Search This Blog

Showing posts with label Vulnerabilities and Exploits. Show all posts

Reddit Enabled Attackers to Perform Mod Actions due to IDOR Flaw


Due to a vulnerability in Reddit, attackers were able to execute moderator activities or elevate normal users to mod status without the necessary authorization.  Since Reddit admins have the ability to pin or remove content, block other users, and modify subreddit metadata, the weakness may have allowed for all sorts of mischief. 

According to a recent HackerOne report, a bug researcher with the handle 'high ping ninja' discovered that while attempting to access the mod logs using GraphQL, Reddit failed to validate if the user was a moderator of a certain subreddit. 

“You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained. 

On August 3, an insecure direct object reference (IDOR) flaw was reported and patched on the same day. Insecure direct object references (IDOR) are a form of access control vulnerability that occurs when an application directly accesses objects using user-supplied data. 

The word IDOR gained popularity after appearing in the OWASP Top Ten in 2007. It is, however, simply one of several access control implementation errors that can lead to access restrictions being evaded. IDOR vulnerabilities are most often connected with horizontal privilege escalation, although they can also occur with vertical privilege escalation. 

“I increased severity to high based on our program policy,” a member of the Reddit triage team said in the disclosure notes. The researcher received a $5,000 bug reward for his discovery.

Phishing Scam Exploit's American Express, Snapchat Open-Redirect Threats

Phishing emails aimed at users of Google Workspace and Microsoft 365 have been sent as a result of open-redirect vulnerabilities affecting the American Express and Snapchat domains.

The term "open redirects" refers to a software vulnerability that makes it simpler for hackers to point users toward harmful resources they control.

Vulnerabilities :

Open redirect occurs when a website doesn't validate user input, allowing hackers to modify the URLs of domains with stellar reviews to route consumers to malicious sites. Because the initial domain name in the altered link is a well-known one, like American Express or Snapchat, victims will believe it.

The link may seem secure to an untrained eye because the first domain name in the modified link is actually the domain name of the original site. According to email security firm INKY, the trusted domain, such as American Express or Snapchat, serves as a temporary landing page before redirecting the user to a malicious website.

DocuSign, FedEx, and Microsoft were used as baits in phishing emails distributed to the Snapchat group, which led to sites that harvest user credentials. Researchers from Inky claim that 6,812 phishing emails sent from Google Workspace and Microsoft 365 hacked over the course of two and a half months used the Snapchat open redirect.

On August 4, 2021, professionals informed Snapchat of a vulnerability through the Open Bug Bounty site, but nothing has been done to fix it.

The matter was made worse by the discovery of the American Express open-redirect vulnerability in more than 2,000 phishing emails in only two days in July. The vulnerability has since been patched, as per the report, and any user who opens the link now is led to an error page on the company's legitimate website.

Prevention cautions

Roger Kay of INKY provided easy measures for preventing open redirect attacks:
  • Domain owners can undertake a few easy actions if they want to further reduce open redirect attacks. First, don't use redirection at all in your site architecture. Domain owners can, however, build an allowlist of permitted safe links to reduce open-redirect misuse if it's required for business reasons.
  • Additionally, domain owners have the option to display caution about external links before forwarding viewers to external websites.
  • Users should be on the lookout for URLs that include things like "url=," "redirect=," "external-link," or "proxy" as they explore websites online. These strings can suggest that a reputable domain might reroute traffic to another website.
  • Additionally, recipients of emails with links should look for repeated instances of "http" in the URL, another possible sign of redirection.

Emergency Alert System Bugs Can Help Actors Distribute Fraud Messages


The U.S Department of Homeland Security (DHS) has issued a warning of critical vulnerability in the Emergency Alert System (EAS) encoding/decoding devices. If not fixed, the bugs will allow threat actors to send out fraud emergency alerts on cable networks, TV, and radio. 

The advisory came on August 1 from DHS' Federal Emergency Alert Agency (FEMA). Cybersecurity experts Ken Pyle found out about the vulnerabilities. 

FEMA said the EAS national test in 2021 was very similar to regular monthly tests typically originated by state authorities. 

During the test, radios and televisions across the country interrupted normal programming to play the EAS test message in English or Spanish. 

"The EAS national test in 2021 was very similar to regular monthly tests typically originated by state authorities. During the test, radios and televisions across the country interrupted normal programming to play the EAS test message in English or Spanish," reports FEMA.

EAS is a U.S. national public warning system that allows state authorities to send out information in less than 10 minutes if there's an emergency. These warnings can interrupt TV and radio to show emergency alert information. 

Information about the bugs has not been disclosed to prevent threat actors from exploiting them, but we can expect the details publicly soon as a proof-of-concept at the DEF CON conference going to take place in Las Vegas next week. 

