Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Vulnerabilites and Exploits. Show all posts
Zero Day Exploits
Cyber Reconnaissance End To End Encryption Metadata Exposure Mobile Spyware Privacy Risks Vulnerabilites and Exploits WhatsApp Security Zero Day Exploits

WhatsApp Bug Leads to Exposure of User Metadata

 


The Meta organization has begun to address a number of vulnerabilities in WhatsApp that expose sensitive user information. These vulnerabilities indicate that, even when platforms are encrypted, they can inadvertently reveal critical device details. 

The vulnerabilities are caused by the messaging service's multi-device architecture, which allows subtle implementation differences to reveal whether the user is using an Android or an iOS device, while still maintaining end-to-end encryption for message content. 

According to security researchers, this type of capability, which helps identify or identify operating systems by their fingerprints, is of particular value to advanced threat actors. These actors often choose WhatsApp-with its more than three billion active users per month-as their preferred channel for delivering advanced spyware to their customers.

It was discovered that attackers are able to exploit zero-day flaws that allow them to passively query WhatsApp servers for cryptographical session details without being able to interact with the victim, using variations in key identifiers, such as Signed Pre-Keys and One-Time Pre-Keys, in order to determine the target platform. 

By utilizing this intelligence, adversaries can tailor exploits to the specific needs of their victims, deploying Android-specific malware only to compatible devices, while avoiding detection by others, emphasizing the difficulties in masking metadata signatures even within encrypted communication ecosystems despite this intelligence.

It has been warned that threat actors who abuse WhatsApp as an attack vector may be able to passively query WhatsApp's servers for encryption-related content, which would allow them to obtain information regarding devices without the need for user interaction. With this capability, adversaries can accurately determine the operating system of a victim, with recent findings suggesting that subtle differences in key ID generation can be used to reliably differentiate between Android and iOS devices. 

APT operations that are targeted at advanced persistent threats (APTs) often involve the deployment of zero-day exploits tailored to specific platforms. However, deploying these exploits to inappropriate devices can not only result in the failure of the attack, but may expose highly sensitive attack infrastructure worth millions of dollars. 

 Furthermore, the study concluded that there may also be a risk of data theft, as it estimated that data linked to at least 3.5 billion registered phone numbers could possibly be accessed, a number that may include inactive or recycled accounts as well. 

Besides cryptographic identifiers, the accessible information included phone numbers, timestamps, “About” field text, profile photos, and public encryption keys, which prompted researchers to warn against the possibility that, in the wrong hands, this dataset could have led to one of the largest data leaks ever documented in human history. 

Among the most concerning findings of the study was the fact that more than half of the accounts displayed photos, with a majority displaying identifiable faces. There is a strong possibility that this will lead to large-scale abuse, such as reverse phonebook services using facial recognition technology.

It was pointed out by Gabriel Gegenhuber, the study's lead author, that the systems should not be allowed to handle such a large number of rapid queries from a single source as they might otherwise. He pointed out that Meta tightened the rate limiting on WhatsApp's web client in October 2025 after the problem had been reported through the company's bug bounty program earlier that year, which led to a change in rate limits on WhatsApp's web client. 

It has been determined by further technical analysis that attackers can obtain detailed insights about a user's WhatsApp environment by exploiting predictable patterns in the application's encryption key identifiers that give detailed insight into a user's environment. 

Research recently demonstrated the possibility of tracing the primary device of a user, identifying the operating system of each linked device, estimating the relative age of each connected device, and determining whether WhatsApp is accessed through a mobile application or a desktop web client, based on if WhatsApp is accessed through either app. 

A number of conclusions were drawn from the history of deterministic values assigned to certain encryption key IDs that have effectively served as device fingerprints for decades. It is Tal Be'ery, co-founder and chief technology officer of Zengo cryptocurrency wallet, who was one of the researchers leading this research, who, along with other experts, shared their findings with Meta. 

As early reports indicated little response from the company, Be'ery observed later that the company began to mitigate the issue by introducing a randomization system for key ID values, specifically on Android devices, which seemed to have worked. He was able to confirm that these changes represent progress when he used a non-public fingerprinting tool to test the system, even though the technique was only partially effective. 

