Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Security Patch. Show all posts
Virus Attacks
Data Breach Lazarus APT Microsoft Web Server North Korean Hackers Security Patch Virus Attacks

Lazarus Hackers Target Microsoft IIS Servers to Propagate Malware

The infamous Lazarus hacker collective has reappeared in a recent wave of cyberattacks, using a cunning plan to spread malware through infected Microsoft Internet Information Services (IIS) servers. Cybersecurity professionals are actively watching the situation to reduce any hazards as a result of the attacks, which have caused them great anxiety.

The Lazarus hackers, according to reports from SC Magazine and Bleeping Computer, have successfully taken control of a number of Microsoft IIS servers and are using their ability to spread malicious malware across different networks to their advantage. The spread of the hackers' virus appears to be their main objective, which presents a serious risk to companies and organizations that depend on Microsoft's web server software.

Symantec's threat intelligence team recently made the attack vectors used by Lazarus public, highlighting the chutzpah with which the hackers used the hacked servers to further their evil ends. The malicious campaign was the Lazarus group's dream job, according to Symantec, who highlighted the gravity of the problem in a blog post.

AhnLab's security analysts have also provided insightful analysis of the ongoing attacks. They have been aggressively tracking the hackers' whereabouts and have found startling proof of their vast powers. In both English and Korean blog entries, AhnLab's research teams have warned users and administrators about the danger posed by Lazarus hackers and urged rapid security measures to prevent IIS servers from being attacked.

The Lazarus hacking group, known for its association with North Korea, has been linked to various high-profile cybercrimes in the past. Their expertise in cyber warfare and financially motivated attacks has made them a prominent concern for governments, businesses, and cybersecurity agencies worldwide. This recent incident involving the exploitation of Microsoft IIS servers signifies a new level of sophistication in their tactics, emphasizing the need for constant vigilance in the face of evolving threats.

Hosting websites and web applications on Microsoft IIS servers is a common practice worldwide. For businesses that depend on this web server software, the disclosure of this vulnerability raises a warning. Users are advised by security experts to swiftly upgrade and patch their systems to the most recent versions, put in place strong security policies, and carry out routine audits to look for any suspicious activity.

Microsoft has been actively engaging with security companies and organizations to study the nature of the attack and strengthen their protection measures in response to the growing cyber threat. Users can greatly lower their risk of succumbing to these malicious attempts by being watchful and proactive.

Read more »
zero Day vulnerability
Mobile Security Security flaw Security Patch Spyware User Security zero Day vulnerability

Apple Issues Security Updates for Actively Exploited Vulnerabilities in iOS

 

Apple announced a series of patches this week for several of iOS zero-day flaws that have already been used by malicious parties to sneakily install malware and steal user data. Therefore, it is important that you update your phone as soon as you can. 

iOS 16.5.1, which is now available for download if you have an iPhone 8 or newer, fixes a critical security vulnerability that allows hackers to access all of your personal data saved on your iPhone.

This particular vulnerability was discovered in Russia, where thousands of Russian government officials' iPhones were allegedly infected with malware. It's a kernel flaw that allows bad actors to execute arbitrary code with kernel privileges, which means hackers can run whatever code they want on a targeted device. 

According to The Washington Post, the attackers have been sending iMessages with malicious attachments that corrupt and provide access to their targets' iPhones. The latest iOS patch from Apple also addresses a vulnerability in WebKit, the foundation that allows developers to display webpages on Apple devices. Again, it allowed hackers to obtain personal data from users by executing arbitrary code on their target's phone. 

The tech giant stated on the support page for the upgrade that the attacks have only been observed on devices running iOS 15.7 or earlier. Even while this indicates that the company is not aware of any vulnerabilities on iOS devices running newer versions, those systems may still be exposed. Because of this, Apple urges all users to download iOS 16.5.1 even if their iPhone is already shielded from the aforementioned vulnerabilities. 

This security concern is being taken seriously even by American authorities. Federal agencies were asked to download the most recent version by July 13 after the Cybersecurity and Infrastructure Security Agency added the two exploits to its list of known exploited vulnerabilities.

Even if you don't think you're a target for malware, now is a good time to upgrade your device if you have one of the best iPhones. To install iOS 16.5.1 on your device right now, go to Settings, General, and then Software Update.
Read more »
Windows Vulnerability
CryptoAPI Spoofing Proof of concept Security Patch Vulnerabilities and Exploits Windows Vulnerability

Critical CryptoAPI Spoofing Flaw in Windows PoC Exploit Released

 

Proof-of-concept (Poc) code has been made available for a high-severity security vulnerability in the Windows CryptoAPI that Microsoft was notified of by the U.S. National Security Agency (NSA) and the U.K. National Cyber Security Centre (NCSC) last year. 

