Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Vulnerabilities. Show all posts
Vulnerabilities
Andriod ATR Cyber Hackers Cybersecurity CyberThreat MaaS malware NFC SiperCard TLS Vulnerabilities

New Android Threat Raises Concern Over NFC Relay Attack Vulnerabilities

 


In recent times, there has been considerable concern with regards to some newly uncovered Android-based malware-as-a-service (Maas) platforms, particularly those based on Android and known as SuperCard X. This is because this platform was able to execute these attacks in near-field communication (NFC). A sophisticated tool such as this enables threat actors to make unauthorised contactless payments, allowing them to withdraw money without requiring direct physical access to their cards. 

Through advanced near-field communication (NFC) relay techniques, this malware is able to allow threat actors to authorize illicit transactions at contactless-enabled ATMs and Point-of-Sale (POS) terminals without actually requiring the victim to give them their card details. Using such methods, the attacker deceives users into installing a malicious Android application, during which their payment cards are tapped against their compromised devices. 

The sensitive data from the NFC tags is intercepted and relayed in real time to the attacker-controlled infrastructure while the attack is taking place. It appears that the platform has been part of a Malware-as-a-Service MaasS) ecosystem for Chinese-speaking users. In addition, it appears to have a significant amount of code overlap with NGate, a malicious NFC toolkit that was previously documented by ESET in 2024. The campaign has had a wide-reaching impact on not only banking customers but also credit card issuers and payment processors as well. 

With the help of widely adopted contactless payment technologies, attackers are able to devise an extremely effective means of executing an unauthorised cashout, especially if they trick the user into disabling transaction limits. This campaign's success has been attributed to its combination of streamlined malware and persuasive social engineering, a development that signals a significant change in the tactics used by mobile threat actors in the future.

Apparently, the current campaign appears to be primarily targeting Italian bank customers and cardholders, according to recent research conducted by the fraud prevention firm Cleafy. It is reported that the attackers intend to collect sensitive payment card data through a methodical and layering approach in a very systematic way. Several analysts, including Federico Valentini, Alessandro Strino, and Michele Roviello, have concluded that SuperCard X uses a multiphase strategic attack method. 

Social engineering tactics are used to lure victims into installing malicious Android applications, which can intercept NFC data that has been compromised from a compromised device. This can include SMS-based phishing (smishing) as well as deceptive phone calls that lure victims into installing malicious Android applications. Additionally, preliminary findings indicate that the service is actively promoted on Telegram channels, which suggests that the tool’s distribution and monetisation are being supported by a larger underground network. 

The campaign's focus is on covert data harvesting and real-time exploitation of data, a trend which highlights the importance of mobile devices as a critical point of entry for financial fraudsters. A growing number of mobile payments is highlighting a need for enhanced awareness of users, robust security protocols, and real-time threat intelligence to combat the ever-increasing number of mobile-focused cyberattacks. As far as the malware's operational architecture is concerned, it displays a clever combination of sophistication and subtlety. 

To keep the component known as "Reader" from being detected by security platforms that are based on heuristics or signature-based and signature-driven algorithms, such as VirusTotal, the component is intentionally designed to only ask for basic system permissions as well as some NFC permissions, an intentional design choice. The technical findings of Cleafy indicate significant code reuse from the open-source relay toolkit NFCGate and the malicious variant NGate, both of which were identified by ESET in 2024. 

Using publicly available frameworks has probably accelerated development and led to a quicker onboarding process for new threat actor affiliates because it allows development to take place faster. When victims are coerced into tapping their credit or debit cards against a compromised device, they are silently captured, including low-level smart card responses such as the Answer To Reset (ATR) messages, from the compromised device. This is often done through social engineering.

Data such as this is sent instantly through a command-and-control network that is based on HTTP and protected with mutually negotiated TLS authentication, which limits communication to validated client instances and reduces the probability of external intrusion. During the same time, a secondary application on a separate attacker-controlled Android device called the "Tapper" is played that simulates the victim's card at a payment terminal or contactless ATM by using Host-Based Card Emulation (HCE). 

With a combination of disabling the card spending limits for the victim, this tactic can ensure that the maximum number of fraudulent withdrawals are made while remaining virtually undetectable by standard mobile security solutions. As a result of Cleafy's analysis, SuperCard X is designed to be stealthy, and it has remained undetected by all antivirus solutions listed on VirusTotal until today. 

Having such a restricted permission model, as well as the absence of overtly malicious behaviours, such as screen overlays and intrusive access requests, which are commonly flagged by heuristic-based security engines, contributes greatly to this success. There is an evident high level of technical competence among the threat actors behind SuperCard X, particularly in the implementation of an ATR-based (Answer to Reset) card emulation system, which demonstrates a high level of technical competence. 

A malware program that replicates the initial response sequence of the smartcard convincingly allows fraudulent transactions to be processed without raising suspicions at a payment terminal by convincingly mimicking authentic smartcard behaviour. In addition to this, users have built a command-and-control infrastructure with mutual Transport Layer Security (MTLS), which ensures that no client devices are permitted to communicate unless they are authenticated. 

A certificate-based verification ensures that not only is data integrity protected, but the network traffic analysis process is hindered significantly by security researchers and law enforcement agencies due to the fact that this certificate is based on verification. Together, these technical safeguards ensure that this malware does not leave a large footprint on the networks and demonstrate how mature the campaign is operationally. 

There is some evidence that the activity associated with SuperCard X is currently restricted to Italy geographically, although Cleafy's report cautions that the threat could rapidly escalate on a global scale if the problem is not addressed promptly. Cybercriminals can acquire and deploy malware-as-a-service (MaaaS) tools on dark web marketplaces that are readily available, which makes it easy for them to acquire and deploy malware against targets from any region. This raises concerns about possible expansion into broader markets, including those in North America and Europe. 

Using convincing social engineering tactics, such as urgent text messages masquerading as official communication from financial institutions, the campaign leverages persuasive social engineering techniques. The messages are designed in such a way that they cause panic in users and prompt them to immediately act, such as clicking on malicious links or downloading unauthorised applications, in order to generate immediate results. 

Individuals should ensure that they verify such messages independently by contacting their financial providers directly through trusted channels in cases where the sender's number matches the victim's actual bank number, especially if the sender's number has been spoofed to match that number. Whenever users receive a request to download an application through an external link, they should be aware that it is a red flag. No legitimate bank would ever ask users for this type of request. 

The user should only install applications from verified sources, such as the Google Play Store, which offer banking apps. It is essential to maintain the functionality of built-in security features on users' Android device, such as Google Play Protect, to mitigate the risk of exposure to threats like SuperCard X. This service continuously scans every application users install and any new applications they download for malicious behavior. 

There are a few things users should consider, such as installing a third-party mobile security solution, as well as awareness and good cyber hygiene practices. As this malware continues to circulate in the wild, awareness and good cyber hygiene are the two best ways to combat the increasing number of mobile malware threats.
Read more »
WhiteHat
Compliance Cyber Security Encryption EthicalHacking Firewalls PenTesting Ransomware Vulnerabilities WhiteHat

Ethical Hacking: The Cyber Shield Organizations Need

 

Ethical hacking may sound paradoxical, but it’s one of the most vital tools in modern cyber defence. Known as white hat hackers, these professionals are hired by companies to simulate cyberattacks, uncover vulnerabilities, and help fix them before malicious actors can strike.

