Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Security flaw. Show all posts
WinRAR
Mark of the Web Security flaw Symlink Vulnerabilities and Exploits WinRAR

WinRAR Bug Circumvents Windows Mark of Web Security Notifications.

 

A security flaw in the WinRAR file archiver solution might be used to circumvent the Mark of the Web (MotW) security warning and execute arbitrary code on a Windows computer. The vulnerability is known as CVE-2025-31334 and impacts all WinRAR versions except the most recent release, 7.11. 

Mark of the Web is a security mechanism in Windows that uses a metadata value (an additional data stream called 'zone-identifier') to identify potentially dangerous files downloaded from the internet. When you launch an executable with the MotW tag, Windows informs you that it was obtained from the internet and can be risky, and you can choose whether to continue or terminate it.

Symlink to executable

The CVE-2025-31334 flaw allows an attacker to circumvent the MotW security warning when opening a symbolic link (symlink) to an executable file in any WinRAR version prior to 7.11. Using a specially designed symbolic link, an attacker can execute arbitrary code. It should be noted that on Windows, symlinks can only be generated with administrator privileges. 

The security flaw received a medium severity score of 6.8 and was fixed in the latest version of WinRAR, according to the applications change log: “If symlink pointing at an executable was started from WinRAR shell, the executable Mark of the Web data was ignored” - WinRaR. 

Shimamine Taihei of Mitsui Bussan Secure Directions reported the vulnerability to the Information Technology Promotion Agency (IPA) in Japan. The responsible disclosure was organised by Japan's Computer Security Incident Response Team with the developer of WinRAR.

Starting with version 7.10, WinRAR allows you to remove information from the MotW alternative data stream (such as location and IP address) that could be deemed a privacy issue. Cybercriminals, including state-sponsored ones, have previously used MotW bypasses to transmit malware without triggering the security warning. 

Recently, Russian attackers exploited a vulnerability in the 7-Zip archiver that did not propagate the MotW when double archiving (archiving one file within another) to launch the Smokeloader malware dropper.
Read more »
Security flaw
Cyber Attacks email servers Exim Security flaw

Serious Security Flaw in Exim Email Servers Could Let Hackers Steal Data

 



A dangerous security flaw has been discovered in Exim, a widely used email server software. The vulnerability, officially tracked as CVE-2025-26794, allows hackers to inject harmful commands into the system, potentially leading to data theft or even complete control over the email server. This issue affects Exim version 4.98 when used with a specific database system called SQLite. Experts warn that this is one of the biggest email security threats of 2025.  


How This Vulnerability Works

The problem occurs because of the way Exim handles database queries under certain settings. It mainly affects systems that:  

1. Use SQLite for storing email-related data – This happens when Exim is set up with a special feature called `USE_SQLITE`.  

2. Enable the ETRN command – This is a function that allows users to request email deliveries, but it can be misused if not properly restricted.  

3. Have weak protections against command execution – Some default settings make it easier for attackers to sneak in harmful database commands.  

If all these conditions are met, a hacker can send specially designed emails to the server, tricking it into running unauthorized commands. This could allow them to access sensitive information, modify system settings, or even take control of the entire email system.  


How Attackers Can Use This Flaw

For this security risk to be exploited, three things need to be true:  

1. The system must be running Exim 4.98 with SQLite enabled.  

2. The ETRN command must be set to "accept" instead of the safer "deny" mode.  

3. A specific security setting, smtp_etrn_serialize, must be left at its default value, which can create a loophole for hackers.  

Even though Exim’s default settings provide some level of security, many organizations adjust them to work with older systems, unknowingly making their servers more vulnerable.  


Steps to Stay Safe

To protect email systems from this issue, cybersecurity experts recommend taking the following steps immediately:  

1. Check which version of Exim is installed using the command `exim -bV`.  

2. Disable SQLite integration if it’s not necessary.  

3. Modify ETRN settings to prevent unauthorized use.  

4. Update to the latest Exim version (4.98.1), which includes a fix for this problem.  

For organizations that must continue using SQLite, additional security measures should be in place, such as filtering out risky commands and monitoring unusual activity in the database.  


How Exim Developers Responded

The Exim development team acted quickly by releasing a patched version within 72 hours after confirming the issue. The flaw was originally reported by cybersecurity researcher Oscar Bataille, who followed responsible disclosure guidelines. This allowed Exim’s developers to fix the problem before it became public, reducing the chances of widespread attacks.  


Why This Matters

Exim is used by over 60% of email servers on the internet, meaning this flaw could have affected millions of systems worldwide. This incident is a reminder that even well-established software can have hidden weaknesses, especially when newer features interact with older components.  

To stay safe, organizations must regularly update their email software, follow security best practices, and stay informed about new threats. The faster vulnerabilities like this are addressed, the lower the risk of cyberattacks.

Read more »
Starlink
Automakers Cyber Attacks data security internet-connected cars PII Security flaw Smart Cars Starlink

Subaru Starlink Security Flaw Exposes Risks of Connected Cars

 

As vehicles become increasingly connected to the internet, cybersecurity threats pose growing risks to drivers. A recent security flaw in Subaru’s Starlink system highlights the potential dangers, allowing hackers to remotely control vehicles and access sensitive data. This incident is part of a broader trend affecting the automotive industry, where weaknesses in connected car systems expose users to financial loss, privacy breaches, and safety concerns. 

Researchers found that with just a license plate number and basic owner details, attackers could exploit Subaru’s Starlink system to start or stop the car, lock or unlock doors, and track real-time locations. More alarmingly, hackers could extract personally identifiable information (PII), including billing details, emergency contacts, and historical location data accurate within five meters. The vulnerability stemmed from weak security in the Starlink admin portal, including an insecure password reset API and insufficient protection against two-factor authentication (2FA) bypass. 

