Search This Blog

Showing posts with label Vulnerabilities. Show all posts

CISA Adds One Known Exploited Vulnerability to Catalog


On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed in its findings that they have discovered a high-severity vulnerability in the Zimbra email. Based on the evidence of active exploitation, the new vulnerability has now been added to its Known Exploited Vulnerabilities Catalog. 

As of present, researchers are investigating CVE-2022-27924 (CVSS score: 7.5), a command injection flaw in the platform that could allow the execution of arbitrary Memcached commands and theft of important data. 

These kinds of Vulnerabilities are very frequent and are oftenly seen, as per the data these vulnerabilities pose a higher risk to the federal enterprise. 

“Zimbra Collaboration (ZCS) allows an attacker to inject Memcache commands into a targeted instance which causes an overwrite of arbitrary cached entries”, CISA added. 

The attack first was reported by SonarSource in June, with patches released by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1. 

Before Installing Patch 9.0.0 Patch 24.1, users are recommended to consider the following: 

• Patches are accumulative. 
• Zimlet patches remove existing Zimlets and redeploy the patched Zimlet. 
• Before applying the patch, a full backup should be performed. 
• There is no automated roll-back. 
• Before using ZCS CLI commands Switch to Zimbra user. 
• Must note that you will not be able to revert to the previous ZCS release after you upgrade to the patch.  
• Understand that the installation process has been upgraded. Additional steps to install Zimbra-common-core-libs, Zimbra-common-core-jar and Zimbra-mbox-store-libs packages have been included for this patch release. 

“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria”, CISA further told.

SolarWinds Alerted About Attacks Targeting Web Help Desk Instances

 

SolarWinds alerted customers about attacks on Web Help Desk (WHD) instances that were exposed to the Internet and recommended they remove those from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). WHD is a helpdesk ticketing and IT inventory management software for businesses that aim to automate ticketing and IT asset management operations. 

SolarWinds stated, "A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk (WHD) 12.7.5. The customer's endpoint detection and response (EDR) system blocked the attack and alerted the customer to the issue. In an abundance of caution, SolarWinds recommends all Web Help Desk customers whose WHD implementation is externally facing to remove it from your public (internet-facing) infrastructure until we know more." 

Customers who are unable to remove WHD instances from servers that are accessible to the Internet should install EDR software and monitor them for attack attempts. SolarWinds hasn't been able to replicate the scenario, the business is working with the customer to analyse the report. 

A SolarWinds spokesperson told BleepingComputer, "We received a report from one customer about an attempted attack that was not successful. While we are investigating this matter, we have also alerted other customers about this potential issue out of an abundance of caution. At this point, we have no reason to believe other customers were impacted." 

Although SolarWinds did not specify what tools or tactics were utilised in the attack, there are at least four security flaws that an attacker may use to target t an unpatched WHD instance: 
• Access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability (CVE-2021-32076) - Fixed in WHD 12.7.6 
• Enabled HTTP PUT & DELETE Methods (CVE-2021-35243) - Fixed in WHD 12.7.7 Hotfix 1 
• Hard-coded credentials allowing arbitrary HSQL queries execution (CVE-2021-35232) - Fixed in WHD 12.7.7 Hotfix 1 
• Sensitive Data Disclosure Vulnerability (CVE-2021-35251) - Fixed in WHD 12.7.8 

According to the CVE-2021-35251 advisory, attackers might use unsecured WHD instances to gain access to environmental details about the Web Help Desk installation, making the other three security flaws easier to exploit.

SquirrelWaffle Adds a Spin of Fraud to Exchange Server Malspamming

 

Squirrelwaffle, ProxyLogon, and ProxyShell are being utilized against Microsoft Exchange Servers to conduct financial fraud via email hijacking. Sophos researchers revealed that a Microsoft Exchange Server that had not been fixed to safeguard it against a set of serious vulnerabilities identified last year was used to hijack email threads and disseminate malspam. 

On March 2, 2021, Microsoft released emergency updates to address zero-day vulnerabilities that could be exploited to take over servers. At the time, Hafnium, an advanced persistent threat (APT) group, was constantly exploiting the bugs, and other APTs swiftly followed suit. Despite the fact that the ProxyLogon/ProxyShell flaws are now widely known, some servers remain unpatched and vulnerable to assaults. 

Sophos has described an instance that combined Microsoft Exchange Server vulnerabilities with Squirrelwaffle, a malware loader that was first discovered in malicious spam operations last year. Malicious Microsoft Office documents or DocuSign content tacked on to phishing emails are frequently used to spread the loader. Squirrelwaffle is frequently used to fetch and execute CobaltStrike beacons via a VBS script if an intended victim has permitted macros in the compromised documents. 

According to Sophos, the loader was used in the recent campaign once the Microsoft Exchange Server had been compromised. By hijacking existing email threads between employees, the server of an undisclosed organisation was utilised to "mass distribute" Squirrelwaffle to internal and external email addresses. 

Email Hijacking can take a variety of forms. Social engineering and impersonation, such as an attacker posing as an executive to dupe accounting departments into signing off on a fraudulent transaction, or sending email blasts with links to malware payloads, can disrupt communication channels. The spam campaign was utilized to disseminate Squirrelwaffle in this example, but attackers also extracted an email thread and used the internal knowledge contained within to execute financial fraud. Customer information was obtained, and a victim organization was chosen. The attackers generated email accounts using a domain to reply to the email thread outside of the server, using a technique known as typo-squatting to register a domain with a name that was very similar to the victim. 