Basically, the flaws are public knowledge and will be shown to a large audience in the following weeks. 

To control the vulnerability, users are advised to update the EAS devices to the latest software versions, use a firewall to secure them, and keep an eye on audit and review logs for signs of any suspicious access (unauthorised). 

"The testing process is designed to evaluate the effectiveness of the IPAWS Open Platform for Emergency Networks and assess the operational readiness of the infrastructure for distribution of a national message and determine whether technological improvements are needed," reports FEMA.

Bug Discovered in DrayTek Vigor Routers by Trellix

The widely used series of DrayTek Vigor routers for small businesses have been found to have a significant, pre-authenticated remote code execution (RCE) vulnerability. Researchers caution that if it is exploited, it may enable total device takeover as well as access to a larger network.

The DrayTek Vigor series of business routers has 29 variants that are vulnerable, according to threat detection company Trellix. Although other versions that share the same codebase are also affected, the problem was initially identified in a Vigor 3910 device.

In under 30 days from the time, it was discovered, the Taiwan-based maker delivered firmware patches to fix the flaw. 

The vulnerability CVE-2022-3254 could enable a remote, unauthenticated attacker to run arbitrary code and seize total control of a susceptible device. The hacker might get hold of breach private data, spy on network activity, or use the exploited router to run a botnet. Denial of service (DoS) conditions can result from unsuccessful exploitation efforts.

DrayTek Vigor devices benefited from the "work from home" trend during the pandemic to gain a reputation. Over 700,000 online devices were found in a Shodan search, with the majority being in the UK, Vietnam, Netherlands, and Australia. This is susceptible to attack without user input.

The vulnerability can be exploited without the need for user input or passwords thanks to the default device configuration, which allows for both LAN and internet access.

At least 200,000 of the discovered routers were determined by the researchers to expose the vulnerable service on the internet, making them easily exploitable without user input or any other specific requirements. The attack surface is reduced because many of the remaining 500,000 are considered vulnerable using one-click attacks, but only via LAN.

Although Trellix has not detected any evidence of this vulnerability being exploited in the wild, threat actors frequently employ DrayTek routers as a target for their hacks, therefore it's crucial that customers apply the patch as soon as they can.

There have been no indications of CVE-2022-32548, although as CISA recently highlighted, state-sponsored APTs from China and others frequently target SOHO routers.

Three XSS Bugs Can Cause Complete System Shutdown

What is the bugs trio?

Cybersecurity experts have rolled out information about a trio of cross-site scripting (XSS) vulnerabilities in famous open-source applications that can cause remote code execution (RCE).

Researchers from PT Swarm found the security bugs in the web development applications Evolution CMS, FUDForum, and Gitbucket. 

A primitive XSS attack lets the threat actor's JavaScript code run in the victim user's web browser, which opens the door for cookie theft, redirects to a phishing site, and a lot more. 

Cross-Site Scripting (XSS) is one of the most widely faced attacks in web apps. If a threat actor deploys a javascript code into the app output, not only steals cookies, but it also leads to complete compromise of the systems sometime. In this blog post, we'll try to understand how XSS-driven remote code execution is achieved through examples of Evolution CMS, FUDForum, and Gitbucket. 

Evolution CMS V3.1.8

The first bug, Evolution CMS V3.1.8, allows a hacker to launch a reflected XSS attack in various locations in the admin section. Aleksey Solovev says in case of a successful attack on an administrator authorized in the system, the index.php file will be overwritten with the code that the attacker placed in the payload.

FUDForum v3.1.1

The second vulnerability, discovered in FUDForum v3.1.1, can possibly let a hacker launch a stored XSS attack.  Aleksey Solovev says FUDforum is a super fast and scalable discussion forum. It is highly customizable and supports unlimited members, forums, posts, topics, polls, and attachments. 

The FUDforum admin panel has a file manager that allows you to upload files to the server, including files with the PHP extension. An attacker can use stored XSS to upload a PHP file that can execute any command on the server.

Bitbucket v4.37.1

In the last vulnerability, Bitbucket v4.37.1, a security bug was found that can allow an attacker to launch a stored XSS attack in various locations. Aleksey Solovev says having a stored XSS attack can try to exploit it in order to execute code on the server. The admin panel has tools for performing SQL queries – Database viewer.

GitBucket uses H2 Database Engine by default. For this database, there is a publicly available exploit to achieve a Remote Code Execution. So, all an attacker needs to do is create a PoC code based on this exploit, upload it to the repository and use it during an attack:

LockBit Ransomware Exploits Windows Defender to Load Cobalt Strike Payloads


A hacker linked with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been identified exploiting the Windows Defender command-line tool to decrypt and install Cobalt Strike payloads.