“Ethical hackers mimic real-world threats to identify and patch security flaws. It’s about staying a step ahead of the bad guys,” says a cybersecurity expert.

As cyber threats surge globally, ethical hackers are in high demand. A recent Check Point Software report revealed a staggering 44% rise in global cyberattacks. From ransomware gangs to state-sponsored intrusions, the risks are growing—and the need for skilled defenders is greater than ever.

The ethical hacking process begins with reconnaissance—mapping a company’s digital infrastructure. Next comes scanning and vulnerability testing, using the same techniques as criminal hackers. Once issues are identified, they’re reported, not exploited. Some ethical hackers work independently, participating in bug bounty programs for companies like Google and Microsoft.

Industries like finance, healthcare, and tech—where sensitive data is a prime target—rely heavily on ethical hackers. Their techniques include penetration testing, system and network hacking, internal assessments, and web application testing.

In 2019, a team at Positive Technologies uncovered a Visa card flaw that could’ve allowed contactless payments to exceed set limits—just one example of ethical hacking saving the day.

Penetration testing simulates real breaches, such as injecting code, overloading systems, or intercepting data. System hacking targets devices with tools to crack passwords or exploit system weaknesses. Internal testing flags human errors, like weak credentials or poor security training. Web app testing scans for issues like XSS or SQL injections before launch. Network hacking exposes flaws in protocols, open ports, or wireless vulnerabilities.

The biggest advantage? Ethical hackers reveal blind spots that internal teams might miss. They prevent data breaches, build customer trust, and ensure compliance with regulatory standards—saving organizations from reputational and financial harm.

“Finding flaws isn’t enough. Ethical hackers offer the roadmap to fix them—fast,” a security analyst shares.

With the right skills, anyone can break into this field—often with significant rewards. Major companies offer million-dollar payouts through bug bounty programs. Many ethical hackers hold certifications like CEH, OSCP, or CySA+, with backgrounds ranging from military service to degrees in computer science.

The term “hacker” doesn’t always mean trouble. Ethical hackers use the same tools as their criminal counterparts—but to protect, not exploit. In today’s digital battlefield, they’re the unsung heroes safeguarding the future.


Read more »
Vulnerabilities
Automation Backup Cyber Security Exploits Infrastructure Vulnerabilities

CISA Highlights Major Vulnerabilities in Critical Infrastructure Systems

 

The Cybersecurity and Infrastructure Security Agency (CISA) has released two significant advisories focused on Industrial Control Systems (ICS), urging swift action from organizations operating within vital infrastructure sectors. These advisories—ICSA-25-091-01 and ICSA-24-331-04—highlight newly discovered vulnerabilities that could pose severe threats if left unaddressed.

ICSA-25-091-01 focuses on a critical vulnerability affecting Rockwell Automation's Lifecycle Services, which integrate with Veeam Backup and Replication. This issue stems from improper deserialization of untrusted data (CWE-502)—a known risk that allows remote attackers to execute malicious code. The flaw has received a CVSS v4 score of 9.4, indicating a high-severity, low-complexity threat that is remotely exploitable.

Impacted products include:

  • Industrial Data Center (IDC) with Veeam (Generations 1-5)
  • VersaVirtual Appliance (VVA) with Veeam (Series A-C)
If exploited, the vulnerability could give attackers with admin rights full access to execute arbitrary code, potentially leading to complete system takeover.

"CISA urges organizations to take immediate defensive measures to mitigate the risk, including:
• Minimizing network exposure for all control systems and ensuring they are not directly accessible from the internet.
• Using secure access methods like Virtual Private Networks (VPNs) when remote access is necessary.
• Keeping VPNs up to date to prevent vulnerabilities from being exploited."

Rockwell Automation is collaborating with CISA to inform affected clients—especially those under Infrastructure Managed Service contracts—about available patches and remediation steps.

ICSA-24-331-04 draws attention to multiple security flaws in Hitachi Energy’s MicroSCADA Pro/X SYS600, a system widely used in energy and manufacturing sectors. These vulnerabilities include improper query logic handling, session hijacking via authentication bypass, and path traversal risks.

The most critical issue, CVE-2024-4872, carries a CVSS v3 score of 9.9, making it one of the most severe. It enables attackers with valid credentials to inject harmful code into the system, risking unauthorized access and corruption of persistent data.

Other issues include:
  • CVE-2024-3980: Lack of proper file path limitations
  • Exposure to further system compromise if not promptly patched
"Hitachi Energy has released patches for the affected versions, including a critical update to Version 10.6 for MicroSCADA Pro/X SYS600. Users are also advised to apply necessary workarounds and stay updated with security patches to protect against exploitation."

CISA strongly advises organizations using these systems to implement all recommended mitigations without delay to minimize potential risks.
Read more »
Vulnerabilities
Artificial Intelligence ChatGPT cybercriminals Cybersecurity Ransomware Vulnerabilities

Cybercriminals Exploit Psychological Vulnerabilities in Ransomware Campaigns

 


During the decade of 2025, the cybersecurity landscape has drastically changed, with ransomware from a once isolated incident to a full-sized global crisis. No longer confined to isolated incidents, these attacks are now posing a tremendous threat to economies, governments, and public services across the globe. There is a wide range of organizations across all sectors that find themselves exposed to increasingly sophisticated cyber threats, ranging from multinational corporations to hospitals to schools. It is reported in Cohesity’s Global Cyber Resilience Report that 69% of organizations have paid ransom demands to their suppliers in the past year, which indicates just how much pressure businesses have to deal with when such attacks happen. 

The staggering number of cybercrime cases highlights the need for stronger cybersecurity measures, proactive threat mitigation strategies and a heightened focus on digital resilience. With cybercriminals continuously improving their tactics, organizations need to develop innovative security frameworks, increase their threat intelligence capabilities, and foster a culture of cyber vigilance to be able to combat this growing threat. The cybersecurity landscape in 2025 has changed significantly, as ransomware has evolved into a global crisis of unprecedented proportions. 

The threat of these attacks is not just limited to isolated incidents but has become a significant threat to governments, industries, and essential public services. Across the board, companies of all sizes are increasingly vulnerable to cyber threats, from multinational corporations to hospitals and schools. In the last year, Cohesity released its Global Cyber Resilience Report, which revealed that 69% of organizations paid ransom demands, indicating the immense pressure that businesses face in the wake of such threats. 

This staggering figure underscores how urgent it is that we take more aggressive cybersecurity measures, develop proactive threat mitigation strategies, and increase our emphasis on digital resilience to prevent cyberattacks from taking place. Organizations must embrace new security frameworks, strengthen threat intelligence capabilities, and cultivate a culture of cyber vigilance to combat this growing threat as cybercriminals continue to refine their tactics. A persistent cybersecurity threat for decades, ransomware remains one of the biggest threats today. 

However, the first global ransom payment exceeded $1 billion in 2023, marking a milestone that hasn't been achieved in many years. Cyber extortion increased dramatically at this time, as cyber attackers constantly refined their tactics to maximize the financial gains that they could garner from their victims. The trend of cybercriminals developing increasingly sophisticated methods and exploiting vulnerabilities, as well as forcing organizations into compliance, has been on the rise for several years. However, recent data indicates a significant shift in this direction. It is believed that in 2024, ransomware payments will decrease by a substantial 35%, mainly due to successful law enforcement operations and the improvement of cyber hygiene globally.

