Search This Blog

Showing posts with label Security flaw. Show all posts

Ransomware Group Leveraged Mitel Zero-Day Bug To Target VOIP Appliances

 

CrowdStrike researchers have identified ransomware groups targeting a zero-day flaw impacting the Linux-based Mitel VoIP appliance. 

The vulnerability tracked as CVE-2022-29499 was patched earlier this year in April by Mitel after CrowdStrike researcher Patrick Bennett unearthed the bug during a ransomware investigation. 

In a blog post published last week, Bennett explained that after taking the Mitel VoIP appliance offline, he unearthed a “novel remote code execution exploit used by the threat actor to gain initial access to the environment.” 

“After tracing threat actor activity to an IP address assigned to the Mitel MiVoice Connect VoIP appliance, CrowdStrike received a disk image of the Linux system and began analysis. CrowdStrike’s analysis identified anti-forensic techniques that were performed by the threat actor on the Mitel appliance in an attempt to hide their activity,” Bennett said. 

Although the hacker erased all files from the VoIP device’s filesystem, Bennett was able to retrieve forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the attacker. 

The zero-day bug impacts the Mitel Service Appliance component of MiVoice Connect. The company rated the bug critical and said it could be abused in MiVoice Connect Service Appliances, SA 100, SA 400, and/or Virtual SA, Mitel explained in its security advisory. 

"A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance," the company stated.

The exploit entailed two HTTP GET requests — which are used to retrieve a specific resource from a server — to trigger remote code execution by fetching rogue commands from the attacker-controlled infrastructure. 

The hacker leveraged the exploit to design a reverse shell, utilizing it to launch a web shell ("pdf_import.php") on the VoIP appliance and download the open-source Chisel proxy tool.

Subsequently, the binary was implemented, but only after renaming it to "memdump" in an attempt to fly under the radar and use the utility as a "reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device." 

But detection of the activity halted their operation and restricted them from moving laterally across the network. The announcement of a zero-day bug arrives less than two weeks after German penetration testing firm SySS disclosed two vulnerabilities in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could have allowed threat actors to secure root privileges on the devices.

New DeadBolt Ransomware Attacks Have Been Reported by QNAP

 

QNAP, Taiwanese network-attached storage (NAS) device vendor, has issued a warning to its clients about a fresh wave of Deadbolt ransomware assaults. "According to the QNAP Product Security Incident Response Team (QNAP PSIRT) investigation, the attack targeted NAS systems running QTS 4.3.6 and QTS 4.4.1, with the most affected models being the TS-x51 and TS-x53 series," the NAS manufacturer claimed. 

This is the third time since the beginning of the year that QNAP machines have been infected with the DeadBolt ransomware. "QNAP strongly advises all NAS customers to check and update QTS to the most recent version as soon as possible, and to avoid exposing its NAS to the internet," the company said in its advisory. 

As many as 4,988 DeadBolt-infected QNAP devices were discovered in late January, requiring the business to issue a forced firmware update. In mid-March, there was a second spike in new infections. Asustor, a storage solutions provider, issued a warning to its clients in February about a wave of Deadbolt ransomware assaults aimed at its NAS devices. QNAP devices were attacked in a new wave of DeadBolt ransomware attacks, according to Censys, an Internet search engine. 

QNAP patched several vulnerabilities in early May, including a major security flaw known as CVE-2022-27588 (CVSS 9.8) that might let a remote attacker execute arbitrary instructions on susceptible QVR devices. 

QNAP QVR is a video surveillance solution from a Taiwanese company that runs on its NAS devices without the need for additional software. DeadBolt assaults are also noteworthy for reportedly exploiting zero-day vulnerabilities in software to obtain remote access and encrypt systems.

According to a new report published by Group-IB, exploiting security vulnerabilities in public-facing applications has emerged as the third most common vector for gaining initial access, accounting for 21% of all ransomware attacks examined by the firm in 2021. However, QNAP owners infected with the DeadBolt ransomware will have to pay the ransom to receive a valid decryption key.

ExtraReplica: Microsoft Patches Cross-Tenant Bug in Azure PostgreSQL

 

Recently, Microsoft has patched pair of security vulnerabilities in its Azure Database for PostgreSQL Flexible Server which could have been exploited to execute malicious code. On Thursday, cyber security researchers from Wiz Research published an advisory on "ExtraReplica," wherein they described it as a "cross-account database vulnerability" in Azure's infrastructure. 

The first is a privilege escalation bug in a modification that Microsoft made to the PostgreSQL engine and the second bug leverages the privilege escalation enabled by the former to give attackers cross-account access. 

Microsoft Azure is a hybrid cloud service and accounts for hundreds of thousands of enterprise customers, it also provides various services to different enterprises including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). 

It supports various programming languages, frameworks, and tools including both Microsoft-specific and third-party software and systems, as well as housing the data for various other Microsoft tools is one of its key features. 

According to the report, security vulnerabilities in the software could be used to bypass Azure's tenant isolation, which prevents software-as-a-service (SaaS) systems users from accessing resources belonging to other tenants. 

Also, ExtraReplica's core attack vector is based on a flaw that gave full access to customer data across multiple databases in a region without authorization, researchers from cloud security vendor Wiz Research recently added. 