According to endpoint security firm SentinelOne, the ransomware operator exploited VMware command-line utility called VMwareXferlogs.exe, to alter VMware tool settings and interface in the targeted operating systems, and downloaded a Cobalt Strike payload. The hacker also leveraged a command line tool associated with Windows Defender named “MpCmdRun.exe to” decrypt and load Cobalt Strike payloads. 

Subsequently, the malicious actor exploited the Log4Shell vulnerability which is the bug found in an open-source logging library employed by apps and services across the internet, and implemented a reconnaissance for thorough observation of the network to download the Cobalt Strike Payload.

SentinelOne stated that Windows Defender needs to be vigilant regarding the current scenario as hackers associated with the LockBit ransomware are exploring to abuse “novel living off the land tools” to deploy Cobalt Strike beacons bypassing traditional AV detection tools. 

“Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel ‘living off the land’ tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools,” SentinelOne said. 

“Importantly, tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for. Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls,” the company added. 

The LockBit ransomware has been active since 2019 and it has likely been used to target thousands of organizations. 

Earlier this year in June, the Lockbit ransomware gang announced the launch of Lockbit 3.0, a new ransomware-as-a-service offering and a bug bounty program. The group said it will offer rewards ranging between $1,000 and $1 million to security researchers and ethical or unethical hackers for information regarding vulnerabilities in their website, the ransomware encryption process, the Tox messaging app, and bugs exploiting their Tor infrastructure.

This Path Traversal Bug Enabled Hackers to Delete Server Files


Due to a security flaw in the file transfer programme CompleteFTP, unauthenticated attackers were able to delete arbitrary files on vulnerable installations. 

CompleteFTP is a proprietary FTP and SFTP server for Windows developed by EnterpriseDT of Australia that supports FTPS, SFTP, and HTTPS. A security researcher known as rgod uncovered a problem in the HttpFile class that stems from the failure to properly validate a user-supplied path before utilising it in file operations. 

A security advisory explains, “This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP server. An attacker can leverage this vulnerability to delete files in the context of SYSTEM.” 

The vulnerability was given CVE-2022-2560 and was addressed in CompleteFTP version 22.1.1. Other security changes in this release include the SHA-2 cryptographic hash algorithm for RSA signatures and a new format for PuTTY private keys.

Sharing below a brief capture of the vulnerability:
  • CVSS SCORE: 8.2, (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
  • ADDITIONAL DETAILS: Fixed in version 22.1.1.

SharpTongue: A Malware from North Korea that Monitors Emails

About SharpTongue

Threat actor SharpTongue, which is linked to North Korea, was found using a malicious extension on Chromium-based browsers to keep surveillance on victims' Gmail and AOL email accounts. Experts from cybersecurity agency Volexity found the hackers as SharpTongue, but its activities coincide with one of the Kimsuky APT groups. 

The SharpTongue's toolset was covered by Huntress in 2021 in a published report, but in September 2021, Volexity started noticing usage of earlier unreported Malware strain, in the past year. Volexity has looked over various cybersecurity cases which involve SharpTongue and in most of the incidents, hackers use a malicious Microsoft Edge or Google Chrome extension known as "SHARPEXT." 

How does SharpTongue operate?

Contrary to other extensions in use by the Kimsuky APT group, SHARPEXT doesn't steal passwords or usernames, however, it accesses the target's webmail account while they're browsing it. The present version of the extension backs three browsers and is capable of stealing the contents of e-mails from AOL webmail and Gmail accounts. 

The report analysis says that SHARPEXT is a malicious browser extension deployed by SharpTongue following the successful compromise of a target system. In the first versions of SHARPEXT investigated by Volexity, the malware only supported Google Chrome. 

The current variant 3.0 supports three browsers:

  • Edge
  • Chrome
  • Whale (It is used in South Korea)

The attack process

The attack chain begins with hackers manually extracting files required to install extensions from the malicious workstation. After a breach of the victim's Windows system, the hackers change the web browser's Preferences and Secure Preferences. 

After that, hackers manually deploy SHARPEXT via a VBS script and enable the DevTools panel in the active tab to keep surveillance on the email contents and steal file attachments from the target's mail account. This is done via PowerShell script, hackers also conceal warning messages running developer mode extensions. 

Security Affairs report, "experts pointed out that this is the first time the threat actor used malicious browser extensions as part of the post-exploitation phase. Stealing email data from a user’s already-logged-in session makes this attack stealthy and hard to be detected by the email provider. The researchers shared the YARA rules to detect these attacks and Indicators of Compromise (IOCs) for this threat."

