Search This Blog

Showing posts with label Vulnerabilities and Exploits. Show all posts

A Major Flaw in the AI Testing Framework MLflow can Compromise the Server and Data

MLflow, an open-source framework used by many organizations to manage and record machine-learning tests, has been patched for a critical vulnerability that could enable attackers to extract sensitive information from servers such as SSH keys and AWS credentials. Since MLflow does not enforce authentication by default, and a growing percentage of MLflow deployments are directly exposed to the internet, the attacks can be carried out remotely without authentication.

"Basically, every organization that uses this tool is at risk of losing their AI models, having an internal server compromised, and having their AWS account compromised," Dan McInerney, a senior security engineer with cybersecurity startup Protect AI, told CSO. "It's pretty brutal."

McInerney discovered the flaw and privately reported it to the MLflow project. It was fixed in the framework's version 2.2.1, which was released three weeks ago, but no security fix was mentioned in the release notes.

Path traversal used to include local and remote files

MLflow is a Python-based tool for automating machine-learning workflows. It includes a number of components that enable users to deploy models from various ML libraries, handle their lifecycle (including model versioning, stage transitions, and annotations), track experiments to record and compare parameters and results, and even package ML code in a reproducible format to share with other data scientists. A REST API and command-line interface are available for controlling MLflow.

All of these features combine to make the framework an invaluable resource for any organisation experimenting with machine learning. Scans using the Shodan search engine confirm this, revealing a steady increase in publicly exposed MLflow instances over the last two years, with the current count exceeding 800.However, it is likely that many more MLflow deployments exist within internal networks and may be accessible to attackers who gain access to those networks.

"We reached out to our contacts at various Fortune 500's [and] they've all confirmed they're using MLflow internally for their AI engineering workflow,' McInerney tells CSO.

McInerney's vulnerability is identified as CVE-2023-1177 and is rated 10 (critical) on the CVSS scale. He refers to it as local and remote file inclusion (LFI/RFI) via the API, in which remote and unauthenticated attackers can send specially crafted requests to the API endpoint, forcing MLflow to expose the contents of any readable files on the server.

What makes the vulnerability worse is that most organisations configure their MLflow instances to store their models and other sensitive data in Amazon AWS S3. In accordance with a review of the configuration of publicly available MLflow instances by Protect AI, seven out of ten used AWS S3. This means that attackers can use the s3:/ URL of the bucket utilized by the instance as the source parameter in their JSON request to steal models remotely.

It also implies that AWS credentials are most likely stored locally on the MLflow server in order for the framework to access S3 buckets, and that these credentials are typically stored in a folder called /.aws/credentials under the user's home directory. The disclosure of AWS credentials can be a serious security breach because, depending on IAM policy, it can give attackers lateral movement capabilities into an organization's AWS infrastructure.

Insecure deployments result from a lack of default authentication

Authentication for accessing the API endpoint would protect this flaw from being exploited, but MLflow does not implement any authentication mechanism. Simple authentication with a static username and password can be added by placing a proxy server, such as nginx, in front of the MLflow server and forcing authentication through it. Unfortunately, almost none of the publicly exposed instances employ this configuration.

McInerney stated, "I can hardly call this a safe deployment of the tool, but at the very least, the safest deployment of MLflow as it stands currently is to keep it on an internal network, in a network segment that is partitioned away from all users except those who need to use it, and put behind an nginx proxy with basic authentication. This still doesn't prevent any user with access to the server from downloading other users' models and artifacts, but at the very least it limits the exposure. Exposing it on a public internet facing server assumes that absolutely nothing stored on the server or remote artifact store server contains sensitive data."

Unpatched ICS Flaws in Critical Infrastructure: CISA Issues Alert

 

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) released recommendations for a total of 49 vulnerabilities in eight industrial control systems (ICS) utilised by businesses in various critical infrastructure sectors. Several of these vulnerabilities are still unpatched. 

Organizations in the critical infrastructure sectors must increasingly take cybersecurity into account. Environments for ICS and operational technology (OT) are becoming more and more accessible via the Internet and are no longer air-gapped or compartmentalised as they once were. As a result, both ICS and OT networks have grown in popularity as targets for both nation-state players and threat actors driven by financial gain.

That's bad because many of the flaws in the CISA advisory can be remotely exploited, only require a simple assault to succeed, and provide attackers access to target systems so they may manipulate settings, elevate privileges, get around security measures, steal data, and crash systems. Products from Siemens, Rockwell Automation, Hitachi, Delta Electronics, Keysight, and VISAM all have high-severity vulnerabilities. 

The CISA recommendation was released at the same time as a study from the European Union on threats to the transportation industry, which included a similar warning about the possibility of ransomware attacks on OT systems used by organisations that handle air, sea, rail, and land transportation. Organizations in the transportation industry are also affected by at least some of the susceptible systems listed in CISA's alert. 

Critical vulnerabilities

Siemens' RUGGEDCOM APE1808 technology contains seven of the 49 vulnerabilities listed in CISA's alert and is not currently patched. The flaws give an attacker the ability to crash or increase the level of privileges on a compromised system. The device is presently used by businesses in several critical infrastructure sectors all around the world to host commercial applications. 

The Scalance W-700 devices from Siemens have seventeen more defects in various third-party parts. The product is used by businesses in the chemical, energy, food, agricultural, and manufacturing sectors as well as other critical infrastructure sectors. In order to protect network access to the devices, Siemens has urged organisations using the product to update their software to version 2.0 or later. 

InfraSuite Device Master, a solution used by businesses in the energy sector to keep tabs on the health of crucial systems, is impacted by thirteen of the recently discovered vulnerabilities. Attackers can utilise the flaws to start a denial-of-service attack or to obtain private information that could be used in another attack. 

Other vendors in the CISA advisory that have several defects in their products include Visam, whose Vbase Automation technology had seven flaws, and Rockwell Automaton, whose ThinManager product was employed in the crucial manufacturing industry and had three flaws. For communications and government businesses, Keysight had one vulnerability in its Keysight N6845A Geolocation Server, while Hitachi updated details on a previously known vulnerability in its Energy GMS600, PWC600, and Relion products. 

For the second time in recent weeks, CISA has issued a warning to firms in the critical infrastructure sectors regarding severe flaws in the systems such organisations employ in their operational and industrial technology settings. Similar warnings on flaws in equipment from 12 ICS suppliers, including Siemens, Hitachi, Johnson Controls, Panasonic, and Sewio, were released by the FCC in January. 

Many of the defects in the previous warning, like the current collection of flaws, allowed threat actors to compromise systems, increase their privileges, and wreak other havoc in ICS and OT contexts. 

