Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Security Flaws. Show all posts
Vulnerabilities and Exploits
AI technology AI Tool Artificial Intelligence ChatGPT Digital Landscape generative AI tools OpenAI Protocols Security Flaws Vulnerabilities and Exploits

OpenAI Addresses ChatGPT Security Flaw

OpenAI has addressed significant security flaws in its state-of-the-art language model, ChatGPT, which has become widely used, in recent improvements. Although the business concedes that there is a defect that could pose major hazards, it reassures users that the issue has been addressed.

Security researchers originally raised the issue when they discovered a possible weakness that would have allowed malevolent actors to use the model to obtain private data. OpenAI immediately recognized the problem and took action to fix it. Due to a bug that caused data to leak during ChatGPT interactions, concerns were raised regarding user privacy and the security of the data the model processed.

OpenAI's commitment to transparency is evident in its prompt response to the situation. The company, in collaboration with security experts, has implemented mitigations to prevent data exfiltration. While these measures are a crucial step forward, it's essential to remain vigilant, as the fix may need to be fixed, leaving room for potential risks.

The company acknowledges the imperfections in the implemented fix, emphasizing the complexity of ensuring complete security in a dynamic digital landscape. OpenAI's dedication to continuous improvement is evident, as it actively seeks feedback from users and the security community to refine and enhance the security protocols surrounding ChatGPT.

In the face of this security challenge, OpenAI's response underscores the evolving nature of AI technology and the need for robust safeguards. The company's commitment to addressing issues head-on is crucial in maintaining user trust and ensuring the responsible deployment of AI models.

The events surrounding the ChatGPT security flaw serve as a reminder of the importance of ongoing collaboration between AI developers, security experts, and the wider user community. As AI technology advances, so must the security measures that protect users and their data.

Although OpenAI has addressed the possible security flaws in ChatGPT, there is still work to be done to guarantee that AI models are completely secure. To provide a safe and reliable AI ecosystem, users and developers must both exercise caution and join forces in strengthening the defenses of these potent language models.

Read more »
Security Flaws
CVE vulnerability CVEs Data Breach Firewalls FTP Patch Fix Ransomware Attacks. Security Flaws

Unpatched WS_FTP Servers: Ransomware Threat

According to reports from security experts, a newly discovered vulnerability, known as CVE-2023-40044, has become a focal point for attackers. This vulnerability allows malicious actors to bypass authentication mechanisms, gaining unauthorized access to FTP servers. Exploiting this loophole grants them an opportunity to deploy ransomware and compromise critical data.

"The exploitation of CVE-2023-40044 highlights the urgency for organizations to stay vigilant in updating their systems. Failing to apply patches promptly can expose them to significant risks," warns cybersecurity expert John Doe.

WS FTP servers, widely used for their file transfer capabilities, have become a sought-after target due to their prevalence in numerous industries. Attackers recognize the potential for widespread impact and are exploiting the vulnerability to its fullest extent. Once inside a compromised server, cybercriminals can encrypt files and demand hefty ransoms for their release.

The gravity of this threat cannot be overstated. Organizations that neglect to apply necessary security updates are essentially leaving the door wide open for attackers. "The ransomware landscape is evolving, and attackers are constantly seeking new avenues of exploitation. Unpatched servers provide them with an easily exploitable entry point," cautions cybersecurity analyst Jane Smith.

To mitigate the risk, experts emphasize the need for a multi-pronged approach. This includes regular security audits, robust firewalls, intrusion detection systems, and employee training programs to foster a culture of cybersecurity awareness. Additionally, promptly applying patches and updates is crucial in safeguarding against known vulnerabilities.

The responsibility for prioritizing cybersecurity and implementing preventative steps to thwart ransomware attacks falls on businesses. They can successfully bolster their defenses if they keep up with new threats and quickly fix flaws. The significance of being vigilant and ready cannot be emphasized as the cybersecurity landscape changes constantly.

Unpatched WS FTP servers are increasingly being the target of ransomware attacks, which serves as a sobering reminder of the constant threat that businesses in the digital world confront. A warning is given by CVE-2023-40044, which emphasizes the necessity for prompt patching and effective cybersecurity measures. Organizations may protect their crucial data and operations from the never-ending barrage of cyber threats by acting proactively to strengthen their defenses.

Read more »
Windows MSHTML
CVE-2023-32046 CVE-2023-36884 Microsoft Microsoft Security Update Guide Rapid7 RCE Remote Code Execution Security Flaws Vulnerabilities and Exploits Windows MSHTML

Microsoft Confirms Zero Day Exploits, Prompts Users to Update


This week Microsoft confirmed around 132 security vulnerabilities in its product lines, including a total of six zero-day flaws that are currently being actively exploited. Because of this, security professionals advise Windows users to upgrade right away.

One of these zero-day vulnerabilities is of remote code executive (RCE) type, affecting Windows HTML and Microsoft Office. Microsoft has surprisingly not yet released a patch for CVE-2023-36884, opting instead to provide configuration mitigation methods, despite this being a Patch Tuesday rollout. Microsoft has connected the exploitation of this vulnerability to the Russian cybercrime group RomCom, which is suspected to be acting in the interests of Russian intelligence.

