Search This Blog

Showing posts with label Vulnerability. Show all posts

Kubernetes can be Hacked due to a Container Verification Bug

 


An extremely serious vulnerability in the Kyverno admission controller for container images could permit malicious actors to import a raft of malicious code into the production environments of cloud providers by exploiting this vulnerability. 

Using the Kyverno admission controller, the ability to verify signatures is provided as a mechanism for ensuring that only validated and signed containers are pulled into a given cluster running Kubernetes. Many potentially disastrous scenarios can be averted by doing this. There are a lot of malicious payloads that can be found in booby-trapped container images. These include cryptominers, rootkits, container escapes, lateral movement exploit kits, credential stealers, and more. 

However, there is a bug (CVE-2022-47633) that can be exploited to undermine the functionality of this mechanism. It has been revealed that an attacker could take advantage of this vulnerability and inject unsigned images into any protected cluster, bypassing the policy of image verification. This was stated in a blog post on Dec. 21 by researchers at ARMO. 

There are high stakes here: an attacker can effectively take control of a victim's pod, and let themselves access all of the assets, credentials, and service account tokens of the pod, including the token of the service account, used to access the API server, the researchers cautioned. 

Taking advantage of the vulnerability, one can completely bypass the verification process for image signatures. This gives an attacker a wide range of target options when it comes to an attack on a Kubernetes cluster. Ben Hirschberg, CTO, and co-founder of ARMO describe how any workload can mount cluster secrets and data volumes. By having access to the vulnerability of the Kubernetes cluster of the victim of the attack, the attacker can inject code into the cluster. This code steals data and credentials from the cluster. Additionally, the attacker is also able to inject his or her own code, thus allowing the attacker to take advantage of the victim's CPU for cryptocurrency mining. 

Subverting the Container Admission Controller: An inside look at the bug 

When a new workload is requested from a Kubernetes API server that is defined via an image with a tag, that API server sends a request to the Kyverno admission controller to validate the new workload as defined in the image. 

There are several ways in which the admission controller determines whether a workload is admissible to the cluster. This includes requesting the image manifest and the container registry's signature.

The container runtime starts a new workload based on the image. This is true if the image is checked out, and if the image is not checked out, the image does not proceed. 

According to the advisory, the vulnerability was discovered as a result of the controller's signature validation process downloading the image manifest twice - but only verifying the signature for one of those downloads. 

Hence, the attack looks like this: a malicious registry or proxy is used to socially engineer an administrator into pulling a container image from an infected registry or proxy. In the initial import of the malicious registry file, the admission controller receives a valid, benign, signed image that has been imported by the malicious registry. As of now, everything seems to be working well. 

This is followed by a second request from the admission controller for the manifest of the signed image so that the digest for mutation can be retrieved - and it can then be used to alter the human-readable tag associated with the container. In this instance, no signing validation is performed. This allows a different, unsigned and malicious image to be returned by the malicious registry. This image is ultimately the one that will run on your system if you push the button to start it. 

This is a classic example of a TOCTOU problem, which means a time-of-check-to-time-of-use problem, in which an attacker can bait and switch their victim, according to a research paper published by ARMO. 

Because the image manifest which is going to be used in the end is a different one from the one that was verified, it gives the attacker the chance to trick the client. 

Kyverno users should update to version 1.8.5 as soon as possible since this vulnerability was introduced in version 1.8.3 and has been fixed in the updated version. It is ensured that the same hash of the image will be used for modifying the workload specification and verifying the signature in the patch. 

In particular, this vulnerability affects only Kubernetes with the Kyverno container manager. Hirschberg warned that other methods of verifying image signatures also need to take care not to be vulnerable to this technique. 

Concerns About Container Security are on the Rise 

Hirschberg has noted that containers are an excellent target for cybercriminals because they are typically hosted in the cloud. This gives them access to a huge amount of computational resources, which are extremely valuable and expensive. This enables hackers to steal computational resources and data in a relatively short time while also staying unnoticed for a long period. 

According to him, there are no exact statistics. However, based on the current trend of containers being widely adopted, it is clear that this type of problem is becoming more prevalent in the industry. 

"Security teams are learning how to handle them, and Kubernetes in general. I don't think that it is a true 'blind spot,' but container security teams are still learning the whole environment with many neglected areas", Hirschberg added.

Even though image signature verification has just begun to take off, admission controllers still represent one of those potential areas that may have been neglected due to the early stages of its adoption. Nonetheless, they are also part of a broader dialogue that should be conducted about supply chain software security in a way that considers them an imperative issue. 

During the SolarWinds attack, Hirschberg indicated that the world saw how sensitive this issue is when it comes to trusting the security of external code. Kyverno is a security tool that includes signature validation for the first time in the Kubernetes world, and with this, it introduces additional vulnerabilities. However, it does seem that with these vulnerabilities come security improvements that will enable users to overcome this issue in the future.

Researchers Updated Twitter Data Breach as “More Harmful” Than Reported


Last year, Twitter exposed more than five million phone numbers and email addresses following a massive data breach. The research team of 9TO5Mac has been provided with evidence that suggests the same security vulnerability was exploited by multiple threat actors at the same time. Additionally, several sources have advertised the availability of the hacked data on the dark web for sale as well. 

This vulnerability was first reported back in January by HackerOne. Using this tool, anyone could enter a phone number or e-mail address and then find the Twitter account associated with that number or email address. A Twitter handle can be easily converted into an internal identifier used by Twitter, even though it is an internal identifier utilized by Twitter. 

In reality, a threat actor would be able to construct a single database that would contain Twitter handles, email addresses, and phone numbers accumulated from the web. 

When Twitter released an announcement in May, it confirmed that the vulnerability existed and had been patched, but it did not mention that anyone had exploited it. 

According to the restoration privacy report, a hacker had indeed used the vulnerability to gain access to millions of accounts around the world. He had gotten access to personal information as a result. 