As a result of enhanced security measures, increased awareness, and a stronger collective resistance, victims of ransom attacks have become increasingly confident they can refuse ransom demands. However, cybercriminals are quick to adapt, altering their strategies quickly to counteract these evolving defences to stay on top of the game. A response from them has been to increase their negotiation tactics, negotiating more quickly with victims, while simultaneously developing stealthier and more evasive ransomware strains to be more stealthy and evasive. 

Organizations are striving to strengthen their resilience, but the ongoing battle between cybersecurity professionals and cybercriminals continues to shape the future of digital security. There has been a new era in ransomware attacks, characterized by cybercriminals leveraging artificial intelligence in increasingly sophisticated manners to carry out these attacks. Using freely available AI-powered chatbots, malicious code is being generated, convincing phishing emails are being sent, and even deepfake videos are being created to entice individuals to divulge sensitive information or transfer funds by manipulating them into divulging sensitive information. 

By making the barriers to entry much lower for cyber-attacking, even the least experienced threat actors are more likely to be able to launch highly effective cyber-attacks. Nevertheless, artificial intelligence is not being used only by attackers to commit crimes. There have been several cases where victims have attempted to craft the perfect response to a ransom negotiation using artificial intelligence-driven tools like ChatGPT, according to Sygnia's ransomware negotiation teams. 

The limitations of AI become evident in high-stakes interactions with cybercriminals, even though they can be useful in many areas. According to Cristal, Sygnia’s CEO, artificial intelligence lacks the emotional intelligence and nuance needed to successfully navigate these sensitive conversations. It has been observed that sometimes artificial intelligence-generated responses may unintentionally escalate a dispute by violating critical negotiation principles, such as not using negative language or refusing to pay outright.

It is clear from this that human expertise is crucial when it comes to managing cyber extortion scenarios, where psychological insight and strategic communication play a vital role in reducing the potential for damage. Earlier this year, the United Kingdom proposed banning ransomware payments, a move aimed at deterring cybercriminals by making critical industries less appealing targets for cybercriminals. This proposed legislation would affect all public sector agencies, schools, local councils, and data centres, as well as critical national infrastructure. 

By reducing the financial incentive for attackers, officials hope to decrease both the frequency and severity of ransomware incidents across the country to curb the number of ransomware incidents. However, the problem extends beyond the UK. In addition to the sanctions issued by the Office of Foreign Assets Control, several ransomware groups that have links to Russia and North Korea have already been sanctioned. This has made it illegal for American businesses and individuals to pay ransoms to these organizations. 

Even though ransomware is restricted in this manner, experts warn that outright bans are not a simple or universal solution to the problem. As cybersecurity specialists Segal and Cristal point out, such bans remain uncertain in their effectiveness, since it has been shown that attacks fluctuate in response to policy changes, according to the experts. Even though some cybercriminals may be deterred by such policies, other cybercriminals may escalate their tactics, reverting to more aggressive threats or increasing their personal extortion tactics. 

The Sygnia negotiation team continues to support the notion that ransom payments should be banned within government sectors because some ransomware groups are driven by geopolitical agendas, and these goals will be unaffected by payment restrictions. Even so, the Sygnia negotiation team believes that government institutions should not be able to make ransom payments because they are better able to handle financial losses than private companies. 

Governments can afford a strong stance against paying ransoms, as Segal pointed out, however for businesses, especially small and micro-sized businesses, the consequences can be devastating if they fail to do so. It was noted in its policy proposal that the Home Office acknowledges this disparity, noting that smaller companies, often lacking ransomware insurance or access to recovery services, can have difficulty recovering from operational disruptions and reputational damage when they suffer from ransomware attacks. 

Some companies could find it more difficult to resolve ransomware demands if they experience a prolonged cyberattack. This might lead to them opting for alternative, less transparent methods of doing so. This can include covert payment of ransoms through third parties or cryptocurrencies, allowing hackers to receive money anonymously and avoid legal consequences. The risks associated with such actions, however, are considerable. If they are discovered, businesses can be subjected to government fines on top of the ransom, which can further worsen their financial situation. 

Additionally, full compliance with the ban requires reporting incidents to authorities, which can pose a significant administrative burden to small businesses, especially those that are less accustomed to dealing with technology. Businesses are facing many challenges in the wake of a ransomware ban, which is why experts believe a comprehensive approach is needed to support them in the aftermath of this ban.

Sygnia's Senior Vice President of Global Cyber Services, Amir Becker, stressed the importance of implementing strategic measures to mitigate the unintended consequences of any ransom payment ban. It has been suggested that exemptions for critical infrastructure and the healthcare industries should be granted, since refusing to pay a ransom may lead to dire consequences, such as loss of life. Further, the government should offer incentives for organizations to strengthen their cybersecurity frameworks and response strategies by creating incentives like these.

A comprehensive financial and technical assistance program would be required to assist affected businesses in recovering without resorting to ransom payments. To address the growing ransomware threat effectively without disproportionately damaging small businesses and the broader economy, governments must adopt a balanced approach that entails enforcing stricter regulations while at the same time providing businesses with the resources they need to withstand cyberattacks.
Read more »
Vulnerability
CISA Critical Exploits cyberattacks trending news News Vulnerabilities Vulnerability

CISA Warns of Critical Exploits in ProjectSend, Zyxel, and Proself Systems


Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has discovered and added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities, impacting North Grid Proself, ProjectSend, and Zyxel firewalls, are being actively exploited, posing serious risks of data breaches and operational disruptions to unpatched systems. At the time of publishing, Zyxel acknowledged the issue and advised users to update their firmware promptly and strengthen admin credentials.

Vulnerabilities Identified in North Grid Proself, ProjectSend, and Zyxel Firewalls

North Grid Proself Vulnerability (CVE-2023-45727): A severe XML processing vulnerability in North Grid Proself has been identified, allowing attackers to bypass restrictions and access sensitive server data. Systems running versions older than 5.62, 1.65, and 1.08 are vulnerable to exploitation through maliciously crafted XML requests, which can extract sensitive account information.

ProjectSend Vulnerability (CVE-2024-11680): A critical authentication flaw in ProjectSend, an open-source file-sharing platform, has been flagged with a CVSS severity score of 9.8. Versions prior to r1720 are susceptible to attacks where malicious actors manipulate the options.php file using crafted HTTP requests. This enables them to create unauthorized accounts, upload webshells, and inject harmful JavaScript code. Security researchers from VulnCheck report that attackers are leveraging automated tools such as Nuclei and Metasploit to exploit this vulnerability.

Notably, exploitation attempts are marked by altered server configurations, including random strings in landing page titles—a trend observed since September 2024. Despite a patch being released in May 2023, over 4,000 exposed instances remain vulnerable.

Zyxel Firewall Vulnerability (CVE-2024-11667): Zyxel firewalls running firmware versions between V5.00 and V5.38 are vulnerable to a directory traversal attack. This flaw allows attackers to upload or download files via manipulated URLs within the web management interface, potentially compromising system integrity.

Exploitation Attempts and Mitigation Strategies

ProjectSend instances have been the primary focus of attackers. Public-facing systems have seen unauthorized user registrations—a setting not enabled by default—facilitating access for malicious actors. Webshells uploaded during these attacks are often stored in predictable directories, with filenames tied to timestamps and user data. Organizations are urged to review server logs to identify and address suspicious activities.