An article by Be'ery published recently and a demonstration that followed showed that attackers are still able to distinguish Android and iPhone devices based on One-Time Pre-Key identifiers with a high degree of confidence. 

It is cited in the article that the iPhone's initial values are low with gradual increments as opposed to Android's broader, randomized range, which is much larger. However, he acknowledged that Meta had recognized the issue as a legitimate security and privacy concern and welcomed the steps taken to reduce its impact despite these limitations.

It is important to emphasize, therefore, that the study highlights WhatsApp metadata exposed to the outside world is not a theoretical worry, but a real security risk with wide-ranging consequences. When advanced attacks take place, metadata plays a key role in reconnaissance, providing adversaries with the ability to identify targets, differentiate between iOS and Android environments, select compatible exploits, and reduce the number of unsuccessful intrusion attempts, thereby allowing them to succeed with social engineering, spear-phishing, and exploit chain attacks as a whole.

In a large-scale scenario, such data can be fed into OSINT applications and AI-driven profiling tools, which allows for significant cost reduction on the selection of targets while also enhancing the precision of malicious operations when applied at scale. Moreover, researchers warned of the dangers associated with public profiles photos, stating that by being able to tie facial images to phone numbers on a mass scale, specialists might be able to create facial recognition-based reverse phonebook services based on the ability to link facial recognition to phone numbers.

A significant portion of these risks may be magnified for those with a high exposure rate or who are in regulated environments, such as journalists, activists, and professionals who perform sensitive tasks, where metadata correlation may result in physical or personal harm. 

It was learned from the study that millions of accounts are registered in jurisdictions where WhatsApp has been banned officially, raising concerns that using WhatsApp in these regions may have legal and/or persecutorial repercussions. It is important to note that this study highlights the structural problems that WhatsApp's centralized architecture creates, resulting in a single point of failure that affects billions of users, limits independent oversight, and leaves individuals with little control over their data. 

As a result, the research highlights a number of structural issues inherent in WhatsApp’s centralized architecture. A number of researchers recommend that users should take practical steps in order to reduce exposure until deeper structural safeguards are implemented or alternative platforms are adopted. 

Some of those steps include restricting profile photo visibility, minimizing personal details in public fields, avoiding identifiable images when appropriate, reviewing connected devices, limiting data synchronization, and utilizing more privacy-preserving messaging services for sensitive communication, just to name a few.

In sum, the findings of the research suggest that there is a widening gap between the protections users expect from encrypted messaging platforms and the less visible risks related to metadata leaks. It is evident from Meta’s recent mitigation efforts that the issue has been acknowledged, but that the persistance of device fingerprinting techniques illustrates that large and globally scaled systems can be difficult to completely eradicate side-channel signals. 

The fact remains that even limited metadata leakage on a platform that functions as a primary communication channel for governments, businesses, and civil society organizations alike may have outsized consequences if it is aggregated or exploited by capable adversaries. 

It is also important to recognize that encryption alone is not sufficient to guarantee privacy when the surrounding technical and architectural decisions allow the inference of contextual information. 

WhatsApp’s experience serves as a reminder that, as regulators, researchers, and users increasingly scrutinize the security boundaries of dominant messaging services, it is imperative that strong cryptography be used to protect billions of users as well as continuous transparency and rigorous oversight. Metadata needs to be treated as a first-class security concern, rather than something that can't be avoided.
Read more »
zero Day vulnerability
APTs Citrine Sleet CyberCrime Cybersecurity CyberThreat FudModule Rootkit Googlex Chrome lazarus Microsoft ransomware attacks Vulnerabilites and Exploits zero Day vulnerability

Citrine Sleet APT Exploits Chrome Zero-Day Vulnerability for Rootkit Infiltration

 


It is believed that North Korean hackers have been able to use unpatched zero-day in Google Chrome (CVE-2024-7971) to install a rootkit called FudModule after gaining admin privileges by exploiting a kernel vulnerability in Microsoft Windows. An investigation by Microsoft has revealed that a North Korean threat actor exploited a zero-day vulnerability in the Chromium browser that has been tracked as CVE-2024-7971 to conduct a sophisticated cyber operation.  