Sophos explained, "To add further legitimacy to the conversation, the attackers copied additional email addresses to give the impression that they were requesting support from an internal department. In fact, the additional addresses were also created by the attacker under the typo-squatted domain." 

The attackers attempted for six days to divert a legitimate financial transaction to a bank account they owned. The money was about to be processed, and the victim escaped the attack only because a bank involved in the transaction realized the transfer was most likely fake. 

Matthew Everts, Sophos researcher commented, "This is a good reminder that patching alone isn't always enough for protection. In the case of vulnerable Exchange servers, for example, you also need to check the attackers haven't left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection."

Kafdrop Flaw Exposes Data from Kafka Clusters to the Whole Internet

 

Spectral researchers uncovered a security flaw in Kafdrop, a popular open-source UI and administrative interface for Apache Kafka clusters that has been downloaded over 20 million times. Companies affected include significant worldwide companies as well as smaller organisations in healthcare, insurance, media, and IoT — in short, everyone who uses Kafdrop with Apache Kafka. 

Apache Kafka is an open-source distributed event streaming platform used by thousands of companies for high-performance data pipelines, streaming analytics, data integration, and mission-critical applications, including eight of the world's ten largest banks, the 10 largest global insurance companies, and eight of the world's ten key telecom providers. Kafka is commonly used to process and store logs, financial transactions, and private user data. It also powers consumer-centric data pipelines that process real-time actions, events, and behaviour. Kafka is cloud-native, with the ability to scale from small to massive cloud-based clusters. It is also highly scalable and tolerant. 

“We can’t name any of the companies whose clusters we discovered, as we don’t want to give threat actors the edge, but these flaws are exceptionally widespread,” said Dotan Nahum, CEO at Spectral. “Furthermore, since Kafka serves as a central data hub, threat actors with assistance from a flawed Kafdrop, can infiltrate and exfiltrate data and manage the cluster as they see fit. They can connect as a Kafka subscriber to cause further havoc across the entire network.” 

The Kafdrop security flaw not only exposes secrets in real-time traffic, but it also discloses authentication tokens and other access details that allow hackers to contact enterprises' cloud providers, like as AWS, IBM, Oracle, and others, where Kafka clusters are frequently placed. Kafdrop also provides insights into the layout and topology of a cluster, disclosing hosts, topics, partitions, and consumers, as well as the sampling and downloading of live data and the creation and removal of topics. 

“Misusing Kafdrop allows threat actors to access the nervous system of an entire company, revealing customer data, transactions, medical records, internal system traffic, etc. Immediate mitigation is critical,” said Nahum. 

When the flaw was discovered, Spectral promptly provided an authentication code addition back into Kafdrop. Spectral proposes that enterprises scan not only code, but also configuration, infrastructure, and data horizontally across the whole SDLC to defend themselves from such security blunders that lead to breaches.

Magecart Attacks Surge in the Wild

 

According to a Cyberpion study, several of the world's top corporations in retail, finance, healthcare, power, and many other industries, including Fortune 500, Global 500, and governments, are struggling to avoid Magecart assaults. Magecart is a term used to describe a type of cyber attack wherein cybercriminals compromise third-party code (typically Javascript that runs in browsers) to grab, or scrape, details such as credit card information from web applications (e.g., online checkout software) or webpages that incorporate the code. 

Over the previous two years, the researchers examined over 30,000 flaws and discovered huge shortcomings in existing security platforms and mechanisms for detecting and mitigating Magecart assaults. 

There have also been significant gaps in firms revealing to their customers' security vulnerabilities or exploits happening throughout their digital supply chains, putting all linked organizations at risk of a breach. 

“Our conclusion from the analysis is that as of today, organizations fail to face Magecart threats and detect the vulnerabilities and exploits that hackers leverage to conduct these attacks,” said Cyberpion CEO Nethanel Gelernter. 

“Victims are often the last to know as it’s only later that organizations find that their data was sold or exploited, with the problem extending beyond any single vendor or client relationship. For enterprises, in particular, Magecart attacks pose a significant challenge because it is problematic to set up a solution at scale.” 

Alongside Web, skimming has also been on the surge. It is indeed a danger to online businesses and customers, with cyberattacks significantly affecting firms such as British Airways and Ticketmaster in 2018, Forbes in 2019, as well as local US government portals and messaging app Telegram in 2020. 

At least one of the top five firms in a variety of industries – retail, insurance, financial services, pharma, media, security, and others – were discovered to be susceptible or exploited. And over 1000 online stores are exposed, putting their consumers at risk of being skimmed. Many of the most widely circulated worldwide newspapers were discovered to be susceptible, frequently via their main page. 

Some weak or mistreated businesses deploy anti-Magecart solutions, however, they may be circumvented. Vendor architecture exposes numerous other linked businesses to Magecart, but suppliers frequently fail to notify customers early enough so that preventative action may be taken. In one example, a major internet advertising network impacted 15 worldwide insurance firms, as well as hundreds of smaller businesses.

Critical vulnerability found in Intel processors used in many laptops, IoTs

Positive Technologies specialists discovered a new vulnerability in Intel Pentium, Celeron and Atom processors on the 2016, 2017 and 2019 platforms Apollo Lake, Gemini Lake and Gemini Lake Refresh, which was designated CVE-2021-0146. It can be used to access encrypted files, espionage and circumvent copyright protection.