Under Binding Operational Directive (BOD) 22-01, federal agencies must prioritize these vulnerabilities, while CISA has recommended that private organizations take immediate action to mitigate the risks. Updating software, reviewing server configurations, and enhancing log analysis are critical steps to safeguard systems from exploitation.

Read more »
Vulnerabilities
CyberCrime Cybersecurity CyberThreat HM Surf macOS Microsoft Privacy Safari Vulnerabilities

HM Surf Bug in macOS Raises Data Privacy Concerns

 


Several vulnerabilities in the Safari web browser for macOS may have left users open to being spied on, having their data stolen, and acquiring other types of malware thanks to this security weakness. Specifically, the vulnerability arises from the special permissions Apple gives to its proprietary apps, and here, it is the browser, as well as the ease with which an attacker can obtain the important configuration files of an app. 

Ultimately, what it allows a user to do is to circumvent the Transparency, Consent, and Control (TCC) security layer on MacBooks that is designed to safeguard sensitive data from an attacker. CVE-2024-44133 has been rated as a "medium" severity vulnerability by the Common Vulnerability Scoring System (CVSS), meaning that it has a 5.5 severity score as per the CVSS. According to the CVE-2024-44133 vulnerability report, attackers can bypass the user data protection methods implemented by the operating system by bypassing Transparency, Consent, and Control (TCC). 

During the September 16 update for Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later), the vulnerability, also referred to as CVE-2024-44133, had been fixed. Please take note that this vulnerability will only impact devices that are managed by Mobile Device Management (MDM), not any other device. Typically, MDM managed devices are subject to policies and procedures set by the IT department of an organization, which is responsible for centrally managing and maintaining the devices.


According to Microsoft, the flaw has been named "HM Surf." By exploiting this vulnerability an attacker would be able to bypass macOS' Transparency, Consent, and Control (TCC) features and gain unauthorized access to a user's protected data, which they would have no control over. There is a possibility users may discover Safari's TCC in action while browsing a website that requires access to the camera or microphone when browsing through the website. It was noted by Apple in mid-September that a bug in macOS Sequoia 15 has been fixed by removing the vulnerable code. However, the bug does not seem to affect MDM-managed devices. As stated in the blog post, Microsoft’s Sequoia 15 release only protects Apple’s Safari web browser when it is installed. 

It was also pointed out that browsers like Google Chrome and Mozilla Firefox don't have the same private entitlements as Apple applications, so they cannot bypass TCC checks like Apple applications can. Therefore, once TCC checks are approved, it is up to the app to maintain access to the privacy database as long as people have approved the checks. This vulnerability can be exploited by removing the TCC protection for the Safari browser directory and editing a configuration file in that directory. It is stated in Microsoft's response that it involves gaining access to the user's data, such as browsed pages, the camera, microphone, and location of the device, without the user's knowledge.

Users of macOS are strongly encouraged to apply these security updates as soon as possible so that their system will be protected. Using its behavior monitoring capabilities, Microsoft Defender for Endpoint has detected activities associated with Adload, one of the most prevalent macOS threat families, which may be exploiting this vulnerability in some way. In addition to detecting and blocking CVE-2024-44133 exploitation, Windows Defender for Endpoint also detects and blocks anomalous modifications of the Preferences file through HM Surf or other mechanisms that potentially exploit the vulnerability.

According to Microsoft, it was TCC technology that first enabled them to learn how to bypass the technology when they discovered powerdir's vulnerability. Please remember that TCC, as its name implies, is a technology that prevents apps from accessing users' personal information when they are installed and that this includes services such as location services, camera and microphone devices, download directories, and others, without the user's knowledge or consent. 

In the world of mobile applications, the only legal way for them to gain access to these services is by approving a popup through their user interface, or if they approve per-app access via the settings in their operating system. This vulnerability, known as HM-Surf, may allow attackers to bypass key security features on macOS systems, which gives them a chance to gain access to sensitive data through the use of malicious code. It is possible that users who are not authorized to exploit the flaw could exploit macOS' own security functions, such as the sandboxing mechanisms and restrictions on file access. 

HM-Surf exploit is a vulnerability that allows attackers to gain enhanced privileges, which allows them to access sensitive data and files that would otherwise require a login and password. Initial warnings were raised about this vulnerability because it played a role in adware campaigns, where malicious actors used this loophole to install unwanted software on users' devices in order to profit from the vulnerability. There are, however, a lot more dangers than just adware; though, it is only the beginning. If the same vulnerability were weaponized, then it might even be used for more serious attacks, such as data exfiltration, surveillance, or even as a gateway to further malware infiltration in the near future. There is probably no doubt that HM-Surf's unique ability to bypass Apple's robust security architecture is one of the most troubling aspects of this malware. 

Security macOS is widely regarded as a secure platform, but the recent discovery of the HM-Surf vulnerability shows that even advanced systems are not immune to evolving cyber threats. This finding serves as a crucial reminder for users and organizations to prioritize cybersecurity and adopt proactive measures to protect their digital environments. Microsoft's cybersecurity team uncovered HM-Surf, an exploit posing a serious risk to macOS. Their investigation revealed a program altering Google Chrome settings to grant unauthorized microphone and camera access while collecting user and device data. 

These actions suggested preparations for a second-stage payload that could further compromise the device. The culprit was identified as the well-known macOS adware "AdLoad." This malware hijacks browser traffic, inundates users with ads, harvests data, and transforms infected devices into botnet nodes for further malicious activity. Although Microsoft's findings aligned with HM-Surf techniques, the researchers could not conclusively link AdLoad to actively exploiting the vulnerability. 

Nevertheless, they warned that "attackers using a similar method to deploy a prevalent threat" underscored the need for enhanced protection. The HM-Surf vulnerability illustrates the risks associated with macOS, highlighting that no operating system is invulnerable to sophisticated attacks. Exploiting such weaknesses could lead to severe consequences, including financial losses, reputational damage, and the exposure of sensitive data. The evolving nature of these threats suggests that attackers are continuously refining their methods to bypass security measures.

To address these challenges, organizations must adopt a multi-layered approach to cybersecurity. This includes regular system updates, comprehensive monitoring, and user education on safe practices. Deploying advanced threat detection and real-time monitoring can help detect and mitigate attacks before they cause significant harm. Regular security assessments can also identify and address potential vulnerabilities. In summary, the emergence of the HM-Surf vulnerability is a stark reminder of the dynamic landscape of cybersecurity threats. For macOS users and businesses, this discovery emphasizes the need to act swiftly in strengthening defenses and protecting digital assets against evolving risks.
Read more »
Vulnerabilities
CPS critical Cyber Security Cyberattack Cybersecurity Digital Infrastructure National Security public safety Supply Chain Vulnerabilities

Cyberattacks on Critical Infrastructure: A Growing Threat to Global Security

 

During World War II, the U.S. Army Air Forces launched two attacks on ball bearing factories in Schweinfurt, aiming to disrupt Germany’s ability to produce machinery for war. The belief was that halting production would significantly affect Germany’s capacity to manufacture various war machines.