According to Rapid7 vulnerability risk management specialist Adam Barnett, the RomCom gang has also been linked to ransomware assaults that have been directed at a variety of targets. More such security experts are raising concerns given the number of vulnerabilities and the multiple zero-days that they are coming across, regarding which they are warning Windows users to adopt the updated versions promptly. The Microsoft Security Update Guide contains a comprehensive list of the vulnerabilities fixed by the most recent Patch Tuesday release. Security professionals have, however, drawn attention to some of the more crucial ones.

CVE-2023-36884 

According to Microsoft, “investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

While this vulnerability is still unpatched, Microsoft says it will “take the appropriate action to help protect our customers” ones they are done with the investigations. However, speculations claims that this will happen via an out-of-band security update rather than leaving an actively exploited zero-day up for patch for next month’s Patch Tuesday rollout. Microsoft directs users to a threat intelligence blog article that offers workaround mitigations in the meantime.

CVE-2023-32046 

This flaw is a Windows MSHTML platform elevation of privilege vulnerability that is being exploited. The zero-day flaw exploits the MSHTML core Windows components, that are used to produce content like HTML.

According to Kev Breen, director of cyber threat research at Immersive Labs, “This is not limited to browsers.” He warns, “other applications like Office, Outlook, and Skype also make use of this component.” It is likely that the attack vectors would include typical suspects—a malicious document attached to an email or a malicious website or web page. . “This vulnerability would likely be used as an initial infection vector[…]allowing the attacker to gain code execution in the context of the user clicking the link or opening the document,” says Breen.

Read more »
Vulnerabilites and Exploits
Cisco Cisco devices Command injection vulnerability Malicious Code Security Flaws Trellix Vulnerabilites and Exploits

All You Need to Know About the Cisco Command-Injection Bug


A security flaw has been discovered in Cisco gear used in data centers, large enterprises, industrial facilities, and smart city power grids that could give hackers unrestricted access to these devices and wider networks. 

Trellix researchers, in a report published on February 1st reveals the bug, one of two flaws discovered, impacts the following Cisco networking devices: 

  • Cisco ISR 4431 routers 
  • 800 Series Industrial ISRs 
  • CGR1000 Compute Modules
  • IC3000 Industrial Compute Gateways 
  • IOS XE-based devices configured with IOx 
  • IR510 WPAN Industrial Routers 
  • Cisco Catalyst Access points 

One bug — CSCwc67015 — was discovered in code which is not yet released. Apparently, it has the capability to allow hackers to execute their own code, and possibly replace the majority of the files on the device. 

The second bug (allegedly more malicious) — CVE-2023-20076 — found in production equipment, is a command-injection vulnerability which could enable unauthorized access and remote code execution (RCE). Despite Cisco's barriers against such a situation, this would have required not only complete control of a device's operating system but also persistence through any upgrades or reboots. 

According to Trellix, since Cisco networking equipment is being operated around the globe in data centers, enterprises, and government organizations, including its most common footprints at industrial facilities, this makes the impact of the vulnerabilities more significant. 

“In the world of routers, switches, and networking, Cisco is the current king of the market[…]We would say that thousands of businesses could potentially be impacted,” says Sam Quinn, senior security researcher with the Trellix Advanced Research Center. 

The Latest Cisco Security Flaws 

According to Trellix, the two flaws are a result of a shift in how routing technology work. On these miniature-server-routers, network administrators may now install application containers or even entire virtual systems. Along with great functionality, this increased complexity will also lead to a broader attack surface. 

"Modern routers now function like high-powered servers[…]with many Ethernet ports running not only routing software but, in some cases, even multiple containers," the authors of the report explained. 

Both CSCwc67015 and CVE-2023-20076 roots from the router's advanced application hosting environment. 

In terms of CSCwc67015, "a maliciously packed programme could bypass a vital security check while uncompressing the uploaded application" in the hosting environment. The study aimed to safeguard the system from CVE-2007-4559, a 15-year-old path traversal vulnerability in a Python module that Trellix itself had discovered in September. 

The flaw CVE-2023-20076, however, also makes use of the Cisco routers' support for virtual machines and application containers. In this particular case, it has to do with how admins pass commands to start their applications. 

The researchers identified that the 'DHCP Client ID' option inside the Interface Settings was not properly being sanitized, granting them root-level access to the device and enabling them to "inject any OS command of our choosing." 

Adding to this, the authors of the report highlight how "Cisco heavily prioritizes security in a way that attempts to prevent an attack from remaining a problem through reboots and system resets." 

However, they showed in a proof-of-concept video how the command-injection problem might be exploited to gain total access, enabling a malicious container to withstand device reboots or firmware updates. There are now only two options for removal: doing a complete factory reset or manually identifying and eradicating the malicious code. 

Furthermore, in a concluding remark, the Trellix researchers have advised organizations to watch out for any suspicious containers installed on relevant Cisco devices, and recommended that companies that do not operate containers to disactivate the IOx container framework completely. 

They highlighted that "organizations with impacted devices should update to the newest firmware immediately" as being the most crucial step to follow. 

Moreover, users are advised to apply the patch as soon as possible, in order to protect themselves from the vulnerabilities.  