Cross Site Scripting Bugs Identified in Google Cloud and Play


A security researcher recently discovered a pair of vulnerabilities in Google Cloud, DevSite, and Google Play allowing hackers to launch cross-site scripting (XSS) attacks, and creating the way for account hacking. 

The first vulnerability is a reflected XSS flaw in Google DevSite. The hacker could exploit the vulnerability by employing malicious links to run JavaScript on the origins and, meaning a malicious actor could read and alter its contents, circumventing the same-origin policy. 

“Due to a vulnerability in the server-side implementation of part of the URL was reflected as html so it was possible to get XSS on the origins using that component from the 404 page,” researcher ‘NDevTK’, explained in a blog post. 

The second vulnerability is a DOM-based XSS on Google Play. DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This allows hackers to implement malicious JavaScript, which typically paves a way to hijack other users’ accounts.

The researcher explained in his blog that the CSP would mitigate the Google Play XSS vulnerability. Yet, Google still preferred to reward the bug discovery with a hefty bounty of $3,133.70 for the DevSite bug and $5,000 for the vulnerability in Google Play. 

“On the search page of [the] Google Play console vulnerable code was run when the search resulted in an error. Getting an error was simple as doing /?search=& and because window.location includes the hash which never encodes ' it’s possible to escape the href context and set other html attributes. Unlike the DevSite XSS this is prevented by the CSP but was still awarded more by the panel,” the researcher added. 

Last year in November, a researcher at Persistent System unearthed cross-site scripting (XSS) vulnerability in Chrome’s ‘New Tab’ page (NTP) that allowed hackers to run arbitrary JavaScript code. The hackers exploited the vulnerability by sending an HTML file to the target that contained a cross-site request forgery (CSRF). 

If the target opened the file, the CSRF script started operating and the query was stored in the browser’s search history. When the user opened an NTP for a second time and clicked on the Google search bar, the malicious code was triggered.

SonicWall: Patch Critical SQL Injection Flaw Immediately


SonicWall, a security firm, issued patches to fix a severe SQL injection (SQLi) vulnerability in its Analytics On-Prem and Global Management System (GMS) products. 

SonicWall patched a significant SQL injection (SQLi) vulnerability in its Analytics On-Prem and Global Management System (GMS) products, identified as CVE-2022-22280 (CVSS score 9.4). 

“Improper Neutralization of Special Elements used in an SQL Command leading to Unauthenticated SQL Injection vulnerability, impacting SonicWall GMS and Analytics On-Prem.” reads the advisory published by the company. 

According to SonicWall experts, adding a Web Application Firewall that can identify and stop SQLi assaults can considerably lower the risk of exploitation. Hatlab DBappSecurity's H4lo and Catalpa identified the issue. The following is a list of fixed software: 
Product  and Fixed Version 
  • GMS: 9.3.1-SP2-Hotfix-2 
  • Analytics: 
Organizations are advised to upgrade to the above version as soon as possible. 

“There is no workaround available for this vulnerability,” SonicWall said. “However, the likelihood of exploitation may be significantly reduced by incorporating a Web Application Firewall (WAF) to block SQLi attempts.”

Spyware Maker Candiru Associated to Chrome Zero-day Targeting Journalists


Candiru, an Israeli monitoring outfit, used the newly patched CVE-2022-2294 Chrome zero-day in assaults on journalists. Avast researchers claimed that the DevilsTongue malware, manufactured by Israeli surveillance business Candiru, was utilised in attacks on journalists in the Middle East and exploited the newly resolved CVE-2022-2294 Chrome zero-day vulnerability. 

The issue, which Google addressed on July 4, 2022, is a heap buffer overflow in the Web Real-Time Communications (WebRTC) component; it is Google's fourth zero-day patch in 2022. The majority of the assaults discovered by Avast researchers occurred in Lebanon, and threat actors employed various attack chains to target journalists. 

Since March 2022, further infections have been detected in Turkey, Yemen, and Palestine. In one case, threat actors carried out a watering hole assault by hacking a website frequented by news agency staff. The researchers discovered artefacts associated with exploitation attempts for an XSS flaw on the website. 

The sites contained calls to the Javascript function "alert" as well as terms like "test," implying that the attackers were testing the XSS vulnerability before abusing it to inject the loader for a malicious Javascript from an attacker-controlled domain (i.e. stylishblock[.]com). This injected code was used to send victims to the exploit server via a chain of domains controlled by the attacker. 

Once the victim arrives at the exploit server, the code written by Candiru collects further information about the target machine, and the exploit is utilised to distribute the spyware only if the obtained data satisfies the exploit server. 