"An attacker could create a full copy of a target database in Azure PostgreSQL [Flexible Server], essentially exfiltrating all the information stored in the database…," 

 “…The vulnerabilities would have allowed attackers to bypass firewalls configured to protect the hosted databases unless an organization had configured it for private access only but this is not the default configuration," says Ami Luttwak, co-founder and CTO at Wiz. 

Following the attack, Microsoft said it has mitigated the security vulnerabilities in the second week of January 2022, less than 48 hours after Wiz had warned about the attack. However, the company said that its research showed no evidence that hackers has exploited the vulnerabilities to access customer data.

 'Dirty Pipe' Kernel Bug Enables Root Patched via Linux Distros

 

Dirty Pipe is a Linux local privilege escalation problem that has been found and publicly released, together with proof-of-concept vulnerability. The 'Dirty Pipe' vulnerability was responsibly disclosed by security researcher Max Kellermann, who indicated it impacts Linux Kernel 5.8 and later versions, as well as Android devices. 

CVE-2022-0847 is a weakness in the Linux kernel which was introduced in version 5.8 and resolved in versions 5.16.11, 5.15.25, and 5.10.102.

Kellerman discovered the flaw while investigating a bug that was causing one of his customer's web server access records to be corrupted. The vulnerability, according to Kellerman, is similar to the Dirty COW vulnerability (CVE-2016-5195), which was addressed in 2016.

A bug in the kernel's pipe handling code allows a user program to rewrite the information of the page cache, which ultimately makes its way into the file system, thanks to a refactoring error. It is identical to Dirty COW, but it is relatively easier to use. 

While using Linux, check for and install security updates from the distro. Wait for Google (and maybe your maker and/or carrier) to send you an update if you're using Android; because it runs a kernel older than 5.8, the current version of Android for the Google Pixel 6 and the Samsung Galaxy S22 is currently in jeopardy. 

Kellerman revealed a proof-of-concept (PoC) vulnerability as part of the Dirty Pipe disclosure which essentially allows users to inject their own content into sensitive read-only files, removing limitations or modifying settings to provide wider access than they would normally have. 

However, security researcher BLASTY disclosed an improved vulnerability today which makes gaining root privileges easier by altering the /usr/bin/su command to dump a root shell at /tmp/sh and then invoking the script. 

Starting on February 20th, 2022, the vulnerability was responsibly revealed to several Linux maintainers, including the Linux kernel security team and the Android Security Team. Despite the fact that the defect has been resolved in Linux kernels 5.16.11, 5.15.25, and 5.10.102, numerous servers continue to use outdated kernels, making the release of this vulnerability a major concern for server admins. 

Furthermore, due to the ease with which these vulnerabilities may be used to acquire root access, it will only be a matter of time before threat actors start exploiting the vulnerability in upcoming attacks. The malware had previously used the comparable Dirty COW vulnerability, which was more difficult to attack.  

This flaw is particularly concerning for web hosting companies that provide Linux shell access, as well as colleges that frequently provide shell access to multi-user Linux systems. It has been a difficult year for Linux, with a slew of high-profile privilege-escalation flaws exposed.

Google WAF Circumvented Via Oversized POST Requests

 

It is possible to circumvent Google's cloud-based defences due to security flaws in the default protection offered by the company's web application firewall (WAF). 

Researchers from security firm Kloudle discovered that by sending a POST request larger than 8KB, they were able to get beyond the web app firewalls on both Google Cloud Platform (GCP) and Amazon Web Services (AWS). 

“The default behaviour of Cloud Armor, in this case, can allow malicious requests to bypass Cloud Armor and directly reach an underlying application,” according to Kloudle. 

"This is similar to the well-documented 8 KB limitation of the AWS web application firewall, however, in the case of Cloud Armor, the limitation is not as widely known and is not presented to customers as prominently as the limitation in AWS.” 

Even if an underlying application is still susceptible, WAFs are designed to guard against web-based attacks like SQL Injection and cross-site scripting. If a targeted endpoint accepts HTTP POST requests "in a manner that could trigger an underlying vulnerability," bypassing this safeguard would bring a potential attacker one step closer to attacking a web-hosted application. 

Kloudle explains in a technical blog post,“This issue can be exploited by crafting an HTTP POST request with a body size exceeding the 8KB size limitation of Cloud Armor, where the payload appears after the 8192th byte/character in the request body." 

Google's Cloud Armor WAF comes with a collection of predefined firewall rules based on the OWASP ModSecurity Core Rule Set, which is open source. The possible attack vector can be blocked by setting a custom Cloud Armor rule to block HTTP requests with request bodies larger than 8192 bytes - a general rule that can be customised to accommodate defined exceptions. 

Even though AWS' WAF has similar issues, Kloudle faulted GCP for neglecting to notify customers about the problem. According to the researchers, other cloud-based WAFs have comparable drawbacks. 

Kloudle told The Daily Swig: “This is part of ongoing work… so far, we have seen request body limitations with Cloudflare, Azure, and Akamai as well. Some have 8KB and others extend to 128KB.” 

In response to questions from The Daily Swig, a Google spokesperson stated that the 8KB restriction is stated in the company's documentation. Kloudle's representative expressed concern over security and functionality. 