According to the report, Citrine Sleet, the notorious group behind the attack that targets cryptography sectors in particular, is responsible for the attack. It has been reported that CVE-2024-7971 is a type of confusion vulnerability in the V8 JavaScript and WebAssembly engine that had been impacted in versions of Chrome before 128.0.6613.84. By exploiting this vulnerability, threat actors could gain remote code execution (RCE) access to the sandboxed Chromium renderer process and conduct a remote attack. 

There was a vulnerability that was fixed by Google on August 21, 2024, and users should ensure that they are running the most recent version of Chrome. It is clear from this development that the nation-state adversary is trying to increase its penetration of Windows zero-day exploits in recent months, indicating that they are persistent in their efforts to acquire and introduce oodles of zero-day exploits. 

A Microsoft security researcher found evidence that Citrine Sleet (formerly DEV-0139 and DEV-1222) was responsible for the activity. Citrine Sleet is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736, all of which are associated with Citrine Sleet. There is an assessment that this sub-cluster is part of the Lazarus Group (a.k.a. Diamond Sleet and Hidden Cobra) which is related to Lazarus. 

Several analysts have previously credited the use of AppleJeus malware to a Lazarus subgroup called BlueNoroff (also known as APT38, Nickel Gladstone, and Stardust Chollima), indicating the fact that the threat actors share both toolsets and infrastructure from one subgroup to another. Some cybersecurity vendors maintain track of this North Korean threat group under different names, such as AppleJeus, Labyrinth Chollima, and UNC4736, among others. 

Hidden Cobra is a term used by the U.S. government to describe malicious actors sponsored by the North Korean government collectively as being influenced by the state. It is mostly targeted at financial institutions, with a special focus on cryptocurrency organizations and individuals who are closely associated with the cryptocurrency industry. 

In the past, it has been linked to Bureau 121 of the Reconnaissance General Bureau of North Korea, where it practices intelligence gathering. Moreover, North Korean hackers are also known for using malicious websites that appear to be legitimate cryptocurrency trading platforms to infect prospective victims with fake job applications, weaponized cryptocurrency wallets, and cryptocurrency trading apps designed to steal sensitive information. 

This is the first time UNC4736 malware has been identified in a supply chain attack, for example in March 2023 it attacked the Electron-based desktop client of video conferencing software provider 3CX. Further, they were able to breach the website of Trading Technologies, an automation company for stock market trading, to sneakily push trojanized versions of the X_TRADER software into the system. In a March 2022 report, Google's Threat Analysis Group (TAG) also linked AppleJeus to the compromise of Trading Technologies' website, highlighting AppleJeus as being behind the attack. 

For years, the U.S. government has repeatedly issued warnings about state-sponsored cyberattacks targeting cryptocurrency-related businesses and individuals with AppleJeus malware that is backed by the North Korean government. As a result of the security vulnerability CVE-2024-7971 that was discovered last week, Google patched Chrome's version 8 JavaScript engine and reported it as a type confusion vulnerability. 

In a recent cybersecurity incident report, it was revealed that victims were directed to a domain controlled by the threat group Citrine Sleet, identified as voyagorclub[.]space. The exact method by which victims were lured to this domain remains undetermined, though it is suspected that social engineering tactics were employed. This is consistent with Citrine Sleet’s established modus operandi, which frequently involves manipulating individuals through social engineering to initiate attacks. 

Upon successful redirection to the malicious domain, attackers leveraged a zero-day remote code execution (RCE) vulnerability, identified as CVE-2024-7971. This vulnerability is linked to a type of confusion flaw in Chrome’s V8 JavaScript engine. Google addressed this security issue in a recent patch, highlighting that it allowed attackers to achieve RCE within the sandboxed Chromium renderer process of the victim's browser. Once inside this sandboxed environment, the attackers further escalated their access by exploiting a secondary vulnerability in the Windows kernel. 

The additional vulnerability, CVE-2024-38106, was exploited to escape the browser’s sandbox environment. This kernel vulnerability, which Microsoft had patched in their latest Patch Tuesday release, allowed attackers to gain SYSTEM-level privileges on the compromised system. Following this, the attackers downloaded and activated a highly sophisticated rootkit known as FudModule. This malware, when loaded into memory, enabled direct kernel object manipulation (DKOM), providing attackers with the capability to bypass critical kernel security measures.