The CVE-2022-34689 spoofing vulnerability, with a CVSS score of 7.5, was fixed by the tech giant as part of Patch Tuesday updates delivered in August 2022, although it wasn't made public until October 11, 2022. 

In a then-released advisory, Microsoft warned that "an attacker might alter an existing public x.509 certificate to impersonate their identity and conduct actions such as authentication or code signing as the targeted certificate." 

The Windows CryptoAPI provides an interface for programmers to integrate cryptographic services, including as data encryption and decryption and digital certificate authentication, into their programmes.

CVE-2022-34689, according to web security firm Akamai, which published the proof-of-concept, was caused by a vulnerable piece of code that was intended to accept an x.509 certificate and conducted a check that only considered the certificate's MD5 fingerprint. 

As of December 2008, birthday attacks, a cryptanalytic technique used to identify collisions in a hash function, made it possible for MD5, a message-digest algorithm used for hashing, to be practically cryptographically broken. 

A bad actor might use this flaw to provide a modified version of a genuine certificate to a victim app, then construct a new certificate whose MD5 hash collides with the compromised certificate and use it to pose as the original entity. 

In other words, the vulnerability could be exploited by a malicious third party to launch a mallory-in-the-middle (MitM) attack and reroute users using an outdated version of Google Chrome (version 48 and earlier) to any website of the attacker's choosing simply because the vulnerable web browser trusts the malicious certificate. 

"Certificates play a major role in identity verification online, making this vulnerability lucrative for attackers," Akamai stated.

The Massachusetts-based company noted that despite the flaw's limited reach, "there is still a lot of code that utilises this API and might be susceptible to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7."
Read more »
Vulnerability and Exploits
Node.js patch fixes Security Patch Vulnerabilities and Exploits Vulnerability and Exploits

Node.js Patches Various Flaws that may Lead to Attacks

About vulnerabilities

Node.js maintainers released multiple patches for flaws in the JavaScript runtime environment that can cause HTTP request smuggling and arbitrary code execution, among some other attacks. An advisory mentions the information about the seven patched bugs, it includes three seperate HTTP Request Smuggling vulnerabilities. 

The three flaws- a flawed parsing of transfer-encoding bug, tracked as CVE-2022-32213, an errored delimiting of header fields issue, tracked as CVE-2022-32214, and an improper parsing of multi-line transfer encoding exploit, tracked as CVE-2022-32215, can all in the end lead towards HTTP request smuggling. 

The Daily Swig says "the moderate-severity implementation bug (CVE-2022-2097) could cause encryption to fail in some circumstances. AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation will not encrypt the entirety of the data, which could reveal sixteen bytes of data that was pre-existing in the memory that wasn’t written." 

How Severe are these bugs?

The three bugs were rated as "medium" severity, they affect all three variants of the 18.x, 16.x, and 14.x releases lines. llhttp v6.0.7 and llhttp v2.1.5 includes the patches that were updated inside Node.js. 

Other problems 

The advisory also includes information about a DNS rebinding flaw in --inspect through improper IP addresses. Categorised as "high" severity, the bug (CVE-2022-32212) can permit arbitrary code execution, warns the advisory. 

“The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not.When an invalid IPv4 address is provided browsers will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MitM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884,” says the advisory. 

The flaw affects all variants of the 18.x, 16.x, and 14.x releases lines.

Read more »
UEFI Firmware
Cyber Security HP Patch Fix Security Patch SMI UEFI Firmware

HP Fixes UEFI Flaws Affecting 200+ Computers

 

HP released updates for two high-severity flaws in the UEFI firmware of more than 200 laptops, workstations, and other products on Wednesday. 

CVE-2021-3808 and CVE-2021-3809 are the two flaws, which have a CVSS score of 8.8. HP credited Aruba Threat Labs' Nicholas Starke and a researcher going by the online handle "yngweijw" with reporting the issues but did not disclose technical details on either of the flaws. 

The company did, however, provide a list of affected products, which includes a variety of corporate notebooks and desktop PCs, as well as desktop workstations, retail point-of-sale devices, and thin client PCs. 

“Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities,” HP notes in its advisory. 

According to Starke, HP took almost six months to fix CVE-2021-3809, the issue he disclosed. He adds that the security flaw is due to a SMI (System Management Interrupt) handler called from System Management Mode (SMM), a highly privileged x86 processor execution mode. The SMI handler, according to Starke, may be triggered from a kernel execution context like a Windows Kernel Driver, enabling an attacker to determine the memory location of a specific function and overwrite it in physical memory to refer to attacker code. 