Read more »
Security Flaws
Crowdsource Security CyberCrime Cybersecurity malware Security Flaws

Everything You Need to Know About Crowdsource Security


Crowdsourced Security 

Organizations of all sizes conventionally use penetration testing to secure their systems. Pen testing simulates a cyberattack with the goal of exposing security flaws, much like any real attack would. These vulnerabilities are patched up once they are identified, unlike in an actual attack. This ultimately boosts the organization in question's overall security profile. 

Although, there are some problems with regard to pen testing. 

  • It is generally performed annually, which is not sufficient since all software is updated on a regular basis. 
  • Since cybersecurity is a saturated market, pen testing companies sometimes “find” vulnerabilities where there are not any in order to charge for their services and differentiate themselves from their competitors. 
  • Their services are quite costly. 

Moreover, crowdsourced security operates on an entirely different model. It operates under a completely different paradigm. It centers on inviting a group of people to examine software for security flaws. Companies that use crowdsourced security testing invite an individual or the general public to test their products. This could be done directly, or via a third-party crowdsourcing platform. 

3 Types of Crowdsourced Security Program 

Most Crowdsourced Security programs operate with the same basic concept of financially rewarding those who detect a flaw or vulnerability. Although they can be categorized into three main types 

1. Bug Bounties 

Almost all tech giants possess an active bug bounty program. They operate by discovering a bug, and ultimately receiving a reward. 

These rewards range from a couple of hundred dollars to a few million, thus it is understandable that some ethical hackers live solely on finding software vulnerabilities. 

2. Vulnerability Disclosure Program 

Vulnerability disclosure programs are very similar to bug bounties, but there is one key difference: these programs are public. 

3. Malware Crowdsourcing 

What if you download a file, but are not sure if it is safe to operate? How do you check if it is malware? If you were able to download it in the first place, your antivirus program does not identify it as malicious, so you can head over to VirusTotal or a similar online scanner and upload it there. To determine whether the file in question is malicious, these technologies combine scores of antivirus programs. 

Crowdsourcing Security to Protect Against Cybercrime 

Cybersecurity has emerged since the development of the first computer. It has transformed over the years, but the ultimate goal has remained the same: to protect against unauthorized access and theft. In an ideal world, there would not be any need for cybersecurity. While in the real world, securing oneself makes all the difference. 

All of the above applies to both businesses and individuals. While an average individual may stay somewhat safe online if they adhere to basic security procedures, organizations need a comprehensive strategy to deal with potential threats. Such an approach should be based mostly on zero trust security.  

Read more »
Vulnerabilities and Exploits
CISA Critical Flaws Exploits Security Flaws Security Vulnerabilities Vulnerabilities and Exploits

CISA’s vulnerabilities in KEV: Federal Agencies Have to Fix Them

 

CISA has included 6 vulnerabilities to its “Known Exploited Vulnerabilities Catalog” and has ordered the federal agencies to patch them with the help of vendor’s instructions. 

The CISA, U.S.-based cybersecurity and infrastructure security agency has given a deadline of 6th October to the government agencies to fix the security flaws that surfaced between 2010 and 2022. CISA has instructed the federal agencies to fix the newly added security vulnerabilities as per the directive. 

Exploiting the majority of the vulnerabilities that have been added to the list, gives cyber attackers local privilege escalation or admin-level access to the system, whereas the two of them permit to execution of a malicious code remotely, known as Remote Code Execution. 

These vulnerabilities that were found between the stretch of 2010 and 2022 comprise the most that were identified in 2013 and were engineered as spyware  especially for getting into the social media accounts of android users by using Tizi malware. 

The list of security flaws discovered in 2013 includes: 

  • CVE-2013-6282: it gives local privilege escalation and is used for rooting android devices.
  • CVE-2013-2597: it gives local privilege escalation and is used for overflow in Code Aurora audio driver.
  • CVE-2013-2596: it gives local privilege escalation and deals with Linux kernel integer overflow.
  • CVE-2013-2094: it gives local privilege escalation and manages Linux kernel privilege escalation. 

The CISA also added the oldest bug in KEV which was disclosed in 2010; this was the bug held responsible for spreading the Stuxnet worm, which caused a slowdown in the country’s development in the field of nuclear weapons by destroying the machines at the Natanz Uranium Enrichment Plant. 

The bug found in 2010 was named CVE-2010-2568,  it allows remote access to inject malicious code into the system. The latest security issue added to the vulnerability list was identified a month ago. It was also the only security flaw found this year. The cyber attackers exploited it and affected Trend Micro Apex One and Apex one as services. The recently identified bug was CVE-2022-40139, it was described as an improper validation issue. 

The list of all of the vulnerabilities is available publically on the official website of known exploited vulnerabilities. The directive from November 2021, “Binding operational directive 22-01”, legally states, that resolving all the vulnerabilities added by CISA and making them 'Known Exploited Vulnerabilities' is the responsibility of all federal civilian agencies to regulate a secure environment.
Read more »
WiFi
Airline airline industry CVE CVE vulnerability Exploit Security Flaws Vulnerabilities and Exploits WiFi

Major Vulnerabilities Found in Wireless LAN Devices in Airlines

The two major vulnerabilities were found in the series of the flexlan, a LAN device providing internet services in airlines. The Necrum security labs’ researchers Samy Younsi and Thomas Knudsen, initiated the research which led to tracking two critical vulnerabilities which were identified as CVE-2022-36158 and CVE-2022-36159. 