There has been a massive breach of Twitter data, and not just one

In a Twitter thread yesterday, there was a suggestion that some threat actors had accessed the same personal data in more than one way. Having seen evidence of multiple breaches, 9to5Mac can now verify that this is indeed the case. 

The security researchers explained that, in a previous report, they had seen a dataset that contained the same information in a different format, and the source told researchers that it was "definitely a different threat actor." This was just one of several files that they had seen. The researchers at 9TO5Mac found that the dataset was just one of several similar files. 

The majority of the data is based on Twitter users in the UK, most EU member countries, and several US states. 

Essentially, the setting the security researchers are referring to here refers to a setting that is quite deeply buried within the settings of Twitter. This setting appears to be on by default if you open Twitter's settings. 

An estimated 500k record was downloaded within one hour by the bad actors, it has been reported. On the dark web, multiple sources have offered this data for sale for a price between $5,000 and $10,000. 

It has been reported that a security expert's account has been suspended after tweeting about it. There was also another security specialist whose Twitter account was suspended the same day. Chad Loder, a well-recognized computer security expert, predicted Twitter's reaction within minutes of it being announced and it was confirmed by other experts. 

There is evidence that multiple hackers have obtained the same data and combined it with other data sourced from other breaches to steal the information.

Cyber-Spy Exploits are Being Dropped by Drones


The use of drones equipped with cyber-spying equipment was previously limited to abstract academic discussions among cybersecurity enthusiasts, but now, drones can be used in the real world to penetrate networks and steal information. 

On October 10, cybersecurity researcher Greg Linares published a Twitter thread providing a brief overview of a drone-based cyberattack he had recently witnessed while working as a freelance researcher.  

According to Mr. Gohel, the incident began when an unnamed financial company picked up unusual traffic on its network as a result of the hack. In the process of tracing the Wi-Fi signal, the con men discovered two drones on the roof and alongside, they also discovered some other activity on the network. 
 
Linares described one of the drones as being a modified DJI Phantom which carried what he called a "modified Wifi Pineapple device" and the other as being a similarly modified DJI Matrice 600 device which contained "a Raspberry Pi, batteries, GPD mini laptop, a 4G modem, and another Wi-Fi device," he explained. 

In addition to the successful cyberattack, Linares explained that the attackers were also able to access devices connected to the Atlassian Confluence site from the internal page. This was done to steal credentials and other information. During the threat hunters' investigation, they discovered that one of the drones had been damaged but was still functional. 

"In light of the limited success of this attack, it appears that once the attackers were detected, they crashed the drone as they were recovering it from the ground," Linares claimed on Twitter.

He further explained that a drone attack of this kind would probably not cost more than $15,000 to be put together, although he did not provide an exact figure. 

As he explained in his warning, attackers spend this amount of money on internal devices and do not care about destroying them. "This is the third real-world attack I have encountered from a drone in the last two years," he added. 

Ransomware is Now the Top Attack Vector Due to Bug Exploitation

 



Security experts at Secureworks have revealed that vulnerability exploitation has accounted for 52% of ransomware incidents investigated by the company over the past 12 months. This makes it the number one initial access vector for attackers, according to a new report published by the company.

As an annual report, the security firm's State of the Threat report is compiled based on the insight gathered from the anti-terrorism unit of the organization over the past year.

A leading ransomware researcher has found that last year, ransomware actors mainly used vulnerabilities found in systems exposed to the Internet to increase their effectiveness, rather than to take advantage of credentials  often associated with the compromise of Remote Desktop Protocol (RDP), and using malicious emails.

Reports suggested that this shift in tactics may directly result from a significant imbalance between the capabilities of threat actors and network defenders. This imbalance may explain this shift in tactics.

At the same time as threats are rapidly weaponizing newly discovered vulnerabilities, developers of offensive security tools (OSTs) are also driven by the need to generate profit or keep their tools relevant  to implement updated exploit code as soon as possible, the report illustrated. 

A lot of people often overlook the fact that responsible disclosure is often about not having to wait for patches to become available. Even if a patch is available, the process of patching a vulnerability in an enterprise environment is far more complicated and much slower than the process for threat actors or OST developers of weaponizing publicly accessible exploit code.

As a result, vulnerability management teams must also take precautions against the persistent threat of credential-based attacks. In a recent report, Secureworks reported a 150% growth in the use of info-stealers that are designed to grab credentials from networks and gain access to them in an attempt to steal sensitive information.

There has been an investigation launched by an anti-virus vendor on a single day in June, during which it claimed to have observed over 2.2 million credentials, which were collected by criminals who stole information and made them available for sale on an underground platform.

According to Secureworks, ransomware continues to represent the number one threat to global organizations, accounting for more than a quarter of the attacks analyzed by the company. Among the threats that have been reported, most of them have been linked to Russian cybercrime groups.

So far this year, the good news is that the median dwell time of attackers has dropped from 22 days in 2021 to 11 days. This is a decrease of two days from last year, but it still leaves attackers with plenty of time to steal data from organizations and deploy the payloads for ransomware attacks.

Preventions for ransomware attacks


Safeguarding your systems from malware attacks includes simple yet effective measures like

• Never click on unknown or unauthorized links or stores.
• Never input your personal information on unofficial stores or websites.
• Never click on any unknown attachments on emails.
• Never plug into any unknown USB sticks.
• Never download any software or application from unauthorized sources.
• Always keep your systems up-to-date.
• Always work under VPN security while using public wi-fi.
 
To ensure that the vulnerabilities do not get exploited, you need to identify and address them as soon as possible. Keeping track of your vital systems and their security is impossible without implementing an effective vulnerability management system (VM). 

Choosing the right VM tools is important as they provide accuracy, guidance in the right directions, and efficiency, to help your team in dealing with the most critical vulnerabilities. Once you establish a scalable and sustainable VM program you will be capable of defending your systems from ransomware attacks.