This approach has a modern parallel in the cybersecurity world. A cyberattack on a single industry can ripple across multiple sectors. For instance, the Colonial Pipeline attack affected American Airlines operations at Charlotte Douglas Airport. Similarly, the Russian NotPetya attack against Ukraine spilled onto the internet, impacting supply chains globally.

At the 2023 S4 Conference, Josh Corman discussed the potential for cascading failures due to cyberattacks. The creation of the Cybersecurity and Infrastructure Security Agency’s National Critical Functions was driven by the need to coordinate cybersecurity efforts across various critical sectors. Corman highlighted how the healthcare sector depends on several infrastructure sectors, such as water, energy, and transportation, to provide patient care.

The question arises: what if a cyber incident affected multiple segments of the economy at once? The consequences could be devastating.

What makes this more concerning is that it's not a new issue. The SQL Slammer virus, which appeared over two decades ago, compromised an estimated one in every 1,000 computers globally. Unlike the recent CrowdStrike bug, Slammer was an intentional exploit that remained unpatched for over six months. Despite differences between the events, both show that software vulnerabilities can be exploited, regardless of intent.

Digital technology now underpins everything from cars to medical devices. However, as technology becomes more integrated into daily life, it brings new risks. Research from Claroty’s Team82 reveals that insecure code and misconfigurations exist in software that controls physical systems, posing potential threats to national security, public safety, and economic stability.

Although the CrowdStrike incident was disruptive, businesses and governments must reflect on the event to prevent larger, more severe cyber incidents in the future.

Cyber-Physical Systems: A Shifting Threat Landscape

Nearly every facility, from water treatment plants to hospitals, relies on digital systems known as cyber-physical systems (CPS) to function. These systems manage critical tasks, but they also introduce vulnerabilities. Today, billions of tiny computers are embedded in systems across all industries, offering great benefits but also exposing the soft underbelly of society to cyber threats.

The Stuxnet malware attack in 2014, which disrupted Iran's nuclear program, was the first major cyber assault on CPS. Since then, there have been several incidents, including the 2016 Russian Industroyer malware attack that disrupted part of Ukraine’s power grid, and the 2020 Iranian attempt to attack Israeli water utilities. Most recently, Chinese hackers have targeted U.S. critical infrastructure.

These incidents highlight how cybercriminals and nation states exploit vulnerabilities in critical infrastructure to understand weaknesses and the potential impact on security. China, for example, has expanded its objectives from espionage to compromising U.S. infrastructure to weaken its defense capabilities in case of a conflict.

The CrowdStrike Bug and Broader Implications

The CrowdStrike bug wasn’t a malicious attack but rather a mistake tied to a gap in quality assurance. Still, the incident serves as a reminder that our dependence on digital systems has grown significantly. Failures in cyber-physical systems—whether in oil pipelines, manufacturing plants, or hospitals—can have dangerous physical consequences.

Although attacks on CPS are relatively rare, many of these systems still rely on outdated technology, including Windows operating systems, which account for over 25% of vulnerabilities in the CISA Known Exploited Vulnerabilities Catalog. Coupled with long periods of technological obsolescence, these vulnerabilities pose significant risks.

What would happen if a nation-state deliberately targeted CPS in critical infrastructure? The potential consequences could be far worse than the CrowdStrike bug.

Addressing the vulnerabilities in CPS will take time, but there are several steps that can be taken immediately:

  • Operationalize compensating controls: Organizations must inventory assets and implement network segmentation and secure access to protect vulnerable systems.
  • Expand secure-by-design principles: CISA has emphasized the need to focus on secure-by-design in CPS, particularly for medical devices and automation systems.
  • Adopt secure-by-demand programs: Organizations should ask the right questions of software vendors during procurement to ensure higher security standards.
Although CPS drive innovation, they also introduce new risks. A failure in one link of the global supply chain could cascade across industries, disrupting critical services. The CrowdStrike bug wasn’t a malicious attack, but it underscores the fragility of modern infrastructure and the need for vigilance to prevent future incidents
Read more »
Vulnerabilities
Baxer CISA Cyber Bugs Cyber Security Cyberattacks CyberCrime Cyberhackers Cyberthreats Mitsubishi Products Vulnerabilities

CISA Identifies Industrial Cybersecurity Bugs in Baxter and Mitsubishi Products

 


A report published recently by the Cybersecurity and Infrastructure Security Agency (CISA) warned about two new ICS vulnerabilities found in products widely used in healthcare, critical manufacturing, and other sectors susceptible to cybercrime activity. Among the affected products are Baxter's Connex Health Portal, as well as Mitsubishi Electric's MELSEC line of programmable controllers for the home and office. 

In response to the vulnerabilities found in the respective technologies, both vendors have released updates to plug the vulnerabilities and recommended mitigations for customers who wish to mitigate risk further. According to CISA's advisory, two vulnerabilities were identified in Baxter's Connex Health Portal (formerly Hillrom and Welch Allyn) that could be remotely exploited and have low attack complexity, which made them suitable for remote attacks. 

The CVE-2024-6795 vulnerability is one of the highest severity (CVSS score of 10.0) SQL injection vulnerabilities that an unauthenticated attacker could exploit to run arbitrary SQL queries on affected systems through one of the vulnerabilities, assignment CVE-2024-6795. It was described by CISA that this vulnerability would allow attackers to view, manipulate, and delete sensitive data, in addition to taking other administrator-level actions, including shutting down the database in some cases. As part of the U.S. 

Cybersecurity and Infrastructure Security Agency (CISA) various advisory letters regarding industrial control systems (ICS) have been released, including one specifically for medical devices as well as two updates. As part of the project, we are developing advisories that serve to provide ICS owners with timely information about security threats, vulnerabilities, and exploits. It had previously been announced that the cybersecurity agency was deploying advisories across critical infrastructure sectors to warn users and technical administrators about ICS vulnerabilities and offer mitigation strategies. 

Hughes Network Systems has identified hardware vulnerabilities in its WL3000 Fusion software equipment that are caused by bugs in the hardware. This report contains updated information on vulnerabilities in Mitsubishi Electric's MELSEC iQ-R, Q, and L Series, as well as the MELSEC iQ-R, iQ-L Series, and the MELIPC Series, which are all produced by Mitsubishi Electric. During the CISA study, the vulnerability in the hardware architecture of the Baxter Connex Health Portal was also identified. 

CISA warned it in an advisory that Hughes' WL3000 Fusion Software deployed across critical infrastructure sectors appears to have several vulnerabilities that are not sufficiently protected such as credentials that are insufficiently protected and sensitive data that are not encrypted. The report states that if these vulnerabilities are exploited successfully, an attacker could gain access read-only to information associated with network configurations and terminal configurations, and otherwise gain access to confidential data. 

It is important to note that credentials for gaining access to device configuration information are stored in flash memory unencrypted. It is also possible with these credentials, to gain read-only access to information about the network configuration and terminal configuration. It has been assigned the designation CVE-2024-39278 as the vulnerability that needs to be addressed. The CVSS v3.1 base score was determined to be 4.2 out of a possible five points, and the CVSS v4 base score was calculated to be 5.1. 

A report by CISA also revealed that credentials for accessing device configurations were being transmitted using an unencrypted protocol that was not secure. These credentials would allow the administrator to access only the data associated with the configuration of the network and the terminals. The vulnerability has been identified as CVE-2024-42495 and it has been assigned a severity of critical. The CVSS v3.1 base score has been determined to be 6.5, and the CVSS v4 base score has also been calculated to be 7.1, based on the CVSS v3.1 and CVSS v4 scores. 