According to experts, “CVE-2021-0146 vulnerability allows testing or debugging modes in several lines of Intel processors. This may allow an unauthenticated user with physical access to gain elevated privileges in the system.”

Vulnerable processors are used in many netbooks, Internet devices (IoT) based on Intel processors (from household appliances and smart home systems to cars and medical equipment).

“One example of a real threat is lost or stolen laptops containing confidential information in encrypted form. Using this vulnerability, an attacker can extract the encryption key and gain access to information inside the laptop,” said the company's specialist Mark Ermolov.

According to the expert, the vulnerability is due to the presence of over-privileged debugging functionality that is not properly protected. To avoid such problems and prevent the possibility of bypassing the built-in protection, manufacturers should take a more careful approach to ensure the security of debugging mechanisms.

In addition, the availability of information about the end-users, for example, about the subjects of the critical infrastructure of the Russian Federation can be very dangerous.

According to Pavel Korostelev, head of the product promotion department of the Security Code company, the discovered problem in Russia is potentially dangerous only for super-important systems that are of interest to Western intelligence services. Ordinary users, according to him, should not worry.

Positive Technologies also notes that in order to eliminate the detected vulnerability, it is necessary to install UEFI BIOS updates published by the end manufacturers of laptops or other devices.

Magniber Ransomware Group now Shifted to Exploiting Internet Explorer Flaws

 

The Magniber ransomware group is now infecting users and encrypting their devices via two Internet Explorer vulnerabilities and fraudulent advertising. CVE-2021-26411 and CVE-2021-40444 are the two Internet Explorer vulnerabilities, both with a CVSS v3 severity score of 8.8. 

The first, CVE-2021-26411, is a memory corruption bug that may be triggered by visiting a skillfully constructed website. It was resolved in March 2021. The second flaw, termed CVE-2021-40444, is essentially a remote code execution flaw in Internet Explorer's rendering browser engine. This has an 8.8 rating as well.

Magniber was caught breaching Windows servers in August exploiting the 'PrintNightmare' vulnerabilities, which took Microsoft a considerable time to fix because of their impact on printing. According to Tencent security experts who discovered "new" payloads, the most recent Magniber activity focused on attacking Internet Explorer vulnerabilities utilising malvertising that distributes exploit kits. 

One probable reason for this trend is that Microsoft has substantially solved the 'PrintNightmare' vulnerabilities over the last four months, and the news has been widely broadcasted, compelling administrators to implement security upgrades. Another reason Magniber may have chosen Internet Explorer vulnerabilities is that they are remarkably easy to exploit, relying merely on the recipient's willingness to open a file or webpage to activate them. 

Targeting an old, unpopular browser like Internet Explorer may appear weird. However, according to StatCounter, IE still accounts for 1.15 per cent of worldwide page views. Although this is a small fraction, StatCounter monitors approximately 10 billion page views every month, equating to 115,000,000 page views by Internet Explorer users. 

Furthermore, because Firefox and Chromium-based browsers, such as Google Chrome and Microsoft Edge, use an auto-update system that immediately protects users from known vulnerabilities, it is much more difficult to target them. 

About the Magniber group 

The Magniber group is notorious for exploiting security flaws in order to get access to computers and spread ransomware. They started their operations in 2017, and they are considered the successors of the Cerber ransomware.

Initially, they primarily targeted victims in South Korea. The gang then expanded its activities to other Asian nations such as China, Singapore, and Malaysia. Magniber's reach has grown to the point that it now affects exclusively Asian businesses and organizations. 

The Magniber ransomware has been under active development since its release, and its payload has been totally rebuilt three times. Because it is yet uncracked, there is no decryptor available to assist users to recover any data that have been encrypted by this strain. 

Lastly, because Magniber does not follow the trend of file-stealing and double-extortion, their assaults are confined to file encryption.

Google Releases New Android Fixes, Warns Users of Dangerous Zero Day Vulnerabilities

 

Google recently released its monthly security patches for Android with patches for 39 flaws, which also includes a zero-day vulnerability which it said is currently being exploited in the open in targeted, limited attacks. Known as CVE-2021-1048, the zero-day vulnerability is known as a use-after-free vulnerability in the kernel that can also be exploited for local escalation privileges. These vulnerabilities can be dangerous as they can allow an attacker to get access or reference memory once it has been freed, which leads to a 'write what where' situation resulting in the implementation of arbitrary code to get access over the target's device. 

There are hints that CVE-2021-1048 may be under restricted, specific exploit, said the company in its November notification without unveiling any technical information of the flaw, the nature of the exploit, and attackers' identity that may have exploited the vulnerability. Security patches also fixed two other RCE (critical remote code execution) flaws, CVE-2021-0918 and CVE-2021-0930, in the device component, allowing remote threat actors to launch malicious codes with the assistance of privileged mechanisms via sending a specifically built transmission to attack victim targets. 

"Two more critical flaws, CVE-2021-1924 and CVE-2021-1975, affect Qualcomm closed-source components, while a fifth critical vulnerability in Android TV (CVE-2021-0889) could permit an attacker in close proximity to silently pair with a TV and execute arbitrary code with no privileges or user interaction required," reports the hacker news. As per the latest Google security patches, it identified a total of six zero-day vulnerabilities from January 2021 in the android devices. 