Subaru quickly patched the issue within 24 hours of its discovery, but the incident underscores the risks associated with connected vehicles. This is not an isolated case. Other automakers have faced similar security lapses, such as a flaw in Kia’s dealer portal that allowed hackers to track and steal vehicles. Common security issues in connected car systems include weak authentication, improper encryption, centralized storage of sensitive data, and vulnerabilities in third-party integrations. Delayed responses from automakers further exacerbate these risks, leaving vehicles exposed for extended periods. 

Beyond direct system hacks, connected cars face a range of cybersecurity threats. Attackers could remotely hijack vehicle controls, steal onboard financial and personal data, or even deploy ransomware to disable vehicles. GPS spoofing could mislead drivers or facilitate vehicle theft, while compromised infotainment systems may leak personal details or spread malware. While automakers must strengthen security measures, consumers can take steps to protect themselves. Regularly updating vehicle firmware and connected apps can help prevent exploits. 

Using multi-factor authentication (MFA) for connected car accounts and avoiding weak passwords add an extra layer of security. Limiting the amount of personal data linked to vehicle systems reduces exposure. Disabling unnecessary connectivity features, such as remote start or location tracking, also minimizes risk. Additional precautions include avoiding public Wi-Fi for accessing connected car systems, using a virtual private network (VPN) when necessary, and carefully vetting third-party apps before granting permissions. Traditional security tools like steering wheel locks and GPS trackers remain valuable backup measures against cyber threats. 

As connected cars become more common, cybersecurity will play a crucial role in vehicle safety. Automakers must prioritize security by implementing robust encryption, strong authentication, and rapid vulnerability response. At the same time, consumers should stay informed and take proactive steps to safeguard their vehicles and personal data from evolving digital threats.
Read more »
sophisticated attacks
Business Security Cyber Security IT Flaw Security flaw sophisticated attacks

Public Holidays And Weekends Make Companies More Vulnerable to Cyberattacks

 


 Cyberattacks Surge During Holidays and Weekends: Semperis Report

Companies are particularly susceptible to cyberattacks during public holidays and weekends due to reduced security manpower. A recent report on ransomware assaults, published by Semperis, a provider of identity-based cyber resilience, confirms this vulnerability.

The study revealed that an average of 86% of organizations assessed across the United States, United Kingdom, France, and Germany were targeted during public holidays or weekends. The findings also indicate that 75% of businesses reduced their security workforce by up to 50% during these periods, leaving critical systems exposed.

Targeted Attacks During Key Business Events

Half of the respondents who experienced cyberattacks reported being targeted during major business events such as mergers or acquisitions. For instance, after UnitedHealth acquired Change Healthcare, cybercriminals exploited a security flaw in remote access systems to breach the company’s infrastructure.

The report highlighted that 90% of ransomware attacks compromised a firm’s identity service, such as Microsoft Active Directory (AD) or Entra ID, as these are widely used and vulnerable. Additionally:

  • 35% of businesses reported insufficient funds to safeguard against cyberattacks.
  • 61% of organizations lacked adequate backup solutions for their identity services.

While 81% of respondents stated they possess the knowledge to defend against identity-related threats, 83% admitted to experiencing a successful ransomware assault within the past year. This disconnect underscores the need for better implementation of security measures.

The US Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly emphasized the need for vigilance during weekends and public holidays. Notably, the ransomware group Clop exploited a long weekend to take advantage of a vulnerability in the MOVEit data exchange software. This attack affected over 130 companies in Germany, leading to significant data breaches and blackmail attempts.

Solutions to Mitigate Risks

To address these vulnerabilities, enterprises must take the following measures:

  • Protect critical flaws, such as those in Active Directory (AD) and other identity services.
  • Ensure security operations centers (SOCs) are adequately staffed during off-hours.
  • Integrate cybersecurity into the broader business resiliency strategy, alongside safety, financial, and reputational risk management.

Prioritizing security as an essential component of business resilience can make the difference between surviving and thriving in the face of catastrophic cyber incidents.

Read more »
Windows Security
Bitlocker Security flaw TPM Vulnerabilities and Exploits Windows Security

TPM-Equipped Devices Trigger Warnings Due to a Windows BitLocker Flaw

 

Microsoft is examining a flaw that activates security alerts on systems equipped with a Trusted Platform Module (TPM) processor after enabling BitLocker. 

A Windows security feature called BitLocker encrypts storage discs to guard against data leakage or theft. Redmond claims that when combined with a TPM, it "provides maximum protection" "to ensure that a device hasn't been tampered with while the system is offline.”  

TPMs are specialised security processors that offer hardware-based security features and serve as reliable hardware parts for storing private data, including encryption keys and other security credentials.

The company stated in a notice issued past week that unmanaged devices, or BYOD (bring your own device), are also impacted by this known vulnerability. These are typically privately held devices utilised in business settings that can be secured or onboard using methods provided by the IT or security department of each firm.  

Users of vulnerable Windows 10 and 11 PCs will notice a "For your security, some settings are managed by your administrator" alert "in the BitLocker control panel and other places in Windows.” 

The tech giant noted that it is currently working on a fix and will provide further details regarding the flaw when it has more information. In April 2024, Microsoft resolved another issue that led to faulty BitLocker drive encryption issues in select managed Windows environments. In October 2023, the company classified this as a reporting issue with no impact on drive encryption.  

Microsoft revealed in June 2021 that TPM 2.0 is required for installing or upgrading to Windows 11, claiming that it will make PCs more resistant to manipulation and sophisticated cyberattacks. However, this has not prevented Windows users from developing a variety of tools, programs, and strategies to circumvent it. 