“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks,” Starke added.

While the majority of the vulnerable devices have already received firmware updates, a handful has yet to receive them. Users can check HP's advisory for more information on the impact and upgrades. HP also released warnings this week that outline the updates Intel have released to address several firmware and software vulnerabilities affecting its CPUs and chipsets, as well as HP products.
Read more »
Vulnerabilities and Exploits
RCE Security Patch Software Vendor Vulnerabilities and Exploits

Software Vendor VMware Patches Critical Bug Exploited in the Wild

 

Malicious actors are actively exploiting a critical bug, tracked as CVE-2022-22954, in VMware Workspace ONE Access and Identity Manager recently addressed by the vendor. The vulnerability is used in active attacks that infect servers with coin miners. 

Earlier this month, VMWare rolled out an update to resolve a critical security flaw (CVSS: 9.8) in several of their products, including VMware’s Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation products.

The software vendor also warned regarding the possibility of an attacker with network access triggering a server-side template injection that results in RCE. The vulnerability is not unprecedented: in late September 2022, CVE-2021-22005 enabled malicious actors to strike vulnerable systems with RCE attacks, achieving root privileges and reaching the vCenter Server over the network. 

“VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the security advisory. “A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.”

“This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0011. The ramifications of this vulnerability are serious,” the software vendor said while urging its customers to address the vulnerabilities immediately to prevent its exploitation. 

In the past two weeks, multiple security researchers designed working exploits for CVE-2022-22954, with at least one proof-of-concept exploit released on Twitter. While publishing public exploits raises the risks that threat actors will use them in attacks, they are also meant to help secure systems through testing and serve as validators of existing fixes/patches. 

According to cybersecurity intelligence firm Bad Packets, malicious actors are actively scanning for vulnerable hosts to exploit the flaw in the wild. The IP address, 106.246.224.219, used in the payload, was recently seen dropping the Linux Tsunami backdoor in other attacks. However, it remains unclear what the 'one' executable is, as it is no longer accessible. Security researcher Daniel Card also joined the queue by releasing proof-of-concept exploits on Twitter and stated that the vulnerability was being exploited to deploy coinminer payloads.
Read more »
Zero-Day Bug
Security Patch Vulnerabilities and Exploits Web Servers Zero-Day Bug

F5 Patches NGINX LDAP Zero-Day Bug

 

The maintainers of NGINX, F5 Networks, have disclosed a zero-day bug on NGINX Lightweight Directory Access Protocol Reference (LDAP) implementation at the end of the first week of April. Now, they have released security updates to address security loophole in LDAP.

According to security analysts at F5, NGINX Open Source and NGINX Plus are not affected by the bug by themselves. So, there is no action required if the reference implementation is not employed.

“NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation,” Liam Crilly and Timo Stark of F5 Networks said in an advisory. However, if LDAP reference implementation is used, any of the following conditions will cause vulnerability in the systems: 

• Command-line parameters to configure the Python-based reference implementation daemon 
• Unused, optional configuration parameters and 
• Specific group membership to carry out LDAP authentication

If any of these conditions are fulfilled, a threat actor could override the configuration parameters by sending specially designed HTTP request headers and even bypass LDAP authentication. This would allow LDAP authentication failure to occur even if the user is falsely authenticated. 

“The Python daemon does not sanitize its inputs. Consequently, an attacker can use a specially crafted request header to bypass the group membership (member Of) check and so force LDAP authentication to succeed even if the user being authenticated does not belong to the required groups,” F5 researchers told.

“To mitigate against this, ensure that the backend daemon that presents the login form strips any special characters from the username field. In particular, it must remove the opening and closing parenthesis characters – () – and the equal sign (=), which all have special meanings for LDAP servers. advisory. The backend daemon in the LDAP reference implementation will be updated in this way in due course.” 

NGINX project developers advised users to strip special characters so as they are removed from the username field during authentication, and to update configuration parameters using an empty value. The LDAP-reference implementation mainly explains how the integration operates, and all the components necessary to verify it and how it is not a production grade LDAP solution.
Read more »
Vulnerabilities and Exploits
Critical Flaws Japanese Firm Security Patch Vulnerabilities and Exploits

Japanese Automation Firm Yokogawa Patches CENTUM, Exaopc Vulnerabilities

 

Yokogawa Electric Corp., of Japan, recently patched multiple critical flaws in its control system software that can be abused to suppress alarms, read or write files, crash the server, or execute arbitrary code. 