During publishing this advisory, Hughes Networks pointed out that the vulnerabilities had been corrected, which did not require any user action.  There is a risk of remote attackers, unauthenticated and remotely situated, running arbitrary SQL queries anywhere, at any time, including accessing, changing, and deleting sensitive data, as well as performing administrative operations on the database such as halting it. 

Two vulnerabilities in this system are associated with one CVE-2024-6795, and a CVSS v3.1 base score of 10.0 has been calculated for this vulnerability. A CISA report also indicated that the system was not appropriately protecting against an improper access control vulnerability in the application. As a result, an unauthorized user could have access to clinical and sensitive information about patients, as well as be able to change or delete information about the clinic. 

There has been a vulnerability identified as CVE-2024-6796 and it has been assigned a CVSS v3.1 base score of 8.2, which makes it a high vulnerability. As revealed by the advisory, Baxter is unaware of any exploits of these vulnerabilities or any compromises of personally identifiable information or health information related to this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has identified and flagged vulnerabilities in industrial control systems (ICS) used in products from Baxter and Mitsubishi. 

These vulnerabilities, which posed potential cybersecurity risks, were promptly addressed by both companies. Following their discovery, Baxter implemented the necessary patches to rectify the issues. As a result, no further action is required from users at this time. In addition to these remedial actions, CISA has issued general recommendations to mitigate future risks. One of the key suggestions is to minimize network exposure for all control system devices and systems, ensuring that they are not directly accessible from the internet. 

CISA further advises that control system networks and remote devices should be placed behind firewalls and segregated from business networks to enhance security. For instances where remote access is necessary, organizations are encouraged to adopt more secure solutions such as Virtual Private Networks (VPNs). However, CISA stresses the importance of maintaining up-to-date versions of VPN software, as vulnerabilities may exist in older versions. 

It is also emphasized that the overall security of the VPN is dependent on the security of the devices it connects to, underscoring the need for comprehensive security measures across all connected devices. By following these defensive measures, organizations can reduce the likelihood of exploitation and enhance the security of their industrial control systems against potential cyber threats.
Read more »
WordPress
Cache Plugin Cyber Attacks CyberCrime Cyberhackers Cybersecurity CyberThreat LitesSpeed Patchstack Vulnerabilities WordPress

Critical LiteSpeed Cache Plugin Flaw CVE-2024-28000 Sparks a Surge in Cyberattacks

 


According to cyber security researchers, there is a critical security flaw in the LiteSpeed Cache plugin for WordPress that users can exploit without authentication to gain administrative privileges on the site. It is an all-in-one site acceleration plugin that features an exclusive server-level cache along with a suite of optimization features designed to make the websites more efficient with LiteSpeed Cache for WordPress. As a WordPress Multisite plugin, LowSide supports a wide range of plugins, including WooCommerce, bbPress, and Yoast SEO, for the best possible experience. 

There is no compatibility issue with ClassicPress when using LiteSpeed Cache for WordPress. In LiteSpeed Cache, which comes bundled with WordPress, there is a critical vulnerability that can allow attackers to take full control of millions of sites once a rogue admin account is created. This is an open-source and almost universally popular WordPress site acceleration plugin with over 5 million active installations, and it also supports WooCommerce, bbPress, ClassicPress, and Yoast SEO. It is available as a free download. 

In LiteSpeed Cache versions 6.3.0.1 and earlier, the plugin's user simulation feature has an unauthenticated privilege escalation vulnerability (CVE-2024-28000). As a result of this vulnerability, the highest bounty has been awarded in the history of bug bounty hunting for WordPress. This researcher has been rewarded USD 14,400 in cash through the Patchstack Zero Day program as part of this award. It would be great if anyone else interested in joining the community as well would be able to benefit from the program. 

This vulnerability has been automatically protected for all Patchstack users who have enabled protection, so they are no longer at risk. For only $5 per site per month, Patchstack offers a free Community account, where users can scan for vulnerabilities and apply protection for only $5 / site per month by creating a PatchStack account. It is the plugin's user simulation feature that is vulnerable to the vulnerability, as it uses a weak security hash as part of its security process. 

It must be said that the hash value is generated by using an insecure random number generator and the value is stored without being salted or related to a particular request made by the user.  The Patchstack security research tool warns that the hash is relatively easy to guess due to the limited number of possible values, which allows attackers to iterate through all possible hashes to discover the appropriate one and to simulate a user who is an administrator. 

This vulnerability affects all versions of the LiteSpeed Cache plugin for WordPress, from version 6.3.0.1 onwards. In addition, the plugin is susceptible to privilege escalation attacks. Certainly! Here is the rewritten information in a formal, expanded, and third-person tone: --- The security vulnerability identified as CVE-2024-28000 in the LiteSpeed Cache plugin has been linked to a critical issue concerning the improper restriction of role simulation functionality. This flaw allows a user with access to a valid hash—discoverable through debug logs or susceptible to brute-force attacks—to alter their current user ID to that of an administrator. 

This, in turn, enables unauthenticated attackers to impersonate an administrator and utilize the `/wp-json/wp/v2/users` REST API endpoint to create a new user account with administrative privileges. The vulnerability is present in all versions of the LiteSpeed Cache plugin up to and including version 6.3.0.1. The vulnerability was addressed in LiteSpeed Cache version 6.4, released on August 13, 2024. Website administrators utilizing the plugin are strongly advised to update to this latest version to prevent exploitation. 

The urgency of this update is underscored by a report from Wordfence, a leading WordPress security provider, which disclosed that over 30,000 attacks targeting CVE-2024-28000 were blocked within a single day. This surge in attacks illustrates the swift adoption of this exploit by cybercriminals, who are leveraging the vulnerability to compromise WordPress installations. Currently, the attacks are predominantly directed at non-Windows-based WordPress sites. This is because the vulnerability exploits a PHP method called `sys_getloadavg()`, which is not available on Windows systems. 

Consequently, while Windows-based WordPress installations are not vulnerable to this specific exploit, other systems remain at significant risk. The flaw was reported to Patchstack's bug bounty program by security researcher John Blackbourn on August 1, 2024. The LiteSpeed development team promptly created and released a patch with LiteSpeed Cache version 6.4 on August 13. Successful exploitation of this vulnerability can grant unauthenticated visitors administrator-level access, potentially allowing them to fully control compromised websites. 

This control includes installing malicious plugins, altering critical settings, redirecting traffic to harmful sites, distributing malware to visitors, or stealing user data. Additionally, in June 2024, the Wordfence Threat Intelligence team reported that a threat actor had compromised at least five plugins on WordPress.org, adding malicious PHP scripts to enable the creation of administrator accounts on affected websites. 

To protect against this vulnerability, Wordfence Premium, Wordfence Care, and Wordfence Response users were provided with a firewall rule effective from August 20, 2024. Users of the free version of Wordfence will receive similar protection starting on September 19, 2024.
Read more »
Vulnerabilities
Cyber Security Digital Communication email security Malware Detection Vulnerabilities

Email Security Vulnerabilities: Shocking Gaps in Malware Detection

Email Security Vulnerabilities: Shocking Gaps in Malware Detection

In an era where digital communication dominates, email remains a fundamental tool for personal and professional correspondence. However, recent research by web browser security startup SquareX has exposed alarming vulnerabilities in email security. 