More than three years later, in December 2024, Redmond emphasised that TPM 2.0 compliance is a "non-negotiable" condition, as consumers will be unable to upgrade to Windows 11 without it. According to Statcounter Global data, more than 62% of all Windows computers globally are still using Windows 10, with less than 34% on Windows 11 three years after its October 2021 launch. 
Read more »
Threat Intelligence
Cyber Security FBI Security flaw Tech Firms Threat Intelligence

Hackers Are Sending Fake Police Data Requests To Tech Giants To Steal People's Private Data

 

The FBI has issued a warning that hackers are collecting sensitive user information, such as emails and contact details, from US-based tech firms by hacking government and police email addresses in order to file "emergency" data requests. 

The FBI's public notice filed last week is an unusual admission by the federal government regarding the threat posed by phoney emergency data requests, a legal process designed to assist police and federal authorities in obtaining information from firms in order to respond to immediate threats to people's safety or properties.

The misuse of emergency data requests is not new, and it has drawn significant attention in recent years. The FBI now warns that it noticed an "uptick" in criminal posts online advertising access to or carrying out false emergency data requests around August and is going public to raise awareness.

“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory. 

Police and law enforcement in the United States often require some form of legal basis to seek and acquire access to private data stored on company laptops. Typically, police must provide sufficient proof of a potential crime before a U.S. court will grant a search warrant authorising them to collect that information from a private corporation. 

Police can issue subpoenas, which do not require a court appearance, requesting that businesses access restricted amounts of information about a user, such as their username, account logins, email addresses, phone numbers, and, in some cases, approximate location. 

There are also emergency requests, which allow police enforcement to gather a person's information from a firm in the event of an immediate threat and there is insufficient time to secure a court order. Federal authorities claim that some cybercriminals abuse these emergency requests.

The FBI stated in its advisory that it had spotted many public posts from known hackers in 2023 and 2024 claiming access to email accounts used by US law enforcement and several foreign governments. According to the FBI, this access was later used to issue fake subpoenas and other legal demands to corporations in the United States in search of private user data kept on their systems. 

The cybercriminals were able to pass for law enforcement by sending emails to businesses asking for user data using hacked police accounts. False threats, such as allegations of human trafficking and, in one instance, the warning that a person would "suffer greatly or die" until the company in issue returned the requested information, were mentioned in some of the requests.

The FBI claimed that because the hackers had gained access to law enforcement accounts, they were able to create subpoenas that appeared authentic and forced companies to divulge user data, including phone numbers, emails, and usernames. However, the FBI noted that not all fraudulent attempts to submit emergency data demands were successful.
Read more »
User Privacy
Chrome Extension Manifest V3 Mobile Security Security flaw SquareX User Privacy

Chrome Extensions Continue to Pose a Threat, Even With Google's Manifest V3

 

Users have always found browser extensions to be a useful tool for increasing productivity and streamlining tasks. They have, however, become a prime target for malicious actors attempting to exploit flaws, impacting both individual users and companies. 

Despite efforts to boost security, several of these extensions have found ways to exploit vulnerabilities in Google's latest extension framework, Manifest V3 (MV3). SquareX's recent research explained how these rogue extensions can continue to evade crucial security protections, exposing millions of users to risks such as data theft, malware, and unauthorised access to sensitive information. 

Google has always had troubles with Chrome addons. In June 2023, the company had to manually remove 32 vulnerable extensions that had been installed 72 million times before being removed. 

Google's previous extension framework, Manifest Version 2 (MV2), was notoriously unstable. It frequently granted excessive rights to extensions and allowed scripts to be introduced without user knowledge, making it less complicated for cybercriminals to steal data, access sensitive information, and install malware.

In response, Google launched Manifest V3, which intended to improve security by limiting permissions and requiring extensions to declare their scripts in advance. While MV3 was supposed to address the vulnerabilities found in MV2, SquareX's study indicates that it falls short in important areas. 

Malicious extensions built on MV3 can still circumvent security measures and grab live video streams from collaboration services such as Google Meet and Zoom Web without requiring specific permission. They can even add unauthorised contributors to private GitHub repositories and send users to phishing pages masquerading as password managers. 

Furthermore, these malicious extensions, like their MV2 counterparts, can access browser history, cookies, bookmarks, and download history by displaying a fake software update pop-up that dupes users into downloading the malware. 

Once the malicious extension is installed, individuals and businesses are unable to notice its activity, leaving them vulnerable. Endpoint protection, Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) are examples of security solutions that cannot dynamically assess potential risks in browser extensions. 

SquareX has created a number of solutions targeted at enhancing browser extension security in order to address these issues. Their strategy includes customised rules that let administrators choose which extensions to accept or ban depending on user ratings, reviews, update history, and extension permissions.

This system can prevent network requests from extensions in real time using policies, machine learning insights, and heuristic analysis. Additionally, SquareX is experimenting with dynamic analysis of Chrome extensions using a customised Chromium browser on its cloud server, which will provide greater insights into the behaviour of potentially malicious extensions.
Read more »
Wordpress Vulnerability
brute-force protection CVE-2024-50550 Cyber Security LiteSpeed Cache plugin Patchstack plugin security role simulation Security flaw Unauthorized access update LiteSpeed Cache Wordpress Vulnerability

Critical Security Vulnerability Found in LiteSpeed Cache Plugin: Urgent Update Advised for WordPress Users

 

A significant security flaw has been uncovered in the LiteSpeed Cache plugin, used by over 6 million WordPress sites, which could allow unauthorized visitors to gain administrator-level access. The vulnerability stems from a weakness in the plugin's role simulation feature, making it possible for attackers to bypass security and install harmful plugins.

The LiteSpeed Cache plugin, popular for site performance enhancements, is compatible with widely-used WordPress plugins like WooCommerce, bbPress, and Yoast SEO.

According to cybersecurity firm Patchstack, this vulnerability results from weak hash checks, which can be exploited under certain administrator-defined configurations. The issue is particularly pronounced when high run durations and minimal load limits are applied within the plugin's Crawler feature.