Researchers at cybersecurity firm Dragos have identified ten critical flaws in Yokogawa’s CENTUM VP distributed control system (DCS) and the Exaopc OPC server for CENTUM systems. The remotely exploitable vulnerabilities are related to hard-coded credentials, relative path traversal, improper output neutralization for logs, OS command injection, permissions, privileges, access controls, and uncontrolled resource consumption. 

The vulnerabilities, a lot of which have been assigned a “high severity” rating, require local access to the targeted device, while others can be abused by sending specially designed packets to the Consolidated Alarm Management Software (CAMS) for the human interface station (HIS or HMI).

“Most likely, the adversary would need access to the LAN for successful exploitation,” Sam Hanson, vulnerability expert in Dragos' Threat Operations Center, stated. “However, if the HIS is somehow internet-facing then exploitation from the internet is possible.” 

Thus far, Dragos researchers have no evidence to suggest that vulnerabilities are exploited in the wild. However, in a real-world attack, a malicious actor could abuse the security loopholes to secure access to the HIS or render it useless by causing a DoS condition. 

“An adversary could use these issues to affect a loss of control and loss of view. Depending on the configuration, the adversary could manipulate physical process controls,” Hanson added. 

Japanese automation giant has released patches and mitigations for affected products. However, CENTUM CS 3000 products, which have reached the end of life, will not receive updates and users have been recommended to update to CENTUM VP. The company released details about the flaws in January and February, and the US Cybersecurity and Infrastructure Security Agency (CISA) published its own advisory in late March. 

“CENTUM VP has been targeted in the past by security researchers. HIS operations involve many file system interactions and therefore there are plenty of places for bugs (such as directory traversals) to appear,” Hanson concluded. “While security has improved over time, Dragos expects more of this type of issue to surface until Yokogawa can find a way to mitigate these issues en masse (through file system permissions, sandboxing, or utilizing a common DLL for file access, etc.).” 

Earlier this year in February, Dragos reported that 1,703 ICS/OT vulnerabilities received a CVE identifier in 2021, more than twice as many as in the previous year. More than two-thirds of the security loopholes examined by the firm impacted systems located deep within the industrial network.
Read more »
Vulnerabilities and Exploits
Bug Hunter Cross-platform malware Security Patch Vulnerabilities and Exploits

Mozilla Patches Critical Security Bug in Cross-Platform Cryptography library

 

Mozilla has patched a critical bug present in the NSS (Network Security Services) cross-platform cryptographic library that could be potentially abused by threat actors to crash a susceptible device and even implement arbitrary code. 

The vulnerability tracked as CVE-2021-43527, was discovered by Tavis Ormandy, a renowned bug-hunter with Google Project Zero who named the flaw “BigSig.” 

“I've discovered a critical vulnerability in Network Security Services (NSS). NSS is the Mozilla project's cross-platform cryptography library. In 2021, all good bugs need a catchy name, so I'm calling this one "BigSig",” Ormandy explained in a blog post.

According to Ormandy, the flaw could have directed to a heap-based buffer overflow while verifying DER-encoded DSA or RSA-PSS signatures in multiple email users and PDF viewers that use the NSS versions prior to 3.73 or 3.68.1 ESR. 

All applications that depend on NSS for managing signatures encoded within CMS, PKCS #7, PKCS #12, and S/MIME are likely to be impacted, Mozilla said in an advisory. Additionally, the vulnerability may also affect applications that employ NSS for validating certificates, or for additional CRL, OCSP, TLS, or X.509 functionality, depending on how NSS is configured. The exploitation of the flaw could allow an attacker to crash an application or potentially achieve arbitrary code execution.

“This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted,” Mozilla says. 

The vulnerability exists because a VFYContext structure that NSS manufactures to store data when verifying a digital signature could only accommodate maximum signature sizes of 16384 bits (RSA at 2048 bytes). Thus, signatures larger than that would lead to a buffer overflow, Ormandy explained. 

“The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data,” Ormandy said. The security researcher also observed that the security bug can be easily reproduced and that multiple algorithms are affected.

“The bug is that there are simply no bounds checking at all; sig and key are arbitrary-length, attacker-controlled blobs, and cx->u is a fixed-size buffer. The hashobj member contains function pointers, so redirecting execution is trivial,” Ormandy concluded.
Read more »
Vulnerabilities and Exploits
Flaws Security Patch Security Update SSRF Flaw VMware Vulnerabilities and Exploits

VMware Patched SSRF& Arbitrary File Read Flaws in vCenter Server

 

VMware has published security upgrades for the vCenter Server after addressing arbitrary file read and server-side request forgery (SSRF) vulnerabilities in the vSphere Web Client (FLEX/Flash).