The FudModule rootkit is particularly concerning, as it is designed to manipulate kernel-level processes, enabling attackers to establish persistent backdoor access to the compromised system. Through DKOM, the rootkit effectively tampers with core system functions, allowing attackers to evade detection, steal sensitive information, and potentially deploy additional malicious software. Interestingly, the FudModule rootkit has been linked to another North Korean state-sponsored group known as Diamond Sleet, which has utilized this malware since its discovery in October 2022. 

This suggests a potential collaboration between Citrine Sleet and Diamond Sleet or, at the very least, shared access to malicious tools and infrastructure. Furthermore, the rootkit bears similarities to tools used by another notorious hacking group, the Lazarus Group, indicating that FudModule may be part of a broader North Korean cyber-espionage toolkit. Citrine Sleet's attack demonstrates a highly coordinated and multi-faceted approach, beginning with social engineering techniques to lure victims to a compromised domain and culminating in the exploitation of critical vulnerabilities to gain deep control over target systems. 

By leveraging both CVE-2024-7971 and CVE-2024-38106, the attackers were able to bypass multiple layers of security, from browser sandboxing to Windows kernel defences. Microsoft has issued a series of recommendations to help organizations mitigate the risk of such attacks. They stress the importance of maintaining up-to-date software and operating systems, as timely patching is critical to closing vulnerabilities before they can be exploited. 

Additionally, Microsoft advocates for the deployment of security solutions that provide unified visibility across the entire cyberattack chain. Such tools can detect and block attacker tools and post-compromise malicious activity. Lastly, strengthening the configuration of the operating environment is recommended to minimize the likelihood of successful exploitation and post-compromise activity. This incident underscores the evolving nature of cyber threats and highlights the importance of proactive cybersecurity measures to detect, block, and mitigate advanced persistent threats (APTs).
Read more »
Vulnerabilites and Exploits
Apple CISA iOS iPad Vulnerabilites and Exploits

Apple iOS and iPadOS Memory Corruption Vulnerabilities: A Critical Alert


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) raised the alarm by adding two such vulnerabilities in Apple’s iOS and iPad to its Known Exploited Vulnerabilities catalog. These vulnerabilities are actively exploited, posing significant risks to users’ privacy, data, and device security.

The Vulnerabilities

CVE-2024-23225: This vulnerability targets the kernel of both Apple iOS and iPadOS. A flaw in memory handling allows malicious actors to corrupt critical system memory, potentially leading to unauthorized access, privilege escalation, or even remote code execution. Exploiting this vulnerability can have severe consequences, compromising the integrity of the entire operating system.

CVE-2024-23296: Another memory corruption vulnerability affecting Apple iOS and iPadOS, CVE-2024-23296, has also been identified. While specific technical details are not publicly disclosed, it is evident that attackers are leveraging this flaw to gain unauthorized access to sensitive data or execute arbitrary code on affected devices.

The Impact

These vulnerabilities are not merely theoretical concerns; they are actively being exploited in the wild. Cybercriminals are capitalizing on them to compromise iPhones and iPads, potentially gaining access to personal information, financial data, and corporate secrets. The impact extends beyond individual users to organizations, government agencies, and enterprises relying on Apple devices for daily operations.

Immediate Action Required

CISA’s Binding Operational Directive (BOD) 22-01 specifically targets Federal Civilian Executive Branch (FCEB) agencies, urging them to take immediate action to remediate these vulnerabilities. However, the urgency extends beyond the federal sector. All organizations, regardless of their affiliation, should prioritize the following steps:

Patch Management: Ensure that all iOS and iPadOS devices are updated to the latest available versions. Apple has released security patches addressing these vulnerabilities, and users must apply them promptly.

Security Awareness: Educate users about the risks associated with memory corruption vulnerabilities. Encourage them to be cautious while clicking on suspicious links, downloading unverified apps, or interacting with unfamiliar content.