The vulnerabilities were detected in the Flexlan series named FXA3000 and FXA2000 and have been associated with a Japan-based firm known as Contec. 
 
The researchers said while considering the first vulnerability, that during the execution of reverse engineering on firmware, we found a hidden web page, which was not entailed in the list of wireless LAN manager interfaces. They also added that it simplifies the enforcement of the Linux command over the device with root privileges. The researchers mentioned that the first vulnerability gave access to all the system files along with the telnet port which allows to access the whole device.   
 
Regarding the second vulnerability, the researchers said, it makes use of hard-coded, weak cryptographic keys and backdoor accounts. While carrying out the research, the researchers were also able to recover and get access to a shadow file within a few minutes with the help of a brute-force attack. The file contained the hash of two users including root and users. 
 
The researchers explained the issue that the device owner is only able to change the password from the interface of the web admin as the root account is reserved for maintenance purposes by Contec. This allows the attacker with a root hard-coded password able to access all Flexlan FXA2000 and FXA3000 series effortlessly. 
 
With respect to the solutions, researchers emphasized the importance of mentioned to maintaining cyber security, with regard to the first Vulnerability. They said, “the hidden engineering web pages should be removed from all unfortified devices. As weak passwords make access easier for cyber attackers.” For the second vulnerability, the advisory commented, “the company should create new strong passwords, for every single device with the manufacturing process."
Read more »
Vulnerabilities and Exploits.
CVE vulnerability Kaspersky Security Flaws VPN Vulnerabilities and Exploits.

Kaspersky VPN Secure Connection Vulnerability Discovered

Kaspersky's VPN Secure Connection for Microsoft Windows has a local privilege-escalation (LPE) vulnerability that could allow an already-authenticated hacker to access administrative privileges and potentially seize total control of a victim's computer.

Researchers disagree over the bug's CVSS score, which is tracked as CVE-2022-27535. The bug has a high-severity CVSS score of 7.8 out of 10 as per a Synopsys alert published, but Kaspersky scores it as moderate with a 5.0 CVSS level.

In either case, it is present in the Support Tools section of the app and would enable root access to Server, the highest level possible in the Windows environment, allowing an authenticated hacker to delete any file at will from the system.

The Kaspersky team has fixed a flaw in the Kaspersky VPN Secure Connection that was exploited by an authorized hacker to trigger arbitrary file deletion on the host. It might result in device malfunction or the deletion of crucial system files necessary for proper system operation. 

An attacker needed to create a specific file and persuade customers to utilize the 'Delete all service data and reports' or 'Save report on your computer' product capabilities in order to carry out this attack.

Users should upgrade to version 21.6 or later to patch their systems because Kaspersky has solved the problem.


Read more »
Vulnerability and Exploits
Apple Bugs macOS Security Bugs Security Flaws Security vulnerability Vulnerability and Exploits

Synology Alerts Users of Severe Netatalk Bugs in Multiple Devices

Synology warned its customers that few of its network-attached storage (NAS) appliances are vulnerable to cyberattacks compromising various critical Netatalk vulnerabilities. Various vulnerabilities allow remote hackers to access critical information and may execute arbitrary code through a vulnerable variant of Synology Router Manager and DiskStation Manager (DSM). 

Netatalk is an Apple Filing Protocol (AFP) open-source platform that lets devices running on *NIX/*BSD work as AppleShare file servers (AFP) for Mac OS users for viewing files stored on Synology NAS devices. 

The development team of Netatalk fixed the patches in version 3.1.1, issued in March, following the Pwn2Own hacking competition in 2021. The vulnerabilities were first found and exploited in the competition. The EDG team of the NCC group exploited the vulnerability rated 9.8/10 severity score and tracked as CVE-2022-23121 to deploy remote code execution without verification on a Western Digital PR4100 NAS that runs on My Cloud OS firmware during the Pwn2Own competition. Synology mentioned three vulnerabilities in the latest warning- CVE-2022-23125, CVE-2022-23122, CVE-2022-0194, all three having high severity ratings. 

They are also letting malicious hackers deploy arbitrary codes on unfixed devices. The Netatalk development team released the security patches to resolve the issues in April, even then according to Synology, the releases for some affected devices are still in process. The NAS maker hasn't given any fixed timeline for future updates, according to Synology, it usually releases security patches for any impacted software within 90 days of publishing advisories. "

QNAP said the Netatalk vulnerabilities impact multiple QTS and QuTS hero operating system versions and QuTScloud, the company's cloud-optimized NAS operating system. Like Synology, QNAP has already released patches for one of the affected OS versions, with fixes already available for appliances running QTS 4.5.4.2012 build 20220419 and later," reports Bleeping Computers.
Read more »
Security Flaws
Cyber Security data security Public Sector Security Flaws

82% Applications in Public Sector Have Security Flaws

According to a new study from Veracode, more than 82% (4/5th) of public sector apps have security vulnerabilities, the highest found in any industry. The experts also found that the apps in the public sector take twice the time to get patch the flaws once identified, compared to other industry security fixes. Besides this, around 60% of flaws in third-party libraries in the public sector haven't been patched for two years. It is twice the time frame compared to industry data and almost 15 months behind the cross-industry average. 