OT systems under attack

A report this week on cyberthreats to the transportation industry from the European Union Agency for Cybersecurity (ENISA) issued a warning about potential ransomware attacks against OT systems. The report's analysis of 98 publicly reported incidents in the EU transportation sector between January 2021 and October 2022 was the basis for the report. 

According to the data, 47% of the attacks were carried out by cybercriminals who were motivated by money. The majority of these attacks (38%) involved ransomware. Operational disruptions, spying, and ideological assaults by hacktivist groups were a few more frequent reasons. 

Even while these attacks occasionally caused collateral damage to OT systems, ENISA's experts did not discover any proof of targeted attacks on them in the 98 events it examined. 

"The only cases where OT systems and networks were affected were either when entire networks were affected or when safety-critical IT systems were unavailable," the ENISA report stated. However, the agency expects that to change. "Ransomware groups will likely target and disrupt OT operations in the foreseeable future."

The research from the European cybersecurity agency cited an earlier ENISA investigation that warned of ransomware attackers and other new threat groups tracked as Kostovite, Petrovite, and Erythrite that target ICS and OT systems and networks. The report also emphasised the ongoing development of malware designed specifically for industrial control systems, such as Industroyer, BlackEnergy, CrashOverride, and InController, as indicators of increasing attacker interest in ICS environments. 

"In general, adversaries are willing to dedicate time and resources in compromising their targets to harvest information on the OT networks for future purposes," the ENISA report further reads. "Currently, most adversaries in this space prioritize pre-positioning and information gathering over disruption as strategic objectives."

A Privacy Flaw in Windows 11's Snipping Tool Exposes Cropped Image Content

 

A serious privacy vulnerability known as 'acropalypse' has also been discovered in the Windows Snipping Tool, enabling people to partially restore content that was photoshopped out of an image. 

Security researchers David Buchanan and Simon Aarons discovered last week that a bug in Google Pixel's Markup Tool caused the original image data to be retained even when it was edited or cropped out. This flaw poses a significant privacy risk because it may be possible to partially recover the original photo if a user shares a picture, such as a credit card with a redacted number or revealing photos with the face removed.

To demonstrate the bug, the researchers created an online acropalypse screenshot recovery tool that attempted to recover edited images created on Google Pixel.

The Windows 11 Snipping Tool was also affected

Today, Chris Blume, a software engineer, confirmed that the 'acropalypse' privacy flaw also affects the Windows 11 Snipping Tool. Instead of truncating any unused data when opening a file in the Windows 11 Snipping Tool and overwriting an existing file, it leaves the unused data behind, allowing it to be partially recovered.

Will Dormann, a vulnerability expert, also confirmed the Windows 11 Snipping Tool flaw, and BleepingComputer confirmed the issue with Dormann's assistance. To put this to the test, Bleeping Computer opened an existing PNG file in Windows 11 Snipping Tool, cropped it (you can also edit or mark it up), and saved the changes to the original file. 

While the cropped image comprises far less data than the original, the file sizes for the original image (office-screenshot-original.png) and cropped image (office-screenshot.png) are identical. According to the PNG file specification, a PNG image file must always end with a 'IEND' data chunk, with any data added after that being ignored by image editors and viewers.

However, when used the Windows 11 Snipping Tool to overwrite the original image with the cropped version, the programme did not properly truncate the unused data, and it is still present after the IEND data chunk.

When you open the file in an image viewer, you'll only see the cropped image because anything after the first IEND is ignored. This untruncated data, on the other hand, can be used to partially recreate the original image, potentially revealing sensitive portions.

While the researcher's online acropalypse screenshot recovery app does not currently support Windows files, Buchanan did share with BleepingComputer a Python script that can be used to recover Windows files.

BleepingComputer successfully recovered a portion of the image using this script. This was not a complete recovery of the original image, which may leave you wondering why this poses a privacy risk.

Consider taking a screenshot of a sensitive spreadsheet, confidential documents, or even a naked picture and cropping out sensitive information or portions of the image. Even if you are unable to fully recover the original image, someone may be able to recover sensitive information that you do not want made public. It should also be noted that this flaw does not affect all PNG files, such as optimised PNGs.

"Your original PNG was saved with a single zlib block (common for "optimised" PNGs) but actual screenshots are saved with multiple zlib blocks (which my exploit requires)," Buchanan explained to BleepingComputer.

BleepingComputer also discovered that if you open an untruncated PNG file in an image editor, such as Photoshop, and save it to another file, the unused data at the end is stripped away, rendering it unrecoverable.

Finally, the Windows 11 Snipping Tool behaves similarly to the above with JPG files, leaving data untruncated if overwritten. However, Buchanan told BleepingComputer that his exploit does not currently work on JPGs but that it might in the future. Microsoft confirmed to BleepingComputer that they are aware of the reports and are investigating them.

"We are aware of these reports and are investigating. We will take action as needed to help keep customers protected," a Microsoft spokesperson told BleepingComputer.

Alert Organizations About Aveva HMI, SCADA Vulnerabilities

 


As of recently, several potential vulnerabilities have been identified in Aveva's HMI & SCADA products, which could be of significant concern to organizations using these technologies. The InTouch Access Anywhere HMI and Plant SCADA Access Anywhere products of Aveva and CISA were the subject of a security alert published last week regarding three vulnerabilities. 

One of the researchers at German cybersecurity firm Crisec discovered a high-severity path traversal vulnerability in the software. 

An unauthenticated attacker with access to the network that links to the secure gateway can exploit this vulnerability to read files on the system other than those that are linked to the secured gateway. 

The Full Disclosure mailing list, which Regel belongs to, published a report along with a proof-of-concept (PoC) exploit to demonstrate the difficulty and impact of the vulnerability in September 2022. It was discovered by this man that it was possible for this vulnerability to be exploited, and a vendor hotfix was issued after he disclosed it to be exploitable.  

In combination with the vulnerability identified by CVE-2022-238542, Regel's critical vulnerability gives an unauthenticated attacker with network access to the secure gateway the ability to read files on the system outside of the web server of the secure gateway. 

It was also discovered that there were two other flaws in addition to the path traversal vulnerability. This set of vulnerabilities affects third-party components as well as a critical OpenSSL flaw that can be used to launch a denial-of-service attack or execute arbitrary code, as well as a medium-severity vulnerability that is caused by the use of a vulnerable jQuery version. Several of these vulnerabilities have been addressed by the vendor through the release of software updates. 

The National Cyber Security Centre (NCSC) of the UK also discovered a vulnerability found in Aveva Industries' Plant SCADA and Telemetry Server products. In the event of a remote attack, a remote attacker is capable of reading data remotely, causing a denial of service condition, and manipulating alarm state information. As a result of this vulnerability, both CISA and Aveva are preparing to report it. 