Listed as CVE-2024-50550, the vulnerability is concerning due to its susceptibility to brute-force attacks, enabling attackers to bypass essential security mechanisms.

Specific configurations that make this vulnerability more likely include:
  • Enabling the Crawler feature with run durations between 2500-4000 seconds
  • Setting the server load limit to 0
  • Activating role simulation for administrator-level users
  • Recommended Actions to Mitigate the Risk
  • In response, LiteSpeed has removed the role simulation feature and enhanced hash generation processes. The company has also shared plans with Patchstack to introduce more sophisticated random value generation in future updates to further safeguard against brute-force exploits.
Patchstack recommends that all LiteSpeed Cache users update to version 6.5.2 or later to mitigate these risks.

"This vulnerability underscores the importance of strong, unpredictable values for security hashes or nonces," Patchstack noted, adding that features like role simulation should always include robust access controls.

Additionally, administrators are advised to review plugin settings, optimizing configurations like Crawler run duration and load limits to strengthen security.
Read more »
Zero-day Flaw
Hash Password Security flaw Security Patch Vulnerabilities and Exploits Zero-day Flaw

Unofficial Patches Published for New Windows Themes Zero-Day Exploit

 

Free unofficial fixes are now available for a new zero-day flaw in Windows Themes that allows hackers to remotely harvest a target's NTLM credentials.

NTLM has been extensively exploited in NTLM relay attacks, in which threat actors force susceptible network devices to authenticate against servers under their control, and in pass-the-hash attacks, in which attackers exploit system vulnerabilities or deploy malicious software to steal NTLM hashes (hash passwords) from target systems. 

Once they acquire the hash, the attackers can impersonate the affected user, gaining access to sensitive data and expanding laterally throughout the now-compromised network. Microsoft indicated a year ago that it will drop the NTLM authentication technology in Windows 11. 

ACROS security experts uncovered the new Windows Themes zero-day (which has yet to be assigned a CVE ID) while working on a micropatch for a flaw tracked as CVE-2024-38030 that might reveal a user's credentials (reported by Akamai's Tomer Peled), which was itself a workaround for another Windows Themes spoofing vulnerability (CVE-2024-21320) fixed by Microsoft in January. 

According to Peled, "when a theme file specified a network file path for some of the theme properties (specifically BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including user's NTLM credentials when such a theme file would be viewed in Windows Explorer.”

"This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user's credentials without any additional user action," ACROS Security CEO Mitja Kolsek stated. 

Even though Microsoft fixed CVE-2024-38030 in July, ACROS Security discovered another vulnerability that attackers may use to steal a target's NTLM credentials on all fully updated Windows versions, from Windows 7 to Windows 11 24H2. 

"So instead of just fixing CVE-2024-38030, we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file," Kolsek added. 

The firm is now offering free and unofficial security updates for this zero-day flaw via its 0patch micropatching service for all affected Windows versions until official patches from Microsoft are available, which have already been applied to all online Windows systems running the company's 0patch agent.

To install the micropatch on your Windows device, first create a 0patch account and then install the 0patch Agent. If no specific patching policy prevents it, the micropatch will be applied immediately without the need for a system restart once the agent is activated. 

However, it is crucial to remember that in this case, 0patch only delivers micropatches for Windows Workstation, as Windows Themes does not work on Windows Server until the Desktop Experience feature is deployed.
Read more »
User Privacy
iPhone Security flaw Security Update Technology User Privacy

Apple's Latest iPhone Update: Bad News for Millions of Google Users

 

If the latest reports are correct, Apple consumers have just over a fortnight to wait until the launch of iOS 18.1 and the belated arrival of Apple Intelligence, the flagship feature in the latest iOS release. Until then the most significant update is still RCS, the even more belated upgrade of stock SMS on iPhones. 

As security experts commented before, Apple’s RCS upgrade has a lot of security flaws—no end-to-end encryption is the key one, with its lack being a major step back, but there’s also patchy carrier adoption, no full iMessage integration, and no end in sight for those dreaded green bubbles.

But Google campaigned hard for years, cajoling Apple into making this move as its own Android Messages app lost ever more ground to WhatsApp and other over-the-tops, while Apple seemingly brushed away any concerns, with its critical US user base continuing to iMessage between themselves. 

And, while Google has teased Apple over their flawed RCS implementation, it has also made it clear how welcome this is. But there was always the chance that Google and its consumers would not see the equal playing field they desired, and that risk appears to be coming true. 

Android Authority recently claimed that "iPhone users are not as into RCS as their Android buddies would have liked." There are some clear barriers to better adoption, particularly carrier support. But the underlying issue is much simpler: WhatsApp. This long-awaited partial integration of iMessage and Google Messages has been so delayed that WhatsApp has effectively locked down every significant market outside of the United States (and China). 

With Apple's iMessage security being one of its main selling points, security and privacy have grown so central to the iPhone and its user base that an update that abandons all of that appears counter-intuitive in every sense. The fact that even Google is unable to view user content due to its extensive usage of end-to-end encryption throughout its own platform—which is akin to Apple's—makes this situation worse. However, all of that disappears when using cross-platform RCS texting.,
Read more »
Threat Landscape
Linux malware Misconfiguration Security flaw Threat Landscape

Stealthy Malware Has Infected Thousands of Linux Systems Since 2021

 

Aqua Security researchers have raised concerns about a newly identified malware family that targets Linux-based machines in order to get persistent access and control resources for crypto mining. The malware, known as perfctl, purports to exploit over 20,000 different types of misconfigurations and known vulnerabilities and has been active for over three years. 

Aqua Security uncovered that perfctl uses a rootkit to hide itself on compromised systems, runs as a service in the background, is only active when the machine is idle, communicates via a Unix socket and Tor, installs a backdoor on the infected server, and attempts to escalate privileges. The malware's handlers have been detected deploying more reconnaissance tools, proxy-jacking software, and a cryptocurrency miner. 