A VMWare security alert was released on November 23 and the US Cybersecurity and Infrastructure Security Agency (CISA) also encouraged enterprises to use vulnerable instances of the server management platform to deploy required upgrades. 

In terms of severity, both flaws were labelled as 'important.' The most serious, with a CVSS rating of 7.5, is the arbitrary file read flaw (CVE-2021-21980), which if exploited might allow a nefarious attacker to get access to sensitive data. The SSRF vulnerability (CVE-2021-22049) was discovered in the vSAN Web Client (vSAN UI) plugin, with a CVSS of 6.5. An attacker might take advantage of this vulnerability by gaining access to an internal service or making a URL request from outside of the vCenter Server. 

VMware has released security updates for vCenter Server versions 6.5 and 6.7 that address both vulnerabilities. The issues do not impact the 7.x release line, which cannot utilise vSphere Web Client (FLEX/Flash).Cloud Foundation's 3.x release line is still waiting for patches for both problems, whereas 4.x is untouched. 

VMware acknowledged Orz lab's 'ch0wn' for disclosing the arbitrary file read issue and the QI-ANXIN Group's'magiczero for reporting the SSRF. As per Statista, three of the top five server virtualization systems with the largest market share are VMware platforms, with vSphere leading the pack and vCenter Server ranking fifth. 

VMware's dominance in the server virtualization market, along with many organisations' latency to implement upgrades, has made its systems great targets for skilled attackers. The Daily Swig revealed in September that another significant arbitrary file upload flaw in the vCenter Server was being exploited. 

In June, it was revealed that thousands of vCenter Server instances remained unpatched for three weeks after a pair of serious issues in the vSphere Client (HTML5) were discovered.
Read more »
Vulnerable Network
Citrix Critical Flaw DDoS Flaw Flaws Security Patch Vulnerabilities and Exploits Vulnerable Network

Critical Citrix DDoS Flaw Collapses Network Access

 

Cyberattackers could use a significant security flaw in the Citrix Application Delivery Controller (ADC) and Citrix Gateway to disrupt entire corporate networks without requiring them to authenticate. 

The two Citrix solutions in issue (previously the NetScaler ADC and Gateway) are used to manage application-aware traffic and provide secure remote access, respectively. According to the alert, the federated working specialist released a security patch on Tuesday for the CVE-2021-22955 vulnerability, which permits unauthenticated denial of service (DoS) due to uncontrolled resource consumption. 

Citrix also fixed an issue of a lower severity that was caused by unmanaged resource usage. It affects both prior Citrix SD-WAN WANOP Edition products and the Citrix SD-WAN WANOP Edition appliance. The latter offers optimization for Citrix SD-WAN deployments, which enable secure connectivity and seamless access to virtual, cloud and software-as-a-service (SaaS) apps across enterprise and branch locations.

The second vulnerability, labelled CVE-2021-22956, allows for temporary interruption of a device's management GUI; the Nitro API for configuring and monitoring NetScaler appliances; and remote procedure call (RPC) communication, which is what facilitates Citrix's distributed computing in Citrix settings. 

In terms of exploitation's effect, all three products are extensively used over the world, with Gateway and ADC deployed in at least 80,000 firms in 158 countries as of early 2020, as per Positive Technologies analysis at the time. 

Any of the equipment being down could hinder remote and branch access to corporate assets and the blocking of cloud and virtual assets and apps in general. All of this makes them a tempting target for cybercriminals, and the Citrix ADC and Gateway, in particular, are far from novices when it comes to severe vulnerabilities. 

About affected versions: 

Though Citrix did not provide technical information on the new vulnerabilities, VulnDB stated on Wednesday that “the exploitability is told to be difficult. The attack can only be initiated within the local network. The exploitation doesn’t require any form of authentication.” 

Despite Citrix's internal classification of "critical," it gave the issue a severity score of 5.1 out of 10. The site stated that vulnerabilities are worth up to $5,000, and that "manipulation with an unknown input leads in a denial of service vulnerability...This will have a negative influence on availability." 

The vulnerabilities, according to the vendor, impact the following supported versions:
Citrix ADC and Citrix Gateway (CVE-2021-22955 and CVE-2021-22956): 
• Citrix ADC and Citrix Gateway 13.0 before 13.0-83.27 
• Citrix ADC and Citrix Gateway 12.1 before 12.1-63.22 
• Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.23 
• Citrix ADC 12.1-FIPS before 12.1-55.257 

Citrix SD-WAN WANOP Edition (CVE-2021-22956): 
• Models 4000-WO, 4100-WO, 5000-WO and 5100-WO 
• Version 11.4 before 11.4.2 
• Version 10.2 before 10.2.9c 
• The WANOP feature of SD-WAN Premium Edition is not impacted. 