“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari.” reads the analysis published by Avast. 

“We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.” 

The zero-day was linked to a sandbox escape vulnerability, but specialists could not retrieve it owing to malware protection. After gaining access to the victim's computer, the DevilsTongue malware attempts to escalate its privileges by exploiting another zero-day vulnerability. 

In a BYOVD (Bring Your Own Vulnerable Driver) way, the malicious software attacks a valid signed kernel driver. To exploit the driver, it must first be dropped to the filesystem; experts noted that this may be exploited. 

“While there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility. Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day.” concludes the report.

Alert WordPress Admins! Uninstall the Modern WPBakery Plugin Immediately


WordPress administrators have been cautioned to uninstall a problematic plugin or risk a total site takeover. This threat is associated with a plugin that is no longer in use: Modern WPBakery page builder extensions. CVE-2021-24284 is a vulnerability in the plugin that allows "unauthenticated arbitrary file upload through the 'uploadFontIcon' AJAX action." 

As a result, attackers might upload malicious PHP scripts to the WordPress site, resulting in remote code execution and site takeover. There has been a significant surge in attacks due to this defunct WordPress relic. 

Researchers detected "many vulnerable endpoints" in Modern WPBakery in 2021, which might lead to the injection of malicious JavaScript or even the deletion of arbitrary data. The goal of the game this time is to upload rogue PHP files and then inject malicious JavaScript into the site. 

Approximately 1.6 million sites have been examined for the presence of the plugin by malicious actors, and current estimates imply that 4,000 to 8,000 websites are still hosting the plugin. Check and delete immediately. 

The current recommendation is to search for the plugin and then uninstall it as quickly as possible. It has been entirely abandoned, and no security updates will be sent. If anyone has it installed, it's only a matter of time until the exploiters find their way to your Modern WPBakery hosting website and begin collecting information. It's advised to as soon as possible, remove this out-of-date invitation to site-wide compromise.

Prototype Bug in Blitz.js. Allows RCE on Node.js Servers


Blitz.js, a JavaScript web online framework, has issued a patch for a critical prototype pollution bug to prevent remote code execution (RCE) on Node.js servers. 

Prototype pollution is a specific kind of JavaScript vulnerability that allows hackers to manipulate the structure of the programming language and exploit it in multiple ways, Paul Gerste, security researcher at Sonar explained. It also allowed hackers to exploit the code in the Blitz.js app to design a reverse shell and run arbitrary commands on the server. 

Blitz is designed on top of Next.js, a React-based framework, and adds components to turn it into a full-stack web development platform. One of the popular components of Blitz.js is its ‘Zero-API’ layer, which allows the customer to employ specific functions to call server-side business logic without having to design API code. 

Additionally, it makes an RPC call to the server in the background and returns the response to the client function call. Gerste identified a chain of exploits that could be exploited via the prototype pollution bug and lead to RCE. 

The attackers target Node.js by sending a JSON request, a browser service that enables two-way data exchange with any JSON data server without exposing users’ data, to the server, which triggers the routing function of Blitz.js to load a JavaScript file with the polluted prototype. This allows the hacker to employ the malicious JavaScript object to implement arbitrary code. 

In an ideal scenario, the hacker would design and run a file on the server. But Blitz.js does not support upload functionality. However, it has a CLI wrapper script that uses JavaScript’s spawn() function to launch a new process. 

The attacker could use this function to launch a CLI process and run an arbitrary command on the server. The vulnerability can be triggered without any authentication, which means any user who can access the Blitz.js application will be able to launch RCE attacks.  

“This attack technique leverages a code pattern that isn’t a vulnerability in itself,” Gerste explained. “Prototype pollution can influence the target application in a very invasive way, and it would require a lot of work to get rid of all code that could be influenced by prototype pollution.” 

In his blog post, the researcher mentioned some general recommendations to safeguard JavaScript apps against prototype pollution, including freezing 'object.prototype or using the --disable-proto=delete flag in Node.js

“I think prototype pollution is still unknown to many JavaScript developers,” Gerste added. “I don’t see developers often use the patterns that we recommended in our article. With our blog posts, we try to help educate JavaScript developers and share this knowledge.”

Homeland Security Warns Log4j’s 'Endemic' Threats for Years to Come


The US Department of Homeland Security (DHS) published the Cyber Safety Review Board's (CSRB) first report into the December 2021 Log4j incident, when a variety of vulnerabilities with this Java-based logging framework were revealed, this week. 

The report's methodology comprised 90 days of interviews and information requests with around 80 organisations and individuals, including software developers, end users, security specialists, and businesses. 