Several potentially serious vulnerabilities in Aviva's HMI and SCADA products should be addressed by organizations. As a result, attackers may be able to access sensitive information, cause a denial of service condition, or alter the alarm state due to these vulnerabilities. To patch all of these vulnerabilities, you are advised to download and install software updates from the vendor as soon as possible to protect your system.   

Enterprise Attack Surface Widening Access Control Gap in Microsoft Active Directory

 

Users in Windows environments may be able to access domains other than those for which they are authenticated due to a security flaw in Microsoft's Active Directory (AD) service that IT administrators may not be aware of. 

The majority of Windows domain-type networks come pre-configured with AD, Microsoft's all-purpose identity management tool for authenticating computers, printers, users, and virtually anything else taking part in an IT environment. According to Frost & Sullivan, tens of thousands of businesses use the service, including 90% of the Global Fortune 1000 corporations.

By using AD to manage authentication across a domain, network administrators may ensure that only authorised users can access the resources that have been assigned to them. 

Nevertheless, Charlie Clark, a security researcher at Semperis, described how a user might circumvent AD's security measures and access domains for which they were not specifically given permission in a study released on March 14. He says that by doing so, an attacker's "attack surface" is greatly enlarged. Obviously, the larger the attack surface, the more likely it is that an attacker will discover an exploitable bug. 

The transitive property of mathematics states that if a = b and b = c, then a = c. In AD, if domain A connects to domain B and domain B links to domain C, domains A and C may or may not be able to access one another depending on whether they share a "transitive trust." According to Microsoft's website, "transitivity controls whether a trust can be extended outside of the two domains with which it was built." 

An external trust—a manually created, nontransitive form of trust in AD—could exist between two domains belonging to two different organisations. The problem, according to Clark, is that one firm can utilise external trust to access sister domains that are part of the same group (referred to by Microsoft as a "forest") as the second, even if no formal external trust has been established for those domains. 

"An authorised user from one domain would only be able to target the precise domain they've established a trust with," as per Clark, assuming what we believed about non-transitive trusts were accurate. They wouldn't be able to go to other domains outside of the forest." 

As opposed to this, "every account within the trusted domain will be able to authenticate against any domain throughout the whole forest in which the trusting domain resides," he stated in his research. 

A malicious user who learns how to move about a forest at will can gain access to things like accounts and data that they shouldn't be able to find.

Clark claims that because it is so simple to take control of one domain inside a forest, it "allows an attacker to have a significantly bigger attack surface from any low-privileged user on a trusted domain." 

On May 4, 2022, Clark informed Microsoft of his initial findings. In an email on September 29, Microsoft stated that "According to our assessment, this submission does not constitute a security issue for servicing. This research doesn't seem to point out any flaws in Microsoft products or services that could allow an attacker to compromise their integrity, accessibility, or confidentiality." The business then concluded the investigation. 

Trust: Why it matters 

Clark spent more than 15 years working as a systems administrator and six years as a pen tester. Every medium-sized to major infrastructure or business I've worked with has had external trusts, he asserts. He claims that if extra safeguards aren't in place, the majority of AD's clients are most likely at risk right now. 

Clark advises administrators to delete all external trusts in order to safeguard against this type of access control misuse in addition to Microsoft's suggestions. The next best thing is to keep track of which users are accessing what if this is not achievable. 

Awareness is ultimately the most crucial factor. A false sense of security could otherwise cause administrators to make mistakes. People can tell that the risk is larger for a trustworthy domain. So they might put more security in place for that domain, Clark says, but they might not put the same level of security in place for the other domains in the forest even though the risk is identical. 

"I think the main thing is to make system admins aware that this is possible," Clark concluded. By knowing this, "they can harden the rest of the domain sufficiently."

LastPass Breach: CISA Warns of Exploited Plex Bug

 


An employee of LastPass was responsible for the massive breach at the company as he failed to update Plex on his home computer when he was updating Plex on his work computer. A potential danger lurks in failing to keep software up-to-date, as this is a sobering reminder of the risks involved. 

In a recent report on the embattled password management service, it was revealed that unidentified actors used information stolen from a previous incident that occurred before August 12, 2022, to launch a coordinated second attack between August and October 2022 based on information that was obtained from a third-party data breach and vulnerabilities in third-party media software packages. 

In the end, an intrusion led to the adversary stealing information about customers and password vault data, which was partially encrypted. 

Secondly, an attack targeted one of the DevOps engineers, forging credentials and breaching the cloud storage environment by infecting the engineer's home computer with keylogger malware. 

In addition to a critical severity vulnerability, CISA added a known exploited vulnerability to its Known Exploited Vulnerabilities (KEV) section (tracked as CVE-2021-39144), exploited by third parties since early December. 

U.S. federal agencies have been made aware that, by a binding operational directive (BOD 22-01) issued by the Army in November 2021, they are now mandated to secure their systems against attacks until March 31st to prevent potential attacks exploiting the two security holes that could impact their networks. 

As part of its ongoing effort to identify security flaws exploited by hackers, CISA has discovered a high-severity and relatively older remote code execution (RCE) vulnerability in Plex Media Server that was discovered almost three years ago.

This issue has been tracked as CVE-2020-5741 and it has been described as a deserialization flaw in Plex Media Server that can be exploited remotely to execute arbitrary Python code, which is also described as a high-severity flaw. 

It should be noted that this vulnerability has been addressed with the release of Plex Media Server 1.19.3, which means the attacker would need administrator rights to exploit the vulnerability successfully. Due to this, it is unlikely that it will be a target of an attack in the future. 

In August 2022, Plex reported that there had been a data breach that could adversely affect over 15 million customers. In this breach, usernames, emails, and passwords were stolen, resulting in the loss of personal information. 

The implications of this are that unpatched Plex Media Server instances are still vulnerable to CVE-2020-5741 attacks and could be exploited by malicious individuals. 

Although the CISA team added the vulnerability to the KEV list without providing any information about its potential in-the-wild exploitation, media reports recently suggested that a Plex bug exploited to hack a DevOps engineer's computer may have been responsible for the data breach at LastPass last year that led to the theft of user vault data.

Unpatched Akuvox Smart Intercom Flaws Can Be Exploited for Spying

 

The E11, a popular smart intercom and videophone from Chinese company Akuvox, contains more than a dozen flaws, including a critical bug that allows unauthenticated remote code execution (RCE). Malicious actors could use these to gain access to an organization's network, steal photos or video captured by the device, control the camera and microphone, and even lock and unlock doors. 