Appliances have to be set up as a VPN or AAA virtual server to be vulnerable to the initial Citrix ADC and Gateway flaw. In the case of the second bug, appliances must have management interface access to NSIP or SNIP. Customers that use Citrix-managed cloud services will not be impacted.
Read more »
Vulnerabilities and Exploits
Old Bugs ransomware attacks Ransomware families Security Patch Vulnerabilities and Exploits

Threat Actors are Still Exploting Old Bugs to Target Organizations

 

Cybersecurity researchers at Qualys have published a free ransomware risk and assessment tool designed to scan systems, identify flaws and finally automate patching and remediation.

Researchers at Qualys analyzed 36 leading ransomware families and their attacks in recent years. It was found that unpatched flaws, device misconfigurations, internet-facing assets, and cracked software were consistently ranked among the top attack vectors.

According to researchers, the top five CVEs exploited by leading ransomware families to target organizations worldwide, have been known for almost a decade and had vendor patches available. But because many organizations still haven't applied the available security updates, they remain susceptible to ransomware attacks. 

CVE-2012-1723, is the oldest of the top five vulnerabilities, a flaw in the Java Runtime Environment (JRE) component in Oracle Java SE 7, detailed in 2012. According to researchers, it's been commonly used to distribute Urausy ransomware. 

The other two other common flaws detailed by researchers are from 2013; CVE-2013-0431 is a vulnerability in JRE leveraged by Reveton ransomware, while CVE-2013-1493 is a vulnerability in Oracle Java that is exploited by Exxroute ransomware. In both cases, security updates have been available for more than eight years.

CVE-2018-12808, on the other hand, is a three-year-old bug in Adobe Acrobat, which is used to deliver ransomware via phishing emails and malicious PDF files. Both Ryuk ransomware and Conti ransomware have been known to use this attack method. The latest bug on the list is Adobe CVE-2019-1458, a privilege escalation flaw in Windows that appeared in December 2019 and has been commonly used by the NetWalker ransomware group.

“For IT and information security teams, applying all the patches needed to keep a network secure is often an uphill battle. The rate at which vulnerabilities are rising is exponentially higher than the rate at which operations teams are patching. This is the number one driving factor for why vulnerabilities remain unpatched It is easy for operations teams to get overwhelmed when they do not have a prioritized list of patches or software listings provided from security teams," Shailesh Athalye, SVP of product management at Qualys, stated. 

Threat actors exploit these flaws because they know many organizations don’t pay attention to the security updates and so they are actively searching for flaws that allow them to lay down the foundations for ransomware attacks.

"There is no silver bullet to prevent ransomware and remediate vulnerabilities, but overall, driving processes for reducing an attack surface should be the goal. The important part of vulnerability management is the combination of vulnerability assessment, prioritization, and remediation," Athalye further told.
Read more »
Vulnerabilities and Exploits
Arbitrary Files Security Advisory Security Patch Vulnerabilities and Exploits

SonicWall Patches Critical Flaw in SMA 100 Products

 

SonicWall has released a security advisory to warn users regarding a critical flaw impacting some of its Secure Mobile Access (SMA) 100 appliances. The vulnerability spotted as CVE-2021-20034 could potentially allow a remote unauthenticated hacker to delete arbitrary files from the targeted appliance and secure administrator access to the device.

"The vulnerability is due to an improper limitation of a file path to a restricted directory potentially leading to arbitrary file deletion as 'nobody'. There is no evidence that this vulnerability is being exploited in the wild,” researchers explained. 

The critical flaw has received a score of 9.1 out of 10 on the CVSS scale of severity. The products that are affected are SMA 100, 200, 210, 400, 410, and 500v; As there are no temporary mitigations, SonicWall recommends impacted users execute applicable patches as soon as possible. 

Since the start of 2021, SonicWall SMA 100 series appliances have been targeted multiple times by ransomware gangs, with the end goal of moving laterally into the firm’s network.

Earlier, a threat group Mandiant tracked as UNC2447 exploited the CVE-2021-20016 zero-day bug in SonicWall SMA 100 Series VPN appliances to set up a new ransomware strain known as FiveHands. Their attacks targeted multiple North American and European organizations before SonicWall released patches in late February 2021. A similar zero-day flaw was also abused in January in attacks targeting SonicWall's internal systems and later instinctively exploited in the wild. 