This was done to ensure that the board met with a wide range of representatives and understand the complexities of how different attack surfaces are constructed and defended. According to the report, although standardised and reusable "building blocks" are essential for developing and expanding software, they also allow any possible vulnerability to be mistakenly included in multiple software packages, putting any organization that uses those programs at risk. 

According to the report, while Log4j remains dangerous, the government-wide approach helped tone down the vulnerability. The board also noted the need for extra financing to help the open-source software security community, which is primarily comprised of volunteers. 

Industry experts, such as Michael Skelton, senior director of security operations at Bugcrowd, said of Log4J: “Dealing with it is a marathon, one that will take years to resolve. Java and Log4j are prevalent everywhere, not only in core projects but in dependencies that other projects rely on, making detection and mitigation not as simple an exercise as it may be with other vulnerabilities.” 

John Bambenek, the principal threat hunter at Netenrich, was more critical of the report’s timing, believing that “anyone still vulnerable is highly unlikely to read this report or in much of a position to do anything about it if they did. Most of the American economy is small to medium businesses that almost always never have a CISO and likely not even a CIO. Until we find ways to make the public without security budgets safe, no high-level list of best practices will move the ball significantly.” 

The CSRB report went on to state that, thankfully, it is unaware of any large Log4j-based attacks on critical infrastructure assets or systems, and that efforts to hack Log4j happened at a lesser level than many experts expected. 

The paper, however, emphasises that the Log4j incident is "not over" and will continue to be an "endemic vulnerability" for many years, with considerable risk persisting. The research concluded with 19 actionable recommendations for government and business, which were divided into four divisions. They were as follows:
  • Address Continued Risks of Log4j
  • Drive Existing Best Practices for Security Hygiene
  • Build a Better Software Ecosystem
  • Investments in the Future

Vulnerabilities in the ExpressLRS Protocol Enable the Takeover of Drones


The ExpressLRS protocol for radio-controlled (RC) drones is vulnerable to flaws that might allow device takeover. Researchers warn of vulnerabilities in the ExpressLRS protocol for radio-controlled (RC) drones, which may be exploited to take control of unmanned vehicles. 

ExpressLRS is a high-performance open-source radio control link that achieves maximum range while maintaining minimal latency. An attacker may take control of any receiver by watching the communication from the connected transmitter, according to a recently released alert. After watching traffic from a similar transmitter, it is feasible to take control of any receiver using merely a normal ExpressLRS compatible transmitter. 

An attacker may be able to extract a portion of the identity shared by the receiver and transmitter due to security flaws in the binding process. The examination of this section, along with a brute force attack, can lead to the discovery of the remaining part of the identifier. Once the attacker has acquired the whole identifier, it may use a transmitter to take control of the craft holding the receiver without knowing the binding phrase. This attack scenario is software-capable when utilising typical ExpressLRS compliant hardware. 

“ExpressLRS uses a ‘binding phrase’, built into the firmware at compile time to bind a transmitter to a receiver. ExpressLRS states that the binding phrase is not for security, it is anti-collision.” reads a bulletin published by NccGroup. 

“Due to weaknesses related to the binding phase, it is possible to extract part of the identifier shared between the receiver and transmitter. A combination of analysis and brute force can be utilised to determine the remaining portion of the identifier. Once the full identifier is discovered, it is then possible to use an attacker’s transmitter to control the craft containing the receiver with no knowledge of the binding phrase. This is possible entirely in software using standard ExpressLRS compatible hardware.” 

The ExpressLRS protocol encrypts the phrase using the hashing technique MD5, which is known to be cryptographically weak. The experts discovered that the "sync packets" that are transferred at regular intervals between transmitter and receiver for synchronisation reasons leak a significant portion of the binding phrase's unique identity (UID). The remaining portion may be determined via brute-force assaults or by watching packets over the air without brute-forcing the sequences. 

The advisory read, “Three weaknesses were identified, which allow for the discovery of the four bytes of the required UID to take control of the link. Two of these issues relate to the contents of the sync packet.”

“(i) The sync packet contains the final three bytes of the UID. These bytes are used to verify that the transmitter has the same binding phrase as the receiver, to avoid a collision. Observation of a single sync packet, therefore, gives 75% of the bytes required to take over the link. (ii) The CRC initialiser uses the final two bytes of the UID sent with the sync packet, making it extremely easy to create a CRC check.” 

The third weakness occurs in the FHSS sequence generation. 

“Due to weaknesses in the random number generator, the second 128 values of the final byte of the 4-byte seed produce the same FHSS sequence as the first 128,” the advisory concludes. 

Experts advised the users against transmitting the UID via the control connection while adding that the data used to construct the FHSS sequence should not be sent wirelessly. They also suggest that the random number generator be improved by employing a more secure approach or modifying the present algorithm to deal with repeated sequences.