The flaws were discovered and highlighted by Claroty's Team82, a security firm that became aware of the device's flaws when they moved into an office where the E11 was already installed. Team82 members' interest in the device grew into a full-fledged investigation as they discovered 13 vulnerabilities, which they classified into three categories based on the attack vector used.

The first two types can occur via RCE within a local area network or through remote activation of the E11's camera and microphone, allowing the attacker to collect and exfiltrate multimedia recordings. The third attack vector focuses on gaining access to an external, insecure file transfer protocol (FTP) server, which allows the actor to download stored images and data.

The Akuvox 311 contains a critical RCE bug

One critical threat — CVE-2023-0354, with a CVSS score of 9.1 — allows the E11 Web server to be accessed without any user authentication, potentially giving an attacker easy access to sensitive information.

"The Akuvox E11 Web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs," according to the Cybersecurity and Infrastructure Security Agency (CISA), which published an advisory about the bugs, including a vulnerability overview.

Another notable vulnerability (CVE-2023-0348, with a CVSS score of 7.5) affects the SmartPlus mobile app, which iOS and Android users can use to interact with the E11. The main problem is that the app uses the open-source Session Initiation Protocol (SIP) to allow communication between two or more participants over IP networks. The SIP server does not validate SmartPlus users' authorization to connect to a specific E11, which means that anyone with the app installed can connect to any E11 connected to the Internet, including those behind a firewall.

"We tested this using the intercom at our lab and another one at the office entrance," according to the Claroty report. "Each intercom is associated with different accounts and different parties. We were, in fact, able to activate the camera and microphone by making a SIP call from the lab's account to the intercom at the door."

Unpatched Akuvox Security Vulnerabilities

Beginning in January 2022, Team82 detailed their efforts to bring the vulnerabilities to the attention of Akuvox, but after several outreach attempts, Claroty's account with the vendor was blocked. Following that, Team82 published a technical blog detailing the zero-day vulnerabilities and enlisted the help of the CERT Coordination Center (CERT/CC) and CISA.

Organizations that use the E11 should disconnect it from the Internet until the vulnerabilities are fixed, or ensure that the camera is not capable of recording sensitive information. According to the Claroty report, "organizations are advised to segment and isolate the Akuvox device from the rest of the enterprise network" within the local area network. 

"Not only should the device reside on its own network segment, but communication to this segment should be limited to a minimal list of endpoints."

A world of increasingly connected devices has provided sophisticated adversaries with a vast attack surface.As per Juniper Research, the number of industrial internet of things (IoT) connections alone — a measure of total IoT device deployment — is expected to more than double to 36.8 billion in 2025, up from 17.7 billion in 2020.

And, despite the fact that the National Institute of Standards and Technology (NIST) has agreed on a standard for encrypting IoT communications, many devices remain vulnerable and unpatched. Akuvox is the latest in a long line of these that have been found to be severely lacking in device security. Last year, for example, a critical RCE vulnerability in Hikvision IP video cameras was disclosed.

New Cybersecurity Vulnerabilities are Being Discovered Using 'Intelligent Mining'

 

When brute force attacks shut down operations and force mines to pay a ransom, "intelligent mining" activities have emerged as the gold mine for cybercriminals. 

Dr. Pierre Jacobs, the head of cybersecurity operations and compliance at CyberAntix, a member of the Sizwe Africa IT Group, holds this opinion. According to him, cyber security breaches have reached a point where they have legalised this dishonest behaviour, giving criminals the opportunity to commit cybercrimes in conditions that are very similar to those of legitimate organisations. Lone hackers are still around and may wish to stop production for fun or to see how far they can go. 

“South African mining companies are no exception,” Jacobs stated. “The transition from traditional mining practices to intelligent mining is exposing the industry to a new frontier of cyber threats.” 

74% of internet businesses have had serious Computer breaches, according to Fortinet research, and this problem was made worse by the Covid-19 outbreak. With an 11% increase in network intrusions, the mining and manufacturing industries in particular experienced a sharp rise in infiltration activity. 

Attackers are focusing their efforts on Industrial Control Systems (ICS) in a variety of industries because these systems regulate a wide range of automated processes, including measuring devices, packaging equipment, and all the other assembly-line parts that are essential to any production process. Attackers are aware that by focusing on these systems, they might negatively impact business operations. 

Although ICS devices are frequently specific to industries and used for specialised systems or activities, they are normally less well-known than enterprise information technology (IT) devices like laptops, desktops, and smartphones. In this sector, cybercriminal activity is becoming more organised and specialised. 

The bulk of cyberattacks on mining businesses aim to disrupt corporate operations and threaten supply chains by stealing intellectual property and other important data, such as geotechnical studies and production plans. According to Jacobs, the Internet of Things (IoT) is a threat to mines with any amount of automation (IoT). Criminals frequently use email platforms as their first method of entry in all sectors. 

Any of these devices—desktops, laptops, smartphones, even the workplace printer—can serve as entry points for hackers. The fact is that mining operations in South Africa are also impacted by geopolitical concerns, rising geopolitical dangers, and intermittent conflicts between other nations, especially Western nations and China. Mines from throughout the world compete with South African exporters. Competitors worldwide would benefit from any disruption to our supply systems.

Cybersecurity breaches are caused by a number of factors, including a lack of understanding of the Industrial Internet of Things (IIoT) and the Internet of Things (IoT), supply chain weaknesses, lax security procedures used both internally and by outside contractors, identity theft, and insufficient incident response. 

"Strategies to mitigate risk should seek to identify and understand the business models and motivation of the cyber criminals. Businesses also need to understand the risks and vulnerabilities of their industry and anticipate threats," Jacobs concluded. "People, processes, and technologies all pose risks, and to address cyber security threats, it’s important to take a three-pronged approach to security – one that focuses on people, processes, and technologies. The challenge is to secure the enterprise by locking all the information entrance gates to bridge any gaps in the system. Identify critical business systems and then identify risks against those systems. Secure protocols need to be in place wherever there is a connection to the Internet. Real-time monitoring and investigation are vital." 

New Phishing Scam Targets User's With Fake ChatGPT Platform

The general population is fascinated with AI chatbots like OpenAI's ChatGPT. Sadly, the popularity of the AI tool has also attracted scammers who use it to carry out extremely complex investment frauds against naive internet users. Nevertheless, security experts warn that ChatGPT and other AI techniques may be used to rapidly and on a much wider scale produce phishing emails and dangerous code.

Bitdefender Antispam Labs claims that the most recent wave of "AI-powered" scams starts with a straightforward unwanted email. In reality, our researchers were instantly drawn to what seemed to be a harmless marketing ploy, and they went on to uncover a complex fraud operation that poses a threat to participants' wallets and identities.

The initiative is currently focused on Denmark, Germany, Australia, Ireland, and the Netherlands.