Google says security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung. To know in detail about Google's security patches released recently, readers can visit Google's source website. Stay updated with Cy Security to know more.

InHand Networks Routers Could Expose Many Organizations to Remote Attacks

 

Researchers uncovered many major vulnerabilities in InHand Networks industrial routers that might expose numerous enterprises to remote attacks, and no patches appear to be available. Researchers from industrial cybersecurity firm OTORIO identified the issues in IR615 LTE routers made by industrial IoT solutions supplier InHand Networks over a year ago. The company has offices in China, the United States, and Germany, and its products are sold worldwide. Siemens, GE Healthcare, Coca-Cola, Philips Healthcare, and other large corporations are among InHand's customers, according to the company. 

OTORIO researchers detected 13 vulnerabilities in the IR615 router, according to a report issued last week by the US Cybersecurity and Infrastructure Security Agency (CISA). The list contains high-severity improper authorization and cross-site scripting (XSS) vulnerabilities, as well as critical cross-site request forgery (CSRF), remote code execution, command injection, and weak password policy issues. 

Cisco also addressed dozens of vulnerabilities in its IOS software in 2020, including a dozen security vulnerabilities affecting its industrial routers and switches. Cisco released its semi-annual security advisory bundle for IOS and IOS XE software. The warnings included 25 vulnerabilities that were classified as critical or high severity. Hundreds of other advisories for high- and medium-severity problems affecting IOS and other software were also published by the firm. 

Coming back to InHand Networks, CISA warned that threat actors might use the flaws to gain complete control of the devices and intercept communications in order to acquire sensitive data. 

Thousands of internet-exposed InHand routers have been discovered as vulnerable to assaults, according to OTORIO, however, exploitation via the internet requires authorization to the router's web management portal. An attacker might use default credentials to enter into the device or use brute-force assaults to obtain login credentials. The router's weak password policy and a vulnerability that can be used to enumerate all valid user accounts facilitate brute-force assaults.

“The attacker may abuse the Remote Code Execution vulnerability to get a first foothold on the device via running CLI commands; implant a first backdoor on the device as a persistence stage; and start scanning the internal organization network in order to elevate the attacker privileges and move on to sensitive assets on the network,” explained Hay Mizrachi, a penetration tester at OTORIO.

“The final objective is to achieve Domain Admin privileges on the organization. Of course, if there are additional sensitive networks such as OT networks, the attacker can try to get a foothold and disrupt the day-to-day functioning of the product line floor to cause additional damage and financial costs.”

Data of 200,000 Shareholders Exposed due to a Vulnerability in the BrewDog App

 

BrewDog allegedly leaked the personal identifying information (PII) of around 200,000 shareholders for the better part of 18 months, according to experts. BrewDog "declined to inform their shareholders and asked not to be named" in the investigation that revealed the system vulnerabilities, according to PenTestPartners. 

The Scottish brewery incorporated a hard-coded Bearer authentication token associated with API endpoints targeted for BrewDog's mobile applications, according to the cybersecurity company. 

These tokens were delivered, however, this verification step was skipped because it was hardcoded to be activated after a user entered their credentials, providing access to an endpoint. 

Members of PenTestPartners, who also happened to be BrewDog stockholders, added one another's customer IDs to API endpoint URLs. During testing, they discovered that without an appropriate identification issue, they could access the PII of Equity for Punks stockholders. 

Identities, birth dates, email addresses, gender identities, contact information, prior delivery addresses, shareholder numbers, shares owned, referrals, and other information were all available in the leak. The customer IDs, however, were not regarded as "sequential." 

"An attacker could brute force the customer IDs and download the entire database of customers," the researchers said. "Not only could this identify shareholders with the largest holdings along with their home address, but it could also be used to generate a lifetimes supply of discount QR codes!" Hard-coding authentication tokens, according to PenTestPartners, are a failure to fulfill these criteria since some of the PII exposed falls within the GDPR security banner. 

The bug has been there since March 2020, since BrewDog's app version 2.5.5 introduced hard-coded tokens. However, BrewDog's team was unaware of the vulnerability for a long time and failed to protect their token system in later releases.

The problem was eventually resolved in version 2.5.13, which has been released on September 27, 2021. BrewDog, on the other hand, elected not to reveal anything significant in the release's changelog announcement. 

"The vulnerability is fixed," the researcher says. "As far as I know, BrewDog has not alerted their customers and shareholders that their details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I'm left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure." 

BrewDog also told that: "BrewDog was notified of a vulnerability and the potential for data to be compromised. Investigations found no evidence that it was. Therefore there is no requirement to inform the ICO. An independent party documented the case as is required by the ICO." 

However, the corporation will also have to notify the UK's data protection officer due to the type of personal information exposed, as PII falls under GDPR, which is still in effect in the country.

Research shows that 91.5% Malware in Q2 2021 Appeared Over Encrypted Connections

 

According to the recent WatchGuard data, 91.5 percent of malware originated via encryption techniques during Q2 2021. This represents a significant increase compared to the previous quarter, implying that any organization that does not examine encrypted HTTPS traffic at the periphery is overlooking 9/10 of all malware. 

The study also showed worrisome increases in file-less malware threats, a substantial increase in ransomware, and a massive increase in network cyber attacks. “With much of the world still firmly operating in a mobile or hybrid workforce model, the traditional network perimeter doesn’t always factor into the cybersecurity defense equation,” said Corey Nachreiner, CSO at WatchGuard. 