SAP Security Patch for July: Six High Priority Notes

The July 2022 patch release from SAP was released in addition to 27 new and updated SAP Security Notes. The most serious of these problems is information disclosure vulnerability CVE-2022-35228 (CVSS score of 8.3) in the BusinessObjects Business Intelligence Platform's central administration console.

Notes for SAP Business One 

The three main areas that are impacted by the current SAP Security Notes are as follows, hence Onapsis Research Labs advises carefully reviewing all the information:
  • In integration cases involving SAP B1 and SAP HANA, with a CVSS score of 7.6(CVE-2022-32249), patches a significant information release vulnerability. The highly privileged hackers take advantage of the vulnerability to access confidential data that could be used to support further exploits.
  • With a CVSS rating of 7.5 (CVE-2022-28771),  resolves a vulnerability with SAP B1's license service API. An unauthorized attacker can disrupt the app and make it inaccessible by sending bogus HTTP requests over the network if there is a missing authentication step.
  • A CVSS score of 7.4(CVE-2022-31593), is the third High Priority note. This notice patches SAP B1 client vulnerability that allowed code injection. An attacker with low privileges can use the vulnerability to manipulate the application's behavior.
On July 20, 2022, SAP announced 17 security notes to fix vulnerabilities of medium severity, the bulk of which affect the NetWeaver Enterprise Portal and Business Objects.

Cross-site scripting (XSS) vulnerabilities in the NetWeaver Enterprise Portal were addressed in six security notes that SAP published, each of which had a CVSS score of 6.1. Medium-severity problems in Business Objects are covered by five more security notes.

The SAP July Patch Day illustrates the value of examining all SAP Security Notes prior to applying patches. 

Microsoft IIS Servers Targeted by SessionManager Backdoor

Since March 2021, threats on Microsoft IIS Servers have used a new backdoor called "SessionManager," according to Kaspersky Lab researchers. 

Victims of the backdoor

SessionManager, the malicious software that takes advantage of one of the ProxyLogon vulnerabilities in Exchange servers, poses as a module for Internet Information Services (IIS), a virtual server application for Windows systems. 

The 24 different targets were spread over the continents of Africa, South America, Asia, Europe, Russia, and the Middle East. They also included political, military, and industrial institutions. To date, a SessionManager variation has compromised 34 servers in total.

Due to the comparable victims and a widely used OwlProxy variation, the researchers describe the attack as the GELSEMIUM malicious attacker.

Features  supported by SessionManager:
  • On the hacked server, reading, writing to, and deleting arbitrary files is possible.
  • Remote command execution also runs on arbitrary programs from the compromised server.
  • Creating connections to any network endpoints that the hacked server is capable of accessing, as well as reading and writing in those connections.
The backdoor also might serve as a post-deployment tool, enabling operators to spy on the intended environment, collect in-memory passwords, and introduce new malicious payloads.

Elements of  command and control code

Since its initial discovery in March 2021, ProxyLogon has drawn the interest of numerous malicious actors, and the most recent attack chain is no exception. The Gelsemium team took use of the flaws to drop SessionManager, a backdoor designed in C++ to handle HTTP requests submitted to the server.

Once the malicious code receives the carefully constructed HTTP requests from the threat actors, it runs the instructions concealed in the requests before sending them to the server to be handled like any other request.

Additionally, the malware serves as a covert route for spying, collects passwords stored in memory, and distributes other tools like Mimikatz and an Avast memory export application.

Rozena Backdoor Deployed by Abusing the Follina Vulnerability


A newly discovered phishing campaign is exploiting the Follina security vulnerability to deploy a private backdoor, named Rozena on the Windows systems. 

"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Cara Lin, a researcher at Fortinet FortiGuard Labs stated in a report published this week. 

Tracked as CVE-2022-30190, the security bug is related to the Microsoft Support Diagnostic Tool (MSDT) that impacts Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. The vulnerability came to light in late May 2022 but the root cause of the flaw has been known for at least a couple of years. 

The latest attack chain is a weaponized Office document that, when opened, links to a Discord CDN URL to retrieve an HTML file ("index.htm") that, in turn, triggers the diagnostic utility employing a PowerShell command to download next-stage payloads from the same CDN attachment space. 

This includes the Rozena implant ("Word.exe") and a batch file ("cd.bat") that's designed to terminate MSDT processes, establish the backdoor's persistence by means of Windows Registry modification, and download a harmless Word document as a decoy. 

The primary function of the Rozena backdoor is to inject a shellcode that launches a reverse shell to the hacker’s device (“microsofto.duckdns[.]org”), in this way the malicious actor can secure full control of the system. 