How does the Scam Operate?

In the past several weeks, fake ChatGPT apps have appeared on the Google Play and Apple App Stores, promising users weekly or monthly memberships to utilize the service. The con artists behind this specific scheme go above and beyond to deceive customers.

Users who click the email's link are taken to a clone of ChatGPT that tempts them with money-making chances that pay up to $10,000 per month 'just on an exclusive ChatGPT platform.'

The recipient must click on an embedded link to access further information because the email itself is short on specifics. They click on this link to be taken to a bogus ChatGPT chatbot, where they are prompted to invest at least €250 and provide their contact information, including phone number, email address, and card details.

The victim is then given access to a copy of ChatGPT, which varies from the original chatbot in that it provides a limited number of pre-written responses to user inquiries. Only a domain that is blacklisted allows access to this chatbot.

It's nothing unusual for scammers to take advantage of popular internet tools or patterns to trick users. Use only the official website to test out the official ChatGPT and its AI-powered text-generating capabilities. Avoid clicking on links you get in unsolicited mail, and be particularly suspicious of investment schemes distributed on behalf of a corporation, which generally are scams.

Popular Real Estate Theme in WordPress Leaves Websites Vulnerable to Cyber Attacks


The WP Residence Theme: An Overview of a Popular Real Estate Theme

Real estate sites are one of the most famous and thriving sites on the web, and WordPress is one of the most generally used content management systems (CMS) for making and handling these sites. But recent reports have disclosed that there is a flaw in one of the most popular real estate themes for WordPress that has been abused by threat actors to get access to personal info and hack websites.

The flaw exists in the WP Residence theme, which thousands of real estate websites use across the world. The theme lets site owners to make and manage property listings, show property details, and handle user inquiries. The issue coms from a vulnerability in the theme’s code, which lets threat actors to execute arbitrary code and get administrative privileges on the site.

When the threat actors gain access to the website’s backend, they can steal sensitive information, like user credentials, personal data, and financial information. They can also deploy malicious code, which can cause more dangerous attacks, like spreading malware or ransomware, disrupting the site, or launching a distributed denial-of-service (DDoS) attack.

The Discovery of the Vulnerability: How Wordfence Identified the Issue

The flaw was first found by Wordfence, a leading cybersecurity firm that specialises in WordPress security. The firm discovered that the flaw was being actively exploited in the open, which hints that threat actors were already exploiting it to hack real estate websites. The vulnerability impacted all variants of the WP Residence theme up to version 1.60.3, which was launched in January 2021.

Wordfence immediately alerted the theme’s developers, who released a patch to fix the issue. The patch was included in version 1.60.4, which was released in February 2021. Website owners who use the WP Residence theme are urged to update to the latest version as soon as possible to protect their website from potential attacks.

The Importance of Maintaining Strong Website Security Practices

This incident highlights the importance of keeping your website up-to-date with the latest software patches and security updates. Even popular and well-maintained themes and plugins can contain vulnerabilities that can be exploited by hackers. Therefore, it’s essential to have a robust security strategy in place, which includes regular backups, malware scans, and security audits.

In conclusion, the vulnerability in the WP Residence theme is a reminder that no website is immune to cyber-attacks. Website owners need to be vigilant and proactive in securing their websites, especially if they handle sensitive information or financial transactions. By following best practices for website security and staying informed about the latest threats and vulnerabilities, website owners can protect their website and their users from harm.



Rapid7 Report: Attackers are Launching Exploits Faster Than Ever Before

 

Rapid7 has released its latest Vulnerability Intelligence Report, which examines 50 of the most significant security vulnerabilities and high-impact cyberattacks in 2022. The report examines attacker use cases and highlights exploitation trends, as well as provides a framework for understanding new security threats as they emerge. 

According to the report, attackers are developing and deploying exploits faster than ever before. The report includes 45 vulnerabilities that were exploited in the wild, 44% of which were caused by zero-day exploits. In contrast, 56% of the vulnerabilities in the report were exploited within seven days of their public disclosure, a 12% increase over 2021 and an 87% increase over 2020. 

Furthermore, the median time for exploitation in 2022 was only one day. As per the Rapid7 report, only 14 of the vulnerabilities have been exploited to carry out ransomware attacks. Despite ongoing ransomware activity, it is a 33% decrease from 2021.

The decline could imply that ransomware operations have become less reliant on security flaws, but it could also be due to other factors, such as lower reporting of ransomware incidents. Other vulnerability and exploit trends covered in this report include ransomware ecosystem complexity, network perimeter privilege escalation, and the long tail of exploitation across older vulnerabilities.

Caitlin Condon, Rapid7 vulnerability research manager and lead author of the Vulnerability Intelligence Report stated, “Rapid7’s team of vulnerability researchers work around the clock to thoroughly investigate and provide critical context into emergent threats. We produce the annual Vulnerability Intelligence Report to help organizations understand attack trends and proactively address the unique and shared threats they face. The ransomware ecosystem and the cybercrime economy have continued to mature and evolve. As a result, we saw many more ransomware families actively compromising organizations in 2022, which naturally creates challenges for threat tracking and reporting."

Security, IT, and other teams tasked with vulnerability management and risk reduction work in high-pressure, high-stakes environments where separating signal from noise is critical. When a new potential threat arises, information security professionals often need to translate vague descriptions and unproven research artefacts into actionable intelligence for their particular risk models.

Condon further concluded, “Rapid7 is known for its ongoing research initiatives that keep its customers and the broader business community safer. The company is on a mission to create a safer digital world by making cybersecurity simpler and more accessible. We empower security professionals to manage a modern attack surface through our best-in-class technology, leading-edge research, and broad, strategic expertise. Rapid7’s comprehensive security solutions help more than 10,000 global customers unite cloud risk management and threat detection to reduce attack surfaces and eliminate threats with speed and precision. The Rapid7 Insight Platform collects data from across your environment, making it easy for teams to manage vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate your operations.”

How SMB Protocol Functions and its Susceptibility to Vulnerabilities

 

The SMB protocol enables computers connected to the same network to share files and hardware such as printers and external hard drives. However, the protocol's popularity has also led to an increase in malicious attacks, as older versions of SMB do not use encryption and can be exploited by hackers to access sensitive data. It is crucial to understand the different types of SMB and how to stay protected from associated risks. 

The Server Message Block (SMB) is a network protocol used for sharing data between devices on a local or wide area network. Originally developed by IBM in the mid-1980s for file sharing in DOS, it has since been adopted by other operating systems including Microsoft's Windows, Linux, and macOS.

The SMB protocol plays a crucial role in the regular activities of various businesses and groups by providing a convenient means of retrieving files and accessing resources from other computers connected to the network.