The study, titled “Security Bite: iCloud Mail, Gmail, Others Shockingly Bad at detecting malware, Study Finds,” highlights the shortcomings of popular email service providers in safeguarding users from malicious attachments.

The State of Email Security

1. The Persistent Threat of Malicious Attachments

  • Despite advancements in cybersecurity, email attachments continue to be a prime vector for malware distribution.
  • Malicious attachments can carry viruses, trojans, ransomware, and other harmful payloads.
  • Users often unknowingly open attachments, leading to compromised devices and data breaches.

2. The SquareX Study

Researchers collected 100 malicious document samples, categorized into four groups:

  • Original Malicious Documents from Malware Bazaar
  • Slightly Altered Malicious Documents from Malware Bazaar (with changes in metadata and file formats)
  • Malicious Documents modified using attack tools
  • Basic Macro-enabled Documents that execute programs on user devices

These samples were sent via Proton Mail to addresses on iCloud Mail, Gmail, Outlook, Yahoo! Mail, and AOL.

3. Shockingly Bad Detection Rates

The study’s findings were alarming:

  • iCloud Mail and Gmail failed to deliver any of the malicious samples. Their malware detection mechanisms worked effectively.
  • Outlook, Yahoo! Mail, and AOL delivered the samples, leaving users potentially exposed to threats.

Implications and Recommendations

1. User Awareness and Caution

  • Users must exercise caution when opening email attachments, even from seemingly legitimate sources.
  • Educate users about the risks associated with opening attachments, especially those from unknown senders.

2. Email Providers Must Step Up

  • Email service providers need to prioritize malware detection.
  • Regularly update and enhance their security protocols to prevent malicious attachments from reaching users’ inboxes.
  • Collaborate with cybersecurity experts to stay ahead of evolving threats.

3. Multi-Layered Defense

Implement multi-layered security measures:

  • Attachment Scanning: Providers should scan attachments for malware before delivery.
  • Behavioral Analysis: Monitor user behavior to detect suspicious patterns.
  • User Training: Educate users about phishing and safe email practices.

4. Transparency and Reporting

  • Email providers should transparently report their detection rates and improvements.
  • Users deserve to know how well their chosen service protects them.

What next?

Always think before you click. The SquareX study serves as a wake-up call for email service providers. As the digital landscape evolves, robust email security is non-negotiable. Let’s bridge the gaps, protect users, and ensure that our inboxes remain safe havens rather than gateways for malware.
Read more »
Vulnerabilities
AI workload scaling Anyscale CVE Cyber Security Cybersecurity hacking campaign python Ray Framework ShadowRay Vulnerabilities

Hackers Exploit Flaw in Ray Framework to Breach Servers

 

The Ray framework, a tool for scaling AI and Python workloads in open source, has been found vulnerable to multiple flaws that enable hackers to take control of devices and pilfer sensitive data. Cybersecurity researchers from Oligo disclosed their discoveries about a new hacking campaign named “ShadowRay”.

Operating since early September 2023, ShadowRay targeted various sectors including education, cryptocurrency, and biopharma by exploiting five distinct vulnerabilities in Ray. Four of these vulnerabilities, identified as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023, were patched by Anyscale, the developer of Ray. However, the fifth vulnerability, labelled as a critical remote code execution (RCE) flaw and tracked as CVE-2023-48022, remained unaddressed.

Anyscale defended the unpatched vulnerability, stating that it was a deliberate decision rather than a bug, as Ray lacks built-in authentication. They indicated their intention to introduce authentication in a future release as part of a defense-in-depth strategy. Anyscale argued that exploitation of this RCE flaw would only be feasible in deployments deviating from their recommended network environment controls.

In contrast, Oligo criticized Anyscale's stance, highlighting that disputing the CVE left many developers unaware of potential security risks. They termed the unresolved CVE as a "shadow vulnerability", explaining that it could lead to breaches despite not being detected in static scans. 

Oligo observed numerous instances of the CVE-2023-48022 actively exploited in the wild, resulting in compromised Ray servers and the theft of sensitive data, including AI models and production database credentials, along with instances of cryptominer installations.


Read more »
wireless chargers
Academic attacks Cyber Security electromagnetic interference Researchers Security VoltSchemer Vulnerabilities wireless chargers

Researchers Develop 'VoltSchemer' Assaults Aimed at Wireless Charging Systems

 

A team of researchers from the University of Florida, collaborating with CertiK, a Web3 smart contract auditor, have uncovered potential security threats in wireless charging systems. Their research introduces new attack methods, named VoltSchemer, which exploit vulnerabilities in these systems by manipulating power supply voltages.

The VoltSchemer attacks, outlined in a research paper, target weaknesses in wireless charging setups, allowing attackers to disrupt charging devices, tamper with voice assistants, and override safety mechanisms outlined in the Qi standard. Notably, these attacks utilize voltage fluctuations from the power source, requiring no direct modifications to the chargers themselves.

While wireless chargers are generally considered more secure than wired alternatives due to their reliance on near-field magnetic coupling, the researchers argue that they are still susceptible to manipulation. By tampering with power signals, attackers could potentially compromise communication between the charger and the device being charged, leading to malicious actions.

The underlying issue lies in the susceptibility of wireless chargers to electromagnetic interference (EMI) caused by voltage fluctuations. This interference can modulate the power signals transmitted by the charger, enabling attackers to manipulate the magnetic field produced and issue unauthorized commands to connected devices.

In their experiments, the researchers tested the VoltSchemer attacks on nine commercially available wireless chargers, all of which were found to be vulnerable. By inserting a disguised voltage manipulation device, such as a modified power port, between the power adapter and the charger, the researchers successfully executed the attacks.

The consequences of these attacks were significant, with charging smartphones experiencing overheating and devices such as key fobs, USB drives, SSD drives, and NFC cards being permanently damaged or destroyed. The researchers emphasize that the root cause of these vulnerabilities lies in the lack of effective noise suppression in certain frequency bands within wireless charging systems.

Overall, the findings highlight the potential risks associated with wireless charging technologies and underscore the need for improved security measures, especially in high-power systems like electric vehicle (EV) wireless charging.
Read more »
Vulnerabilities and Exploits
cyber attack Cyberattacks Ivanti system hacked USA VPN Vulnerabilities Vulnerabilities and Exploits

Ivanti US Faces Security Crisis, Threatening Worldwide Systems


In a recent development, a critical server-side request forgery (SSRF) vulnerability has been discovered in Ivanti Connect Secure and Ivanti Policy Secure servers, marked as CVE-2024-21893. Security experts have confirmed that this vulnerability is being actively exploited by multiple attackers, raising concerns over the security of affected systems worldwide. 

Let's Understand SSRF and Its Impact 

SSRF vulnerabilities allow attackers to send crafted requests from the vulnerable server, potentially leading to unauthorized access to internal resources, sensitive data exposure, or even full system compromise. Imagine you have a key to open doors in a building. Now, imagine someone tricks you into using that key to open doors you are not supposed to. That is what happens in an SSRF attack. 

Normally, a website can only talk to the outside world through your web browser. But in an SSRF attack, the bad guys make the website talk to other places it is not supposed to, like secret internal parts of a company's network or even random outside websites. This can lead to big problems. 