The representative explained, “Perimeter security software is hard. I suspect in this case 8KB limit allows them to reliably process other WAF rules. They could be doing more for developer awareness, including adding that rule by default with the option to disable in case someone wants to. As per the shared security responsibility model they put the onus on the end-user to use the service securely.”  

Kloudle's representative expressed sympathy for the security and functionality trade-offs that cloud providers must make but suggested to The Daily Swig that cloud providers could do more to educate consumers about the issue.

Decade-Old Critical Vulnerabilities Might Affect Infusion Pumps

 

According to scans of over 200,000 infusion pumps located on the networking of healthcare providers and hospitals, increasing numbers of gadgets are vulnerable to six critical-severity issues (9.8 out of 10) reported in 2019 and 2020.

According to Palo Alto Networks experts, 52% of scanned devices are vulnerable to two significant security issues discovered in 2019: CVE-2019-12255 (CVSS score of 9.8) and CVE-2019-12264 (CVSS score of 9.8). (CVSS score of 7.1) In a research report, the business stated over 100,000 infusion pumps were vulnerable to older, medium-severity issues (CVE-2016-9355 and CVE-2016-8375). 

"While some of these vulnerabilities and alerts may be difficult for attackers to exploit unless it is physically present in an organization," the researchers added, "all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in situations where threat actors may be motivated to devote additional resources to attacking a target." 

Wind River, the company which supports VxWorks RTOS, has patched all URGENT/11 concerns since July 19, 2019. However, in the embedded device world, large delays in applying patches or not applying them at all are well-known issues. The last five critical-severity bugs that were discovered in June 2020, affect items made by the American healthcare corporation Baxter International. 

Malicious misuse of software security flaws might put human lives in danger, according to the firm. Infusion pumps are used to give medications and fluids to patients, and the company cautioned how malicious exploitation of software security flaws could put human lives at risk. The majority of the discovered flaws can be used to leak sensitive information and gain unauthorized access. Bugs that lead to the release of sensitive information harm not only infusion pumps, but also other medical devices, and may affect credentials, operational information, and patient-specific data.

Another area of concern is the use of third-party modules which may have security flaws. CVE-2019-12255 and CVE-2019-12264, for example, are significant vulnerabilities in the IPNet TCP/IP stack utilized by the ENEA OS of Alaris Infusion Pumps, according to the researchers. 

"Overall, most of the typical security alerts triggered on infusion systems imply avenues of attack which the device owner should be aware of," the security experts told. "For example, via internet access or default login and password usage."Given some infusion pumps are utilized for up to ten years, healthcare practitioners seeking to protect the security of devices, data, and patient information should consider the following.

Vulnerability in GitHub Actions Allowed Attackers to Take Control of Victim's Device

 

Cybersecurity researchers at Cider Security have unearthed a code review bypass threat impacting organizations that had not even enabled the recently introduced GitHub Actions feature. 

To patch the loophole, Omer Gil and colleagues from security start-up Cider Security introduced multiple security mechanisms. GitHub Actions provides a mechanism to build and run software development workflows all the way from development to production systems.

The authorization bypass weaknesses make it potentially possible for either a rogue developer or threat actors to self-approve pull requests, opening the door to planting malicious software into the tributaries that feed production software, researchers explained in a blog post on Medium. 

Threat actors are only required to exploit a single user account before launching an attack, which relies on editing the permissions key in the workflow file. Last year in October, Cider Security was cleared to reveal its stance on the security loophole, weeks before GitHub patched the bug. Additionally, GitHub has introduced a new policy setting that allows system administrators to control whether GitHub Actions can approve pull requests. 

“This protects against a user using Actions to satisfy the ‘required approvals’ branch protection requirement and merging a change that was not reviewed by another user. To prevent breaking existing workflows, allow GitHub Actions reviews to count towards required approval’ is enabled by default. However, an organization admin can disable it under the organization's Actions settings,” GitHub explained. 

Additionally, GitHub recently introduced a new setting to fix this vulnerability; organization admins can now disallow GitHub Actions from approving pull requests. This is an organization-wide setting, which by default allows Actions to approve pull requests in existing organizations, and disallows it in newly created organizations. This means that any organization that was created before this setting was introduced is still vulnerable unless the default setting is changed. 

“We recommend you to use this new setting to disallow malicious actors from bypassing branch protection rules by approving their own pull requests. We recommend you to use this new setting to disallow malicious actors from bypassing branch protection rules by approving their own pull requests,” Cider Security concluded.

Vulnerability in NetUSB Could Impact Millions of Routers

 

A critical flaw in KCodes NetUSB kernel module could allow attackers to secure remote access and has the capability to infect millions of devices. 

Researchers from SentineLabs published a report on the remote code execution vulnerability, tracked as CVE-2021-45388, identified in software vendor KCodes' NetUSB kernel module. NetUSB is a kernel module connectivity solution developed by KCodes, allowing remote devices in a network to interact with the USB devices directly plugged into a router. 

NetUSB is used by millions of router devices from various vendors, including Netgear, TP-Link and Western Digital, to provide USB-over-IP functionality. While SentinelOne has not noticed any attacks in the wild, the team determined that the threat actor could alter the code that the router would then execute. 