Moody's Intensifies its Scrutiny Of the 'Riskiest' Sectors Of the Economy

 



According to Moody's Investors Service, nearly $22 trillion of global rated debt has a "high" or "very high" level of cyber-risk exposure. This includes electrical, gas, and water utilities, as well as hospitals, which are among the sectors with the greatest risk of cyberattacks.

In total, Moody's has rated nearly 80 trillion dollars in debt across 71 different sectors across the globe. This represents a quarter of Moody's $180 trillion in debt that Moody's has rated across 71 different sectors worldwide. This represents an increase of nearly a billion dollars from the firm's 2019 numbers.

According to Moody, the Cyber Heatmap takes into account two factors, namely exposure and mitigation. It weighs both equally across all the sectors that it rates for this report.

A major component of exposure is the industry's "systemic role" - the fact that it is appealing from an attacker's perspective in terms of disrupting a wide array of industries, along with its interconnectedness with other sectors. It has also been emphasized that "digitalization" has increased the attack surface by extending its digital footprint.

The mitigation plan will include measures to reduce perimeter vulnerability as well as basic cybersecurity practices based on financial loss estimates. While determining perimeter vulnerability, Moody's takes into account at-risk open ports and patching cadence, which it gathers from data and metrics provided by cyber-ratings company BitSight, in which Moody's owns a minority stake, which provides data and metrics about open ports and patching schedules.

"It has been mentioned before that poor patches can have a significant impact on a company's risk of ransomware, as well as reports of a high rate of ransomware instances," BitSight chief risk officer Derek Vadala said in a press release.

According to Moody's, this year's Heatmap provides insight into cyber risk within the 71 sectors. The information is based on exposures and mitigations, which Moody's has categorised as "low," "moderate," "high" and "very high" risk. Utility companies were found to have high levels of cyber risk.

In this sector, which has a total amount of $2.5 billion in collective debt rated by Moody's, there are both regulated and self-regulated electric utilities operating in the generation, transmission, and distribution of electricity and gas. There are also unregulated electric and power companies, as well as water and wastewater companies. Moody's noted, "this does not mean the issuers within these sectors have weak cybersecurity practices."

Most economists believe that it has more to do with the "multiplier effect across an economy," as per the report. Cyberattacks that knock out a regional power grid, for example, will have far more consequences than simply for the utility itself. Hospitals may be unable to provide life-saving surgery or critical medicine to patients if a cyberattack knocks them out of service. For assisted living facilities, it would be extremely challenging for them to keep their elderly residents comfortable during heat waves or cold snaps. This is because they cannot provide heat or air conditioning.

There is no doubt that this is why critical infrastructure has become such an attractive target for cybercriminals seeking to cause the most damage, as evidenced by the seemingly constant barrage of government warnings regarding nation-state threat groups targeting power systems and infrastructure.

As far as cyber risk is concerned, non-profit hospitals also ranked extremely high when it comes to the threats they face. In Moody's view, non-profit hospitals are particularly attractive targets for attackers because of the huge amount of data that these institutions possess, as well as the average mitigation measures, they have in place to reduce the impact of potential cyber threats. 

Banks, the technology sector, telecommunications, and midstream energy are some of the sectors with the highest levels of risk. Meanwhile, in the Heatmap, some sectors have moderate levels of risk, such as advanced economies and emerging regions, regional and local governments, manufacturing, retail, and apparel, and integrated oil.

In conclusion, low-risk sectors include structured finance, real estate, independent exploration and production, mining, and public housing, which are all low-risk sectors. The analysis evinces how there has been a significant increase in the number of ransomware attacks against hospitals and healthcare organizations over the last few years which in turn calls for strict cyber security measures. 

Researchers Alert About Ransomware Attacks Targeting Microsoft Cloud ‘Versioning’ Feature

Researchers detected a functionality in Office 365 that enables cybercriminals to ransom items stored on SharePoint and OneDrive. When the researchers informed Microsoft, they were assured that the system was functioning as designed and it is a feature rather than a vulnerability. 

Files stored and updated on the cloud have long been thought to be resistant to encryption extortion — the autosave and versioning capabilities should offer enough backup capability. Researchers at Proofpoint have displayed that this is a false assumption. They reported, “Our research focused on… SharePoint Online and OneDrive… and shows that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.” 

There are two ways to accomplish this using the Microsoft versioning feature (which allows the user to specify the maximum number of older versions to be stored). Older versions beyond this level are designed difficult, if not impossible to recover. The first attack is more theoretical than practical, while the second is undeniably practical. The maximum number of revisions of a document that may be saved by default is 500. Simply said, the attacker modifies and encrypts the file 501 times. 

The changes do not have to be significant - just enough to cause the system to save the new (encrypted) version. All versions of the document will be encrypted by the completion of the procedure, and the file will be unrecoverable without the decryption key. This is a theoretical attack. In actuality, it would be loud and easily discovered. The second method is more practical: utilise the built-in user-controlled versioning tool to reduce the number of stored versions to one. 

Every SharePoint and OneDrive document library includes a user-configurable parameter for the number of stored versions, which can be found under list settings for each document library. Setting the version limit to zero does not help an attacker since it does not erase older versions that the user can still recover. 

If the limit is set to one, the file only has to be encrypted twice before the user loses access to its contents. If information is exfiltrated before encryption, the attacker has the option of launching a second extortion attempt. The attack chain includes initial access via compromised or hijacked user identities, account takeover and discovery, versioning reduction, file exfiltration, and encryption, and extortion. 

If the file owner keeps a local copy of the file, the impact of this attack will be limited. In this case, the attacker must compromise both the endpoint and the cloud account to ensure success. Proofpoint followed the Microsoft disclosure route and submitted the vulnerability to Microsoft before publicly revealing it. 