The attack chain begins with the exploitation of a vulnerability or misconfiguration, followed by the deployment and execution of the payload from a remote HTTP server. Next, it copies itself to the temporary directory, terminates the old process, deletes the initial binary, and runs from the new location. 

The payload contains an attack for CVE-2021-4043, a medium-severity Null pointer dereference vulnerability in the open source multimedia framework Gpac, which it uses to get root access. The flaw was recently uploaded to CISA's Known Exploited Vulnerabilities database. 

In addition to the cryptominer, the malware was observed copying itself to numerous additional locations on the computers, dropping a rootkit and popular Linux applications modified to function as userland rootkits. It uses a Unix socket to handle local communications and the Tor anonymity network for external command-and-control (C&C). 

"All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defence mechanisms and hinder reverse engineering attempts," the company said. 

Furthermore, the malware monitors specific files and, if a user logs in, it suspends activities to conceal its presence. It also ensures that user-specific configurations are executed in Bash contexts, allowing the server to run normally. 

For persistence, perfctl alters a script such that it is executed before the server's legitimate workload. It also attempts to terminate the processes of any additional malware it detects on the infected PC. 

The deployed rootkit hooks into various functions and modifies their functionality, including changes that allow "unauthorised actions during the authentication process, such as bypassing password checks, logging credentials, or modifying the behaviour of authentication mechanisms," according to Aqua Security. 

The cybersecurity firm found three download servers linked to the attacks, as well as other websites that were likely hacked by the threat actors, resulting in the finding of artefacts used in the exploitation of vulnerable or misconfigured Linux servers. 

“We identified a very long list of almost 20K directory traversal fuzzing list, seeking for mistakenly exposed configuration files and secrets. There are also a couple of follow-up files (such as the XML) the attacker can run to exploit the misconfiguration,” the company added.
Read more »
Vectra AI
cloud storage vulnerability Cyber Security cybersecurity threat Google Cloud Document AI malware injection Security flaw Sensitive Data Leak Vectra AI

Security Flaw in Google Cloud Document AI Could Expose Sensitive Data, Experts Warn

 

A critical vulnerability in Google Cloud's Document AI service could have allowed cybercriminals to steal sensitive information from users' cloud storage accounts and even inject malware, cybersecurity experts have warned. 

The flaw was first discovered by researchers at Vectra AI, who reported it to Google in April 2024. Document AI is a suite of machine learning tools that automates the extraction, analysis, and processing of documents, converting unstructured files like invoices and contracts into structured data to streamline workflows.

The issue arose during the batch processing of documents, a feature that automates large-scale document analysis. Instead of using the caller’s permissions, the system relied on broader permissions granted to a "service agent," a Google-managed entity responsible for processing tasks. This created a security gap, allowing a malicious actor with access to a project to potentially retrieve and modify any files stored in the associated Google Cloud Storage buckets.

Vectra AI researchers provided a proof of concept to demonstrate how an attacker could exfiltrate and alter a PDF file before reuploading it to its original location. Although Google released a patch and labelled the issue "fixed" soon after, the researchers criticized the initial fix as inadequate.

In response to further pressure, Google implemented a more comprehensive downgrade in September 2024, addressing the vulnerability by limiting access to impacted projects.
Read more »
Zero-day Flaw
remote access Security flaw Veeam Software Vulnerabilities and Exploits Zero-day Flaw

Veeam Software Issues Fixes for Exploitable Security Flaws

 

Security experts recommend all Veeam Backup & Replication software customers to upgrade their software immediately to address a critical, remotely exploitable vulnerability. Veeam first revealed the flaw, dubbed CVE-2024-40711, on Thursday, when it issued fixes to address 18 vulnerabilities across its product range, including five major issues, which are so named because they may be remotely abused to execute arbitrary code. 

The upgrade for the widely used Veeam Backup & Replication software patches security flaws detected in version 12.1.2.172 and all previous version 12 versions. The software is employed for backup and recovery in cloud, virtual, and physical IT settings and is directly compatible with operating systems and environments such as AWS, Azure, Google Cloud, Oracle, SAP Hana, and Broadcom's VMware. 

Veeam Backup & Replication versions that are no longer supported, such as version 11, for which support ended in February, come with a warning from the company stating that they "are not tested, but are likely affected and should be considered vulnerable." 

Threat actors can exploit CVE-2024-40711 to remotely execute code on a Veeam Backup & Replication server without having to first authenticate to the server. The vendor rated the vulnerability 9.8 on the 10-point CVSS scale and credited its discovery to researcher Florian Hauser at cybersecurity service provider Code White. 

The company stated that the vulnerability could be leveraged to enable "full systems takeover" and that it would not immediately release any technical details regarding the flaw "because this might instantly be abused by ransomware gangs." 

Four additional vulnerabilities in Veeam Backup & Replication that were addressed in the Thursday update are classed as high-severity because exploiting them needs an attacker to first achieve a low-privileged role with the software or to have network access. 

Prior to the Veeam Backup & Replication March 2023 patch, Veeam addressed known vulnerabilities in the form of CVE-2023-27532, which has been the target of ransomware and cybercrime groups. Researchers warned that attackers might use that vulnerability to obtain encrypted credentials, which would give them illegal access to the program and possibly allow them to go to other areas of the network.

In July, cybersecurity company Group-IB revealed that, only a few weeks after its public release, groups like EstateRansomware appear to have begun concentrating on CVE-2023-27532. The United States Cybersecurity and Infrastructure Security Agency added CVE-2023-27532 to its Known Exploited Vulnerabilities catalogue in August of last year.
Read more »
Vulnerabilities and Exploits
Data Flaws Patch Safety Security flaw Vulnerabilities and Exploits

CISA Issues Warning on Critical Vulnerabilities in Vonets WiFi Bridge Devices, No Patch Released

 

The Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory highlighting several critical vulnerabilities discovered in Vonets WiFi Bridge devices. These vulnerabilities present significant risks, including the potential for attackers to execute arbitrary code, access sensitive data, or disrupt device operations.