The SentinelOne report noted three limitations that make it difficult to exploit the vulnerability, such as "the structure must be sprayable from a remote perspective." "While these restrictions make it difficult to write an exploit for this vulnerability, we believe that it isn't impossible, and so those with Wi-Fi routers may need to look for firmware updates for their router," researchers explained.

The researchers initially spotted the flaw after examining a targeted Netgear device from 2019 and discovered it could affect millions of other "end user" routers. The types of routers that use NetUSB are commonly found in homes. As working from home grew tenfold following the onset of the pandemic, routers have become a common target.

"While small businesses may also use these routers as they are cost-effective and easier to manage, larger organizations will tend to opt for more complicated devices they can have greater control over," researchers added.

Following responsible disclosure to KCodes on September 20, 2021, the Taiwanese firm released a patch to all vendors on November 19, after which Netgear released firmware updates containing fixes for the vulnerability. 

SentinelOne has refrained from releasing a proof-of-concept (PoC) code in light of the fact that other vendors are still in the process of shipping updates. However, the cybersecurity firm cautioned the possibility of an exploit emerging in the wild despite the technical complexity involved, making it imperative that users apply the fixes to mitigate any potential risk.

Services Australia Dismisses Security Concerns with COVID-19 Digital Certificates

 

During Australia's federal Budget Estimates last year, senators questioned Services Australia on a variety of initiatives under its purview, ranging from the COVID-19 digital certificate rollout to the botched Robo-debt programme. 

The purported lack of security of Australia's COVID-19 digital certificates concerned Labor Senators Tim Ayres and Nita Green, with both accusing the certificate of being easily falsified by man-in-the-middle cyber-attacks. 

Fenn Bailey, a Melbourne-based software developer, discovered the security flaw in September 2021 after reading about previous publicly disclosed flaws. He observed that the government was using a "high-school grade permissions password" to prevent unauthorized people from altering or copying vaccination certificates. Mr. Bailey discovered that it was then possible to change a name or the vaccinated status on the certificate.

Responding to the senators' concerns, Services Australia stated that it was aware of reports of man-in-the-middle cyber assaults using the Medicare Express Plus app, but dismissed the worries by stating that such attacks "need significant knowledge and skill."

It further stated that there are no existing vulnerability disclosure mechanisms in existence, nor are there any plans to develop such a programme for digital vaccination certificates in the future. This is despite the fact that security researcher Richard Nelson detailed last year the difficulty for the private sector and the general public in disclosing issues about certificates to the government, which Ayres mentioned during Budget Estimates. 

"Services Australia takes the integrity of the Medicare system and the Australian Immunisation Register extremely seriously," Services Australia said in its response to questions on notice. "Full cyber assessments are undertaken several times a year and we work closely with the Australian Signals Directorate and Australian Cyber Security Centre on potential vulnerabilities on mobile applications."

The Digital Transformation Agency (DTA) released an update for Australia's other federal COVID-19 product, COVIDSafe, stating that monthly costs to run the app have been approximately what it expected of around AU$60,000 per month since it took over responsibility for the app. During Budget Estimates, Labor Senator Marielle Smith asked the DTA how many individuals downloaded and then removed the app, but the agency said it does not track that data. 

In response to complaints regarding Service Australia's progress in refunding incorrectly issued Robo-debts, the agency supplied additional information about the clients who have yet to get a refund.
 
According to the organization, approximately 8,500 customers have yet to get a reimbursement; 501 are deceased estates, 280 are incarcerated, 539 are indigenous, and 106 had a vulnerability indicator on their customer record at the time they were last paid.

CSA Issue Cybersecurity Alert, Calls Emergency Meeting

 

Singapore's cybersecurity organization calls together representatives from critical information infrastructure industries for two emergency meetings, during which technical information and instructions were given to help these companies in dealing with possible threats from Log4j. The country's cybersecurity agency released alerts on the Apache Java logging library flaw and is "closely analayzing" developments. 

The first alarm went out on 14 December, CSA (Cyber Security Agency) of Singapore warned "critical vulnerability," when compromised successfully, lets a hacker take full access to compromised servers. "A briefing session also was held on Friday with trade associations and chambers to highlight the severity of the Log4j vulnerability and urgency for all organizations, including small and midsize businesses (SMBs), to immediately deploy mitigation measures," reports ZD Net. It also mentioned that there was only a small window opportunity to execute mitigation actions and organizations should do it immediately. 

CSA mentioned that alerts were sent out to CII sector leads and businesses, telling them to immediately update their systems with the latest security patches. The government agency was working in collaboration with these CII representatives to take out damage control measures. The cybersecurity bill of Singapore includes 11 critical information infrastructure (CII) sectors, which allows local agencies to take proactive measures to safeguard these CIIs. 

The bill highlights a regulatory framework that formalises the duties of CII providers in protecting systems under their accountability, which includes both before and after cybersecurity incidents. These 11 "essential services" also include water, healthcare, energy, aviation and, banking, and finance. As of now, no Log4j related breaches have been reported, after the CSA issued an alert on December 14th. According to ZD Net, "CSA on Friday issued another update, raising the alert on the security flaw. It noted that because Log4j was widely used by software developers."