Monitoring and Detection: Implement robust monitoring mechanisms to detect any signs of exploitation. Anomalies in system behavior, unexpected crashes, or unusual network traffic patterns may indicate an active attack.

Incident Response: Develop and test incident response plans. In case of successful exploitation, organizations should be prepared to isolate affected devices, investigate the breach, and remediate the impact swiftly.

Beyond the Technical Realm

The addition of Apple iOS and iPadOS memory corruption vulnerabilities to CISA’s Known Exploited Vulnerabilities catalog serves as a wake-up call. It reminds us that threats are real, and proactive measures are essential to protect our devices, data, and digital lives.

Read more »
Vulnerabilites and Exploits
AI technology Artifcial Intelligence Digital Privacy Sensitive Content Technology Vulnerabilites and Exploits

Growing Concerns Regarding The Dark Side Of A.I.

 


In recent instances on the anonymous message board 4chan, troubling trends have emerged as users leverage advanced A.I. tools for malicious purposes. Rather than being limited to harmless experimentation, some individuals have taken advantage of these tools to create harassing and racist content. This ominous side of artificial intelligence prompts a critical examination of its ethical implications in the digital sphere. 

One disturbing case involved the manipulation of images of a doctor who testified at a Louisiana parole board meeting. Online trolls used A.I. to doctor screenshots from the doctor's testimony, creating fake nude images that were then shared on 4chan, a platform notorious for fostering harassment and spreading hateful content. 

Daniel Siegel, a Columbia University graduate student researching A.I. exploitation, noted that this incident is part of a broader pattern on 4chan. Users have been using various A.I.-powered tools, such as audio editors and image generators, to spread offensive content about individuals who appear before the parole board. 

While these manipulated images and audio haven't spread widely beyond 4chan, experts warn that this could be a glimpse into the future of online harassment. Callum Hood, head of research at the Center for Countering Digital Hate, emphasises that fringe platforms like 4chan often serve as early indicators of how new technologies, such as A.I., might be used to amplify extreme ideas. 

The Center for Countering Digital Hate has identified several problems arising from the misuse of A.I. tools on 4chan. These issues include the creation and dissemination of offensive content targeting specific individuals. 

To address these concerns, regulators and technology companies are actively exploring ways to mitigate the misuse of A.I. technologies. However, the challenge lies in staying ahead of nefarious internet users who quickly adopt new technologies to propagate their ideologies, often extending their tactics to more mainstream online platforms. 

A.I. and Explicit Content 

A.I. generators like Dall-E and Midjourney, initially designed for image creation, now pose a darker threat as tools for generating fake pornography emerge. Exploited by online hate campaigns, these tools allow the creation of explicit content by manipulating existing images. 

The absence of federal laws addressing this issue leaves authorities, like the Louisiana parole board, uncertain about how to respond. Illinois has taken a lead by expanding revenge pornography laws to cover A.I.-generated content, allowing targets to pursue legal action. California, Virginia, and New York have also passed laws against the creation or distribution of A.I.-generated pornography without consent. 

As concerns grow, legal frameworks must adapt swiftly to curb the misuse of A.I. and safeguard individuals from the potential harms of these advanced technologies. 

The Extent of AI Voice Cloning 

ElevenLabs, an A.I. company, recently introduced a tool that can mimic voices by simply inputting text. Unfortunately, this innovation quickly found its way into the wrong hands, as 4chan users circulated manipulated clips featuring a fabricated Emma Watson reading Adolf Hitler’s manifesto. Exploiting material from Louisiana parole board hearings, 4chan users extended their misuse by sharing fake clips of judges making offensive remarks, all thanks to ElevenLabs' tool. Despite efforts to curb misuse, such as implementing payment requirements, the tool's impact endured, resulting in a flood of videos featuring fabricated celebrity voices on TikTok and YouTube, often spreading political disinformation. 

In response to these risks, major social media platforms like TikTok and YouTube have taken steps to mandate labels on specific A.I. content. On a broader scale, President Biden issued an executive order, urging companies to label such content and directing the Commerce Department to set standards for watermarking and authenticating A.I. content. These proactive measures aim to educate and shield users from potential abuse of voice replication technologies. 

