of its key features. 

According to the report, security vulnerabilities in the software could be used to bypass Azure's tenant isolation, which prevents software-as-a-service (SaaS) systems users from accessing resources belonging to other tenants. 

Also, ExtraReplica's core attack vector is based on a flaw that gave full access to customer data across multiple databases in a region without authorization, researchers from cloud security vendor Wiz Research recently added. 

"An attacker could create a full copy of a target database in Azure PostgreSQL [Flexible Server], essentially exfiltrating all the information stored in the database…," 

 “…The vulnerabilities would have allowed attackers to bypass firewalls configured to protect the hosted databases unless an organization had configured it for private access only but this is not the default configuration," says Ami Luttwak, co-founder and CTO at Wiz. 

Following the attack, Microsoft said it has mitigated the security vulnerabilities in the second week of January 2022, less than 48 hours after Wiz had warned about the attack. However, the company said that its research showed no evidence that hackers has exploited the vulnerabilities to access customer data.

Unit 42 Publishes New Techniques to Mitigate Vulnerabilities in GKE Autopilot

 

Last year in June, the Unit 42 threat research team discovered multiple bugs in Google Kubernetes Engine (GKE). The vulnerabilities primarily impacted GKE Autopilot, and the latest offering by Google Cloud for managing Kubernetes clusters.

Earlier this week, Unit 42 researchers published details regarding these vulnerabilities and attack techniques to help organizations understand potential threats in securing Kubernetes and how they can be patched.

Kubernetes also known as K8s, is an open-source system for automating deployment, managing, and scaling of containerized applications. The yearly survey conducted by the Cloud Native Computing Foundation highlighted that the majority of firms (83% percent) run Kubernetes in production.

The shift to the cloud benefited multiple organizations but also attracted threat actors. Researchers at Unit 42 discovered several pieces of malware designed to attack Kubernetes. Therefore, it is vital that organizations, cloud security vendors, and the cybersecurity industry continue to work together to address issues like vulnerabilities and misconfigurations in order to help secure work in the cloud. 

The bugs in GKE Autopilot permitted malicious attackers with a restricted initial foothold to escalate privileges and gain access to an entire cluster. This allowed threat actors to covertly exfiltrate secrets, install malware and cryptominers, or disrupt workloads, while the victim remains unknown of the attacker’s activity.

As the adoption of Kubernetes continues to rise, simple misconfigurations and flaws are becoming less common, forcing attackers to launch more sophisticated assaults. According to Unit 42, even a small bug in Kubernetes can amount to very impactful attacks. Only a comprehensive cloud-native security platform can empower defenders and protect clusters against similar threats. 

How to mitigate the risks? 

Following the discovery of vulnerabilities and attack techniques in Google Kubernetes Engine, Google automatically pushed patches across GKE to Autopilot clusters. No customer action is needed. Researchers encourage Kubernetes administrators to enable policy and audit engines that monitor for, detect and prevent suspicious activity and privilege escalation in their clusters.

Powerful pods are still common in production clusters and are usually installed by the underlying Kubernetes platform or introduced through popular open-source add-ons. Unit 42 researchers recommend using Taints, NodeAffinity, or PodAntiAffinity rules to separate powerful pods from untrusted or publicly exposed ones, ensuring they do not run on the same node. 

Trend Micro Patches Critical Bugs in its Security Products

 

Trend Micro has addressed two high-severity bugs impacting its hybrid cloud security devices. The researchers responsible for identifying the flaws have released the details and proof-of-concept (PoC) exploits. 

The flaws tracked as CVE-2022-23119 and CVE-2022-23120, affect Deep Security and Cloud One workload security solutions, specifically the Linux agent feature. 

The security loopholes were unearthed by researchers at Swiss-German cybersecurity firm modzero, which also published PoC exploits the same day Trend Micro released the security patches i.e., on January 19. The researchers first reported the vulnerabilities to Trend Micro in September and patches were released between October and December. 

The researchers at Modzero identified that the Deep Security Agent for Linux is impacted by a directory traversal bug that could be exploited by malicious actors to read arbitrary files and a code injection issue that could be abused to escalate privileges and implement code as root. However, a threat actor requires to have access to the targeted system and exploitation is only possible if the agent has not been activated or configured. 

Additionally, Modzero’s researchers noticed that a hardcoded default X.509 certificate and a corresponding private key are shipped with the agent software. The certificate is used to establish communication with the server before the agent is activated. 

“The Trend Micro Deep Security Agent authenticates remote servers using mutual TLS (mTLS): Both the server and the agent identify each other by presenting a certificate. The agent software ships with a hardcoded default X.509 certificate and a corresponding private key. Until the agent is configured (‘activated’) by the server component this certificate is used in communications with the server. It is stored in the shared object file /opt/ds_agent/lib/dsa_core.so The agent software uses a certificate authority (CA) to establish the server’s identity,” researchers explained.

“When the server connects to the agent, its certificate is validated against this CA. However, the agent uses its own certificate also as a CA. As this certificate ships with a private key, it is possible for an attacker to create and sign their own server certificate, imitate a server and to send commands to the client software.”

Last week, Trend Micro informed users regarding an information disclosure bug impacting its Worry-Free Business Security small business product. However, that flaw was assigned a “low severity” rating.

Linux System Service Bug Allows You to Gain Root Access

 

An authentication bypass vulnerability in the polkit auth system service, which is installed by default on many recent Linux distributions, allows unprivileged attackers to gain a root shell. On June 3, 2021, the polkit local privilege escalation flaw (CVE-2021-3560) was officially identified, and a fix was released. Polkit is used by systemd, hence it's included in any Linux distribution that uses systemd. 