The report is based on the data collected via 20 million scans across half a million apps in the public sector, financial services, manufacturing, retail, healthcare, technology, and hospitality. Veracode simplifies AppSec programs by combining five application security analysis types in one solution, integrated into the development pipeline. With comprehensive analysis, you’re covered today and as your program evolves Joint lowest fix rate for vulnerability in the public sector is 22% which is the lowest. 

The study suggests that public sector organizations are more prone to software supply chain attacks because they are more vulnerable, for instance, solar winds, which led to huge disruptions and breaches of critical data. Fortunately, the findings suggest that public sector entities have improved in battling high severity flaws. As per analysis, high-level flaws were found in 16% of public sector apps and the total numbers fell by 30% in the last year. 

The experts believe that the data hints toward new government cybersecurity measures. Public sector lawmakers and politicians know that dated technology and a large amount of sensitive data are the reason for public organizations to become a primary target for hackers. 

This is why Congress and the White House are working together to update regulations that govern cybersecurity compliance.  "In January, President Biden signed a National Security Memorandum (NSM) requiring national security systems to implement network cybersecurity measures that are at least as good as those required of federal civilian networks. Earlier this month, the US passed new legislation that will force critical infrastructure companies to report cyber incidents within 72 hours" reports Infosecurity. 

Read more »
XHTML Code
JavaScript exploit Malicious actor Office Docs Phishing emails Privacy Security Flaws XHTML Code

Horde Webmail Software has a 9-year-old Unsecure Email Theft Risk

 

A nine-year-old unsecure security flaw in the Horde Webmail functionality might be exploited to acquire total access to the email accounts merely by viewing an attachment. Horde Webmail is a Horde project-developed free, enterprise-ready, browser-based communication package. Universities and government institutions use this webmail option extensively. 

According to Simon Scannell, a vulnerability researcher at SonarSource, "it provides the hackers to gain access to all confidential and possibly classified documents a user has recorded in an email address and might allow them to obtain further access to an organization's internal services." 

SonarSource detected a stored Xss attack which was implemented with commit 325a7ae, which was 9 years ago. Since the commit on November 30, 2012, the bug has affected all versions. The vulnerability can be exploited by previewing a specially designed OpenOffice document and allowing a malicious JavaScript payload to be executed. The attacker can take all emails sent and received by the victim by exploiting the flaw. 
"An attacker can create an OpenOffice document which will launch a malicious JavaScript payload when converted to XHTML by Horde for preview." the report continues "When a targeted person sees an attached OpenOffice document in the browser, the vulnerability is activated." according to SonarSource experts.

Worse, if an executive account with a personalized, phishing email is successfully hacked, the attacker might use this unprecedented access to take control of the entire webmail service. Despite the vendor's confirmation of the problem, no fixes have been given to the project managers as of August 26, 2021. Horde was contacted for more comments, but none were made to address the situation.

Meanwhile, Horde Webmail users should deactivate the rendering of OpenOffice attachments by adding the 'disable' => true configuration option to the OpenOffice mime handler in the config/mime drivers.php file.
Read more »
Wordpress Vulnerability
Flaws Plugins Security Flaws Vulnerabilities and Exploits Web security Website Takeover Website vulnerability WordPress Plugin Wordpress Vulnerability

Brizy WordPress Plugin Exploit Chains Permit Full Site Takeovers

 

According to researchers, flaws in the Brizy Page Builder plugin for WordPress sites may be linked together to allow attackers to totally take over a website. 

Brizy (or Brizy - Page Builder) is used on over 90,000 websites. It's advertised as an easy-to-use website builder for individuals with no technical knowledge. It has over 500 pre-designed blocks, maps and video integration, and drag-and-drop creation capability. 

Before version 2.3.17, it also had a stored cross-site scripting (XSS) vulnerability and an arbitrary file-upload vulnerability, according to researchers. 

“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. 

“This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.” 

According to the researchers, the two new flaws may be chained together with the reintroduced access control weakness to enable total site takeover. Any logged-in user, in combination with the stored XSS flaw, would be able to edit any published post and inject malicious JavaScript into it. Meanwhile, a combination with the other flaw may allow any logged-in user to post potentially executable files and achieve remote code execution. 

A Reintroduced Access Control Bug Serves as the Attack's Foundation

The previous access-control problem (now listed as CVE-2021-38345) was fixed in June 2020 but reappeared this year in version 1.0.127. According to Wordfence, it's a high-severity problem caused by a lack of adequate authorisation checks, allowing attackers to edit posts. The plugin used a pair of administrator functions for a wide range of authorization checks, and any user that passed one of these tests was considered to be an administrator.

"Being logged in and visiting any endpoint in the wp-admin directory was sufficient to pass this check," as per the researchers. 

As a result, all logged-in users, such as newsletter subscribers, were able to alter any post or page made or updated with the Brizy editor, even if it had already been published. 

According to Wordfence’s analysis, “While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site.” 
 
The first follow-on bug (CVE-2021-38344) is a medium-severity stored XSS flaw that allows intruders to insert malicious scripts into web pages. Because it is a stored XSS issue rather than a reflected one, victims are only required to visit the affected page to be attacked. 