The Impact of Personalized A.I. Solutions 

In pursuing A.I. dominance, Meta's open-source strategy led to unforeseen consequences. The release of Llama's code to researchers resulted in 4chan users exploiting it to create chatbots with antisemitic content. This incident exposes the risks of freely sharing A.I. tools, as users manipulate code for explicit and far-right purposes. Despite Meta's efforts to balance responsibility and openness, challenges persist in preventing misuse, highlighting the need for vigilant control as users continue to find ways to exploit accessible A.I. tools.


Read more »
Vulnerabilites and Exploits
Citrix Bleed Bug Foreign Ransomware Healthcare Security Ransowmare Vulnerabilites and Exploits

AHA, Federals Urge Healthcare Ogranizations to Minimize Citrix Bleed Vulnerability

Citrix Vulnerability

Healthcare departments under threat

The alert from the Department of Health and Human Services Health Sector Cybersecurity Coordination Center on Nov. 30 and the AHA warning on Friday come amid an outbreak of ransomware attacks alleged to involve Citrix Bleed exploitation that has hit companies in the healthcare and other sectors in recent weeks. This blog will cover the threats and everything related to the Citrix Bleed flaw.

CySecurity News had already reported on a Citrix bleed bug delivering sharp blows earlier in November 2023.

"HC3 strongly recommends companies to make improvements to prevent additional harm against the healthcare and public health sector," alerted the Department of Health and Human Services.

High severity Citrix Bleed Vulnerability

According to John Riggi, AHA's national adviser for cybersecurity and risk, the urgency of HHS's alert "confirms the gravity" of the Citrix Bleed vulnerability and the urgent requirement to install existing Citrix patches and upgrades to secure healthcare IT systems.

Google’s Mandiant report in October “identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023. Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements. 

These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed. Additionally, we have observed session hijacking where session data was stolen prior to the patch deployment and subsequently used by a threat actor, the report further added.

Foreign ransomware groups involved

Riggi said in a statement that this instance further shows the severity by which foreign ransomware groups, mainly Russian-speaking groups, continues targeting hospitals and health organizations. Ransomware threats interrupt and disrupt the delivery of healthcare, jeopardizing patients' lives. We must be attentive and strengthen our cyber security, as hackers will undoubtedly continue to target the field, particularly over the holiday season, he further added.

Rise in attacks during the holiday season?

NetScaler released an advisory on the flaw in October and then again in late November, citing reports of "a rapid spike in attempts" to take advantage of the vulnerability in unfixed NetScaler ADCs.

The AHA cautioned that exploiting the vulnerability allows hackers to evade password constraints and multifactor authentication mechanisms.

According to HHS HC3, the vulnerability has been routinely exploited since August. Citrix issued a patch for the vulnerability in early October, but the firm warned that compromised sessions would remain active after the patch was applied.

HC3 encourages all administrators to upgrade their devices according to NetScaler's instructions and to erase or "kill" any active or permanent connections with particular commands.

Also read: NetScaler's report to know full details about Citrix Bleed Threat.


Read more »
Worldcoin Vulnerability
Blockchain Security Certik User Privacy Vulnerabilites and Exploits Worldcoin Vulnerability

Worldcoin’s Verification Process Under Scrutiny After CertiK’s Discovery

Worldcoin Vulnerability

Blockchain security company CertiK recently revealed a severe flaw that put the Worldcoin system at serious risk. The system’s security and integrity might have been compromised if the vulnerability allowed Orb operators unrestricted access. Users’ iris information was collected as part of Worldcoin’s Orb activities, necessitating a robust verification process to guarantee that only reputable businesses are in charge of the operations.

The Vulnerability

CertiK, a blockchain security company, discovered the vulnerability that allowed Orb operators unrestricted access to the Worldcoin system, putting its security and integrity at serious risk. This flaw could have compromised the entire system, allowing malicious actors to access sensitive user information.

The Importance of Verification

Worldcoin’s Orb activities involve collecting users’ iris information. This sensitive data must be protected at all costs, and a robust verification process is necessary to ensure that only reputable businesses are in charge of the operations. If the verification process is not rigorous enough, unverified Orb operators could gain access to the system, putting users’ data at risk.