Kafdrop Flaw Exposes Data from Kafka Clusters to the Whole Internet

 

Spectral researchers uncovered a security flaw in Kafdrop, a popular open-source UI and administrative interface for Apache Kafka clusters that has been downloaded over 20 million times. Companies affected include significant worldwide companies as well as smaller organisations in healthcare, insurance, media, and IoT — in short, everyone who uses Kafdrop with Apache Kafka. 

Apache Kafka is an open-source distributed event streaming platform used by thousands of companies for high-performance data pipelines, streaming analytics, data integration, and mission-critical applications, including eight of the world's ten largest banks, the 10 largest global insurance companies, and eight of the world's ten key telecom providers. Kafka is commonly used to process and store logs, financial transactions, and private user data. It also powers consumer-centric data pipelines that process real-time actions, events, and behaviour. Kafka is cloud-native, with the ability to scale from small to massive cloud-based clusters. It is also highly scalable and tolerant. 

“We can’t name any of the companies whose clusters we discovered, as we don’t want to give threat actors the edge, but these flaws are exceptionally widespread,” said Dotan Nahum, CEO at Spectral. “Furthermore, since Kafka serves as a central data hub, threat actors with assistance from a flawed Kafdrop, can infiltrate and exfiltrate data and manage the cluster as they see fit. They can connect as a Kafka subscriber to cause further havoc across the entire network.” 

The Kafdrop security flaw not only exposes secrets in real-time traffic, but it also discloses authentication tokens and other access details that allow hackers to contact enterprises' cloud providers, like as AWS, IBM, Oracle, and others, where Kafka clusters are frequently placed. Kafdrop also provides insights into the layout and topology of a cluster, disclosing hosts, topics, partitions, and consumers, as well as the sampling and downloading of live data and the creation and removal of topics. 

“Misusing Kafdrop allows threat actors to access the nervous system of an entire company, revealing customer data, transactions, medical records, internal system traffic, etc. Immediate mitigation is critical,” said Nahum. 

When the flaw was discovered, Spectral promptly provided an authentication code addition back into Kafdrop. Spectral proposes that enterprises scan not only code, but also configuration, infrastructure, and data horizontally across the whole SDLC to defend themselves from such security blunders that lead to breaches.

Cisco SD-WAN Security Flaw Allows Root Code Execution

 

Cisco SD-WAN implementations are vulnerable to a high-severity privilege-escalation flaw in the IOS IE operating system, which could result in arbitrary code execution. 

Cisco's SD-WAN portfolio enables enterprises of all sizes to link different office sites over the cloud utilising a variety of networking technologies, including standard internet connections. Appliances at each location allow advanced analytics, monitoring, application-specific performance specifications and automation throughout a company's wide-area network. Meanwhile, IOS XE is the vendor's operating system that runs those appliances. 

The vulnerability (CVE-2021-1529) is an OS command-injection flaw that allows attackers to execute unexpected, harmful instructions directly on the operating system that would otherwise be inaccessible. It exists especially in the command-line interface (CLI) for Cisco's IOS XE SD-WAN software, and it could permit an authenticated, local attacker to run arbitrary commands with root privileges. 

According to Cisco’s advisory, posted this week, “The vulnerability is due to insufficient input validation by the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.” 

The alert further stated that the exploit method would comprise authenticating to a susceptible device and delivering "crafted input" to the system CLI. An attacker with successful compromise would be able to read and write any files on the system, execute operations as any user, modify system configurations, install and uninstall software, update the OS and/or firmware, and much more, including subsequent access to a corporate network. 

CVE-2021-1529 has a rating of 7.8 on the CVSS vulnerability-severity scale, and researchers and the Cybersecurity and Infrastructure Security Agency (CISA) have advised organisations to fix the problem as soon as possible. 

Greg Fitzgerald, the co-founder of Sevco Security, cautioned that some firms may still have outdated machines connected to their networks, which might provide a hidden threat with issues like these. 

He stated in the email, “The vast majority of organizations do an excellent job patching the vulnerabilities on the systems they know about. The problem arises when enterprises do not have complete visibility into their asset inventory, because even the most responsive IT and security teams can’t patch a vulnerability for an asset they don’t know is connected to their network. Abandoned and unknown IT assets are often the path of least resistance for malicious actors trying to access your network or data.”

This is solely the latest SD-WAN vulnerability addressed by Cisco this year. It patched many significant buffer-overflow and command-injection SD-WAN flaws in January, the most serious of which could be abused by an unauthenticated, remote attacker to execute arbitrary code with root privileges on the affected server.

Hacker Spotlight: Interview with 'Cyberboy', Bug Bounty Hunter who Won $3000

A few days ago Indian bug bounty hunter, Shashank aka Cyberboy came up with a creative hack that led him from multiple errors to Django admin takeover. The bug was about a private target he had been hunting for a while, he passed all the subdomains to FFUF, the most recent and fastest fuzzing open-source tool written in GoLang. The tool is used to brute force directories and files. You can read about the bug in detail in his blog post. I was impressed by the determination and creativity required to discover this exploit; being curious as I was, I decided to interview the innovative mind behind the process involved in discovering this hack and I'm sharing his answers with you all!


1) Hello Shashank, can you briefly introduce yourself to EHackingNews readers? 