Kevin Backhouse, a GitHub security researcher, detailed how he discovered the bug (CVE-2021-3560) in a systemd service called polkit in a blog post on Thursday. The problem, which was first introduced in commit bfa5036 seven years ago and first shipped in polkit version 0.113, took various pathways in different Linux distributions. Despite the fact that many Linux distributions did not ship with the vulnerable polkit version until recently, any Linux machine with polkit 0.113 or later installed is vulnerable to attacks. 

Polkit, formerly known as PolicyKit, is a service that determines whether certain Linux tasks require more privileges than there are currently available. It comes into play when you want to establish a new user account, for example. According to Backhouse, exploiting the issue is shockingly simple, needing only a few commands utilizing common terminal tools such as bash, kill, and dbus-send. 

"The vulnerability is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request," explained Backhouse. Polkit asks for the UID of a connection that no longer exists, therefore killing dbus-send — an interprocess communication command – in the middle of an authentication request creates an error (because the connection was killed). 

"In fact, polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0," explains Backhouse. "In other words, it immediately authorizes the request because it thinks the request has come from a root process."

Because polkit's UID query to the dbus-daemon occurs numerous times throughout different code paths, this doesn't happen all of the time. According to Backhouse, those code pathways usually handle the error correctly, but one is vulnerable, and if the disconnection occurs while that code path is running, privilege escalation occurs. It's all about timing, which varies in unanticipated ways due to the involvement of various processes. Backhouse believes the bug's intermittent nature is why it went unnoticed for seven years.

GitHub Informed Clients of “Potentially Serious” Security Bug

 

GitHub on Monday informed clients that it had found what it described as an “extremely rare, but potentially serious” security bug identified with how some authenticated sessions were handled. On 8th March GitHub signed out all clients that were signed in before March 8th. The precautionary measure was taken seven days after the organization had gotten an underlying report of dubious conduct, from an external party. 

The Microsoft-owned software development platform said the bug was found on March 2 and an underlying patch was carried out on March 5. A subsequent fix was delivered on March 8 and on the evening of that very day the organization chose to invalidate all authenticated sessions to completely eliminate the possibility of exploitation. On Friday, the GitHub team has remediated the security flaw and kept on analyzing the situation over the weekend. The vulnerability being referred to, could be misused in extremely rare circumstances, when a rare condition would happen during the backend request handling process, permitting the session cookie of a logged-in GitHub client to be sent to the software of another client, giving the latter access to the former user’s account.

“It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems,” says Mike Hanley, GitHub’s recently appointed chief security officer. “Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user.” 

The organization declared that the bug existed on GitHub.com for less than two weeks and it doesn't resemble some other GitHub.com assets or products were impacted as a result of this bug. "We believe that this session misrouting occurred in less than 0.001% of authenticated sessions on GitHub.com. For the very small population of accounts that we know to be affected by this issue, we’ve reached out with additional information and guidance,” continues Hanley in the announcement. 

The organization is still analyzing if any project repositories or source code were messed with because of this vulnerability as this kind of authentication vulnerabilities could pave the way for software supply-chain attacks.

Google Chrome Receives Second Patch for Serious Zero-Day Bug in Two Weeks

Google has recently introduced a fix for another zero-day bug in its Chrome browser and has also released a new security update for desktops. The bug (CVE-2020-16009) that affected the V8 component of the Chrome browser was discovered by Clement Lecigne and Samuel Groß of Google's Threat Analysis Group (TAG) and Google Project Zero respectively. 


 
While addressing the abovementioned flaw for the machines running on Mac, Windows, and Linux, Google released the Google Chrome security patch version 86.0.4240.183. The tech giant further told that the bug when exploited allowed the threat actors to bypass and escape the Chrome security sandbox on Android smartphones and run code on the underlying operating system. 

Google denied disclosing any details of the bug that had been exploited actively in the wild, as a lot of users have not updated yet; it's a part of Google's privacy policy. It prevents attackers from developing exploits alongside and gives users more time to get the updates installed. While Google's TAG hasn't confirmed if the threat actors behind the two bugs were the same, it assured that the acts were not motivated by the ongoing US presidential elections. 
 
Furthermore, a critical memory corruption flaw under active exploitation in the Google Chrome browser (CVE-2020-15999) was identified by the researchers at Google's TAG, who also told that this zero-day vulnerability was under attack in combination with CVE-2020-17087, windows zero-day. The zero-day vulnerability identified as CVE-2020-15999 affected the FreeType font rendering library, thereby demanding attention from all services making use of this library. 
 
Additionally, the latest security update will also allow users to experience a more stable and improved Chrome browser in terms of performance. 
 
In a blog post published on 2nd November, Google said, "The stable channel has been updated to 86.0.4240.183 for Windows, Mac, and Linux which will roll out over the coming days/weeks. A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues." 

"Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," the blog further stated.

Facebook Messenger Kids ‘Technical Error’ exposed kids unauthorized users.







A technical error in Facebook’s messaging app for kids, has exposed thousands of children to join chats with unauthorized users.

The Messenger Kids was launched in 2017 for kids under 13 years, the app gives a private” chat space for kids to talk with contacts that are approved by their parents.

According to a report from The Verge, the flaw allowed a  friend of a child to create a group chat in the app which  invited one or more of the second child’s parent-approved friends — that means a a friend can add secondary contacts to the chat without the approval by the parents of the first child. 

However, the company did not make a public disclosure of the safety issue. 

'We recently notified some parents of Messenger Kids account users about a technical error that we detected affecting a small number of group chats,' a Facebook representative said in a statement. 

'We turned off the affected chats and provided parents with additional resources on Messenger Kids and online safety.'