Earlier this year in July, SonicWall issued a warning for an increased threat of ransomware attacks targeting unpatched end-of-life (EoL) SMA 100 series and Secure Remote Access (SRA) devices. Security researchers at CrowdStrike and CISA added to SonicWall's warning saying that the ransomware campaign was ongoing.

The latest updates for SMA 100 series products also address two medium-severity flaws, including one that can direct to privilege escalation to root, and one that can be abused for authenticated arbitrary code injection and DoS attacks. 

SonicWall recently revealed that its products are used by more than half a million customers in over 215 countries and territories worldwide. Many of them are deployed on the networks of the world's largest organizations, businesses, and government agencies.
Read more »
Vulnerabilities and Exploits
elFinder File Manager Open Source Software Risk Management Security Patch Vulnerabilities and Exploits

Vulnerabilities Detected in Open Source elFinder File Manager

 

In elFinder, an open-source web file organizer, security researchers from SonarSource identified five flaws that form a severe vulnerability chain.

The elFinder file manager is often used in content management systems and frameworks like WordPress plugins and Symfony bundles to make it easier to manage both local and remote files. It's written in JavaScript with the use of jQuery UI. 

The five flaws, termed CVE-2021-32682 as a group, have a CVSS score of 9.8, which means they're highly dangerous. The vulnerability chain impacts elFinder version 2.1.58. 

According to the researchers, exploiting the vulnerabilities may allow an intruder to run arbitrary code and instructions on the server hosting the elFinder PHP connector. The vulnerabilities have been patched in elFinder version 2.1.59. The five weaknesses in the chain are classified by researchers as "innocuous bugs" that may be combined to acquire arbitrary code execution. 

The researchers noted, "We discovered multiple new code vulnerabilities in elFinder and demonstrate how they could be exploited to gain control of the underlying server and its data." 

Update to the latest version:

According to Thomas Chauchefoin, the security researcher at SonarSource, all users should immediately upgrade elFinder to the latest upgrade. 

"There is no doubt these vulnerabilities will also be exploited in the wild because exploits targeting old versions have been publicly released and the connectors filenames are part of compilations of paths to look for when trying to compromise websites." 

While the researchers did not announce any publicly available exploits, they claim that exploiting these issues can allow an attacker to run arbitrary PHP code on the server where elFinder is installed, eventually leading to its takeover. Attackers could then delete or remove any files they want, upload PHP files, and so on. 

"All these bug classes are very common in software that exposes filesystems to users and are likely to impact a broad range of products, not only elFinder," Chauchefoin added.
Read more »
Vulnerabilities and Exploits
BIG-IP Networking Device Configuration Tool Critical Flaws F5 Security Security Patch Vulnerabilities and Exploits

F5 Security Patched Severe Vulnerabilities in its BIG-IP Networking Device

 

F5 Security has patched over a dozen critical-severity vulnerabilities in its BIG-IP networking device, including one which was classified as critical severity when exploited under certain conditions. 

A privilege escalation flaw, tracked as CVE-2021-23031 affects the BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) Traffic Management User Interface (TMUI). 

An authorized attacker who has entry to the Configuration tool can exploit the issue to run arbitrary system commands, create or remove files, and/or discontinue services. Due to the flaw, an attacker can totally compromise the network device. 

The vulnerability was assigned a severity level of 8.8, but according to the security notice, users that use the Appliance Mode, which imposes some technical constraints, get a severity value of 9.9 out of 10. As per the security advisory for CVE-2021-23031, the problem is only affecting a small number of clients in critical condition. 

“When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise.” states the advisory. 

“The limited number of customers using Appliance mode have Scope: Changed, which raises the CVSSv3 score to 9.9. For information about Appliance mode, refer to K12815: Overview of Appliance mode.” 

The vendor advises that the device should be updated; however, if this is not feasible, admins should restrict access to the Configuration utility to only 100% trusted users. 

The U. S. Cybersecurity and Infrastructure Security Agency (CISA) also issued a security notification advising users and administrators to examine the F5 security advisory and install updated software or implement adequate measures as soon as possible. 

F5 addressed 30 high-severity flaws in various products, including authenticated remote command execution vulnerabilities, cross-site scripting (XSS) issues, request forgery bugs, inadequate permission flaws, and denial-of-service flaws. 