Microsoft stated that, first, the versioning settings function properly, and that, second, previous versions of files can potentially be retrieved and restored for an additional 14 days with the aid of Microsoft Support. 

“However,” write the researchers, “Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”

Therefore, the conclusion of the story is straightforward do not think files saved and updated in the cloud are immune to extortion attempts. Ransomware mitigation procedures must still be in place.

Researcher Demonstrated How Tesla Key Card Feature Can be Exploited to Steal Cars

 

A researcher demonstrated how a Tesla key card functionality launched last year might be misused to add an unauthorised key that enables an attacker to access and start a vehicle. 

Martin Herfurt, an Austria-based member of the Trifinite research group that specialises in Bluetooth security, conducted the study. Herfurt's research focused on key card access modifications made by Tesla in August 2021, which removed the necessity for customers to place the key card on the central console after using it to open the vehicle. 

The researcher discovered that when a Tesla is opened through NFC using the key card, there is a 130-second window during which an attacker within the Bluetooth range of the targeted vehicle may add their own key. The attack exploits Tesla's VCSEC protocol, which manages communication between the automobile, the phone app, and the key fob. 

Findings by the researcher: 

During such an assault, the infotainment system makes no attempt to warn the victim that a new key has been inserted. According to the researcher, he tried the attack on the Tesla Model 3 and Model Y, but he believes it should also work on the newer Model S and Model X. At the recent Pwn2Own 2022 hacking competition, hackers won $75,000 for an attack targeting Tesla's infotainment system. Herfurt intended to show off his attack at Pwn2Own, but relay attacks were not permitted. 

In reality, he claimed to have identified the authorisation timer attack vector in September 2021 but had been keeping it for Pwn2Own. The researcher stated that he did not inform Tesla about his recent findings before revealing them since he considered the company needed to be aware of the problem. 
Following his disclosure, he received confirmation from others who reported a very issue to Tesla months ago that Tesla was aware of the vulnerability. 

According to the researcher, Tesla recommends using the PIN2Drive function, which requires customers to input a PIN before driving away, but he produced a video last week demonstrating how an attacker may overcome PIN2Drive. Tesla is yet to react to a comment request.

Herfurt is working on TeslaKee, a new smartphone application that is said to safeguard Tesla vehicles from these sorts of relay attacks. Herfurt demonstrated another approach to stealing a Tesla in May. The attacker utilised two Raspberry Pi devices to relay the radio signal between the Phone Key and an automobile over a considerable distance.

 New Confluence Remote Code Execution Flaw is Exploited by Cryptocurrency Miners

 

Atlassian has issued a security advisory on a severe unpatched remote code execution vulnerability that affects Confluence Server and Data Center products and is being actively abused in the field, according to the company. The CVE-2022-26134 vulnerability was found as an extensively exploited zero-day towards the end of May, and the vendor issued a patch on June 3, 2022. 

Several proof-of-concept (PoC) exploits for the CVE-2022-26134 bug have been made public. Following the disclosure of the RCE, Check Point Research (CPR) researchers observed a large number of exploitation attempts, with some of the malicious payloads used in the attacks being used as part of the same campaign carried by a crypto mining gang known as the "8220 gang" by doing bulk net scans to discover vulnerable Windows and Linux endpoints to plant miners. 

Miners are special-purpose programs that mine cryptocurrency like Monero for the threat actor using the host's available computational capabilities. Reduced server performance, increase hardware wear, greater operating costs, and even business disruption are all direct consequences of this action. These actors can also improve their attack at any time and dump more potent payloads because they have access to the system.

Multiple infection chains are used to target Linux and Windows operating systems. The attack starts with a specially crafted HTTP request which exploits CVE-2022-26134 and dumps a base64-encoded payload on both Linux and Windows platforms. The payload then downloads an executable, a Linux malware injects script and a Windows child process spawner. Both scenarios try to set up reboot persistence, then delete all current devices before activating the miner. 

The miner will deplete all system resources in both circumstances, therefore the "8220 gang" is aiming for maximum profit until the malware is uprooted, rather than silently mining on infected servers and attempting to remain undiscovered by using only a portion of the available processing capacity. Eventually, the Linux script looks for SSH keys on the host in an attempt to expand to other computers nearby. 

The web shell is believed to have been used to distribute two further web shells to disk, namely China Chopper and a bespoke file upload shell for exfiltrating arbitrary files to a remote server. The news comes within a year of another severe remote code execution issue in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively exploited in the open to install cryptocurrency miners on compromised servers (CVE-2021-26084, CVSS score: 9.8). 

"Attackers can get direct access to highly valuable systems by exploiting such type of vulnerability," Volexity stated. "Furthermore, because they lack the necessary monitoring or logging capabilities, these systems can be difficult to investigate."

Mitigating Software Security Flaws with Automation

 

A group of UTSA researchers is investigating how a new automated approach could be used to prevent software security vulnerabilities. The team intended to create a deep learning model that could train the software on how to automatically extract security policies. 

Unlike traditional software development models, the agile software development process is intended to deliver software more quickly, eradicating the requirement for lengthy paperwork and changing software requirements. The only required documentation is user stories, which are specifications that define the software's requirements. However, the fundamental practises of this method, such as frequent code changes, restrict the capacity to perform security assurance evaluations.

Ram Krishnan, associate professor in the UTSA Department of Electrical and Computer Engineering stated, “The basic idea of addressing this disconnect between security policies and agile software development came from happenstance conversation with software leaders in the industry.” 

Before arriving on a deep learning strategy that can handle several formats of user stories, the researchers looked at various machine learning approaches. To conduct the prediction, the model is composed of three parts: access control classifications, named entity recognition, and access type classification. The software uses access control classification to determine whether or not user stories contain access control information. The actors and data objects in the storey are identified by a named entity. The link between the two is determined by the access type classification. To evaluate their approach, the researchers used a data collection of 21 online applications, each with 50-130 user stories (a total of 1,600). 