Consider a scenario where you are part of a team whose members operate from distinct locations. In such situations, the SMB protocol is an excellent tool for swiftly and effortlessly exchanging files. It enables every team member to retrieve identical data and collaborate on assignments. Several individuals can remotely view or modify the same file as if it were stored on their personal computers.

How Does the SMB Protocol Function?

To establish a connection between the client and server, the SMB protocol employs the request and response method. Here are the steps to make it work:

Step 1: Client request: The client (the device making the request) sends an SMB packet to the server. The packet includes the complete path to the requested file or resource.

Step 2: Server response: The server (the device that has access to the requested file or resource) evaluates the request and, if successful, responds with an SMB packet containing additional information on how to access the data.

Step 3: Client Process: The client receives the response and then processes the data or resource as needed.

SMB Protocol Types

The SMB protocol has seen a few upgrades as technology has advanced. There are several types of SMB protocols available today, including:
  • SMB Version 1: This is the original version of the SMB protocol, released by IBM in 1984 for file exchange on DOS. It was later modified by Microsoft for use on Windows.
  • CIFS: The Common Internet File System (CIFS) is a modified version of SMBv1 that was designed to allow for the sharing of larger files. It was first included in Windows 95.
  • SMB Version 2: SMB v2 was released by Microsoft in 2006 with Windows Vista as a more secure and efficient alternative to previous versions. This protocol added features like improved authentication, larger packet sizes, and fewer commands.
  • SMB Version 3: SMB v3 was released by Microsoft with Windows 8. It was created to boost performance while also adding support for end-to-end encryption and improved authentication methods.
  • Version 3.1.1 of SMB: The most recent version of the SMB protocol was released with Windows 10 in 2015, and it is fully compatible with all previous versions. It adds new security features such as AES-128 encryption and enhanced security features to combat malicious attacks.
What Are the SMB Protocol's Risks?

Although the SMB protocol has been a valuable asset to many businesses, it also poses some security risks. This protocol has been used by hackers to gain access to corporate systems and networks. It has evolved into one of the most popular attack vectors used by cyber criminals to breach systems.

Worse, despite the availability of upgraded versions of SMB, many Windows devices continue to use the older, less secure versions 1 or 2. This increases the likelihood that malicious actors will exploit these devices and gain access to sensitive data.

The following are the most common SMB exploits.
  • Brute Force Attacks
  • Man-in-the-Middle Attacks
  • Buffer Overflow Attacks
  • Ransomware Attacks
  • Remote Code Execution
Maintain Your Safety While Employing the SMB Protocol

Despite the risks associated with the SMB protocol, it remains an important component of Windows. As a result, it is critical to ensure that all business systems and networks are protected from malicious attacks.

To stay safe, only use the most recent version of the SMB protocol, keep your security software up to date, and keep an eye on your network for unusual activity. It is also critical to train your staff on cybersecurity best practices and to ensure that all users use strong passwords. By taking these precautions, you can keep your company safe from malicious attacks.

Most Ransomware Attacks in 2022 Took Advantage of Outdated Bugs

 

In the 2022 attacks, ransomware operators took advantage of a number of outdated vulnerabilities that allowed the attackers to become persistent and migrate laterally to complete their objectives. 

A report from Ivanti released last week stated that the flaws, which are prevalent in products from Microsoft, Oracle, VMware, F5, SonicWall, and several more companies, pose a clear and present danger to organisations who haven't yet remedied them. 

Old bugs are still popular

Ivanti's study is based on data analysis from teams at Securin, Cyber Security Works, and Cyware as well as from its own threat intelligence team. It provides a thorough examination of the flaws that criminals frequently used in ransomware attacks in 2022. 

In attacks last year, ransomware operators used a total of 344 different vulnerabilities, up 56 from 2021, according to Ivanti's analysis. A stunning 76% of these bugs were from 2019 or before. Three remote code execution (RCE) defects from 2012 in Oracle's products, CVE-2012-1710 in Oracle Fusion middleware and CVE-2012-1723 and CVE-2012-4681 in the Java Runtime Environment, were the oldest flaws in the group. 

Ivanti's chief product officer, Srinivas Mukkamala, claims that while the data indicates that ransomware operators leveraged new vulnerabilities quicker than ever last year, many still relied on older vulnerabilities that are still present on enterprise systems.

"Older flaws being exploited is a byproduct of the complexity and time-consuming nature of patches," Mukkamala stated. "This is why organisations need to take a risk-based vulnerability management approach to prioritise patches so that they can remediate vulnerabilities that pose the most risk to their organisation." 

Critical flaws 

Ivanti identified 57 vulnerabilities as affording threat actors the ability to complete their whole goal, making them among the vulnerabilities that pose the most risk. These flaws gave an attacker the ability to acquire initial access, maintain persistence, elevate privileges, get around security measures, access credentials, find resources they might be looking for, move laterally, gather information, and carry out the intended task. 

There were 25 vulnerabilities in this category that were dated 2019 or earlier, including the three Oracle flaws from 2012. Scanners are not presently picking up exploits against three of them (CVE-2017-18362, CVE-2017-6884, and CVE-2020-36195) in products made by ConnectWise, Zyxel, and QNAP, respectively. 

Inadequate input validation was the cause of the majority (11) of the vulnerabilities in the list that presented a full attack chain. Path traversal flaws, OS command injection, out-of-bounds write errors, and SQL injection were some more frequent causes of vulnerabilities. 

The most common flaws are broadly prevalent 

Moreover, ransomware authors have a tendency to favour defects that affect a variety of items. CVE-2018-3639, a form of speculative side-channel vulnerability that Intel disclosed in 2018, was one of the most well-known of them. According to Mukkamala, the flaw affects 345 goods from 26 vendors. Other instances include the famed Log4Shell hole, CVE-2021-4428, which at least six ransomware gangs are presently using as an attack vector. The weakness was one of many that Ivanti discovered threat actors were using as recently as December 2022. At least 176 products from 21 different manufacturers, including Oracle, Red Hat, Apache, Novell, and Amazon, contain it. 

The Linux kernel vulnerability CVE-2018-5391 and the critical elevation of privilege hole in Microsoft Netlogon CVE-2020-1472 are two further flaws that ransomware developers like to exploit because of their widespread availability. The vulnerability has been utilised by at least nine ransomware gangs, including those responsible for Babuk, CryptoMix, Conti, DarkSide, and Ryuk, and it is growing in popularity with other groups as well, according to Ivanti. 

A total of 118 vulnerabilities that were leveraged in ransomware attacks last year were discovered, according to the security research.

According to Mukkamala, "threat actors are particularly interested in defects that are present in most products." 