For example, if the website connects to a secret part of a company's network, the bad guys might steal important information. Or if it connects to a random website, it might give away sensitive data, like your passwords or credit card numbers. 

Ivanti and the Vulnerabilities 

Ivanti raised the alarm about a critical flaw in the gateway's SAML components on January 31, 2024. This vulnerability, identified as CVE-2024-21893, was immediately classified as a zero-day exploit, indicating that hackers were already taking advantage of it. Initially, the impact seemed limited, affecting only a small number of customers. 

However, the exploitation of CVE-2024-21893 opened the door for attackers to sidestep authentication measures and gain unauthorized access to restricted resources on vulnerable devices, specifically those operating on versions 9.x and 22.x. 

Now, according to the threat monitoring service Shadowserver, the situation has escalated. They have detected numerous attackers capitalizing on the SSRF bug, with a staggering 170 unique IP addresses attempting to exploit the vulnerability. This widespread exploitation poses a significant threat to the security of affected systems and the data they hold. 

The disclosure of CVE-2024-21893 revealed a series of critical vulnerabilities affecting Ivanti Connect Secure and Policy Secure VPN appliances. Alongside CVE-2024-21893, two other zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, were also identified on January 10, 2024, prompting Ivanti to release temporary mitigations. 

These vulnerabilities were exploited by the Chinese espionage threat group UTA0178/UNC5221, resulting in the installation of webshells and backdoors on compromised devices. Despite initial mitigations, attackers managed to bypass defenses, compromising even device configuration files. 

What Measures Company is Taking? 

Ivanti postponed firmware patches scheduled for January 22 due to the sophisticated nature of the threat. Given the active exploitation of multiple critical zero-days, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has mandated federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances. 

Only devices that have been factory reset and updated to the latest firmware should be reconnected. However, older versions without a patch remain vulnerable. While this directive is not compulsory for private organizations, they are strongly advised to assess the security status of their Ivanti deployments and overall environment, considering the potential risks posed by these vulnerabilities. 

About the Company 

Ivanti is a company based in Utah, USA, that makes different kinds of computer software for things like keeping your computer safe, managing IT services, tracking IT assets, managing all your devices from one place, controlling who has access to what, and managing the supply chain. It was created in 2017 when two companies, LANDESK and HEAT Software, joined together. Later, they also bought another company called Cherwell Software. Ivanti became more famous because of some big problems with the security of the VPN hardware they sell.
Read more »
Vulnerabilities
connected gadgets Cyber Security Cyber Threats Data Privacy IoT Network Security Remote Work Risks Smart Devices Vulnerabilities

Unveiling the Unseen Cybersecurity Threats Posed by Smart Devices

 

The number of smart devices worldwide has surpassed the global population, with a continuous upward trend, particularly amidst remote and hybrid work settings. Ranjit Atwal, Gartner's senior research director, attributes this surge to the increase in remote work. As work mobility grows, the demand for connected devices like 4G/5G laptops rises, crucial for employees to work from anywhere.

Smart devices encompass gadgets connecting to the internet, like smart bulbs, speakers (e.g., Amazon's Alexa), and wearables such as the Apple Watch. They collect data, enhancing user experience but also pose security risks exploited by cybercriminals. Surprisingly, consumers often overlook security when purchasing smart devices, as shown by Blackberry's research.

In response, the European Union proposed the "Cyber Resilience Act" to enforce cybersecurity standards for all connected devices. Failure to comply may result in hefty fines. Margrethe Vestager from the European Commission emphasizes the need for market products to meet robust cybersecurity measures, likening it to trusting CE-marked toys or fridges.

Security vulnerabilities in smart devices pose threats, as seen in TP-Link's smart lightbulb. Exploiting these vulnerabilities could grant hackers access to networks, risking data and enabling potential malware deployment. Even smart homes face numerous entry points for hackers, as illustrated by investigations conducted by Which?, showcasing thousands of hacking attempts in a week.

Mirai botnet targets smart devices, using brute-force attacks to gain access via weak passwords. In a concerning case, a Google Home speaker was turned into a wiretap due to vulnerabilities, highlighting the potential risks associated with unsecured devices.

Securing home networks becomes paramount. Strategies include:

1. Purposeful Device Selection: Opt for devices that suit your needs, avoiding unnecessary interconnected gadgets.
2. Router Security: Update router settings, change default passwords, and enable automatic firmware updates.
3. Password Management:Use password managers to create strong and unique passwords for each account.
4. Multi-Factor Authentication (MFA): Employ MFA to add layers of verification during logins.
5. Wi-Fi Network Segmentation: Create separate networks for different devices to isolate potential threats.
6. Virtual Private Networks (VPNs):Invest in VPNs to encrypt online activities and protect against cyber threats on unsecured networks.

Implementing these measures strengthens overall cybersecurity, safeguarding personal data and devices from potential breaches and threats.
Read more »
Vulnerabilities
Cryptojacking Cryptojacking Campaign Imperva Imperva Threat Research malware Oracle Weblogic Server Threat research TTPs Vulnerabilities

Imperva Report Previously Undocumented 8220 Gang Activities


Imperva Threat Research team has recently discovered a previously unreported activity from the 8220 gang, which is well-known for mass-deploying a range of constantly evolving TTPs to distribute malware in large quantities. The threat actor has a history of using cryptojacking malware to target Linux and Windows web servers.

The researchers reported the issue in a blog, discussing the group’s attack tactics, recent activities, and indicators of compromise (IoCs) from the threat actor’s most recent campaign. Customers of Imperva are shielded from the known actions of this group. All firms are required to keep their security and patching up-to-date. 

History of the Threat Actor

The 8220 gang, which is believed to be a China-based group, was initially discovered in 2017 by Cisco Talos. The targets include Apache Struts2, Hadoop YARN, and Drupal systems, where the threat actors transmitted cryptojacking malware. Since then, a number of additional researchers have offered updates on the group's growing tactics, methods, and procedures (TTPs), which include making use of vulnerabilities in Log4j and Confluence. The group's use of the Oracle WebLogic vulnerability CVE-2017-3506 to infect specific systems was most recently shown by Trend Micro.

Evolving TTPs

The Imperva Threat Research disclosed the use of malware identified as CVE-2021-44228 and CVE-2017-3506. Also, the researchers revealed that the threat group exploited CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to spread malware.

This vulnerability, frequently linked with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or using compromised, stolen, or leaked credentials, permits remote authenticated attackers to execute code via a gadget chain. The documented exploitation of these vulnerabilities is extensive. This way, it is easier to modify for the distribution of malware. 

The 8220 gang employs two distinct gadget chains: one allows an XML file to be loaded, and this file contains a call to another gadget chain that allows commands to be executed on the operating system.

The report further notes that Imperva Cloud WAF and on-prem WAF have addressed the issues already by mitigating flaws that were used by the 8220 gang for conducting their malicious activities. Some of these vulnerabilities have been listed below:

  • CVE-2017-3506 – Oracle WebLogic Server RCE 
  • CVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization 
  • CVE-2020-14883 – Oracle WebLogic Server Authenticated RCE 
  • CVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE 
  • CVE-2021-44228 – Apache Log4j JNDI RCE 
  • CVE-2022-26134 – Atlassian Confluence Server RCE  

Read more »
Subscribe to: Posts (Atom)