Krishnan stated, “With a dataset of 1,600 user stories, we developed a learning model based on transformers, a powerful machine learning technique. We were able to extract security policies with good accuracy and visualize the results to help stakeholders better refine user stories and maintain an overview of the system’s access control.” 

According to Krishnan, this unique new method will be a valuable tool in the modern agile software development life cycle. A manual method of extracting security policies would be error-prone and costly because agile software development focuses on incremental modifications to code. It is just another area where machine learning and artificial intelligence have proven to be effective. 

He further added, “We recognize that there is little additional information about access control that can be extracted or determined directly from user stories in a fully automated approach. That means it is difficult, or impossible, to determine a software’s exact access control from user stories without human involvement. We plan to extend our approach to make it interactive with stakeholders so that they can help refine the access control information.”

Hackers Exploit Log4j Flaw to Attack Belgium Defense Ministry

 

The Belgian Ministry of Defense has stated that the Log4j vulnerability was used in a cyberattack on its networks. 

The Defense Ministry said in a statement that an attack on its computer network with internet access was identified on Thursday. They didn't disclose whether the attack was ransomware, but they did state that "quarantine measures" were swiftly implemented to "contain the affected elements." 

The Defense Ministry stated, "Priority was given to the operability of the network. Monitoring will continue. Throughout the weekend, our teams were mobilized to contain the problem, continue our operations and alert our partners." 

"This attack follows the exploitation of the Log4j vulnerability, which was made public last week and for which IT specialists around the world are jumping into the breach. The Ministry of Defense will not provide any further information at this stage." 

Government hacking groups all across the world are using the Log4j vulnerability, according to multiple reports from firms like Google and Microsoft. State-sponsored hackers from China, Turkey, Iran, and North Korea, according to Microsoft, have begun testing, exploiting, and abusing the Log4j issue to spread a range of malware, including ransomware. 

According to multiple sources, since the vulnerability was found over two weeks ago, cybercriminal organisations have attempted to exploit it not only to acquire a foothold in networks but also to sell that access to others. 

To avoid attacks and breaches, governments around the world have advised agencies and companies to fix their systems or devise mitigation strategies. Singapore conducted emergency meetings with vital information infrastructure sectors to prepare them for potential Log4j-related threats, and the US' Cybersecurity and Infrastructure Security Agency instructed all federal civilian agencies to fix systems before Christmas. 

Katrien Eggers, a spokesperson for the Centre for Cybersecurity Belgium, told ZDNet that the organisation had also issued a warning to Belgian companies about the Apache Log4j software issue, stating that any organisation that had not already taken action should "expect major problems in the coming days and weeks." 

The Centre for Cybersecurity Belgium stated, adding that any affected organizations should contact them. "Because this software is so widely distributed, it is difficult to estimate how the discovered vulnerability will be exploited and on what scale. It goes without saying that this is a dangerous situation."

Dridex Banking Malware is Now Being Installed Using a Log4j Vulnerability

 

The Log4j vulnerability is presently being leveraged to infect Windows devices with the Dridex Trojan and Linux devices with Meterpreter, according to Cryptolaemus, a cybersecurity research firm. Dridex, also known as Bugat and Cridex, is a type of malware that specializes in obtaining bank credentials through a system that uses Microsoft Word macros. This malware targets Windows users who open an email attachment in Word or Excel, enabling macros to activate and download Dridex, infecting the computer and potentially exposing the victim to banking theft.

The major objective of this software is to steal banking information from users of infected PCs in order to conduct fraudulent transactions. Bank information is used by the software to install a keyboard listener and conduct injection attacks. The theft perpetrated by this software was estimated to be worth £20 million in the United Kingdom and $10 million in the United States in 2015. Dridex infections have been linked to ransomware assaults carried out by the Evil Corp hacker gang. 

Log4j, an open-source logging library widely used by apps and services on the internet, was revealed to have a vulnerability. Attackers can breach into systems, steal passwords and logins, extract data, and infect networks with harmful software if they are not fixed. Log4j is widely used in software applications and internet services around the world, and exploiting the vulnerability needs no technical knowledge. As a result, Log4shell may be the most serious computer vulnerability in years. 

Threat actors use the Log4j RMI (Remote Method Invocation) exploit version, according to Joseph Roosen, to force vulnerable devices to load and execute a Java class from an attacker-controlled remote server. When the Java class is launched, it will first attempt to download and launch an HTA file from several URLs, which will install the Dridex trojan, according to BleepingComputer. If the Windows instructions cannot be executed, the device will be assumed to be running Linux/Unix and a Python script to install Meterpreter will be downloaded and executed. 

On Windows, the Java class will download and open an HTA file, resulting in the creation of a VBS file in the C:ProgramData folder. This VBS program is the primary downloader for Dridex and has previously been spotted in Dridex email campaigns. When run, the VBS code will examine numerous environment variables to determine whether or not the user is a member of a Windows domain. If the user is a domain member, the VBS code will download and run the Dridex DLL with Rundll32.exe.

Hackers Use Insulin Pump Management Vulnerability To Compromise Device

 

A recent study by Lyrebirds, a cybersecurity consultancy organization from Denmark, reveals that a design protocol vulnerability in the Insulet Omnipod Insulin Management System, aka Omnipod Eros, allows a hacker to take command of the device and send programming commands, which includes instant insulin injection. The flaw was found in the communication protocol, that makes it possible for a threat attacker to cut the signal through jamming or via sending messages after the nonce transmission, without the nonce being invalidated by the device. 

The nonce, alone, isn't linked to the device, meaning it can be used for any command the threat actor would like to execute and lets both devices to return to the anticipated, instant program flow, meanwhile continuing to send or set the harmful tactics. The controller and its pump communicate above 433 MHz radio with three packaging layers that exist on top of radio communication, which includes command and respond message and packet. The controller sends an order to the pump and it replies. The programming commands need a 4-byte nonce as the first parameter. 