The closely watched Known Exploited Vulnerabilities (KEV) database maintained by the US Cybersecurity and Infrastructure Security Agency does not contain 131 of the 344 weaknesses that ransomware attackers exploited last year. The database includes information on software weaknesses that threat actors are actively exploiting and that CISA deems to be particularly hazardous. According to CISA, federal entities must prioritise and usually respond to vulnerabilities listed in the database within two weeks. 

Because many businesses use the KEV to prioritise patches, Mukkamala argues it's crucial that these aren't in the CISA KEV. This demonstrates that, although being a reliable resource, KEV does not give a comprehensive overview of all the vulnerabilities that are employed in ransomware attacks. 

57 vulnerabilities that were leveraged in ransomware attacks last year by organisations including LockBit, Conti, and BlackCat have low- and medium-severity rankings in the national vulnerability database, according to Ivanti. The risk, according to the security provider, is that enterprises who utilise the score to prioritise patching may get complacent as a result.

Attackers Use a Poisoned Google Search to Target Chinese-speaking Individuals

A new nefarious campaign has been discovered that promotes malicious websites and fake installers by using tainted Google Search results. FatalRAT is primarily targeting Chinese people in East and Southeast Asia. The IOCs of the threat activities did not correspond to any previously identified threat group. 

According to telemetry data collected by ESET researchers, the campaign began in May 2022 and lasted until January 2023. The most targeted victims were found in China, Hong Kong, and Taiwan, with attacks also occurring in Thailand, Singapore, Indonesia, the Philippines, Japan, Malaysia, and Myanmar. Attackers promoted their rogue websites hosting trojanized installers via Google paid advertisements. These advertisements have now been removed.
 
To host the malicious websites, attackers enrolled several equivalents to legitimate typosquatting domains (such as telegraem[.]org) from (telegram[.]org). These bogus domains host websites that look exactly like the real ones, and they all point to the same IP address. This IP address is associated with a server that hosts multiple fake websites and tainted installers, as well as actual installers and the FatalRAT loader.

Since Chinese language versions of genuine software applications are not available in China, the websites and installers are disguised. Telegram, LINE, WhatsApp, Signal, Skype, Google Chrome, Mozilla Firefox, WPS Office, Electrum, Sogou Pinyin Method, and Youda are among the spoof apps.

The tainted installers were hosted on an Alibaba Cloud Object Storage Service, which isolated them from the server where websites are hosted. Advanced Installer is used to create and digitally sign the installers, which are MSI files.

When run, these installers would drop and execute a genuine installer, a malicious loader, an updater, and, eventually, the FatalRAT payload. When infected, the malware gives the attacker complete control of the victimized device, allowing them to remotely execute commands, harvest data from web browsers, run files, and capture keystrokes.

According to researchers, the tactics used in this attack are not highly sophisticated; however, attackers have made several attempts to make it appear to be one by using paid Google ads, fake domain names, and tainted installers carrying genuine software. When clicking on links promoted as advertisements, users must be mindful and perform multiple mental checks.

Managing Privileges is Essential Security Strategy

In order to stop increasingly sophisticated hacker assaults, having a system that regulates privileged access is crucial. Therefore, one must integrate privilege removal into their cyber strategy to ensure secure protection without loopholes.

Privileged access: What Is It?

Privileged access occurs when a system's technical maintenance, changes, or privileged emergency outages are carried out by an entity using an administrative account or a credential with boosted permissions. This could happen on-site or in the cloud. Technical privileges are separate from high-risk entitlements connected to business operations in this context. For all essential use instances, PAM controls ensure that privileges, including any related mechanisms like privileged accounts or credentials, are used in permitted target systems.

According to several institutions, safeguarding administrator passwords in a password vault entails securing privileged identities. In reality, a comprehensive plan that addresses what qualifies as a privileged action is required.

Eliminating privileges will safeguard one against attacks

Around 80% of breaches include violation of privileges, according to Verizon's Data Breach Investigations Report 2022.

Hackers use linked devices, local repositories, and more to access privileged passwords. As a result, every company's defensive plan should include reducing privilege. A hacker must complete several steps in order to carry out a cyber-attack. To begin with, they hack into the system of the business and then attempt to escalate privileges or move laterally in their investigation process until they find new privileges that offer more access. And finally, when they carry out the attack.

Hence, robbing a hacker of their privileges through PAM stops them from moving on to the next stage. No matter how they entered, if they are unable to pass through, the attack fails. Employing privilege elimination will also defend against a variety of attacks.




Critical Baicells Device Vulnerability Could Make Telecom Networks Vulnerable to Spying

 

Baicells Technologies is a US-based manufacturer of 4G and 5G telecommunications equipment. According to the company, more than 100,000 of its base stations have been installed in 64 different nations worldwide. 

A serious flaw in wireless communication base stations made by Baicells Technologies can be used to take full control of voice and data traffic or to disrupt telecom networks, the latest report revealed. 

Rustam Amin, a threat analyst, has found that at least a few of Baicells' Nova base station products are vulnerable to a serious command injection flaw that can be remotely exploited without authentication by sending specially crafted HTTP requests to the targeted device.

Amin said that by making use of the weakness, known as CVE-2023-24508, an attacker may be able to execute shell commands with root capabilities and seize total control of a device. The researcher explained that a device might be quickly shut down by an attacker in order to interrupt operations. A targeted network's phone calls and traffic might also be completely under their control. Phone numbers, IMEIs, and location data might all be obtained by a hacker.

However, carrying out such an assault is not a simple task and necessitates in-depth familiarity with the targeted network. Amin informed SecurityWeek that there are more than 1,150 internet-accessible devices, most of which are situated in the United States. On January 24, Baicells released a warning to let clients know about the flaw. 

The researcher reported that the vendor responded quickly to his notification and quickly released a patch. The impacted base stations are Nova 227, 233, 243, and 246. With the introduction of version 3.7.11.3, the security flaw has been fixed. Although other items may also be compromised, the vendor's advice only lists Nova products as being affected. 

Last week, a warning about CVE-2023-24508 was released by the US Cybersecurity and Infrastructure Security Agency (CISA). Amin recently found several flaws that might be used to manipulate traffic signals in the Econolite EOS traffic controller software.

Following a Breach at ION Group, LockBit Hackers Received a Ransom

LockBit hackers who took credit for a severe hack at financial data company ION claim that a ransom was paid, although they would not specify the sum or provide any proof that the payment had been transferred. Meanwhile, the ION Group chose not to comment on the situation. 

The British spying intelligence agency GCHQ's National Cyber Security Agency told Reuters there's nothing further to add. A key to access the files should be provided by the hacking gang if a ransom is paid. As per cybersecurity experts, ransomware often demands the individual file-by-file decryption of computer servers, which can involve days or weeks. Additionally, a machine that has had its data decrypted cannot be trusted after that point and must be wiped clean and rebuilt from scratch. PCs often speed up the process.