This poses a serious threat to the security of industrial and commercial networks that depend on these devices. Despite the gravity of these issues, Vonets has not responded to CISA’s outreach for collaboration on mitigation efforts, leaving users at risk.

Key Vulnerabilities and Their Impacts:

The vulnerabilities identified in the Vonets devices vary in severity and include:

  • CVE-2024-41161 (CVSSv4 8.7): This flaw involves the use of hard-coded credentials, allowing unauthorized users to bypass authentication and gain full device access using pre-set administrator credentials that cannot be disabled. This makes it a particularly dangerous vulnerability.
  • CVE-2024-29082 (CVSSv4 8.8): An issue with improper access control permits attackers to bypass authentication and perform a factory reset on the device through unprotected endpoints, leading to potential service disruptions and loss of configuration data.
  • CVE-2024-41936 (CVSSv4 8.7): A directory traversal vulnerability that enables attackers to read arbitrary files on the device, bypassing authentication and exposing sensitive information.
  • CVE-2024-37023 (CVSSv4 9.4): OS command injection vulnerabilities allow authenticated attackers to execute arbitrary operating system commands on the device, potentially giving them control over its operation.
  • CVE-2024-39815 (CVSSv4 8.7): A flaw in the handling of exceptional conditions could lead to a denial-of-service (DoS) scenario when attackers send specially crafted HTTP requests to the device.
  • CVE-2024-39791 (CVSSv4 10): The most severe vulnerability, a stack-based buffer overflow, allows remote attackers to execute arbitrary code, potentially gaining full control of the device without needing authentication.
  • CVE-2024-42001 (CVSSv4 6.1): An issue with improper authentication enables attackers to bypass authentication by sending specially crafted requests during an active user session.

CISA’s Recommendations

In light of Vonets' lack of response, CISA has issued several recommendations to help organizations mitigate the risks associated with these vulnerabilities:

  • Minimize Network Exposure: Ensure that control system devices and networks are not directly accessible from the internet to reduce the risk of unauthorized access.
  • Isolate Control Systems: Position control system networks and remote devices behind firewalls and separate them from business networks to prevent cross-network attacks.
  • Secure Remote Access: When remote access is necessary, use secure methods like Virtual Private Networks (VPNs). However, it's crucial to keep VPNs updated and ensure the security of connected devices.
CISA stresses the importance of conducting thorough impact analysis and risk assessments before implementing any defensive measures to avoid unintended operational disruptions.

While no public exploitation of these vulnerabilities has been reported yet, the critical nature of these issues demands immediate attention. Organizations and individuals must act swiftly to safeguard their networks and reduce the risk of potential attacks
Read more »
Security Flaws
Android Android App Android App Safety Android Applications Android Apps Cyber Security Microsoft Security flaw Security Flaws

Microsoft Uncovers Major Security Flaw in Android Apps with Billions of Downloads

 

Microsoft recently made a troubling discovery regarding the security of numerous Android applications, including some of the most widely used ones, each boasting over 500 million installations. After uncovering a common security weakness, Microsoft promptly notified Google's Android security research team, prompting Google to release new guidance aimed at helping Android app developers identify and rectify the issue. 
 
Among the applications found to be vulnerable were Xiaomi Inc.'s File Manager, boasting over 1 billion installations, and WPS Office, with around 500 million downloads. Although Microsoft confirms that the vendors of these products have since addressed the issue, they caution that there may be other apps out there still susceptible to exploitation due to the same security flaw. 
 
The vulnerability in question pertains to Android applications that share files with other apps. To enable secure sharing, Android employs a feature known as "content provider," which essentially serves as an interface for managing and exposing an app's data to other installed applications on the device. 
 
However, Microsoft's research uncovered a significant oversight in many cases: when an Android app receives a file from another app, it often fails to adequately validate the content. Particularly concerning is the practice of using the filename provided by the sending application to cache the received file within the receiving application's internal data directory. This oversight creates an opportunity for attackers to exploit the system by sending a file with a malicious filename directly to a receiving app, without the user's knowledge or consent. 
 
Typical targets for such file sharing include email clients, messaging apps, networking apps, browsers, and file editors. If a malicious filename is received, the receiving app may unwittingly initialize the file, triggering processes that could lead to compromise. 
 
The potential consequences vary depending on the specific implementation of the Android application. In some scenarios, attackers could exploit the vulnerability to overwrite an app's settings, leading to unauthorized communication with attacker-controlled servers or the theft of user authentication tokens and other sensitive data. In more severe cases, attackers could inject malicious code into a receiving app's native library, enabling arbitrary code execution. 
 
Microsoft and Google have both offered guidance to developers on how to address this issue, emphasizing the importance of validating file content and ensuring the secure handling of shared files. Meanwhile, end users can mitigate the risk by keeping their Android apps up to date and exercising caution when installing apps from sources they trust.
Read more »
WordPress Plugin
Avada Builder Plugin Avada Theme Patchstack Security flaw Vulnerabilities and Exploits WordPress Plugin

Avada Theme and Plugin Witnesses Critical Vulnerabilities


Several vulnerabilities have been discovered in the popular Avada theme and its companion Avada Builder plugin by security researcher Rafie Muhammad from Patchstack, who revealed that many WordPress websites are vulnerable to these flaws. 

Avada Theme and Plugin

Avada theme – the most popular theme in WordPress – is the top-selling theme in ThemeForest, selling over 900,000 copies. The theme is paired with an Avada Builder plugin, developed by ThemeFusion.