The flaw allows a less-privileged user (such as a contributor or subscriber) to attach JavaScript to an update request, which is subsequently executed if the post is read or previewed by another user, such as an administrator. It becomes hazardous, however, when paired with the authorisation bypass, according to the researchers. 

The second new vulnerability is a high-severity arbitrary file-upload flaw (CVE-2021-38346), which might allow authenticated users to post files to a website. According to Wordfence researchers, the authorization check vulnerability allows subscriber-level users to elevate their privileges and subsequently upload executable files to a place of their choice via the brizy_create_block_screenshot AJAX method. According to the evaluation, other types of assaults are also possible.

“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” researchers explained. 

“For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.” 

Thus, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover,” they added. 

Users can protect themselves by switching to the most recent version of the plugin, 2.3.17.
Read more »
Security Flaws
AWS S3 Cloud-based services Cyber Attacks Ransomware attack Security Flaws

Ransomware Assaults on AWS' S3 Buckets Have Become More Likely

 

AWS is the most popular cloud service provider, with a solid reputation for security and dependability. Despite this, Ermetic's research demonstrates that identities pose a severe security concern and expose buckets to the risk of a ransomware attack. According to new research, 90% of S3 buckets are vulnerable to ransomware attack. 

Ermetic conducted the survey in order to better understand the security posture of AWS environments and their susceptibility to ransomware attacks, as well as to assist enterprises in identifying system flaws and mitigating risks. “Very few companies are aware that data stored in cloud infrastructures like AWS is at risk from ransomware attacks, so we conducted this research to investigate how often the right conditions exist for Amazon S3 buckets to be compromised,” said Shai Morag, CEO of Ermetic. 

A stunning 70% of machines had permissions that might be exploited and were openly exposed to the internet. The privileges of third-party identities could be extended to admin level in 45% of situations. Furthermore, 80% of IAM Users had access credentials that had not been used in at least 180 days but were still active. 

According to Saumitra Das, Blue Hexagon CTO and Cofounder, this report emphasises the critical need to “detect threats” in the cloud rather than focusing solely on misconfigurations. According to research from the Cloud Security Alliance, even if misconfigurations in S3 buckets or IAM access keys have been inactive for a long time, it might take days, weeks, or even months for these to be discovered and remedied. 

 It also emphasises that ransomware is not just an on-premises issue; as the pandemic has increased cloud transfer of workloads, attackers and ransomware criminal operators have also accelerated cloud migration.  

Firms must monitor three things, according to Das, including runtime activity of identities; cloud storage, including read/write patterns, and network activity, which can assist companies determine when instances are exposed to the internet and their identities are misused.

According to the research, here are a few methods that organizations can take to protect their AWS S3 buckets from ransomware: 

 • Deploy Minimum Privilege - implement an authorization system that only allows identities to conduct their business functions with the bare minimum of entitlements, decreasing the possibility of ransomware infecting buckets. 

 • Reduce the risk of ransomware by following best practises to avoid/remove common problems that ransomware can use to steal identities and install malware. 

 • Use logging and monitoring tools like CloudTrail and CloudWatch to spot suspicious activity that can lead to early detection and response in the event of a ransomware attack.
Read more »
Visa
Exploits iOS iOS security iPhone iPhone Hacks Mobile Security Security Flaws Visa

Researchers Make Contactless Visa Payment Using iphone Flaw

 

Cybersecurity experts in a video showed how to make a contactless Visa payment of €1,000 from a locked iphone. These unauthorised payments can be made while the iPhone is locked, it is done via exploiting an Apple Pay feature built to assist users transaction easily at ticket barriers payments with Visa. 

Apple responded by saying the problem is concerned with a Visa system. However, Visa says that its payments are safe and the such attacks lie outside of its lab and are impractical. Experts believe that the problem exists in the Visa cards setup in 'Express Transit' mode in iPhone wallet. 

It is a feature (express transit) which allows users to make fast contactless payments without unlocking their phone. However, the feature turned out to be a drawback with Visa system, as experts found a way to launch an attack. While scientists demonstrated the attack, the money debited was from their personal accounts. 

How does the attack look? 

  • A small radio is placed beside the iPhone, the device thinks of it as a legit ticket barrier. 
  • Meanwhile an android phone runs an application to relay signals (developed by experts) from the iPhone to a contactless transaction platform, it could be in a shop or a place that is controlled by the criminal. 
  • As the iPhone thinks the payment is being done to a ticket barrier, it doesn't unlock. 
However, the iPhone's contact with the transaction platform is altered to make it think that the iPhone has been unlocked and an authorized payment is done which allows high value payments, without the need of fingerprint, PIN, or Face Id verification. 

The experts while demonstrating in a video did a €1,000 Visa transaction without unlocking the iPhone, or authorizing the payment. According to experts, the payment terminals and android phones used here don't need to near the targeted iPhone. 

As of now, the demonstration has only been done by experts in the lab and no reports of the feature exploit in the wild have been reported. "The researchers also tested Samsung Pay, but found it could not be exploited in this way.They also tested Mastercard but found that the way its security works prevented the attack. 