Upon setting off a pump, the pump and the controller exchange the LOT and serial identification of the pump used for seeding a pseudo-random generator within both the pump and the controller. Once paired, the generators stay in synchronization for the lifetime of a pump. If it gets out of sync, a re-sync process is done but the new seed depends on the identification number sent during pump setup. The device needs a message with a serial number to deliver any packet, but it doesn't involve encryption within the system comes. 

Experts say that the information sent between controller and device isn't encrypted. As a result, the information in the message and packet headers can be exposed. "For example, the report shows a passive observer could parse the needed information from the pump status before a scheduled time. An attacker could also extract the data directly from the headers they’re trying to exploit from the programming command," SC Media.

Linux Kernel Detected With New Side-Channel Vulnerability

 

The latest research work published by a group at the University of California, Riverside, demonstrates the existence of formerly unnoticed side channels in Linux kernels that can be used to attack DNS servers. 

As per the researchers, the problem with DNS stems from its design, which never prioritized security and made it incredibly difficult to retrofit robust security features into it. 

Although DNS security capabilities such as DNSSEC and DNS cookies are available, they are not generally used owing to backward compatibility, according to the researchers. However, the only way to make DNS more secured has always been to randomize UDP ports, known as ephemeral ports, intending to make it more difficult for an intruder to find them.

As a consequence, various DNS attacks have been reported in the past, including the recently revealed SAD DNS, a variation of DNS cache poisoning which allows an attacker to insert harmful DNS records into a DNS cache, routing all traffic to their server and then becoming a man-in-the-middle (MITM). Subsequently, a few of the researchers that first reported SAD DNS discovered side-channel vulnerabilities in the Linux kernel that had gone unnoticed for over a decade. 

The study focuses on two forms of ICMP error messages: ICMP fragment required (or ICMP packet too large in IPv6) and ICMP redirect. The Linux kernel analyzes the messages, as demonstrated by the researchers, utilizing shared resources that constitute side channels. 

Essentially, this means that an attacker might send ICMP probes to a certain port. If somehow the targeted port is correct, there will be some modification in the shared resource state which can be detected indirectly, validating the correctness of the estimate. An attack, for example, may reduce a server's MTU, resulting in fragmented future answers. 

According to the investigators, the newly found side channels affect the most popular DNS software, like BIND, Unbound, and dnsmasq operating on top of Linux. An approximate 13.85% of open resolvers are impacted. Furthermore, the researchers demonstrate an end-to-end attack against one of the most recent BIND resolvers and a home router that just takes minutes to complete. 

This unique attack can be avoided by configuring suitable socket options, such as asking the operating system not to accept ICMP frag required messages, which eliminates the side-channel; randomizing the kernel shared caching structure itself, and refusing ICMP redirects. As a result of the revelation of this new vulnerability, the Linux kernel has indeed been fixed to randomize the shared kernel structure for both IPv4 and IPv6.

Cisco Vulnerability Damages the Firewall

 

Positive Technologies threat experts have warned that a defect identified this week in Cisco's Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) firewalls could potentially contribute to denial-of-service (DoS) attacks. 

As per Positive Technologies expert Nikita Abramov, the high-severity bug (CVE-2021-34704) does not demand elevated privileges or specific access to attack. An attacker only needs to create a demand wherein one of the portions is larger than the device expects. 

According to Cisco, the flaw is the consequence of poor input validation while parsing HTTPS queries. The problem, if abused, might allow an attacker to compel the device to restart, culminating in a DoS circumstance, according to the vendor. 

This has the potential to have a significant effect on the business., noted Abramov. “If attackers disrupt the operation of Cisco ASA and Cisco FTD, a company will be left without a firewall and remote access,” he wrote in a research note. 

“If the attack is successful, remote employees or partners will not be able to access the internal network of the organization, and access from outside will be restricted. At the same time, firewall failure will reduce the protection of the company.” 

Cisco has already fixed the flaw in the most recent versions of its ASA and FTD firmware. 

Positive Technologies further advises concerned clients to use security information and event management (SIEM) solutions to prevent and identify breaches.

The vendor addressed a bug in its Firepower Devices Manager (FDM) and On-Box software in August, allowing the researcher to take complete control of the company's Firepower next-generation firewalls. 

The vulnerability, identified by Abramov and threat researcher Mikhail Klyuchnikov, received a severity score of 6.3 on the standard vulnerability ranking methodology. 

The vulnerability exploited another flaw in Cisco's FDM On-Box representational state transfer (REST) API, allowing intruders to execute arbitrary code on a compromised device's operating system.

“To exploit this vulnerability, all attackers need to do is to obtain credentials of a user with low privileges and send a specially crafted HTTP request,” Abramov wrote. “From a technical standpoint, the vulnerability is caused by insufficient user input validation for some REST API commands.”

Linux Foundation Patches Critical Critical Code Vulnerability

 

CVE-2021-43267 vulnerability is detailed as a heap overflow Transparent Inter-Process Communication (TIPC) module shipping with Linux kernels to let nodes in a group communicate with each other in a fault-proof way. 'While TIPC itself isn’t loaded automatically by the system and has to be enabled by end users, Van Amerongen said the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation "makes this a dangerous vulnerability" for those that use it in their networks," reports Security Week. 

The flaw can be abused either locally or via remote code execution within a network framework to get kernel privileges, which allows a hacker to exploit an entire system. Experts discovered a bug in most attacks that used Microsoft's CodeQL, an open-source semantic code analysis engine that assists to identify security flaws. As per the experts, the flaw surfaced in the Linux kernel in September last year, after a MSG_CTYPTO (a new message type) was included to let actors distribute cryptographic codes. 

While investigating the code, expert Van Amerongen discovered a “clear-cut kernel heap buffer overflow," along with remote code execution hints. , Vulnerable TIPC module is loaded with main Linux distributions, however, it requires loading in order to trigger the vulnerability and enable the protocol. A patch was shipped by Linux foundation on October 29, confirming the existing vulnerability which affects kernel variants between 5.10 and 5.15. 