Hi, I am Shashank. I am a security analyst at HackerOne, team lead at Cobalt (part-time), and a bug bounty hunter. I started bug bounties when I was 15 years old. I still do it in my free time after my regular job and part-time jobs. This all started in 2012-2013 when I heard that companies like Facebook and google pay hackers for finding a valid security issue on their website. I have been rewarded/recognized by Facebook, google, apple, Microsoft, PayPal, and 100+ top companies for reporting a valid security issue. 
 
2) A few days back, I read your blog post on the Django admin takeover and I was impressed by your persistence despite multiple errors you encountered, can you please share how did the final idea that led to the discovery of this exploit occur to you? 

Going back to my first bounty from google. It took me four months to find my first bug back in 2013. And I concluded that I need persistence in this field. 
 
The vulnerable endpoint where I found the bug. I had that endpoint in my suspicion notes from a week. After a week, when I managed to bypass the 500 error to access the endpoint, I started reviewing all API endpoints. Then I chained all the bugs to make the final exploit. I have tested countless APIs. With the experience of common patterns I see in all APIs, and I was able to construct the right API call to execute the privilege escalation. 
 
3) How did you discover hacking? Anything you can recall from your initial days as a bug bounty hunter? 

Yes, and I can never forget that incident because that changed my life forever. I studied at Sainik School. It was a boarding school. During my summer vacation, I was using Orkut, and I used to chat with one of my seniors. You know, way back then, social media was gaining popularity, and Orkut was a new thing. I used to chat with my senior every day after dinner. One day he was not online, and later, he informed me that his account was hacked. I was amazed at how this is even possible. So we together started digging and looking for clues about how it could have happened. After weeks of searching, we realized that his account was phished. 

After that, I wanted to learn it as well. Since I had zero programming experience, I had to spend months learning to phish. Later next year, while I was in school, I read in the library that hackers hack websites as well. After class 10th, I dropped out of Sainik school to pursue my career in IT and went to Delhi for JEE preparations. There I had my own computer, so I taught myself web hacking. I heard about the bug-bounty program during those days, and after my first bounty, I never stopped. Even today, in my free time. I love to participate in bug bounty programs. 
   
4) What was the most exciting bug you ever discovered? 

My most exciting bug was in blockchain.com. I have always been a crypto enthusiast. I believe that blockchain will be the next big thing. Blockchain.com is an online bitcoin wallet that I use. I found a bug that allowed me to steal anyone’s bitcoin wallet backup file. This could be exploited to steal money from the user’s account with a single click. 

Besides, I found a bug in Apple iOS in 2017, which allowed me to permanently crash an iOS user’s WhatsApp by sharing a contact. 
 
5) What motivates you to hunt exploits? 

Finding security issues in big and popular platforms is challenging and thrilling. It gives me immense happiness when I am able to chain all pieces of information and small bugs to make it a bigger exploit. Apart from that, we can get financial rewards, swags, and recognition for every valid submission, which adds motivation to do it again and again. 
  
6) How did you feel about the response from the affected organizations? 

Honestly, I stick with programs that appreciate hackers and are responsive irrespective of how much they pay. If I notice a program is not very responsive. I tend to move to other targets. 
 
7) How do you see the bug bounty space evolving over 5 years? 

Bug bounty has already boomed in 8 years. When I started, there were a few companies that had a bug-bounty program. Now it is almost countless. Millions have been paid out to hackers, and in the next five years, I am sure we will see more companies starting bug bounties. Even a government project like arogya setu has started bug-bounty programs. We are going to see more in the coming future. More companies and better rewards. 
  
8) What would you advise to the upcoming bounty hunters, any reading recommendations? 

I strongly believe in 2 things. One is reading, and the other is persistence. Even today, after eight years, I still read writeups of bugs published by other hackers on a daily basis. Software upgrades their security each day, and as a hacker, we need to be ahead and more creative to remain in the game. In this field of ethical hacking and bug-bounty, the day you stop learning is the end of the career. 

Apart from that hacking requires patience and persistence. It is not easy to find a bug when so many people are looking into the same application. It's all about never giving up and keep looking for bugs until you find one. This has always worked for me. 
  
9) What are your thoughts about E Hacking News? 

I know about E hacking news from the time I got into security. It is one of the few blogs that started long back when ethical hacking and bug bounties were not very popular. I would like to thank the people behind every such blog who are trying to make this world understand that hacking is not a criminal activity. It is a profession now.

Thank you very much for your time Cyberboy, Goodluck hunting in the future!

UPnP Vulnerability Affects Billion of Devices Allowing DDoS Attacks, Data Exfiltration


A new security vulnerability affecting devices running UPnP protocol has been discovered by a researcher named Yunus Çadırcı; dubbed as CallStranger the security flaw could be exploited by remote unauthenticated attackers to perform a number of malicious acts such as data exfiltration and distributed denial-of-service popularly known as DDoS attacks.

UPnP protocol is designed to speed up the process of automatic discovery and to facilitate interaction with devices on a network, it doesn't have any kind of verification or authentication and therefore is supposed to be employed within trusted LANs. Most of the internet-connected devices contain support for UPnP, however, the Device Protection service responsible for adding security features has not been broadly accepted.