This theme calls itself "The Complete WordPress Website Building Toolkit," and is geared for premium website builders. Without ever writing a single line of code, it can create everything from one-page business websites to an online marketplace.

Security Flaws

Among the many vulnerabilities exhibited in the Avada Builder plugin, the first is the Authentic SQL Injection(CVE-2023-39309). By exploiting this flaw, the threat actors may enable authentication access, followed by compromising sensitive data and may execute remote code. 

The second vulnerability, named ‘Reflected Cross-Site Scripting (XSS)’ vulnerability (identified as CVE-2023-39306) enables unauthenticated attackers to steal sensitive data and perhaps elevate their privileges on affected WordPress sites.

Additionally, Patchstack found a number of flaws in the Avada theme. A Contributor+ Arbitrary File Upload vulnerability (CVE-2023-39307) is the first among them. In this case, Contributors are given the authority to upload whatever file they choose, including potentially harmful PHP scripts, allowing remote code execution and jeopardizing the integrity of the site.

The discovery of a similar Author+ bug (CVE-2023-39312) is also significant. Here, Authors are given the option to post malicious zip files, potentially introducing the website as susceptible to vulnerabilities and remote code execution.

Also, this series of vulnerabilities include the Contributor+ Server-Side Request Forgery (SSRF) vulnerability (CVE-2023-39313). This flaw allows Contributors to send requests to internal WordPress services, which could lead to illegal actions or data access within the organizational structure.

The vulnerabilities were first discovered and reported to the Avada vendor on July 6, 2023, following which patched versions were made available on July 11. The security alert was made public on August 10, 2023, and Patchstack added the flaws to their database of vulnerabilities.

In order to address the flaws, users are advised to update their Avada Builder plugin to version 3.11.2 and the Avada theme to version 7.11.2, ensuring website security.

Read more »
Security research
AI AI bots Artificial Intelligence ChatGPT Check Point Cyber Security Google Bard keylogger Law Enforcement Phishing emails Security flaw Security research

Forget ChatGPT, Google Bard may Possess Some Serious Security Flaws


A latest research claims that Google’s AI chatbot, Google Bard may let its users to use it for creating phishing emails and other malicious content, unlike ChatGPT.

At one such instances, cybersecurity researchers Check Point were able to produce phishing emails, keyloggers, and some basic ransomware code, by using the Redmond giant’s AI tool.

Using the AI tool of the Redmond behemoth, cybersecurity researchers Check Point were able to produce phishing emails, keyloggers, and some basic ransomware code.

The researchers' report further noted how they set out to compare Bard's security to that of ChatGPT. From both sites, they attempted to obtain three things: phishing emails, malicious keyloggers, and some simple ransomware code.

The researchers described that simply asking the AI bots to create phishing emails yielded no results, however asking the Bard to provide ‘examples’ of the same provided them with plentiful phishing mails. ChatGPT, on the other hand, refused to comply, claiming that doing so would amount to engaging in fraudulent activity, which is illegal.

The researchers further create malware like keyloggers, to which the bots performed somewhat better. Here too, a direct question did not provide any result, but a tricky question as well yielded nothing since both the AI bots declined. However, answers for being asked to create keyloggers differed in both the platforms. While Bard simply said, “I’m not able to help with that, I’m only a language model,” ChatGPT gave a much detailed explanation.

Later, on being asked to provide a keylogger to log their keys, both ChatGPT and Bard ended up generating a malicious code. However, ChatGPT did provide a disclaimer before doing the aforementioned.

The researchers finally proceeded to asking Bard to run a basic ransomware script. While this was much trickier than getting the AI bot to generate phishing emails or keylogger, they finally managed to get Bard into the game.

“Bard’s anti-abuse restrictors in the realm of cybersecurity are significantly lower compared to those of ChatGPT[…]Consequently, it is much easier to generate malicious content using Bard’s capabilities,” they concluded.

Why Does it Matter? 

The reason, in simpler terms is: Malicious use of any new technology is inevitable.

Here, one can conclude that these issues with the emerging generative AI technologies are much expected. AI, as an extremely developed tool has the potential to alter an entire cybersecurity script.

Cybersecurity experts and law enforcements have already been concerned for the same and have been warning against the AI technology for it can be well used in increasing the ongoing innovation in cybercrime tactics like convincing phishing emails, malware, and more. The development in technologies have made it accessible to users in such a way that now a cybercriminal can deploy a sophisticated cyberattack by only having minimal hand in coding.

While regulators and law enforcement are doing their best to impose limits on technology and ensure that it is utilized ethically, developers are working to do their bit by educating platforms to reject being used for criminal activity.

While generative AI market is decentralized, big companies will always be under the watch of regulatory bodies and law enforcements. However, smaller companies will remain in the radar of a potential cyberattack, especially the ones that are incapable to fight against or prevent the abuse.

Researchers and security experts suggests that the only way to improve the cybersecurity posture is to fight with full strength. Even though AI is already being used to identify suspicious network activity and other criminal conduct, it cannot be utilized to make entrance barriers as high as they once were. There is no closing the door ever again.

Read more »
zero Day vulnerability
Mobile Security Security flaw Security Patch Spyware User Security zero Day vulnerability

Apple Issues Security Updates for Actively Exploited Vulnerabilities in iOS

 

Apple announced a series of patches this week for several of iOS zero-day flaws that have already been used by malicious parties to sneakily install malware and steal user data. Therefore, it is important that you update your phone as soon as you can. 

iOS 16.5.1, which is now available for download if you have an iPhone 8 or newer, fixes a critical security vulnerability that allows hackers to access all of your personal data saved on your iPhone.

This particular vulnerability was discovered in Russia, where thousands of Russian government officials' iPhones were allegedly infected with malware. It's a kernel flaw that allows bad actors to execute arbitrary code with kernel privileges, which means hackers can run whatever code they want on a targeted device. 