The Response from Worldcoin

Worldcoin has not yet released an official statement regarding the vulnerability exposed by CertiK. It is unclear what steps the company will take to address this issue and ensure the security of its users’ data. Worldcoin needs to take swift action to address this vulnerability and restore confidence in its system.

The vulnerability exposed by CertiK highlights the importance of solid verification processes in protecting sensitive user data. Companies like Worldcoin must take all necessary steps to ensure the security and integrity of their systems, and users must remain vigilant in protecting their personal information.

Read more »
Vulnerabilites and Exploits
Cisco Cisco devices Command injection vulnerability Malicious Code Security Flaws Trellix Vulnerabilites and Exploits

All You Need to Know About the Cisco Command-Injection Bug


A security flaw has been discovered in Cisco gear used in data centers, large enterprises, industrial facilities, and smart city power grids that could give hackers unrestricted access to these devices and wider networks. 

Trellix researchers, in a report published on February 1st reveals the bug, one of two flaws discovered, impacts the following Cisco networking devices: 

  • Cisco ISR 4431 routers 
  • 800 Series Industrial ISRs 
  • CGR1000 Compute Modules
  • IC3000 Industrial Compute Gateways 
  • IOS XE-based devices configured with IOx 
  • IR510 WPAN Industrial Routers 
  • Cisco Catalyst Access points 

One bug — CSCwc67015 — was discovered in code which is not yet released. Apparently, it has the capability to allow hackers to execute their own code, and possibly replace the majority of the files on the device. 

The second bug (allegedly more malicious) — CVE-2023-20076 — found in production equipment, is a command-injection vulnerability which could enable unauthorized access and remote code execution (RCE). Despite Cisco's barriers against such a situation, this would have required not only complete control of a device's operating system but also persistence through any upgrades or reboots. 

According to Trellix, since Cisco networking equipment is being operated around the globe in data centers, enterprises, and government organizations, including its most common footprints at industrial facilities, this makes the impact of the vulnerabilities more significant. 

“In the world of routers, switches, and networking, Cisco is the current king of the market[…]We would say that thousands of businesses could potentially be impacted,” says Sam Quinn, senior security researcher with the Trellix Advanced Research Center. 

The Latest Cisco Security Flaws 

According to Trellix, the two flaws are a result of a shift in how routing technology work. On these miniature-server-routers, network administrators may now install application containers or even entire virtual systems. Along with great functionality, this increased complexity will also lead to a broader attack surface. 

"Modern routers now function like high-powered servers[…]with many Ethernet ports running not only routing software but, in some cases, even multiple containers," the authors of the report explained. 

Both CSCwc67015 and CVE-2023-20076 roots from the router's advanced application hosting environment. 

In terms of CSCwc67015, "a maliciously packed programme could bypass a vital security check while uncompressing the uploaded application" in the hosting environment. The study aimed to safeguard the system from CVE-2007-4559, a 15-year-old path traversal vulnerability in a Python module that Trellix itself had discovered in September. 

The flaw CVE-2023-20076, however, also makes use of the Cisco routers' support for virtual machines and application containers. In this particular case, it has to do with how admins pass commands to start their applications. 

The researchers identified that the 'DHCP Client ID' option inside the Interface Settings was not properly being sanitized, granting them root-level access to the device and enabling them to "inject any OS command of our choosing." 

Adding to this, the authors of the report highlight how "Cisco heavily prioritizes security in a way that attempts to prevent an attack from remaining a problem through reboots and system resets." 

However, they showed in a proof-of-concept video how the command-injection problem might be exploited to gain total access, enabling a malicious container to withstand device reboots or firmware updates. There are now only two options for removal: doing a complete factory reset or manually identifying and eradicating the malicious code. 

Furthermore, in a concluding remark, the Trellix researchers have advised organizations to watch out for any suspicious containers installed on relevant Cisco devices, and recommended that companies that do not operate containers to disactivate the IOx container framework completely. 

They highlighted that "organizations with impacted devices should update to the newest firmware immediately" as being the most crucial step to follow. 

Moreover, users are advised to apply the patch as soon as possible, in order to protect themselves from the vulnerabilities.  

Read more »
Subscribe to: Comments (Atom)