As per cybersecurity firm Sentinel One, it hasn't found any proof of vulnerability exploits in the wild. “This vulnerability can be exploited both locally and remotely. While local exploitation is easier due to greater control over the objects allocated in the kernel heap, remote exploitation can be achieved thanks to the structures that TIPC supports. As this vulnerability was discovered within a year of its introduction into the codebase, TIPC users should ensure that their Linux kernel version is not between 5.10-rc1 and 5.15,” says cybersecurity expert Van Amerongen.

Latest Microsoft Exchange Server Feature Mitigates High-Risk Bugs

 

One of the prominent targets for hackers is Microsoft Exchange, and the attack vector typically involves a popular vulnerability which the organization hasn't recently patched. A new solution by Microsoft aims at providing urgent protection after several attacks over the last year that used zero-days against on-site versions of Microsoft Exchange servers. 

Microsoft has implemented a new Exchange Server capability that automatically implements interim mitigations to protect on-site systems against incoming cyberattacks, against high-risk (and probably regularly exploited) security vulnerabilities, and allows administrators to deploy security upgrades. 

This update comes following a series of zero-day vulnerabilities detected in Microsoft Exchange, which was used to infiltrate servers by state-supported hacker organizations with no patch or mitigation information accessible for administrators. 

Built on the Microsoft Emergency Exchange Mitigation (EM), which was launched in March to limit the attack surface, exposes the ProxyLogon vulnerabilities, the new Exchange Server component, suitable for the Microsoft exchange Emergency Mitigation (EM) service. EM is operating on Exchange Mailbox servers as a Windows service. 

After implementing the September 2021 (or later) CU on Exchange Server 2016 or Exchange Server 2019 it will be installed automatically on servers having the Mail Box role. It detects Exchange Servers susceptible to one or many known threats and provides provisional mitigation until security updates can be installed by administrators. 

Automatically deployed EM service mitigation is temporary until the security update could be loaded that resolves the issue and does not supersede Exchange SUs. 

"This new service is not a replacement for installing Exchange Server Security Updates (SUs), but it is the fastest and easiest way to mitigate the highest risks to Internet-connected, on-premises Exchange servers before installing applicable SUs," the Exchange Team explained. 

EM is an EOMT variant created in an Exchange server that can download from and defend against high-risk issues with existing mitigation using the cloud-based Office Config Service (OCS). Admins may deactivate the EM service unless Microsoft would like to automatically implement attenuations to its Exchange servers. They may also manage applied mitigation strategies via PowerShell cmdlets or scripts that allow mitigations to be seen, reapplied, blocked, or removed. 

"Our plan is to release mitigations only for the most severe security issues, such as issues that are being actively exploited in the wild," the Exchange Team added. "Because applying mitigations may reduce server functionality, we plan on releasing mitigations only when the highest impact or severity issues are found."

Telegram's Encryption Protocol Detected with Vulnerabilities

 

A multinational computer team claimed on Friday that the popular encrypted chat app Telegram is detected with four cryptographic vulnerabilities by their researchers. 

The vulnerabilities, based on the security study, range from technically trivial and easy to use to advanced and of theoretical interest. But in the end, it is demonstrated by ETH Professor Kenny Paterson, who was a member of the team that exposed the vulnerability, that the four important aspects could be done better, more secure, and more efficiently using a standard approach to cryptography. 

Telegram's a cloud-based free, open-source instant messaging app on cross-platform. This program also provides encoded video calling, VoIP, file sharing, and various other functions from one end to the next. It was launched in August 2013 for iOS and in October 2013 for Android. 

The greatest vulnerability found by researchers is what they call the vulnerability "crime pizza." An attacker could modify the sequence of messages from a client to a telegram-operated cloud server in this easily. 

“For example, if the order of the messages in the sequence ‘I say “yes” to’, ‘pizza’, ‘I say “no” to’, “crime” was altered then it would appear that the client is declaring their willingness to commit a crime,” according to the universities.

An attacker may detect which of two communications is encrypted by the client, even if particular circumstances are required to do so using one of the more theoretical vulnerabilities. 

Rather than using more common protocols like Transport Layer Security, Telegram uses its MTProto encryption protocol. In the past, too, cryptographers have skeptically eyed MTProto. The recent investigation recalls that while encrypted apps give considerable protection, they are not 100% impermissible to use. 

The flaws in the telegram were reported by cryptographers from ETH Zürich, a public research university in Switzerland, and the Royal Holloway constituent college of the University of London. 

“For most users, the immediate risk is low, but these vulnerabilities highlight that Telegram fell short of the cryptographic guarantees enjoyed by other widely deployed cryptographic protocols,” a university summary states. 

Telegram wrote that it made changes in response to the disclosure “that make the four observations made by the researchers no longer relevant.” 

Further, it has also revealed that there were no critical vulnerabilities. 

“We welcome any research that helps make our protocol even more secure,” Telegram said. “These particular findings helped further improve the theoretical security of the protocol.”

TsuNAME: New DNS Bug could be used to DDoS Authoritative DNS Servers


Security researchers have found extreme domain name system (DNS) fixes that hackers may use to conduct constructive denial-of-service attacks on authoritative DNS servers. The bug they refer to as TsuNAME has been discovered by researchers from SIDN Labs and InternetNZ. The bug is a humongous reflection-based distributed denial of service (DDoS) amplification function attacking authoritative DNS servers. 

Authoritative DNS servers are translated into IP addresses, such as 64.233.160.0, through web domains along like, www.google.com. One must realize the distinction between an authoritative and recursive DNS server to consider the context of the vulnerability and its functions. 