The security vulnerability that is being tracked as CVE-2020-12695, affects Windows PCs, TVs, Cisco, Belkin Broadcom, Dell, D-Link, Gaming Consoles, Samsung, routers from Asus, Huawei, ZTE, TP-Link and probably many more.

While giving insights into his discovery, Çadırcı told, “[The vulnerability] is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet-facing and billions of LAN devices.”

“Home users are not expected to be targeted directly. If their internet-facing devices have UPnP endpoints, their devices may be used for DDoS source. Ask your ISP if your router has Internet-facing UPnP with CallStranger vulnerability — there are millions of consumer devices exposed to the Internet. Don't port forward to UPnP endpoints,” he further added.

“Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end-user devices. Because of the latest UPnP vulnerabilities, enterprises blocked Internet exposed UPnP devices so we don’t expect to see port scanning from the Internet to Intranet but Intranet2Intranet may be an issue.” The researcher concluded.

In order to stay safe, vendors are recommended to act upon the latest specifications put forth by the OCF, and users are advised to actively look out for vendor support channels for updates. Meanwhile, Device manufacturers are advised to disable the UPnP protocol on Internet-obtainable interfaces.

Russia-Linked APT Group Exploited 3 Vulnerabilities in Exim Servers, NSA Warns


The russia-linked APT group have been running campaigns wherein the authors exploited a critical vulnerability (CVE-2019-10149), also called as "The Return of the WIZard" in the Exim mail transfer agent (MTA) software, according to the warnings of the U.S National Security Agency (NSA).

As per the findings of the NSA, the threat actors have been exploiting the vulnerability since an update was released in June 2019. The critical flaw that affects Exim mail transfer agent (MTA) software's version from 4.87 to 4.91 could be taken advantage of by dubious remote hackers to execute arbitrary commands – such as sending a command in the "MAIL FORM" field of a Simple Mail Transfer Protocol message on mail servers.

In the same campaign, the attackers from Unit 74455, the Russian GRU Main Center for Special Technologies (GTsST) had also exploited two other issues in Exim, first one is a remote code execution flaw (CVE-2019-15846) that was fixed in September 2019 and was found to be affecting version 4.92.1 and older. The second one was a DoS and code execution vulnerability (CVE-2019-16928), it affected versions from 4.92 to 4.92.2, according to the revelations made by RiskIQ.

In an advisory published by the NSA, the experts state, "Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August.”

"The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.”

“Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities. Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used. Using a previous version of Exim leaves a system vulnerable to exploitation. System administrators should continually check software versions and update as new versions become available.” The advisory further reads.

Indian Security Researcher Finds Starbucks API Key Exposed on GitHub



Developers at Starbucks left an API (Application Programming Interface) key exposed to hackers with no password protection that could have been used by them to gain access to internal systems and consequently manipulate the list of authorized users. Hackers could have exploited the vulnerability in several ways which allowed them to execute commands on systems, add or remove the listed users and AWS account takeover.

The key was discovered by Vinoth Kumar who is an India security researcher, he happened to locate the open key in a public GitHub repository and responsibly reported it to Starbucks on 17th October via HackerOne vulnerability coordination and bug bounty platform. While reporting the same, HackerOne told, “Vinoth Kumar discovered a publicly available Github repository containing a Starbucks JumpCloud API Key which provided access to internal system information.”

“While going through Github search I discovered a public repository which contains JumpCloud API Key of Starbucks.” the expert himself told.

The key would have allowed an attacker to access a Starbucks JumpCloud API and hence the severity of the flaw was all the way up to critical. Colorado-based JumpCloud is an Active Directory management platform that offers a directory-as-a-service (DaaS) solution that customers employ to authorize, authenticate and manage users, devices, and applications. Other services it provides include web app single-on (SSO) and Lightweight Directory Access Protocol (LDAP) service.

The issue had been taken into consideration by Starbucks very early on, however, Kumar tends to take note of the same on October 21 and told that the repository had been taken down and the API key had been revoked. As soon as the company examined Kumar's proof-of-concept of the flaw and approved of the same, the expert was rewarded with a bounty worth US$4,000 for responsibly disclosing the vulnerability.

While commenting on the matter, Starbucks said, “Thank you for your patience! We have determined that this report demonstrates “significant information disclosure and is therefore eligible for a bounty,”

“At this time, we are satisfied with the remediation of the issue and are ready to move to closure. Thank you again for the report! We hope to see more submissions from you in the future.”

LPE Security Flaw Affecting Symantec Allows Attackers to Escalate Privileges on Compromised Devices


Symantec Endpoint Protection recently fixed a local privilege escalation security flaw influencing all software variants before 14.2 RU2 by enabling attackers to raise benefits on undermined devices and execute noxious code utilizing SYSTEM privileges.

Security researcher Peleg Hadar was the person who discovered the Symantec Endpoint Protection LPE bug and shockingly this isn't the first time when a security local privilege escalation issue was reported to a security vendor.

The Symantec Endpoint Protection LPE bug currently tracked as CVE-2019-12758 requires potential attackers to have Administrator privileges to effectively exploit the issue to Hadar. While the danger level of this vulnerability isn't immediately evident, such bugs are normally evaluated with medium and high 'severity' CVSS 3.x base scores.