AMSI.Disable.A appeared in the leading malware segment for the very first time in Q1 and quickly rose to the forefront this quarter, ranking second overall by volume as well as first for cumulative encoded attacks. This malware family employs PowerShell techniques to leverage various Windows security flaws, but what makes it particularly intriguing is its evasive technique. 

AMSI.Disable.A employs code capable of deactivating the Antimalware Scan Interface (AMSI) in PowerShell, enabling it to avoid script-security screening while carrying out its malware payload completely unnoticed. Within the first six months of 2021, malware observations believed to have originated from scripting engines such as PowerShell already have managed to reach 80% of last year's overall script-initiated attack volume, representing a significant increase compared to the previous year. 

In the following quarter, the said number increased by another million, indicating an aggressive course that emphasizes the evolving importance of keeping perimeter security along with user-focused safeguards. Whereas overall ransomware detections on endpoints fell from 2018 to 2020, the trend reversed in the first half of 2021, with the six-month total finishing just short of the full-year total for 2020. 

The Colonial Pipeline attack on May 7, 2021, demonstrated unequivocally that ransomware will be here to stay. The breach, which was the top security incident of the quarter, demonstrates how cybercriminals are not only targeting the most essential services – such as hospitals, industrial control, and infrastructure – but also seem to be intensifying attacks against such elevated targets. 

One of the most notable examples was a 2020 vulnerability within the popular online scripting language PHP, however, the other three aren't. A 20ll Oracle GlassFish Server vulnerability, a 2013 SQL injection flaw in the medical records application OpenEMR, and a 2017 remote code execution (RCE) vulnerability in Microsoft Edge are among them. Even though they are all out of date, they all pose a danger if not patched. 

Although it's an old attack vector that has hopefully been fixed in most systems, those who are yet to patch will be in for a huge shock if an attacker manages to get to it before they do. A very relatively similar RCE security flaw, CVE-2021-40444, hit the headlines earlier this month when it was purposefully abused in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers. 

Malware designed to target Microsoft Exchange servers and generic email clients to install remote access trojans (RATs) in highly sensitive locations has recently increased. It's most probably because Q2 was the second consecutive quarter in which remote employees and learners reverted to either hybrid offices and educational environments or normally functioning on-site behavior. 

Strong security consciousness and monitoring of departing communications on gadgets that aren't essentially connected directly to the connected devices is advised in any event – or location.

Unpatched Dahua Cameras are Prone to Authentication Bypass Vulnerabilities

 

Two authentication bypass vulnerabilities exist in unpatched Dahua cameras, and a proof-of-concept exploit released on 7th October makes the case for upgrading urgent. Both CVE-2021-33044 and CVE-2021-33045 are authentication bypass weaknesses that can be remotely exploited during the login process by sending specially crafted data packets to the target device. 

This comes a month after Dahua issued a security advisory urging owners of vulnerable models to update their firmware, but given how often these devices are forgotten after initial setup and installation, it's possible that many of them are still running an old and vulnerable version. The list of impacted models is long and includes several Dahua cameras, including some thermal cameras. 

IPVM confirmed in 2019 that numerous Dahua cameras had a wiretapping vulnerability, based on tests and information from Dahua. Even if the camera's audio was turned off, an unauthenticated attacker could still listen in. 

An emergency investigation was conducted by the Dahua Security Team and the R&D Team, with the following preliminary findings: 

 • Unauthorized download vulnerability in video chat - This vulnerability no longer exists after code reworking because the relevant functional modules were refactored. Some EOL products would have posed a threat to security.

 • Replay attack vulnerability: This was a newly discovered vulnerability that had affected several Dahua products. 

Dahua spokesperson Tim Shen said, "Dahua uses the secure login authentication method “Digest” by default, but in order to be compatible with early devices, we also retain support for the login authentication method with insufficient security. This vulnerability just exploits these insecure login authentication methods." 

The flaw was initially reported to Dahua in May of 2019. Tenable Research Engineer Jacob Baines discovered a vulnerability within an Amcrest (Dahua OEM) camera's firmware (PoC here, CVE-2019-3948), allowing unauthenticated access to the audio stream. 

The Chinese surveillance camera provider Dahua Technology has been barred from doing business and selling products in the United States since October 2019, when it was added to the US Department of Commerce's 'Entity List.' However, tens of thousands of Dahua cameras are still in use around the country, and some of them may not be readily apparent. Many cameras marketed in the United States under American or Canadian brands use Dahua hardware and even software, according to a new revelation from The Intercept.

Every tenth significant IT system in Russia is infected with malware

 According to Rostelecom-Solar research, every 10th critical information infrastructure (CII) in the Russian Federation is compromised by malware. Even hackers with low qualifications are able to attack most of these IT networks: a significant part of the detected vulnerabilities have existed for more than 10 years, but organizations have not prevented them.

Vladimir Drukov, director of the Cyber Attack Monitoring and Response Center at Rostelecom-Solar, associates the presence of vulnerabilities in CII with the fact that the process of regular software updates has not yet been established in more than 90% of companies.

Kaspersky Lab experts agreed with the findings of the study. According to Anton Shipulin, Lead Business Development Manager at Kaspersky Industrial CyberSecurity, cybersecurity is still at a low level in most CII facilities.