The flaws were given a severity score ranging from 7.2 to 7.5. The following is a list of issues patched by the vendor, along with their CVE and CVSS scores: 
  •  CVE-2021-23025: High 7.2
  •  CVE-2021-23026: High 7.5
  •  CVE-2021-23027: High 7.5
  •  CVE-2021-23028: High 7.5
  •  CVE-2021-23029: High 7.5
  •  CVE-2021-23030: High 7.5
  •  CVE-2021-23031: High–Critical – Appliance mode only 8.8–9.9
  •  CVE-2021-23032: High 7.5
  •  CVE-2021-23033: High 7.5
  •  CVE-2021-23034: High 7.5
  •  CVE-2021-23035: High 7.5
  •  CVE-2021-23036: High 7.5
  •  CVE-2021-23037: High 7.5

Lastly, the vendor also fixed medium and low severity vulnerabilities.
Read more »
Vulnerabilities and Exploits
AppC Security Patch U.S. Firm VMware Vulnerabilities and Exploits

VMware Patches Authentication Bypass in Carbon Black App Control

 

VMware, the California-based cloud computing and virtualization technology firm has patched an authentication bypass vulnerability in its Carbon Black App Control (AppC) management server. According to VMware’s advisory, the authentication-bypass vulnerability affected AppC versions 8.0.x, 8.1.x, 8.5.x, and 8.6.x. 

The flaw tracked as CVE-2021-21998, falls into a highly critical range with a maximum CVSSv3 base score of 9.4 out of 10.A malicious actor with network access to the VMware Carbon Black App Control management server might be able to gain administrative privileges to the application without the need to authenticate, VMware explained. 

However, even if the attacker doesn’t need valid credentials for the target application, they would still have to first gain network access to the VMware Carbon Black App Control management server for the attack to succeed, VMware explains in an advisory.

AppC is designed to strengthen the security of servers and to prevent unauthorized changes in the face of cyber-attacks and ensure compliance with regulatory mandates such as PCI-DSS, HIPAA, GDPR, SOX, FISMA, and NERC. 

Besides the authentication-bypass patch, VMware also patched a local privilege escalation flaw affecting VMware Tools for Windows, VMware Remote Console for Windows (VMRC for Windows), and VMware App Volumes that could allow an attacker to implement arbitrary code on compromised systems. 

At this point, the flaw doesn’t have a severity score from the National Institute of Standards and Technology (NIST), but VMware evaluated it at 7.8 (high severity). The flaw, CVE-2021-21999, is a local privilege-escalation vulnerability.

"An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as 'openssl.cnf' in an unrestricted directory which would allow code to be executed with elevated privileges," VMware noted. 

The flaw in AppC is only the latest severe problem that VMware has patched. In February, VMware fixed three bugs in its virtual machine infrastructure for data centers, including a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system, to discover other vulnerable points of network entry to take over affected systems.
Read more »
Vulnerabilities and Exploits
HPE Security Patch SIM Vulnerabilities and Exploits

HPE Patches the Zero-Day Vulnerabiity in Systems Insight Manager Software for Windows

 

Hewlett Packard Enterprise (HPE) has released a security update to patch critical zero-day remote code execution (RCE) vulnerability in its HPE Systems Insight Manager (SIM) software for Windows that it initially revealed in December 2020.

HPE updated its original security advisory on Wednesday. However, the SIM hotfix update kit which resolves the flaw was published more than a month ago, on April 20. HPE SIM is a management and remote support automation tool for Windows and Linux intended to be used with the company's servers, storage, and networking products, including the HPE ProLiant Gen10 and HPE ProLiant Gen9. 

Security researchers labeled the flaw (CVE-2020-7200) as an ‘extremely high-risk’ flaw. It allows attackers with no privileges to remotely execute the code and is commonly found in the latest versions (7.6.x) of HPE’s SIM software and specifically targets the Windows version. This bug allows low-complexity attacks that don’t require user interaction.

“This module exploits this vulnerability by leveraging an outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM, to gain remote code execution as the administrative user running HPE SIM,” according to Packet Storm. The lack of proper validation of user-supplied data can lead to the deserialization of untrusted data, enabling attackers to execute code on servers running vulnerable SIM software.

HPE has released a security advisory for the system admins who are unable to deploy the CVE-2020-7200 security update on vulnerable systems. To safeguard your devices, HPE has provided mitigation measures that involve removing the “Federated Search” & “Federated CMS Configuration” features that allowed the vulnerability.

System admins who use the HPE SIM management software have to use the following procedure to block CVE-2020-7200 attacks: 

1. Stop HPE SIM Service 

2. Delete file from sim installed path del /Q /F C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war 

3. Restart HPE SIM Service

4. Wait for HPE SIM web page "https://SIM_IP:50000" to be accessible and execute the following command from command prompt. mxtool -r -f tools\multi-cms-search.xml 1>nul 2>nul

By following the above procedures system admins can be prevented from being exploited by potential attackers, it will also mean that HPE SIM users can no longer use the federated search feature.
Read more »
Subscribe to: Posts (Atom)