As indicated by Hadar, attackers misuse DLL search-order hijacking issues, such as this as part multi-stage attacks in the wake of penetrating a target's machine to 'elevate permissions' in order to additionally compromise the device.

“The vulnerability gives attackers the ability to load and execute malicious payloads within the context of a Symantec’s signed process," Hadar states. Symantec albeit effectively tended to the LPE vulnerability in the Symantec Endpoint protection 14.2 RU2 release issued on October 22, 2019.

In any case he further specified that that misuse of the CVE-2019-12758 bug on machines running 'vulnerable' adaptations of Symantec Endpoint Protection could likewise make it feasible for attackers to load and dispatch malevolent code each time the Symantec administrations are loaded on the system, picking up 'persistence' between system reboots.


VLC player has ‘critical’ security flaw

Popular media software VLC Media Player has a critical software vulnerability that could put millions of users at risk, security researchers have warned.

Researchers from German firm CERT-Bund say they have detected a major safety flaw in the video player, which has been downloaded billions of times across the world, which could allow hackers access to compromise users' devices.

Although the vulnerability is yet to be exploited by hackers publicly to date, it poses an increasing threat for users of the popular software.

- VLC for Nintendo Switch and PS4 could be on the way
- How to convert videos with VLC
- VLC Media Player is about to hit 3bn downloads, with new features on the way

Hijacked

According to CERT-Bund, the flaw enables remote code execution (RCE), unauthorised modification and disclosure of data/files, and overall disruption of service, meaning users could see their devices hijacked and made to run malicious code of software.

Known as CVE-2019-13615, the vulnerability is found in the latest edition of the software, VLC Media Player version 3.0.7.1, and is rated at 9.8 in NIST's National Vulnerability Database, meaning it can be labelled as 'critical'.

The issue has been detected in the Windows, Linux and UNIX versions of VLC, however the macOS version appears to be unaffected.

VideoLAN, the not-for-profit organisation beind VLC Media Player, says it has been working on a patch for the flaw for the last four weeks, and is 60 percent through.

Last month, VideoLAN released the biggest single security update for VLC Media Player in the history of the programme. The update included fixes for 33 vulnerabilities in total, of which two were marked critical, 21 medium and 10 rated low.

Flaw in Zoom app could allow Mac webcams to be hacked

Jonathan Leitschuh, a US-based security researcher on Monday had publicly disclosed a major zero-day vulnerability in the Zoom video conferencing software. Leitschuh had demonstrated that any website can start a video-enabled call through the Zoom software on a Mac with the help of a web server which gets installed by the Zoom app.

According to a report by The Verge, the server accepts the requests which the regular would not. The report further says that even if you uninstall the Zoom software, the server will still remain and it can reinstall Zoom without the user’s choice. As per the findings by Leitschuh, the Zoom software can get hijacked by any website which can then force a Mac user to join a call along with an activated webcam even without their permission unless a specific setting is enabled.

On a Medium post published on Monday, Leitschuh gave a demonstration through a form of a link which after being clicked takes Mac users (currently using/or have used Zoom app before) to a conference room activating their webcams. He notes that this particular code can get embedded to any website and also on malicious ads or a phishing campaign.

Leitschuh further writes that even if Mac users uninstall the Zoom app, the local web server still remains and it will “happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”

The Verge in its report said that they tried the flaw themselves by using Leitschuh’s demo and were able to confirm that the issue does persist on clicking the link if Mac users have used the Zoom app and have not checked a particular checkbox in settings. The link auto joins the users to a conference call with the web camera on.

As per Leitschuh, he had contacted Zoom back on March 26 earlier this year and had said that he would disclose the exploit publicly in 90 days. According to him, Zoom does not seem to have done enough to resolve the problem. The particular vulnerability was also disclosed to both Chromium and Mozilla teams, however, because it is not an issue with their browsers, there is not much those developers can do about this.

Ransomware found exploiting former Windows flaw

Researchers at cybersecurity firm Kaspersky have uncovered new encryption ransomware named Sodin (Sodinokibi or REvil) that exploits a recently discovered Windows vulnerability to get elevated privileges in an infected system. The ransomware takes advantage of the architecture of the central processing unit (CPU) to avoid detection - functionality that is not often seen in ransomware.

"Ransomware is a very popular type of malware, yet it's not often that we see such an elaborate and sophisticated version: using the CPU architecture to fly under the radar is not a common practice for encryptors," said Fedor Sinitsyn, a security researcher at Kaspersky.

"We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in the malware's development definitely expect if to pay off handsomely," Sinitsyn added.

The researchers found that most targets of Sodin ransomware were found in the Asian region: 17.6 percent of attacks have been detected in Taiwan, 9.8 percent in Hong Kong and 8.8 percent in the Republic of Korea.

However, attacks have also been observed in Europe, North America and Latin America, Kaspersky said, adding that the ransomware note left on infected PCs demands $2500 worth of Bitcoin from each victim.

The vulnerability CVE-2018-8453 that the ransomware uses was earlier found to be exploited by the FruityArmor hacking group. The vulnerability was patched on October 10, 2018, Kaspersky said.

To avoid falling victim to Sodin threats, make sure that the software used in your company is regularly updated to the most recent versions, said Kaspersky researchers.

Security products with vulnerability assessment and patch management capabilities may help to automate these processes, they added.