"In terms of data protection, a large number of CII objects are currently in a "depressing situation", and there are no serious hacker attacks on them "by happy accident", but it is only a matter of time," added Fedor Dbar, Commercial Director of Security Code.

In addition, the number of hosts with the vulnerable SMB protocol has almost doubled. It is a network protocol for sharing files, printers, and other network resources that is used in almost every organization. Such vulnerabilities are particularly dangerous, as they allow hackers to remotely run arbitrary code without passing authentication, infecting all computers connected to the local network with malware.

The main problem in internal networks is incorrect password management. Weak and dictionary passwords that allow an attacker to break into an organization's internal network are extremely common. Password selection is used by both amateur hackers and professional attackers.

Moreover, the pandemic has also significantly weakened IT perimeters. Over the past year, the number of automated process control systems (APCS) available from the Internet has grown by more than 60%. This increases the risks of industrial espionage and cyber-terrorism.


Northeastern University Team Finds New Ways to Detect Bugs in its Research

A research team at Northeastern University finds vulnerabilities and code defects. It does it by detecting when a programmer uses various code snippets to carry out the same tasks. Consistent and repeatable programming is said to be one of the best ways in software development, it has also become more crucial as the development team grows in size every day. Today, Northeastern University's research team reveals that finding irregular programming, code snippets that carry out the same tasks but in unique ways, can also help in finding bugs and potential vulnerabilities. 

The team presented a paper at USENIX Security Conference last year, researchers used machine learning to detect bugs. It first identified code snippets that carried out the same functions, later compared the codes to find irregularities. Known as "Functionally Similar yet Inconsistent Code Snippets" aka FICS, the program detected 22 new bugs after investigating QEMU and OpenSSL open-source projects." From basic bugs such as absent bounds checking to complex bugs such as use-after-free, as long as the codebase contains non-buggy code snippets that are functionally similar to a buggy code snippet, the buggy one can be detected as an inconsistent implementation of the functionality or logic," said the experts. 

Expert Mansour Ahmadi, research associate at Northeastern University says that they don't intend to change other methods of static analysis with this research, however, they want to give developers an idea about addition tool in their infantry which can be used to analyze code and find bugs. Mr. Ahmadi currently works at Amazon as a security engineer. An earlier different approach uses static analysis, when faced with an issue or had to be encountered with a rule to find the pattern. 

For instance, if a system has previously found a variant of a bug, these approaches are likely to fail in finding the bug. However, with accurate implementations of code snippets with similar functions, the FICS method can easily find the bug. According to Mr. Ahmadi, " While we were acknowledged by the developers for our findings, the developers did not proceed to assign CVEs to them as they believe the bugs are not exploitable."

Microsoft Finds Critical Code Execution Bugs In IoT, OT Devices

 

Recently, world-leading giant Microsoft security unit has reported that around 24 critical remote code execution (RCE) vulnerabilities have been found in Operational Technology (OT) industrial systems and Internet of Things (IoT) appliances. The research unit said that this security flaw in the system is collectively known as BadAlloc and because of the memory allocation Integer Overflow or Wraparound bugs, the attack occurred. 

The unit reported that the cybercriminal could utilize this access into the system to crash and execute malicious code remotely into the system. The vulnerabilities have been discovered by Microsoft's researchers into standard memory allocation systems that come into use in multiple real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. 

"Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations…”, the research team noted. 

"…Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device, the Microsoft security research team has reported”, they further added.

There is a long list of appliance that get affected by the BadAlloc vulnerabilities: 

• Amazon FreeRTOS, Version 10.4.1 
• ARM Mbed OS, Version 6.3.0 
• eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3 
• ARM mbed-uallaoc, Version 1.3.0 
• Cesanta Software Mongoose OS, v2.17.0 
• ARM CMSIS-RTOS2, versions prior to 2.1.3 
• Apache Nuttx OS, Version 9.1.0 
• Media Tek LinkIt SDK, versions prior to 4.6.1 
• Google Cloud IoT Device SDK, Version 1.0.2 
• Micrium OS, Versions 5.10.1 and prior 
• Micrium uCOS II/uCOS III Versions 1.39.0 and prior 
• Linux Zephyr RTOS, versions prior to 2.4.0 
• NXP MCUXpresso SDK, versions prior to 2.8.2 
• NXP MQX, Versions 5.1 and prior 
• RIOT OS, Version 2020.01.1 
• Samsung Tizen RT RTOS, versions prior 3.0.GBB 
• Redhat newlib, versions prior to 4.0.0 
• Texas Instruments SimpleLink MSP432E4XX 
• Texas Instruments CC32XX, versions prior to 4.40.00.07 
• Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00 
• Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03 
• Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00 
• Windriver VxWorks, prior to 7.0 
• Uclibc-NG, versions prior to 1.0.36 
• TencentOS-tiny, Version 3.1.0 

Reportedly, as soon as the security flaw was found out into the system the research unit reported it to the CISA and the vendors.

First Horizon Bank Online Accounts Hacked to Steal Customers’ Funds

The financial institution, First Horizon Corporation reported that earlier this month some of its customers’ online banking accounts have been breached by unidentified cybercriminals.

‘First Horizon’ is a regional financial company that provides facilities including capital market, wealth management services and offers banking services in a region with $84 billion in assets. 