The exploitation of the Follina security bug is done by distributing the malware via malicious word documents. The word documents act as a dropper and are distributed through emails that contains a password-encrypted ZIP as an attachment, an HTML file, and a link to download, in the body of the email. Multiple malware such as Emotet, QBot, IcedID, and Bumblebee are then injected into the victim’s device. 

According to researchers, the assaults discovered in early April primarily featured Excel files with XLM macros. Microsoft's decision to block macros by default around the same time is said to have forced the hackers to shift to alternative techniques like HTML smuggling as well as .LNK and .ISO files. 

“CVE-2022-30190 is a high-severity vulnerability that lets a malicious actor deliver malware through an MS Word document. Microsoft already released a patch for it on June 14, 2022. In this blog, we showed how an attacker exploits Follina and included details of Rozena and the SGN ShellCode. Users should apply the patch immediately and also apply FortiGuard protection to avoid the threat,” the researcher concluded.

Node.js Patches Various Flaws that may Lead to Attacks

About vulnerabilities

Node.js maintainers released multiple patches for flaws in the JavaScript runtime environment that can cause HTTP request smuggling and arbitrary code execution, among some other attacks. An advisory mentions the information about the seven patched bugs, it includes three seperate HTTP Request Smuggling vulnerabilities. 

The three flaws- a flawed parsing of transfer-encoding bug, tracked as CVE-2022-32213, an errored delimiting of header fields issue, tracked as CVE-2022-32214, and an improper parsing of multi-line transfer encoding exploit, tracked as CVE-2022-32215, can all in the end lead towards HTTP request smuggling. 

The Daily Swig says "the moderate-severity implementation bug (CVE-2022-2097) could cause encryption to fail in some circumstances. AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation will not encrypt the entirety of the data, which could reveal sixteen bytes of data that was pre-existing in the memory that wasn’t written." 

How Severe are these bugs?

The three bugs were rated as "medium" severity, they affect all three variants of the 18.x, 16.x, and 14.x releases lines. llhttp v6.0.7 and llhttp v2.1.5 includes the patches that were updated inside Node.js. 

Other problems 

The advisory also includes information about a DNS rebinding flaw in --inspect through improper IP addresses. Categorised as "high" severity, the bug (CVE-2022-32212) can permit arbitrary code execution, warns the advisory. 

“The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not.When an invalid IPv4 address is provided browsers will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MitM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884,” says the advisory. 

The flaw affects all variants of the 18.x, 16.x, and 14.x releases lines.

Fortinet Fix Multiple Path Traversal Vulnerabilities


Fortinet has patched a slew of security flaws in many of its endpoint security products. On Tuesday, the California-based cybersecurity behemoth, which accounts for more than a third of all firewall and unified threat management deployments globally, published a massive number of firmware and software upgrades (July 5). 

Multiple relative route traversal faults in FortiDeceptor's administrative interface, which sets up virtual computers that act as honeypots for network intruders, are among a quartet of high-severity problems (CVE-2022-30302). 

According to the accompanying Fortinet alert, abusing these may permit a remote and authorised attacker to obtain and delete arbitrary files from the underlying filesystem using carefully crafted web requests. Similarly, path traversal in the named pipe responsible for the FortiESNAC service might allow attackers to gain privilege escalation in Windows versions of the endpoint security and VPN application FortiClient (CVE-2021-41031). 

Meanwhile, the FortiNAC network access control system was vulnerable to a "empty password in configuration file vulnerability," which allowed an authorised attacker to access the MySQL databases via the command line interface (CLI) (CVE-2022-26117). 

Additional flaws

The other high severity issue, which affects the FortiAnalyzer security event analysis appliance, the FortiManager network management device, the FortiOS operating system, and the FortiProxy web proxy, "may allow a privileged attacker to execute arbitrary code or command via crafted CLI 'execute restore image' and 'execute certificate remote' TFTP protocol operations" (CVE-2021-43072). 

Meanwhile, FortiEDR endpoint security solution cross-site scripting (XSS) vulnerabilities (CVE-2022-29057); a privilege escalation issue in FortiManager and FortiAnalyzer (CVE-2022-26118); and stack-based buffer overflows in diagnostic CLI commands impacting FortiOS and FortiProxy (CVE-2022-26118) (CVE-2021-44170). 

The sixth and final medium severity problem affects FortiOS, FortiProxy, FortiSwitch ethernet switches, the FortiRecoder video surveillance system, and the FortiVoiceEnterprise communications system (CVE-2021-42755). Last but not least, a low severity XSS vulnerability impacts FortiOS (CVE-2022-23438).