After a business pays a ransom, additional ransomware gangs might try to extort them once more by using the company's IT system flaws. Considering to be completely secure, ransomware victims might seek to redesign their technical infrastructure.

In addition, victims' files are kidnapped by LockBit, the group behind the ION assault, which also demands payment by February 4 to prevent their disclosure.

Ransoms should not be paid, according to the National Cyber Security Centre of the UK, 42 of ION's clients were impacted by the early-morning Tuesday attack. Eventually, it caused several banks and brokers in Europe and the US to conduct some trades manually, thus setting them back for decades. About the attack, the FBI has contacted ION management.

LockBit Ransomware Group

In certain cases, the affiliate of LockBit 3.0 is required to start the ransomware binary using a 32-character password. The typical assault procedure consists of infecting the device, encrypting files, removing specific services, and changing the device's background image.

The information can be offered for sale on the dark web if the ransom is not paid. Cobalt Strike, a security testing tool, and a series of malware attacks have been linked to LockBit 3.0's abuse of Windows Defender.

Operating with affiliates who may lack the means to develop and launch attacks, LockBit uses a ransomware-as-a-service (RaaS) business model. The associated hacker in this case receives a percentage of the ransom, based on a December 2022 warning from the U.S. Department of Health & Human Services.

Among the most expensive and disruptive concerns for businesses globally in recent years has been ransomware. Several ransomware groups not only encrypt a victim's files in exchange for a ransom payment, but they also steal data and threaten to expose it online as an added inducement to pay up.

Numerous brokers have experienced difficulties as a result of the exchange-traded financial derivatives trading and clearance being impacted by the ransomware attack on ION. Reuters reports that among the numerous ION customers whose operations have been interrupted are ABN Amro Clearing and Intesa Sanpaolo, the largest bank in Italy.

Specifically, Targeted VMware RCE Vulnerabilities

 


As of today, VMware's vRealize Log Insight platform is vulnerable to three security vulnerabilities, that have been exposed by publicly available exploit code. This has enabled cybercriminals to weaponize these vulnerabilities in a variety of ways. Several critical unauthenticated remote code execution (RCE) bugs have been found. 

In the vRealize Log Insight platform, VMware claims that the platform is moving forward under the name Aria Operations, which provides intelligent log management for infrastructures and applications "in any environment," VMware states. In addition to offering IT departments visibility across physical, virtual, and cloud environments, dashboards and analytics are also able to be extended by third parties. This is done through the use of third-party extensions. 

This platform is typically incorporated into an appliance and can gain access to sensitive areas of an organization's IT infrastructure across a wide range of devices. 

Once an attacker has gained access to the Log Insight host, he could exploit some interesting features depending on the type of application he integrates with. This is according to Horizon.ai researcher James Horseman, who examined the publicly available exploit code. Often, the ingested logs may include sensitive information from other services. This includes session tokens, API keys, and personally identifiable information, all of which can be gathered during an attack. Having acquired keys and sessions on one system, one could pivot to another. This would enable one to further compromise the system by obtaining the key and session from the other system. 

As a result, according to Dustin Childs, chief executive officer of Trend Micro's Zero Day Initiative (ZDI), the organization responsible for disclosing the vulnerabilities, organizations need to be aware of the risks associated, particularly since these bugs and their accessibility are low barriers to exploitation. 

This type of centralized log management tool can be used in an enterprise to do centralized log management. However, using this tool for this type of centralized log control poses a substantial risk for the enterprise. This is because VMware recommends that the patch be tested and deployed as quickly as possible after it has been received by you. 

VMware vRealize Log Insight Bugs: An In-Depth Look 

According to the original VMware advisory, both critical issues carry severity scores of 9.8 out of 10. As a result, malicious actors may be able to inject files into an impacted appliance's operating system. This could result in remote code execution if an unauthenticated, malicious actor can perform such a task. 

A first-case vulnerability (CVE-2022-3172) allows an attacker to traverse a directory, which is the most serious vulnerability; a second-case vulnerability (CVE-2022-31704) allows an attacker to exploit some issues with access control. 

As for the third flaw, it is a denial of service vulnerability that is less likely to trigger a denial of service due to its risk of being exploited by an unauthenticated malicious actor (CVE-2022-31710, CVSS 7.5), which could allow an unauthenticated malicious actor to remotely trigger a denial of service. 

Creating a Bug Chain to Facilitate a full Takeover of a System

It was revealed by researchers at Horizon.ai that the three exploit issues could have been chained together after they identified the code in the wild. This led VMware to update its advisory today as a result. 

As Horseman wrote, it is apparent that this particular vulnerability chain [combined] can be exploited very easily. However, he added that it requires some kind of infrastructure setup to serve malicious payloads to the attacker. There is an issue with this vulnerability that allows remote code execution as root, which means an attacker can take full control of a computer by exploiting this vulnerability. 

However, he did point out that the product is intended for use in an internal network. There were 45 cases out there in which the appliances were discovered to be publicly exposed on the internet based on Shodan data. Despite that, it should be noted that the chain can be used both internally and externally. 

"It's very likely that the attacker already has a foothold somewhere else on the network by the time they target this product since this product is not likely to be exposed to the Internet," he noted. To determine if there has been any damage caused by an attacker, additional investigation is necessary.

The virtualization giant released a cache containing the three vulnerabilities last week as part of a larger cache that contained one other weakness. A medium-severity vulnerability that has the potential to enable data harvesting without authentication (CVE-2022-31711, CVSS 5.3) is another weakness. Currently, there is no public exploit code for the latter, but that could change shortly, especially since cybercriminals are becoming increasingly interested in VMware's offerings. 

Likely, other issues could also be exploited in a variety of ways in the future. To prove that the vulnerabilities exist, ZDI's children claim that they have proof-of-concept code available. The researchers did not think it would be a surprise if others were able to come up with an exploit quickly. 

What are the Best Practices for Protecting an Enterprise? 

Admins should apply VMware's patches to their organizations as soon as possible to ensure that their organizations are protected, or use another workaround recommended by VMware. A recent release by Horizon.ai has also enabled organizations to track the progress of any attacks by publishing indicators of compromise (IoCs). 

The key to ensuring that your log data is protected is to make sure that you are using either vRealize or Aria Operations for centralized log management, Childs advises. Aside from patching, which should be the first step, there are other things to consider. These include whether it is connected to the Internet and whether there is an IP restriction on who can access the platform. Furthermore, it reminds us that every tool or product within an organization is a potential target for an attacker to gain a foothold.