Additionally, the institution also operates its company's banking subsidiary; hundreds of banks are located in 12 states across the Southeast region. 

According to the company, the attack came into light in the middle of April 2021 and as per the reports it only impacted limited customers’ accounts. Whilst investigation was going on, it was discovered that the unidentified cybercriminals could possibly get access to customers' online bank accounts with the help of previously stolen sensitive information and by trespassing third-party software. 

"Using the credentials and exploiting a vulnerability in third-party security software, the unauthorized party gained unauthorized access to under 200 online customer bank accounts," First Horizon added in an 8-K form filed with the U.S. Securities and Exchange Commission (SEC) on Wednesday. 

It is also being reported that the threat actors were also able to get access to the customers’ credentials kept in the infringement accounts and fetch reserve money from some of them before the attack was being discovered. 

However, the firm reported that they "fraudulently obtained an aggregate of less than $1 million from some of those accounts." 

The institution, after discovering the attack, informed the affected customers while also notifying the data management department and law enforcement firms. Furthermore, for security purposes, it also opened new online banking accounts for its directly affected customers. 

The vulnerability exploited by the attackers, that was present in the system, has also been taken care of by the company, they have also successfully reset the passwords of the affected accounts. 

In this regard, lastly, the first Horizon concluded by saying that, "Based on its ongoing assessment of the incident to date, the Company does not believe that this event will have a material adverse effect on its business, results of operations or financial condition." However, at present, the firm did not report anything on the exploited third-party software.

Fleeceware Apps Prey on Android Users

 

A fleeceware application isn't customary Android malware as it doesn't contain pernicious code. Rather, the danger comes from unnecessary subscription charges that it may not clearly specify to mobile clients. Fleeceware tricks a victim into downloading an application that intrigues them. At that point, the developer relies on the client overlooking the program as well as neglecting to see the actual subscription charge. These developers target more youthful clients who probably won't focus on the subscription details. The developer fleeces the victim by fooling them into paying cash for something they probably won't need. Chances are, they won't realize they have or they may have gotten somewhere else complimentary or free of charge.

In January 2020, SophosLabs uncovered that it had distinguished more than 20 fleeceware applications hiding out in the Android market place. These applications acquired an aggregate all out of more than 600 million installations. One of those applications charged clients $3,639.48‬ yearly, or $69.99 every week, for showing day by day horoscopes. A couple of months after the fact, Google updated its policies to guarantee that clients comprehended the full price of an application subscription when free trials and introductory offers end and how to deal with their application subscriptions. That didn't prevent a few people from endeavoring to get around Google's policies. In August 2020, Google eliminated some fleeceware applications for neglecting to incorporate a dismiss button and for showing subscription data in small, light font styles. 

Avast reported seven fleeceware applications to Google Play in mid-November. A large portion of these applications professed to offer Minecraft-related skins, maps, and additionally mods for the well-known game. Others offered skins for different games or advertised themes and wallpapers for Android devices. Utilizing those disguises, the entirety of the applications figured out how to pull in excess of 100,000 individuals before Avast found them. Five of them flaunted more than 1,000,000 downloads. 

Associations can help safeguard their clients against fleeceware applications, for example, by utilizing Mobile Device Management (MDM) to restrict the functionality of applications introduced on corporately owned cell phones. They can likewise utilize ongoing security awareness training and incorporate a list of permitted mobile applications and market places that employees can use on their cell phones.

Google Security Researcher Banned From COD: Modern Warfare For Reverse Engineering


A security researcher from Google has been banned from Call of Duty: Modern warfare for attempting to reverse engineer its networking code while studying the security to hunt memory corruption vulnerabilities. 
 
Almost a week later, after getting his account suspended by Call of Duty's developer, Activision Blizzard, Google Project Zero's Williamson, who carried out the research in his personal capacity, published a blog post telling that the research he conducted required him to reverse engineer the networking code in COD'e executable ( For reviewing the code for memory corruption vulnerabilities). However, as the executable was heavily obfuscated, IDA failed to examine it, forcing him to as he said in the blog, "dump the unobfuscated code from the memory of a running game process." 
 
It was at that point when the developers of the game suspected him as a cheater and consequently, his activities were flagged for being suspicious in nature. To ensure he doesn't affect any players in the process, Williamson tried to read memory while he was in the main menu; he attached WinDbg debugging tool – in consequence to which the game exited, the incident was attributed to the flagging event as per Williamson who also attempted to pause the process prior to dumping memory from it. He dumped an image of the game from memory in the main menu and exited normally, as explained in his blog post. 
 
The researcher who was saddened by the ban for multiple reasons, told, "after spending a few days reviewing the binary, I decided that the binary was so large and unwieldy to deal with that I would table the project for a later date. But unfortunately, I was banned about a month later, losing over a year of progress on my account." 
 
"The ban saddens me on a personal level as I’ve reconnected with family and friends from throughout my life playing this game during the pandemic. But more importantly, this sends a clear signal: this research is not welcome. I believe I had a reasonable expectation that it would be. I had done similar work during a CTF, where I reverse engineered and fuzzed CS:GO without ever risking a ban," he further added. 
 
Williamson, while scaling the magnitude of 'cheating' as a threat to online gaming, said that, "I understand that the developers shoulder an impressive burden in preventing cheat development and use. They need to leverage a variety of signals to detect cheat development and use. I’m guessing that because they may not have seen security researchers reviewing their platform before, they interpret any attempt to reverse engineer as a sign of malicious behavior. No typical player would attach a debugger to the game, and therefore they probably assume they don’t need much more evidence beyond this to issue a ban." 
 