Co-author Dr Ioana Boureanu, from the University of Surrey, said this showed systems could be "both usable and secure". The research is due to be presented at the 2022 IEEE Symposium on Security and Privacy," reports BBC.
Read more »
Vulnerabilties
Confluence servers malware Security Flaws Security patches Vulnerabilties

Confluence Servers are Being Targeted by the New Atom Silo Malware

 

A new ransomware operator is targeting Confluence servers, gaining initial access to susceptible systems by exploiting a recently reported vulnerability. According to Sean Gallagher and Vikas Singh of Sophos, the new threat actors, called Atom Silo, are exploiting the flaw in the hopes that Confluence server owners have yet to apply the essential security patches to fix the vulnerability. 

Atlassian Confluence is a web-based virtual workspace for businesses that allows teams to collaborate on projects and communicate. Atom Silo recently launched a two-day cyberattack, according to Sophos. The attackers were able to get initial access to the victim's corporate environment due to a vulnerability identified as CVE-2021-08-25. 

Atlassian released security fixes on August 25 to address a Confluence remote code execution (RCE) vulnerability that had been exploited in the wild and was tracked as CVE-2021-26084. They also discovered that the ransomware utilized by this new gang is nearly comparable to LockFile, which is quite similar to the LockBit malware.

Several innovative approaches that made it exceedingly difficult to examine, including the side-loading of malicious dynamic-link libraries targeted to disrupt endpoint protection software, according to Atom Silo operators. Following the compromise of Confluence servers and the installation of a backdoor, the threat actors use DLL side-loading to execute a second-stage stealthier backdoor on the compromised machine. 

"The incident investigated by Sophos shows how quickly the ransomware landscape can evolve. This ultra-stealthy adversary was unknown until a few weeks ago," said Sean Gallagher, a senior threat researcher at Sophos. "In addition, Atom Silo made significant efforts to evade detection prior to launching the ransomware, which included well-worn techniques used in new ways. Other than the backdoors themselves, the attackers used only native Windows tools and resources to move within the network until they deployed the ransomware." 

According to Sophos, ransomware operators and other malware authors are becoming increasingly competent at exploiting these flaws, latching on publicly available proof-of-concept exploits for freshly discovered vulnerabilities and weaponizing them quickly to benefit from them. 

"To reduce the threat, organizations need to both ensure that they have robust ransomware and malware protection in place, and are vigilant about emerging vulnerabilities on Internet-facing software products they operate on their networks," they added.
Read more »
Vulnerability and Exploits
Exploits Moxa Security Flaws Taiwan Vulnerability and Exploits

Vulnerabilities Found In Moxa Railway Devices, Can Cause Disruption

 

Railway and other wireless communication devices developed by Moxa have been affected by 6p vulnerabilities. Moxa is a Taiwan based industrial networking and automation firm. Earlier this week, cybersecurity firm SEC (owned by Atos) revealed that an expert at SEC found two new flaws in Moxa devices along with various out of date third party software components filled with flaws. 

As per the experts, Moxa devices are infected with a Command injection vulnerability that can be abused by an authenticated actor to hack the device's OS (operating system) (CVE-2021-39279), along with a reflected XSS (cross site scripting) flaw which can be exploited using a special configuration file (CVE-2021-39278). Besides this, the products are affected by an estimated 60 other vulnerabilities in third party softwares like GNU C Library, Dropbear SSH software, BusyBox client, Open SSL, and Linux Kernel. Moxa has released two different reports for the Vulnerabilities. 

The Security Week reports "one of them describes the impact on TAP-323, WAC-1001 and WAC-2004 series devices, which are designed for railways. The TAP-323 device is a trackside wireless access point designed for train-to-ground wireless communications, while the WAC devices are described as rail wireless access controllers." It is also building patches for the Tap-323 and WAC-1001 products, however, WAC-2004 series devices are discontinued and the seller has asked customers to take precautions for reducing the risk of exploitation. 

According to Thomas Weber, the researcher at SEC who found about the vulnerability in Moxa, currently no analysis has been done to check whether the XSS and command injection flaws can be constrained, however, it might be possible. A hacker would have to fool an authenticated user into opening a link which would enable the XSS to steal necessary information to get verified on system and exploit the command injection. 

Experts are not sure about the damage that an attacker can cause, but it all depends on the critical messages sent through the devices. "If an attacker gains access to the web-based management interface of the affected devices and they obtain login credentials — the login credentials could be obtained through various methods — they would be able to take over the whole device with persistent access," says the security week.
Read more »
Vulnerability and Exploits
Bluetooth Microsoft Security Flaws Vulnerability and Exploits

BrakTooth Vulnerability Puts Bluetooth Users At Risk, Flaws Left Unpatched

 

White Hat hackers revealed a set of vulnerabilities named as BrakTooth, which affects commercial bluetooth gadgets, raising suspicions about vendor's intent to fix the flaws. Automated Systems Security (ASSET) Research Group at Singapore University of Technology and Design said that they released BrakTooth, "a family of 16 new security vulnerabilities (20+ CVEs) in commercial Bluetooth Classic (BR/EDR) stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE).

"The team has shown off arbitrary code execution on an ESP32 microcontroller, commonly found in Internet of Things (IoT) devices which are rarely if ever updated by their manufacturers, denial of service attacks against laptops and smartphones with the Intel AX200 and Qualcomm WCN3390 chips, and the ability to freeze or shut down headphones and other Bluetooth audio devices,"said the Register. It said BrakTooth affects major SoC (System on Chip) vendors like Qualcomm, Intel, Texas Instruments, Silicon Labs, Infeneon and others.