According to The Washington Post, the attackers have been sending iMessages with malicious attachments that corrupt and provide access to their targets' iPhones. The latest iOS patch from Apple also addresses a vulnerability in WebKit, the foundation that allows developers to display webpages on Apple devices. Again, it allowed hackers to obtain personal data from users by executing arbitrary code on their target's phone. 

The tech giant stated on the support page for the upgrade that the attacks have only been observed on devices running iOS 15.7 or earlier. Even while this indicates that the company is not aware of any vulnerabilities on iOS devices running newer versions, those systems may still be exposed. Because of this, Apple urges all users to download iOS 16.5.1 even if their iPhone is already shielded from the aforementioned vulnerabilities. 

This security concern is being taken seriously even by American authorities. Federal agencies were asked to download the most recent version by July 13 after the Cybersecurity and Infrastructure Security Agency added the two exploits to its list of known exploited vulnerabilities.

Even if you don't think you're a target for malware, now is a good time to upgrade your device if you have one of the best iPhones. To install iOS 16.5.1 on your device right now, go to Settings, General, and then Software Update.
Read more »
Vulnerabilities and Exploits
Application Security Security flaw Threat Intelligence Unpatched Flaws Vulnerabilities and Exploits

Online Thieves Exploits Vulnerability in Microsoft Visual Studio

 

Security professionals are alerting users regarding a vulnerability in the Microsoft Visual Studio installer that enables hackers to distribute harmful extensions to application developers while posing as a trusted software vendor. From there, they may sneak into development environments and seize control while contaminating code, stealing very valuable intellectual property, and doing other things. 

The CVE-2023-28299 spoofing vulnerability was patched by Microsoft as part of its April security release. At the time, the business rated the bug as having a low likelihood of being exploited and categorised the vulnerability as having moderate severity. However, the Varonis researchers who first identified the vulnerability provided a somewhat different perspective on the flaw and its potential consequences in a blog post this week.

According to the researchers, the flaw should be addressed because it is easily exploitable and is present in a product with a 26% market share and more than 30,000 consumers.

"With the UI bug found by Varonis Threat Labs, a threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis security researcher Dolor Taler explained. "Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system." 

Varonis identified a vulnerability that affects several iterations of the Visual Studio integrated development environment (IDE), ranging from Visual Studio 2017 through Visual Studio 2022. The problem is a security restriction in Visual Studio that makes it simple for anyone to get over, preventing users from entering data in the "product name" extension field. 

Taler discovered that an attacker may get around that restriction by opening a Visual Studio Extension (VSIX) package as a.ZIP file, and then manually adding newline characters to a tag in the "extension.vsixmanifest" file. Developers use a newline character to indicate the end of a line of text so that the cursor will move to the start of the following line on the screen.

"And because a threat actor controls the area under the extension name, they can easily add fake 'Digital Signature' text, visible to the user and appearing to be genuine," Taler added.
Read more »
Windows
Online Safety Proof of concept Security flaw Vulnerabilities and Exploits Windows

PoC Published for Windows Win32k Flaw Exploited in Assaults

 

For a Windows local privilege escalation vulnerability that was patched as part of the May 2023 Patch Tuesday, researchers have published a proof-of-concept (PoC) exploit. 

The Win32k subsystem (Win32k.sys kernel driver) controls the operating system's window manager and handles screen output, input, and graphics in addition to serving as an interface for various types of input hardware. Since they usually grant elevated rights or code execution, these kinds of vulnerabilities are often exploited. 

Avast, a company that specialises in cybersecurity, first identified the flaw, which is tracked as CVE-2023-29336. It was given a CVSS v3.1 severity rating of 7.8, as it enables low-privileged users to obtain Windows SYSTEM privileges, the highest user mode privileges in Windows. 

CISA also released a warning and listed it in its database of "Known Exploited Vulnerabilities" in order to inform people about the actively exploited vulnerability and the importance of installing Windows security upgrades. 

Security researchers at Web3 cybersecurity company Numen have now published comprehensive technical information on the CVE-2023-29336 bug and a Proof of Concept exploit for Windows Server 2016 exactly one month after the patch became accessible. 

Re-discovering the vulnerability 

Although the flaw is being actively used against previous versions of Windows, including Windows 8, Windows Server, and earlier versions of Windows 10, Microsoft claims that Windows 11 is unaffected. 

"While this vulnerability seems to be non-exploitable on the Win11 system version, it poses a significant risk to earlier systems," Numen explained in their report. "Exploitation of such vulnerabilities has a notorious track record, and in this in-depth analysis, we delve into the methods employed by threat actors to exploit this specific vulnerability, taking into account evolving mitigation measures."

Win32k only locks the window object but fails to lock the nested menu object, according to Numen's researchers who examined the vulnerability on Windows Server 2016. 

This oversight, which the researchers attribute to out-of-date code being transferred to more recent Win32k versions, makes menu objects susceptible to manipulation or hijacking if attackers change the precise address in the system memory.

Even if the initial step doesn't provide attackers admin-level rights, it serves as a useful stepping stone to enable them to obtain this via the following steps. Controlling the menu object means gaining the same-level access as the programme that launched it. Overall, it can be said that it's not extremely difficult to exploit CVE-2023-29336.

"Apart from diligently exploring different methods to gain control over the first write operation using the reoccupied data from freed memory, there is typically no need for novel exploitation techniques," the report further reads. "This type of vulnerability heavily relies on leaked desktop heap handle addresses […], and if this issue is not thoroughly addressed, it remains a security risk for older systems." 

System administrators, according to Numen, should watch out for unusual offset reads and writes in memory or connected to window objects, as these could point to active CVE-2023-29336 privilege escalation.

Applying the May 2023 patch is advised for all Windows users as it corrected two additional active zero-day vulnerabilities in addition to the specific issue.
Read more »
Subscribe to: Posts (Atom)