While voicing his concerns regarding the ban for security researchers, he said, "Let me be clear: at no point did I intend to develop or use a cheat, and at no point did I manipulate any aspect of the game for another player or even myself. To this day, I don’t know what exactly caused the ban, and there’s no process to appeal it. What if using a reversing tool as part of my job gets me flagged? This fear is in the back of my mind for all games with anti-cheat, not just Warzone."

Apple Patches-Up Three Actively Exploited And Identified Zero-Day Vulnerabilities In its iPhone, iPod and iPad Devices

 

This month Apple released iOS 14.2 and iPad 14.2, which patched up a sum total of 24 vulnerabilities in different parts of the OSes, including sound, crash reporter, kernel, and foundation. 

The multinational technology has fixed up three identified zero-day vulnerabilities in its iPhone, iPod, and iPad devices possibly associated with a spate of related flaws very recently found by the Google Project Zero team that additionally had an impact over Google Chrome and Windows. 

Ben Hawkes from Google Project Zero who was able to identify the zero-day vulnerabilities as "CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel advantage escalation)," he said in a tweet. 

Apple likewise offered credit to Project Zero for recognizing these particular defects in its security update and gave a little more detail on each.

CVE-2020-27930 is 'a memory corruption flaw' in the FontParser on iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and iPad mini 4 and later, as indicated by Apple. 

The vulnerabilities take into account an attacker to process a “maliciously crafted font” that can prompt arbitrary code execution.

Apple described CVE-2020-27950 as a memory initialization issue in the iOS kernel that influences iPhone 6s and later, iPod tough 7th generation, iPad Air 2 and later, and iPad smaller than usual 4 and later. 

The defect would permit a pernicious application to reveal kernel memory, according to the company. The Apple update comes along with the time of updates by Google over the last two weeks to fix various zero days in Google Chrome for both the desktop and Android versions of the browser. 

Shane Huntley from Google's Threat Analysis Group claims that the recently fixed Apple zero-day flaws are identified with three Google Chrome zero-days and one Windows zero-day likewise uncovered over the last two weeks, possibly as a component of a similar exploit chain.

“Targeted exploitation in the wild similar to the other recently reported 0days,” he tweeted, adding that the attacks are “not related to any election targeting.” 

It is however critical to take into notice that both Apple and Google have had an infamous past with regards to vulnerability revelation. 

The two tech monsters famously butted heads a year ago over two zero-day bugs in the iPhone iOS after Google Project Zero analysts guaranteed that they had been exploited for quite a long time.

US Army Says North Korea Has Hackers and Electronic Warfare Specialists Working and Operating Abroad


In a report published a month ago by the US Army said North Korea has at least 6,000 hackers and electronic warfare specialists working in its ranks with a large number of these are operating in nations, like Belarus, China, India, Malaysia, and Russia. 
The report is a tactical manual that the US Army uses to train their troops and military pioneers, and which the Army has made public for the first time just the previous month. 

Named "North Korean Tactics," the 332-page report consists of a 'treasure trove' of data about the Korean People's Army (KPA) like the military strategies, weaponry, leadership structure, troop types, logistics, and electronic warfare capacities. 

By far most of the report manages exemplary military tactics and capacities; the report likewise highlights North Korea's clandestine hacking units. "Most EW [electronic warfare] and cyberspace warfare operations take place within the Cyber Warfare Guidance Unit, more commonly known as Bureau 121," the US Army said. 

This evaluation is equivalent to the past reports from the intelligence and cybersecurity communities, which have additionally connected all of North Korea's hackers back to Bureau 121, a division of the Reconnaissance General Bureau, a North Korean intelligence agency that is a part of the National Defence Commission. 

The US Armed force says Bureau 121 has developed exponentially lately, as North Korea has expanded it’s the cyberspace exercises. According to the report, Bureau 121 developed from "at least 1,000 elite hackers in 2010" to more than 6,000 members today. 

The number is a steady one with comparable figures published by the South Korean Defence Ministry, which said that North Korea was operating a cyberwarfare staff of 3,000 out of 2013, a number that later multiplied to 6,000 by 2015. 

Notwithstanding, the US Army as of now believes that it's 6,000 figure isn't totally accurate. Army officials state that they have estimates for the internal divisions within Bureau 121, numbers that seem to have not been released previously, until the previous month. 

They don't have an exact number for the members part of the Lazarus Group sub-division, yet this group is the one, for the most part, the one to which North Korean authorities turn "to create social chaos by weaponizing enemy network vulnerabilities and delivering a payload if directed to do so by the regime." 

While the US Army report doesn't go a lot into details on why the Pyongyang regime lets military hackers travel abroad, there are previous reports and court documents that have gone into these details, with the Pyongyang regime utilizing its hackers to set up shell companies that serve both as cover when setting up 'foreign-based server infrastructure', yet in addition as 'intermediary entities in money laundering operations'. 

In any case, while the US Army report acknowledges that North Korean hackers have been engaged with financial cybercrime, Armed officials go significantly further and outline the whole North Korean government as a criminal network, with the Kim regime being associated with a wide scope of activities that likewise incorporated drug trading, counterfeiting, and human trafficking, and not simply the variety of cybercrime.