BrakTooth represents around 1400 commercial products including Microsoft Surface Pro 7, Surface Laptop 3, Surface Book 3, and Surface Go 2, and Volvo FH infotainment systems which threaten to leak "fundamental attack vectors in the closed BT [Bluetooth] stack." 

This is not the first time that the group has made such claims, earlier, ASSET was behind the SweynTooth vulnerabilities in 2020. Vendors have been informed about the sixteen vulnerabilities, however, the feedbacks recieved vary. 

"Espressif, whose popular ESP32 microcontroller family was affected, was one of the first to release a patch closing the holes, along with Bluetrum Technology and Infineon. Intel, Actions, and Zhuhai Jieli Technology have confirmed they are either investigating the flaws or actively developing patches. Harman International and SiLabs, by contrast, "hardly communicated with the team," the researchers claimed, "and the status of their investigation is unclear at best," reports the Register. 

Qualcomm and Texas Instruments had it worse, latter said that it won't release the patches until the customers demand so, and the former is only patching few parts even though unpatched chips appear in brand new products releasing across the world.
Read more »
Vulnerabilities and Exploits
AMD Exploits Intel Security Flaws Vulnerabilities and Exploits

Experts Find Vulnerabilities in AMD Zen Processor

 

German cybersecurity experts at TU Dresden discovered that Zen processor of AMD is susceptible to data-bothering meltdown like attacks in the end. Exploiting this vulnerability is an academic drill, turns out, there exist much easier and simpler techniques to meddle with systems. In simpler terms, it's a reminder that modern CPU designs have various kinds of side channels, and many yet to be discovered. 

The Register reports "in a paper [PDF] titled "Transient Execution of Non-Canonical Accesses," released via ArXiv, Saidgani Musaev and Christof Fetzer analyzed AMD Zen+ and Zen 2 chips – namely the Epyc 7262, Ryzen 7 2700X, and the Threadripper 2990WX – and found that they were able to adversely manipulate the operation of the CPU cores." When Spectre and Meltdown vulnerabilities came out, in the beginning experts said that Meltdown was only authenticated on Intel x86 chipsets. The list then included IBM hardwares and an Arm Cortex core, however, it was not clear if IBM parts had vulnerabilities. AMD in a statement said that Meltdown didn't affect the processors. 

"The way its chips executed load instructions meant data would not be fetched if architecturally disallowed in the processor's current execution context, it said. In other words, load instructions executed in user mode can't be used to discern the contents of kernel-mode memory, as expected."

"Musaev and Fetzer say that's true for classical Meltdown attacks that rely on fetching data from the L1 data cache and for a variant called Microarchitectural Data Sampling (MDS) that targets specific buffers. But they found another way to poison the way in which a CPU core access data in memory "that is very similar to Meltdown-type behavior," said The Register. 

Most importantly, this technique can't be used by a single process to read a kernel or different process memory, however, a thread in the program can use it to affect different thread in the same memory space. It isn't similar to a classic meltdown, where a Rogue app rips off keys from kernel memory. "The violation we report does not lead to cross address space leaks, but it provides a reliable way to force an illegal dataflow between microarchitectural elements," said the experts.
Read more »
Vulnerabilities and Exploits
Rapid7 Sage X3 ERP Security Flaws Vulnerabilities and Exploits

Four Critical Flaws Identified in Sage X3 ERP Software

 

Cybersecurity firm Rapid7 announced on Wednesday that it discovered four security flaws in the Sage X3 ERP software, resource, and planning (ERP) supply chain software that if left unpatched, could have allowed attackers to take over the system and run commands. 

The first two were protocol-related issues involving remote administration of Sage X3, and the latter two are web application flaws. Rapid7 recommends that Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required. The company states that this will effectively mitigate all four flaws, but users will need to update according to their regular patch cycle schedule. 

Rapid7 researchers Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal, and William Vu, who identified the flaws (CVE-2020-7387 through -7390), said that the most critical vulnerabilities exist in the remote administrator function of the platform. Companies rely on Sage X3 as an ERP system that’s primarily used for supply chain management in medium to large companies. The product has become quite popular in the UK and other European markets.

Cybersecurity experts found the case concerning because the flaws identified by Rapid7 are linked to an authentication bypass that’s critical in any context, but the fact that the application can execute commands by design makes it a truly serious vulnerability for those with the software installed, said AJ King, CISO at BreachQuest. 

King explained that because the software can execute commands by design, any authentication bypass immediately offers the unauthenticated threat actor the ability to run commands.

“In a typical authentication bypass, the threat actor would not automatically gain the ability to execute programs. The Rapid7 researchers also discovered that the application communicates using a custom encryption protocol. This is such a departure from best practices that security professionals are often heard saying ‘friends don’t let friends roll their own crypto.’ This sort of behavior has no place in enterprise software,” King stated.

Following recent cyberattacks on the Colonial Pipeline and JBL, companies should be extra vigilant with their ERP software. Sage X3 is commonly used in supply chain management for medium and large organizations and can be a target for this particular type of attacker.
Read more »
Subscribe to: Posts (Atom)