Authoritative DNS servers, like Internet Service Providers (ISPs) and global tech giants, are usually operated by government and private sector organizations. Attackers trying to take advantage of the complexity of TsuNAME DNS target insecure recidivism resolutions to overload reputable servers, including large numbers of malicious DNS queries. 

"Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records," the researchers explain in their security advisory. 

"While one resolver is unlikely to overwhelm an authoritative server, the aggregated effect from many looping, vulnerable recursive resolvers may as well do." 

A potential effect after such an attack could be that authenticated DNS servers are downloaded, which may cause country-wide Internet interruption if a country code top-level domain (ccTLD) is impaired. It could be utilized to perform DDoS attacks on critical DNS infrastructure and services such as large TLDs or ccTLDs, which possibly impact country resources according to primary research materials which makes TsuNAME especially more dangerous. 

"We observed 50% traffic increases due to TsuNAME in production in .nz traffic, which was due to a configuration error and not a real attack," the researchers added. 

TsuNAME also had events affecting an EU-based ccTLD which raised incoming DNS traffic by a factor of 10 due to only two domains that are misconfigured by cyclical dependence. An intruder with access to several fields and a botnet can cause even more damage if their domains are misconfigured and open resolvers are tested. 

The impact of TsuNAME attacks can also be reduced by authoritative server managers using the open-source CycleHunter tool that avoids such incidents, detects, and prevents the pre-emptively fixing of cyclical dependencies in their DNS areas.

40% of all Android Phones Affected by Qualcomm Snapdragon Vulnerability

 

Security scientists who believe that a weakness that can be used to insert malicious code mostly on mobile by using the Android operating system itself as a port of entry has recently been reported as a grave security flaw concerning Qualcomm mobile station modems (MSM). The impacted chip(s) would connect nearly 40% of all smartphones, such as Samsung and other OEM's high-end phones, in the world. 

Qualcomm MSM is a 2G, 3G, 4G, and 5G-capable Chip System (SoC) used by several vendors, such as Samsung, Google, LG, OnePlus, and Xiaomi, for approximately 40 percent of cell phones. 

"If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones," as per the Check Point researchers who found the vulnerability tracked as CVE-2020-11292. 

The security vulnerability can also allow attackers to activate the SIM module used to safely store the network authentication information and contact details on mobile devices. 

The criminals have to misuse a stack overflow vulnerability in the Qualcomm MSM Interface (QMI), which is being used by the cellular processors for interface with the software stack, to exploit CVE-2020-11292 and monitor the modem and remotely repair it from the application processor.

Malicious apps could then use the loophole to mask their activities from the modem chip on its own and effectively invisibly track malicious behavior using Android security features. 

"Going forward, our research can hopefully open the door for other security researchers to assist Qualcomm and other vendors to create better and more secure chips, helping us foster better online protection and security for everyone." 

Following the study, Qualcomm produced security patches to resolve the security problem CVE-2020-11292 and delivered them to all affected vendors in December 2020, two months later. Qualcomm's priorities are the availability of solutions supporting comprehensive safety and privacy. While in December 2020, Qualcomm Technologies provided OEMs with updates and they encourage end-users to upgrade their devices when patches are available. 

As Qualcomm sent the CVE-2020-11292 patches to OEMs last year, it ought to be safe against efforts to jeopardize any modernized devices for Android users with newer devices often receiving security and system updates. Unfortunately, it might not be that lucky for all those who didn't upgrade to a new smartphone promoting newer Android launches over the last few years. 

Given the reality, about 19% of all Android devices run Android Pie 9.0 (launched in August 2018) and over 9% Android 8.1 Oreo (launched in December 2017) as per the Stat Counter data. 

Last year Qualcomm rectified the Digital Signal Processor Chip (DSP), which allows attackers to monitor smartphones, spy on the users, and build immovable malware which can avoid detection, with much more vulnerabilities that could impact Snapdragon. 

KrØØk was also repaired by Qualcomm in July 2020, a security bug that can be used to decipher certain WPA 2 encrypted wireless network packets. In 2019, yet another bug was fixed which enabled access to sensitive data and two faults in the SoC WLAN firmware that permitted over the air compromise of the modem and kernel.

Australian Cyber Security Centre Hit by Cyber Security Attack

 

The Australian Cyber Security Centre is on high alert for the vulnerability lately. The Australian corporate regulator has been the latest high-profile survivor of a hacking attack on the same program that used to target both the New Zealand Reserve Bank and the Allens law firm. On Monday (25th January) evening, a 'cyber safety incident involving a server used by ASIC' was said to have been hit by the Australian Securities and Investments Commission. 

It all started when the Australia Securities Regulator reported that a server that was used to move files, including credit license applications, recently had a data security violation, where possibly some information has been viewed. The ASIC (Australian Securities and Investments Commission) said it became aware of the case on 15 January, but the credit license form(s) or attachments did not seem to have been downloaded, however. 

Furthermore, the ASIC stated that “This incident is related to Accellion software used by ASIC to transfer files and attachments. It involved unauthorized access to a server which contained documents associated with recent Australian credit license applications.” Moreover, the regulator also said that “While the investigation is ongoing, it appears that there is some risk that some limited information may have been viewed by the threat actor. At this time ASIC has not seen evidence that any Australian credit license application forms or any attachments were opened or downloaded.” Accellion's file transfer program framework is a two-decade-old product but was revised last year after it heard about system vulnerabilities. The same incident occurred with the file-sharing software provided by Accellion based in California. The same software was also used by the New Zealand Central Bank, which suffered a cyber attack earlier this month. 

The server was disabled and there was no abuse of any other tech infrastructure, added the ASIC, “No other ASIC technology infrastructure has been impacted or breached. ASIC is working with Accellion and has notified the relevant agencies as well as impacted parties to respond to and manage the incident.” 

“ASIC’s IT team and cybersecurity advisers engaged by ASIC are undertaking a detailed forensic investigation and working to bring systems back online safely,” says the regulator.