
Researchers Alert About Ransomware Attacks Targeting Microsoft Cloud ‘Versioning’ Feature

Researchers detected a functionality in Office 365 that enables cybercriminals to ransom items stored on SharePoint and OneDrive. When the researchers informed Microsoft, they were assured that the system was functioning as designed and it is a feature rather than a vulnerability. 

Files stored and updated on the cloud have long been thought to be resistant to encryption extortion, since the autosave and versioning capabilities should offer enough backup capability. Researchers at Proofpoint have shown that this is a false assumption. They reported, “Our research focused on… SharePoint Online and OneDrive… and shows that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.” 

There are two ways to accomplish this using the Microsoft versioning feature (which allows the user to specify the maximum number of older versions to be stored). Older versions beyond this limit are, by design, difficult, if not impossible, to recover. The first attack is more theoretical than practical, while the second is undeniably practical. The maximum number of revisions of a document that may be saved by default is 500. Simply put, the attacker modifies and encrypts the file 501 times. 

The changes do not have to be significant - just enough to cause the system to save the new (encrypted) version. All versions of the document will be encrypted by the completion of the procedure, and the file will be unrecoverable without the decryption key. This is a theoretical attack. In actuality, it would be loud and easily discovered. The second method is more practical: utilise the built-in user-controlled versioning tool to reduce the number of stored versions to one. 

Every SharePoint and OneDrive document library includes a user-configurable parameter for the number of stored versions, which can be found under list settings for each document library. Setting the version limit to zero does not help an attacker, since doing so does not erase older versions, which the user can still recover. 

If the limit is set to one, the file only has to be encrypted twice before the user loses access to its contents. If information is exfiltrated before encryption, the attacker has the option of launching a second extortion attempt. The attack chain includes initial access via compromised or hijacked user identities, account takeover and discovery, versioning reduction, file exfiltration, encryption, and extortion. 

If the file owner keeps a local copy of the file, the impact of this attack will be limited. In this case, the attacker must compromise both the endpoint and the cloud account to ensure success. Proofpoint followed the Microsoft disclosure route and submitted the vulnerability to Microsoft before publicly revealing it. 

Microsoft stated that, first, the versioning settings function properly, and that, second, previous versions of files can potentially be retrieved and restored for an additional 14 days with the aid of Microsoft Support. 

“However,” write the researchers, “Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”

Therefore, the conclusion of the story is straightforward: do not assume that files saved and updated in the cloud are immune to extortion attempts. Ransomware mitigation procedures must still be in place.
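One way to watch for the versioning abuse described above, as an added example that is not from Proofpoint or Microsoft: a detector that flags a lowered version limit and any file rewritten more times than the library retains. The event schema, operation names and sample events are constructed for illustration; a real audit export has to be mapped onto them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DEFAULT_LIMIT = 500            # default version limit stated in the article
WINDOW = timedelta(hours=24)   # assumption: rewrites are counted over 24 hours

# Constructed sample events. Field and operation names are hypothetical.
EVENTS = [
    {"time": "2022-06-20T08:00:00", "op": "FileModified", "user": "a.owner",
     "library": "Finance", "file": "budget.xlsx"},
    {"time": "2022-06-20T09:00:00", "op": "VersionLimitChanged", "user": "j.doe",
     "library": "Finance", "old": 500, "new": 1},
    {"time": "2022-06-20T09:05:00", "op": "FileModified", "user": "j.doe",
     "library": "Finance", "file": "budget.xlsx"},
    {"time": "2022-06-20T09:06:00", "op": "FileModified", "user": "j.doe",
     "library": "Finance", "file": "budget.xlsx"},
    {"time": "2022-06-20T09:07:00", "op": "FileModified", "user": "j.doe",
     "library": "Finance", "file": "plan.docx"},
    {"time": "2022-06-20T10:00:00", "op": "FileModified", "user": "b.staff",
     "library": "HR", "file": "handbook.docx"},
    {"time": "2022-06-22T10:00:00", "op": "FileModified", "user": "b.staff",
     "library": "HR", "file": "handbook.docx"},
]


def detect(events, window=WINDOW, default_limit=DEFAULT_LIMIT):
    """Return alerts for lowered version limits and overwritten version history."""
    limits = {}                   # library -> current version limit
    writes = defaultdict(deque)   # (library, file) -> timestamps of recent writes
    alerts = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    for ev in ordered:
        ts = datetime.fromisoformat(ev["time"])
        lib = ev["library"]
        if ev["op"] == "VersionLimitChanged":
            old = limits.get(lib, ev.get("old", default_limit))
            new = ev["new"]
            limits[lib] = new
            # Count only writes made under the new limit.
            for key in writes:
                if key[0] == lib:
                    writes[key].clear()
            if new < old:
                alerts.append(("limit_lowered", lib, ev["user"], old, new))
        elif ev["op"] == "FileModified":
            limit = limits.get(lib, default_limit)
            if limit < 1:
                # Per the article, a limit of zero does not erase older versions.
                continue
            q = writes[(lib, ev["file"])]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            # limit + 1 rewrites inside the window leave no pre-burst version:
            # 501 rewrites at the default of 500, two rewrites at a limit of 1.
            if len(q) == limit + 1:
                alerts.append(("history_overwritten", lib, ev["file"], len(q), limit))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The same counter covers both methods in the article: the noisy 501-rewrite case under the default limit and the two-rewrite case after the limit is cut to one.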

Researcher Demonstrated How Tesla Key Card Feature Can be Exploited to Steal Cars

 

A researcher demonstrated how a Tesla key card functionality launched last year might be misused to add an unauthorised key that enables an attacker to access and start a vehicle. 

Martin Herfurt, an Austria-based member of the Trifinite research group that specialises in Bluetooth security, conducted the study. Herfurt's research focused on key card access modifications made by Tesla in August 2021, which removed the necessity for customers to place the key card on the central console after using it to open the vehicle. 

The researcher discovered that when a Tesla is opened through NFC using the key card, there is a 130-second window during which an attacker within the Bluetooth range of the targeted vehicle may add their own key. The attack exploits Tesla's VCSEC protocol, which manages communication between the automobile, the phone app, and the key fob. 

Findings by the researcher: 

During such an attack, the infotainment system makes no attempt to warn the victim that a new key has been added. According to the researcher, he tried the attack on the Tesla Model 3 and Model Y, but he believes it should also work on the newer Model S and Model X. At the recent Pwn2Own 2022 hacking competition, hackers won $75,000 for an attack targeting Tesla's infotainment system. Herfurt intended to show off his attack at Pwn2Own, but relay attacks were not permitted. 

In reality, he claimed to have identified the authorisation timer attack vector in September 2021 but had been keeping it for Pwn2Own. The researcher stated that he did not inform Tesla about his recent findings before revealing them since he considered the company needed to be aware of the problem. 
Following his disclosure, he received confirmation from others who reported a very similar issue to Tesla months ago that Tesla was aware of the vulnerability. 

According to the researcher, Tesla recommends using the PIN2Drive function, which requires customers to input a PIN before driving away, but he produced a video last week demonstrating how an attacker may overcome PIN2Drive. Tesla has yet to respond to a request for comment.

Herfurt is working on TeslaKee, a new smartphone application that is said to safeguard Tesla vehicles from these sorts of relay attacks. Herfurt demonstrated another approach to stealing a Tesla in May. The attacker utilised two Raspberry Pi devices to relay the radio signal between the Phone Key and an automobile over a considerable distance.

New Confluence Remote Code Execution Flaw is Exploited by Cryptocurrency Miners

 

Atlassian has issued a security advisory on a severe unpatched remote code execution vulnerability that affects Confluence Server and Data Center products and is being actively abused in the field, according to the company. The CVE-2022-26134 vulnerability was found as an extensively exploited zero-day towards the end of May, and the vendor issued a patch on June 3, 2022. 

Several proof-of-concept (PoC) exploits for the CVE-2022-26134 bug have been made public. Following the disclosure of the RCE, Check Point Research (CPR) researchers observed a large number of exploitation attempts. Some of the malicious payloads used in the attacks belong to a single campaign run by a crypto-mining group known as the "8220 gang", which performs bulk network scans to discover vulnerable Windows and Linux endpoints on which to plant miners. 

Miners are special-purpose programs that mine cryptocurrency like Monero for the threat actor using the host's available computational capabilities. Reduced server performance, increased hardware wear, greater operating costs, and even business disruption are all direct consequences of this activity. These actors can also escalate their attack at any time and drop more potent payloads because they have access to the system.

Multiple infection chains are used to target Linux and Windows operating systems. The attack starts with a specially crafted HTTP request which exploits CVE-2022-26134 and drops a base64-encoded payload on both Linux and Windows platforms. The payload then downloads an executable: a malware injector script on Linux and a child process spawner on Windows. Both scenarios try to set up reboot persistence, then delete all current devices before activating the miner. 

The miner depletes all system resources in both cases, so the "8220 gang" is aiming for maximum profit until the malware is removed, rather than silently mining on infected servers and attempting to remain undiscovered by using only a portion of the available processing capacity. Finally, the Linux script looks for SSH keys on the host in an attempt to spread to other computers nearby. 

The web shell is believed to have been used to distribute two further web shells to disk, namely China Chopper and a bespoke file upload shell for exfiltrating arbitrary files to a remote server. The news comes within a year of another severe remote code execution issue in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) being actively exploited in the wild to install cryptocurrency miners on compromised servers. 

"Attackers can get direct access to highly valuable systems by exploiting such type of vulnerability," Volexity stated. "Furthermore, because they lack the necessary monitoring or logging capabilities, these systems can be difficult to investigate."

Mitigating Software Security Flaws with Automation

 

A group of UTSA researchers is investigating how a new automated approach could be used to prevent software security vulnerabilities. The team intended to create a deep learning model that could train the software on how to automatically extract security policies. 

Unlike traditional software development models, the agile software development process is intended to deliver software more quickly, eradicating the requirement for lengthy paperwork and changing software requirements. The only required documentation is user stories, which are specifications that define the software's requirements. However, the fundamental practises of this method, such as frequent code changes, restrict the capacity to perform security assurance evaluations.

Ram Krishnan, associate professor in the UTSA Department of Electrical and Computer Engineering, stated, “The basic idea of addressing this disconnect between security policies and agile software development came from happenstance conversation with software leaders in the industry.” 

Before arriving at a deep learning strategy that can handle several formats of user stories, the researchers looked at various machine learning approaches. To make its predictions, the model is composed of three parts: access control classification, named entity recognition, and access type classification. The software uses access control classification to determine whether or not user stories contain access control information. The actors and data objects in the story are identified by named entity recognition. The link between the two is determined by the access type classification. To evaluate their approach, the researchers used a data collection of 21 online applications, each with 50-130 user stories (a total of 1,600). 

Krishnan stated, “With a dataset of 1,600 user stories, we developed a learning model based on transformers, a powerful machine learning technique. We were able to extract security policies with good accuracy and visualize the results to help stakeholders better refine user stories and maintain an overview of the system’s access control.” 

According to Krishnan, this unique new method will be a valuable tool in the modern agile software development life cycle. A manual method of extracting security policies would be error-prone and costly because agile software development focuses on incremental modifications to code. It is just another area where machine learning and artificial intelligence have proven to be effective. 

He further added, “We recognize that there is little additional information about access control that can be extracted or determined directly from user stories in a fully automated approach. That means it is difficult, or impossible, to determine a software’s exact access control from user stories without human involvement. We plan to extend our approach to make it interactive with stakeholders so that they can help refine the access control information.”

Hackers Exploit Log4j Flaw to Attack Belgium Defense Ministry

 

The Belgian Ministry of Defense has stated that the Log4j vulnerability was used in a cyberattack on its networks. 

The Defense Ministry said in a statement that an attack on its computer network with internet access was identified on Thursday. They didn't disclose whether the attack was ransomware, but they did state that "quarantine measures" were swiftly implemented to "contain the affected elements." 

The Defense Ministry stated, "Priority was given to the operability of the network. Monitoring will continue. Throughout the weekend, our teams were mobilized to contain the problem, continue our operations and alert our partners." 

"This attack follows the exploitation of the Log4j vulnerability, which was made public last week and for which IT specialists around the world are jumping into the breach. The Ministry of Defense will not provide any further information at this stage." 

Government hacking groups all across the world are using the Log4j vulnerability, according to multiple reports from firms like Google and Microsoft. State-sponsored hackers from China, Turkey, Iran, and North Korea, according to Microsoft, have begun testing, exploiting, and abusing the Log4j issue to spread a range of malware, including ransomware. 

According to multiple sources, since the vulnerability was found over two weeks ago, cybercriminal organisations have attempted to exploit it not only to acquire a foothold in networks but also to sell that access to others. 

To avoid attacks and breaches, governments around the world have advised agencies and companies to fix their systems or devise mitigation strategies. Singapore conducted emergency meetings with vital information infrastructure sectors to prepare them for potential Log4j-related threats, and the US' Cybersecurity and Infrastructure Security Agency instructed all federal civilian agencies to fix systems before Christmas. 

Katrien Eggers, a spokesperson for the Centre for Cybersecurity Belgium, told ZDNet that the organisation had also issued a warning to Belgian companies about the Apache Log4j software issue, stating that any organisation that had not already taken action should "expect major problems in the coming days and weeks." 

The Centre for Cybersecurity Belgium stated, "Because this software is so widely distributed, it is difficult to estimate how the discovered vulnerability will be exploited and on what scale. It goes without saying that this is a dangerous situation," adding that any affected organizations should contact them.

Dridex Banking Malware is Now Being Installed Using a Log4j Vulnerability

 

The Log4j vulnerability is presently being leveraged to infect Windows devices with the Dridex Trojan and Linux devices with Meterpreter, according to Cryptolaemus, a cybersecurity research firm. Dridex, also known as Bugat and Cridex, is a type of malware that specializes in obtaining bank credentials through a system that uses Microsoft Word macros. This malware targets Windows users who open an email attachment in Word or Excel, enabling macros to activate and download Dridex, infecting the computer and potentially exposing the victim to banking theft.

The major objective of this software is to steal banking information from users of infected PCs in order to conduct fraudulent transactions. Bank information is used by the software to install a keyboard listener and conduct injection attacks. The theft perpetrated by this software was estimated to be worth £20 million in the United Kingdom and $10 million in the United States in 2015. Dridex infections have been linked to ransomware assaults carried out by the Evil Corp hacker gang. 

Log4j, an open-source logging library widely used by apps and services on the internet, was revealed to have a vulnerability. Attackers can break into systems, steal passwords and logins, extract data, and infect networks with harmful software if the flaw is not fixed. Log4j is widely used in software applications and internet services around the world, and exploiting the vulnerability needs no technical knowledge. As a result, Log4Shell may be the most serious computer vulnerability in years. 

Threat actors use the Log4j RMI (Remote Method Invocation) exploit version, according to Joseph Roosen, to force vulnerable devices to load and execute a Java class from an attacker-controlled remote server. When the Java class is launched, it will first attempt to download and launch an HTA file from several URLs, which will install the Dridex trojan, according to BleepingComputer. If the Windows instructions cannot be executed, the device will be assumed to be running Linux/Unix and a Python script to install Meterpreter will be downloaded and executed. 

On Windows, the Java class will download and open an HTA file, resulting in the creation of a VBS file in the C:\ProgramData folder. This VBS program is the primary downloader for Dridex and has previously been spotted in Dridex email campaigns. When run, the VBS code will examine numerous environment variables to determine whether or not the user is a member of a Windows domain. If the user is a domain member, the VBS code will download and run the Dridex DLL with Rundll32.exe.

Hackers Use Insulin Pump Management Vulnerability To Compromise Device

 

A recent study by Lyrebirds, a cybersecurity consultancy organization from Denmark, reveals that a protocol design vulnerability in the Insulet Omnipod Insulin Management System, aka Omnipod Eros, allows a hacker to take command of the device and send programming commands, including instant insulin injection. The flaw was found in the communication protocol, which makes it possible for a threat actor to cut the signal through jamming, or by sending messages after the nonce transmission, without the nonce being invalidated by the device. 

The nonce alone isn't linked to the device, meaning it can be used for any command the threat actor would like to execute, and it lets both devices return to the anticipated, instant program flow while the attacker continues to send or set the harmful commands. The controller and its pump communicate over 433 MHz radio, with three layers on top of the radio communication: command and response, message, and packet. The controller sends a command to the pump and the pump replies. The programming commands need a 4-byte nonce as the first parameter. 

Upon setting up a pump, the pump and the controller exchange the LOT and serial identification of the pump, which are used for seeding a pseudo-random generator within both the pump and the controller. Once paired, the generators stay in synchronization for the lifetime of a pump. If they get out of sync, a re-sync process is carried out, but the new seed depends on the identification number sent during pump setup. The device needs a message with a serial number to deliver any packet, but no encryption is involved within the system. 

Experts say that the information sent between controller and device isn't encrypted. As a result, the information in the message and packet headers can be exposed. "For example, the report shows a passive observer could parse the needed information from the pump status before a scheduled time. An attacker could also extract the data directly from the headers they’re trying to exploit from the programming command," SC Media reported.

Linux Kernel Detected With New Side-Channel Vulnerability

 

The latest research work published by a group at the University of California, Riverside, demonstrates the existence of formerly unnoticed side channels in Linux kernels that can be used to attack DNS servers. 

As per the researchers, the problem with DNS stems from its design, which never prioritized security and made it incredibly difficult to retrofit robust security features into it. 

Although DNS security capabilities such as DNSSEC and DNS cookies are available, they are not generally used owing to backward compatibility, according to the researchers. Instead, the only way to make DNS more secure has always been to randomize UDP ports, known as ephemeral ports, with the aim of making it more difficult for an intruder to find them.

As a consequence, various DNS attacks have been reported in the past, including the recently revealed SAD DNS, a variation of DNS cache poisoning which allows an attacker to insert harmful DNS records into a DNS cache, routing all traffic to their server and then becoming a man-in-the-middle (MITM). Subsequently, a few of the researchers that first reported SAD DNS discovered side-channel vulnerabilities in the Linux kernel that had gone unnoticed for over a decade. 

The study focuses on two forms of ICMP error messages: ICMP fragment required (or ICMP packet too large in IPv6) and ICMP redirect. As the researchers demonstrate, the Linux kernel processes these messages using shared resources that constitute side channels. 

Essentially, this means that an attacker might send ICMP probes to a certain port. If the guessed port is correct, there will be some modification in the shared resource state which can be detected indirectly, validating the correctness of the guess. An attack, for example, may reduce a server's MTU, resulting in fragmented future answers. 

According to the investigators, the newly found side channels affect the most popular DNS software, like BIND, Unbound, and dnsmasq operating on top of Linux. An estimated 13.85% of open resolvers are impacted. Furthermore, the researchers demonstrate an end-to-end attack against one of the most recent BIND resolvers and a home router that takes just minutes to complete. 

This attack can be prevented by configuring suitable socket options, such as asking the operating system not to accept ICMP frag required messages, which eliminates the side channel; by randomizing the kernel's shared caching structure itself; and by refusing ICMP redirects. Following the disclosure of this new vulnerability, the Linux kernel has been patched to randomize the shared kernel structure for both IPv4 and IPv6.

Cisco Vulnerability Damages the Firewall

 

Positive Technologies threat experts have warned that a defect identified this week in Cisco's Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) firewalls could potentially contribute to denial-of-service (DoS) attacks. 

As per Positive Technologies expert Nikita Abramov, the high-severity bug (CVE-2021-34704) does not require elevated privileges or specific access to exploit. An attacker only needs to craft a request in which one of the parts is larger than the device expects. 

According to Cisco, the flaw is the consequence of poor input validation while parsing HTTPS requests. The problem, if abused, might allow an attacker to force the device to restart, resulting in a DoS condition, according to the vendor. 

This has the potential to have a significant effect on the business, noted Abramov. “If attackers disrupt the operation of Cisco ASA and Cisco FTD, a company will be left without a firewall and remote access,” he wrote in a research note. 

“If the attack is successful, remote employees or partners will not be able to access the internal network of the organization, and access from outside will be restricted. At the same time, firewall failure will reduce the protection of the company.” 

Cisco has already fixed the flaw in the most recent versions of its ASA and FTD firmware. 

Positive Technologies further advises concerned clients to use security information and event management (SIEM) solutions to prevent and identify breaches.

The vendor addressed a bug in its Firepower Devices Manager (FDM) and On-Box software in August, allowing the researcher to take complete control of the company's Firepower next-generation firewalls. 

The vulnerability, identified by Abramov and threat researcher Mikhail Klyuchnikov, received a severity score of 6.3 on the standard vulnerability ranking methodology. 

The vulnerability exploited another flaw in Cisco's FDM On-Box representational state transfer (REST) API, allowing intruders to execute arbitrary code on a compromised device's operating system.

“To exploit this vulnerability, all attackers need to do is to obtain credentials of a user with low privileges and send a specially crafted HTTP request,” Abramov wrote. “From a technical standpoint, the vulnerability is caused by insufficient user input validation for some REST API commands.”

Linux Foundation Patches Critical Code Vulnerability

 

The CVE-2021-43267 vulnerability is described as a heap overflow in the Transparent Inter-Process Communication (TIPC) module, which ships with Linux kernels to let nodes in a group communicate with each other in a fault-proof way. "While TIPC itself isn’t loaded automatically by the system and has to be enabled by end users, Van Amerongen said the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation 'makes this a dangerous vulnerability' for those that use it in their networks," reports Security Week. 

The flaw can be abused either locally or remotely within a network to gain kernel privileges, which allows a hacker to compromise an entire system. Experts discovered the bug using Microsoft's CodeQL, an open-source semantic code analysis engine that helps identify security flaws. As per the experts, the flaw surfaced in the Linux kernel in September last year, after MSG_CRYPTO (a new message type) was included to let actors distribute cryptographic codes. 

While investigating the code, expert Van Amerongen discovered a “clear-cut kernel heap buffer overflow," along with hints of remote code execution. The vulnerable TIPC module ships with major Linux distributions; however, it must be loaded to enable the protocol before the vulnerability can be triggered. A patch was shipped by the Linux Foundation on October 29, confirming the existing vulnerability, which affects kernel versions between 5.10 and 5.15. 

As per cybersecurity firm Sentinel One, it hasn't found any proof of vulnerability exploits in the wild. “This vulnerability can be exploited both locally and remotely. While local exploitation is easier due to greater control over the objects allocated in the kernel heap, remote exploitation can be achieved thanks to the structures that TIPC supports. As this vulnerability was discovered within a year of its introduction into the codebase, TIPC users should ensure that their Linux kernel version is not between 5.10-rc1 and 5.15,” says cybersecurity expert Van Amerongen.

Latest Microsoft Exchange Server Feature Mitigates High-Risk Bugs

 

One of the prominent targets for hackers is Microsoft Exchange, and the attack vector typically involves a popular vulnerability which the organization hasn't recently patched. A new solution by Microsoft aims at providing urgent protection after several attacks over the last year that used zero-days against on-site versions of Microsoft Exchange servers. 

Microsoft has implemented a new Exchange Server capability that automatically applies interim mitigations for high-risk (and probably regularly exploited) security vulnerabilities, protecting on-site systems against incoming cyberattacks and giving administrators time to deploy security upgrades. 

This update comes following a series of zero-day vulnerabilities detected in Microsoft Exchange, which were used to infiltrate servers by state-supported hacker organizations with no patch or mitigation information accessible for administrators. 

The new Exchange Server component, the Microsoft Exchange Emergency Mitigation (EM) service, builds on EOMT, the mitigation tool launched in March to limit the attack surface exposed by the ProxyLogon vulnerabilities. EM runs on Exchange Mailbox servers as a Windows service. 

After the September 2021 (or later) CU is installed on Exchange Server 2016 or Exchange Server 2019, the service is installed automatically on servers having the Mailbox role. It detects Exchange Servers susceptible to one or more known threats and provides provisional mitigation until security updates can be installed by administrators. 

A mitigation deployed automatically by the EM service is temporary, lasting until the security update that resolves the issue can be installed, and does not supersede Exchange SUs. 

"This new service is not a replacement for installing Exchange Server Security Updates (SUs), but it is the fastest and easiest way to mitigate the highest risks to Internet-connected, on-premises Exchange servers before installing applicable SUs," the Exchange Team explained. 

EM is an EOMT variant built into Exchange Server that uses the cloud-based Office Config Service (OCS) to download available mitigations and defend against high-risk issues. Admins may disable the EM service if they do not want Microsoft to automatically apply mitigations to their Exchange servers. They may also manage applied mitigations via PowerShell cmdlets or scripts that allow mitigations to be viewed, reapplied, blocked, or removed. 

"Our plan is to release mitigations only for the most severe security issues, such as issues that are being actively exploited in the wild," the Exchange Team added. "Because applying mitigations may reduce server functionality, we plan on releasing mitigations only when the highest impact or severity issues are found."

Telegram's Encryption Protocol Detected with Vulnerabilities

 

An international team of computer scientists reported on Friday that its researchers had found four cryptographic vulnerabilities in the popular encrypted chat app Telegram. 

The vulnerabilities, based on the security study, range from technically trivial and easy to exploit to advanced and of theoretical interest. In the end, however, ETH Professor Kenny Paterson, who was a member of the team that exposed the vulnerabilities, showed that the four key aspects could be done better, more securely, and more efficiently using a standard approach to cryptography. 

Telegram is a free, cloud-based, cross-platform, open-source instant messaging app. It also provides end-to-end encrypted video calling, VoIP, file sharing, and various other functions. It was launched in August 2013 for iOS and in October 2013 for Android. 

The most significant vulnerability found by the researchers is one they call "crime pizza": an attacker could easily change the order of messages sent from a client to a Telegram-operated cloud server. 

“For example, if the order of the messages in the sequence ‘I say “yes” to’, ‘pizza’, ‘I say “no” to’, “crime” was altered then it would appear that the client is declaring their willingness to commit a crime,” according to the universities.

Using one of the more theoretical vulnerabilities, an attacker may detect which of two messages was encrypted by the client, although particular circumstances are required to do so. 

Rather than using more common protocols like Transport Layer Security, Telegram uses its own MTProto encryption protocol. Cryptographers have eyed MTProto skeptically in the past, too. The recent investigation is a reminder that while encrypted apps give considerable protection, they are not 100% impervious. 

The flaws in Telegram were reported by cryptographers from ETH Zürich, a public research university in Switzerland, and the Royal Holloway constituent college of the University of London. 

“For most users, the immediate risk is low, but these vulnerabilities highlight that Telegram fell short of the cryptographic guarantees enjoyed by other widely deployed cryptographic protocols,” a university summary states. 

Telegram wrote that it made changes in response to the disclosure “that make the four observations made by the researchers no longer relevant.” 

Further, it said that there were no critical vulnerabilities.

“We welcome any research that helps make our protocol even more secure,” Telegram said. “These particular findings helped further improve the theoretical security of the protocol.”

TsuNAME: New DNS Bug could be used to DDoS Authoritative DNS Servers


Security researchers have found a severe domain name system (DNS) bug that hackers may use to conduct denial-of-service attacks on authoritative DNS servers. The bug, which they refer to as TsuNAME, was discovered by researchers from SIDN Labs and InternetNZ. It can serve as a large reflection-based distributed denial-of-service (DDoS) amplification vector against authoritative DNS servers.

Authoritative DNS servers translate web domains, such as www.google.com, into IP addresses, such as 64.233.160.0. To understand the context of the vulnerability and how it works, one must understand the distinction between an authoritative and a recursive DNS server.

Authoritative DNS servers are usually operated by government and private sector organizations, including Internet Service Providers (ISPs) and global tech giants. Attackers trying to exploit the TsuNAME DNS bug target vulnerable recursive resolvers, causing them to overload authoritative servers with large numbers of malicious DNS queries.

"Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records," the researchers explain in their security advisory. 

"While one resolver is unlikely to overwhelm an authoritative server, the aggregated effect from many looping, vulnerable recursive resolvers may as well do." 

A potential effect of such an attack is that authoritative DNS servers are taken down, which may cause country-wide Internet interruption if a country code top-level domain (ccTLD) is impaired. According to the primary research materials, what makes TsuNAME especially dangerous is that it could be used to perform DDoS attacks on critical DNS infrastructure and services such as large TLDs or ccTLDs, possibly impacting a country's resources.

"We observed 50% traffic increases due to TsuNAME in production in .nz traffic, which was due to a configuration error and not a real attack," the researchers added. 

TsuNAME events also affected an EU-based ccTLD, where incoming DNS traffic rose by a factor of 10 because of only two domains that were misconfigured with a cyclic dependency. An attacker with access to several domains and a botnet can cause even more damage if their domains are misconfigured and open resolvers are probed.

Authoritative server operators can also reduce the impact of TsuNAME attacks by using the open-source CycleHunter tool, which helps avoid such incidents by detecting cyclic dependencies in their DNS zones so that they can be fixed pre-emptively.
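To make "cyclic dependent records" concrete, here is an added example (not CycleHunter's code and not from the researchers) that takes a map of zones to their NS hostnames and reports the zones a resolver could never finish resolving because every nameserver leads back into a loop. The zone data is constructed, and the model assumes that in-zone nameservers have glue and that nameservers outside the data set resolve normally.

```python
def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def enclosing_zone(hostname, zones):
    """Return the closest zone in `zones` that contains hostname, or None."""
    labels = norm(hostname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def cyclic_dependent_zones(delegations):
    """Zones whose every NS hostname depends, directly or not, on a loop.

    A zone counts as resolvable when at least one NS hostname is
    in-bailiwick (assumed to have glue), lies outside the data set
    (assumed resolvable), or lives in a zone already known resolvable.
    Whatever is left after the fixpoint is stuck in a dependency cycle.
    """
    deleg = {norm(z): [norm(n) for n in ns] for z, ns in delegations.items()}
    zones = set(deleg)
    resolvable = set()
    changed = True
    while changed:
        changed = False
        for zone, nameservers in deleg.items():
            if zone in resolvable:
                continue
            for ns in nameservers:
                home = enclosing_zone(ns, zones)
                if home is None or home == zone or home in resolvable:
                    resolvable.add(zone)
                    changed = True
                    break
    return sorted(zones - resolvable)


# Constructed sample delegations under the reserved .example TLD.
SAMPLE = {
    "alpha.example.": ["ns1.beta.example."],    # alpha needs beta ...
    "beta.example.": ["ns1.alpha.example."],    # ... and beta needs alpha
    "gamma.example.": ["ns1.gamma.example.", "ns2.alpha.example."],  # has glue
    "delta.example.": ["ns.hosting.test."],     # external nameserver
    "epsilon.example.": ["ns1.alpha.example."],  # depends only on the loop
}

if __name__ == "__main__":
    for zone in cyclic_dependent_zones(SAMPLE):
        print("cyclic dependency:", zone)
```

Giving either zone in the loop one nameserver that does not depend on the other is enough to clear all three findings.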

40% of all Android Phones Affected by Qualcomm Snapdragon Vulnerability

 

Security researchers have recently reported a grave security flaw in Qualcomm mobile station modems (MSM): a weakness that can be used to insert malicious code on mobile phones by using the Android operating system itself as a point of entry. The affected chips are found in nearly 40% of all smartphones in the world, including high-end phones from Samsung and other OEMs.

Qualcomm MSM is a 2G, 3G, 4G, and 5G-capable system on chip (SoC) used in approximately 40 percent of cell phones by several vendors, such as Samsung, Google, LG, OnePlus, and Xiaomi.

"If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones," as per the Check Point researchers who found the vulnerability tracked as CVE-2020-11292. 

The security vulnerability can also allow attackers to activate the SIM module used to safely store the network authentication information and contact details on mobile devices. 

To exploit CVE-2020-11292 and monitor the modem and remotely patch it from the application processor, attackers have to abuse a stack overflow vulnerability in the Qualcomm MSM Interface (QMI), which the cellular processors use to interface with the software stack.

Malicious apps could then use the loophole to hide their activities behind the modem chip itself, effectively becoming invisible to the Android security features that track malicious behavior.

"Going forward, our research can hopefully open the door for other security researchers to assist Qualcomm and other vendors to create better and more secure chips, helping us foster better online protection and security for everyone." 

Following the study, Qualcomm produced security patches to resolve CVE-2020-11292 and delivered them to all affected vendors two months later, in December 2020. Qualcomm says that providing solutions that support comprehensive safety and privacy is a priority. Qualcomm Technologies provided OEMs with updates in December 2020, and it encourages end users to update their devices when patches are available.

Because Qualcomm sent the CVE-2020-11292 patches to OEMs last year, Android users with newer devices, which often receive security and system updates, ought to be safe against attempts to compromise any up-to-date devices. Unfortunately, those who have not moved to a new smartphone supporting newer Android releases over the last few years might not be so lucky.

To put this in perspective, about 19% of all Android devices run Android Pie 9.0 (launched in August 2018) and over 9% run Android 8.1 Oreo (launched in December 2017), according to StatCounter data.

Last year, Qualcomm fixed more vulnerabilities affecting the Snapdragon Digital Signal Processor (DSP) chip, which allowed attackers to monitor smartphones, spy on their users, and build unremovable malware that can avoid detection.

Qualcomm also fixed KrØØk in July 2020, a security bug that can be used to decrypt certain WPA2-encrypted wireless network packets. In 2019, it fixed yet another bug that enabled access to sensitive data, as well as two flaws in the SoC WLAN firmware that permitted over-the-air compromise of the modem and kernel.

Australian Cyber Security Centre Hit by Cyber Security Attack

 

The Australian Cyber Security Centre has lately been on high alert over the vulnerability. The Australian corporate regulator is the latest high-profile victim of a hacking attack on the same software that was used to target both the New Zealand Reserve Bank and the Allens law firm. On Monday (25th January) evening, the Australian Securities and Investments Commission said it had been hit by a 'cyber safety incident involving a server used by ASIC'.

It all started when the Australian securities regulator reported that a server used to transfer files, including credit license applications, had recently suffered a data security breach in which some information may have been viewed. ASIC (the Australian Securities and Investments Commission) said it became aware of the incident on 15 January, but the credit license forms or attachments did not appear to have been downloaded.

ASIC stated, “This incident is related to Accellion software used by ASIC to transfer files and attachments. It involved unauthorized access to a server which contained documents associated with recent Australian credit license applications.” The regulator also said, “While the investigation is ongoing, it appears that there is some risk that some limited information may have been viewed by the threat actor. At this time ASIC has not seen evidence that any Australian credit license application forms or any attachments were opened or downloaded.”

Accellion's file transfer software is a two-decade-old product, but it was updated last year after the company learned of vulnerabilities in it. The incident involved the file-sharing software provided by California-based Accellion. The same software was also used by the New Zealand Central Bank, which suffered a cyber attack earlier this month.

ASIC added that the server has been disabled and that no other technology infrastructure was abused: “No other ASIC technology infrastructure has been impacted or breached. ASIC is working with Accellion and has notified the relevant agencies as well as impacted parties to respond to and manage the incident.”

“ASIC’s IT team and cybersecurity advisers engaged by ASIC are undertaking a detailed forensic investigation and working to bring systems back online safely,” says the regulator.

Russian expert points out which smartphones are most vulnerable to surveillance

According to Anton Averin, Deputy Director of the Institute of Information Technologies of the Synergy University, almost any smartphone can be tracked if someone wants and needs to, both with standard utilities preinstalled on devices and with the help of specialized programs and other vulnerabilities. The most popular surveillance targets are Android devices.

"According to world statistics for 2020, the share of devices running Android OS is 70-71% and this indicator remains almost unchanged since almost all mobile device manufacturers use this operating system in their smartphones. Android devices are in demand among cybercriminals because of the great demand, as well as the availability of vulnerabilities," noted the expert.

With iOS devices, too, not everything is as good as it may seem. Although Apple positions its products as among the most secure, they also have incidents. For example, there are periodic leaks of user data from the "Cloud".

Mr. Averin added that the more "holes" there are in the software and hardware, the more vulnerable the device is to attackers.

In addition, Yevgeny Chertok, head of the IT Department of the software developer Reksoft, recently described a way to disable surveillance on a smartphone. According to him, deleting a number of applications disables surveillance by those who collect user information by default for advertising purposes. At the same time, the expert stressed that it is not possible to completely exclude the possibility of surveillance by the special services.

The Union Government To Come Up With National Cyber Security Strategy 2020

National Security Adviser Ajit Doval announced that the Union government is set to come up with the National Cyber Security Strategy 2020 to ensure a safe, secure, trusted, and resilient cyberspace.

The proposed strategy aims to unite all cybersecurity agencies to secure, strengthen, and synergize the cybersecurity ecosystem by working closely with businesses, citizens, and beyond.

He said that adversaries were attempting to exploit the crisis in the wake of the pandemic through various misinformation, fake news, and social media campaigns.

"For our adversaries, the huge data floating around in cyberspace is a goldmine for extracting information to undermine the privacy of our citizens and add to the vulnerability of protecting data of our critical information infrastructure," Mr. Doval said.

He said that phishing campaigns utilizing the Coronavirus theme targeted banks, defence, and critical infrastructure during this period. 

Mr. Doval drew attention to how various conspicuous UPI IDs and web portals were created, while fake Arogya Setu applications cropped up to misuse individuals' data, only hours after the Prime Minister announced the launch of the PM Cares fund.

He stated, "Malicious domains and websites to the tune of around 5,000 were registered in a short span of time. We have also witnessed an increase of 500% in cybercrime owing to people’s limited awareness and poor cyber hygiene. Financial frauds have also increased tremendously owing to the increased reliance on digital payment platforms..."

He regretted that the absence of indigenous digital solutions such as information-sharing facilities and social media platforms had adversely affected the country's self-reliance and cybersecurity.

He encouraged new start-ups to come up with solutions matched to the nation's requirements and to build the capacity to ensure that the country's critical cyber assets are monitored by skilled native professionals, in keeping with the Prime Minister's call for Atmanirbhar.

All Windows Versions Hit By A Vulnerability; Attackers Take Full Control Over Computer




Microsoft recently fixed a vulnerability, present in every current Windows version, that allowed an attacker to abuse the Windows Group Policy feature to take full control of a computer. Through the Group Policy feature, administrators can remotely manage all of the Windows devices on a network.

This feature lets administrators create a centralized global configuration policy for their organization that is pushed out to all of the Windows devices on their network. The vulnerability is a serious one because it affects all Windows versions since Windows Server 2008.

These Group Policies allow an administrator to control how a computer can be utilized, like 'disabling settings in apps, prohibiting apps from running, enabling and disabling Windows features, and even deploying the same wallpaper on every Windows computer.'


To apply these new policies correctly, the gpsvc service, or 'Group Policy Client' service, is configured to run with 'SYSTEM' privileges, which gives it the same rights and permissions as the Administrator account.

Microsoft has now fixed 'CVE-2020-1317 | Group Policy Elevation of Privilege Vulnerability', discovered by cybersecurity firm CyberArk, which found that a symlink attack against a file used for Group Policy updates gives access to elevated privileges.

"This vulnerability permits an unprivileged user in a domain environment to perform a file system attack which in turn would allow malicious users to evade anti-malware solutions, bypass security hardening, and could lead to severe damage in an organization network. This vulnerability could impact any Windows machine (2008 or higher), to escalate its privileges in a domain environment," CyberArk states in its report.

When performing a group policy update that applies to all of the devices in an organization, Windows writes the new policies to the computer in a subfolder of the %LocalAppData% folder, to which any user, including a standard user, has permissions.

With full access to a file that is known to be used by a process with SYSTEM privileges, CyberArk found that they could create a symbolic link from the file to an RPC command that executes a DLL.

Because the Group Policy Client service runs with SYSTEM privileges, when it attempts to apply the policies in that file, it will instead execute any DLL the attackers want with SYSTEM privileges.

To trigger this vulnerability, a local attacker could execute the gpupdate.exe program, which performs a manual group policy synchronization; this command would then trigger the policy update and run the attacker's malicious DLL.

According to CyberArk, the full steps to ‘exploit’ this vulnerability are as follows:

  1. List the group policy GUIDs you have in C:\Users\user\AppData\Local\Microsoft\Group Policy\History\ 
  2. If you have multiple GUIDs check which directory was updated recently 
  3. Go inside this directory and into the sub-directory, which is the user SID. 
  4. Look at the latest modified directory; this will vary in your environment. In some cases, it can be the Printers directory. 
  5. Delete the file, Printers.xml, inside the Printers directory. 
  6. Create an NTFS mount point to \RPC Control + an Object Manager symlink with Printers.xml that points on C:\Windows\System32\whatever.dll 
  7. Open your favorite terminal and run gpupdate. 

"There you have it; an arbitrary create on arbitrary locations, you can also delete and modify system protected files by using this exploit. There is a small change in behavior that goes on based on your GPO objects (printers, devices, drives). Alas, all of them end up in EoP," CyberArk explains.

Because this vulnerability affects millions, if not a billion, devices, it is a very serious security flaw that all Windows administrators ought to address as soon as possible.
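A defender-side check for the condition those steps rely on, as an added example (not CyberArk's or Microsoft's code): it walks a Group Policy History tree and reports every entry that is a symlink or NTFS reparse point, on the assumption that cached policy entries are normally ordinary files and directories. The sample tree and its GUID and SID names are constructed; on a real host the root would be the user's %LocalAppData%\Microsoft\Group Policy\History folder.

```python
import os
import stat
import tempfile

# Windows sets this attribute bit on junctions, mount points and symlinks.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_redirected(path):
    """True if path is a symlink (any OS) or a reparse point (Windows)."""
    info = os.lstat(path)  # lstat inspects the entry itself, not its target
    if stat.S_ISLNK(info.st_mode):
        return True
    return bool(getattr(info, "st_file_attributes", 0) & REPARSE_POINT)


def find_redirects(history_root):
    """Return the redirected entries under history_root as relative paths."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(history_root, followlinks=False):
        for name in list(dirnames) + filenames:
            full = os.path.join(dirpath, name)
            if is_redirected(full):
                hits.append(os.path.relpath(full, history_root))
                if name in dirnames:
                    dirnames.remove(name)  # never descend into a redirect
    return sorted(hits)


def demo():
    """Build a constructed History tree with one redirect and scan it."""
    with tempfile.TemporaryDirectory() as base:
        history = os.path.join(base, "History")
        target = os.path.join(base, "elsewhere")
        os.makedirs(target)

        # Ordinary cache entry: a real directory holding a real file.
        clean = os.path.join(history, "{GUID-1-constructed}",
                             "S-1-5-21-constructed", "Printers")
        os.makedirs(clean)
        with open(os.path.join(clean, "Printers.xml"), "w") as handle:
            handle.write("<Printers/>")

        # Redirected entry: the Printers directory is a link to elsewhere.
        # (Creating symlinks on Windows may need elevated rights.)
        parent = os.path.join(history, "{GUID-2-constructed}",
                              "S-1-5-21-constructed")
        os.makedirs(parent)
        os.symlink(target, os.path.join(parent, "Printers"),
                   target_is_directory=True)

        return find_redirects(history)


if __name__ == "__main__":
    for hit in demo():
        print("redirected entry:", hit)
```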


Hackers abuse Sophos Firewall Zero Day Vulnerability


Sophos, a UK cybersecurity company famous for its anti-virus products, released an emergency security update this Saturday to combat a zero-day vulnerability exploited by hackers in its XG enterprise firewall product.


The company became aware of the vulnerability on Wednesday after one of its customers reported "a suspicious field value visible in the management interface," and it released an update containing the patch for the vulnerability.

The Vulnerability: SQL Injection Bug

"The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices," Sophos said.

The hackers attacked Sophos XG Firewall devices whose administration or user portal control panels were exposed on the internet. They used the SQL injection vulnerability in XG Firewall devices to download a payload onto the device that stole data such as usernames and passwords for the firewall device admin, portal admins, and user accounts for remote access, as well as the firewall's license and serial number.

Sophos says that its investigation found no evidence that the hackers accessed anything beyond the firewall, and no evidence that any devices were accessed by the malware. The company named the malware Asnarok.

Patches already pushed to user devices

The company has already pushed the patch in an automatic update to all XG Firewall devices that have the auto-update feature enabled. "This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack," it said. The update also shows a message in the Firewall control panel telling the user whether or not their device was compromised.

For companies whose devices were hacked, Sophos recommends a few steps, mainly focused on resetting passwords and rebooting:


  1.   Reset portal and device administrator accounts.
  2.   Reboot the infected firewall device. 
  3.   Reset all passwords of user accounts.


"Sophos also recommends that companies disable the firewall's administration interfaces on the internet-facing ports if they don't need the feature", writes ZDNet.

Critical Security Vulnerability Patched By VMware


VMware Inc., a publicly traded software company, recently fixed a critical security vulnerability that allowed malicious attackers to access sensitive data.

According to the company, the vulnerability resides in the VMware Directory Service (vmdir), which is part of vCenter Server version 6.7 on Windows and virtual appliances. Tracked as CVE-2020-3952, it is rated critical and has a CVSSv3 score of 10.

Under certain conditions, vmdir does not implement appropriate security controls, which allows attackers with network access to obtain sensitive data.

Using the obtained information, the attacker can compromise vCenter Server or various other services that rely upon vmdir for authentication.

In March, VMware addressed high-severity privilege escalation and DoS vulnerabilities in Workstation, Fusion, VMware Remote Console, and Horizon Client. It has also published KB article 78543 with additional details on whether a vCenter Server 6.7 deployment is affected.

Users running vCenter Server version 6.7 are advised to update to 6.7u3f to fix the aforementioned critical vulnerability.


Here is an example log entry that indicates an affected deployment:

2020-04-06T17:50:41.860526+00:00 info vmdird t@139910871058176: ACL MODE: Legacy

Finally, VMware noted that “Clean installations of vCenter Server 6.7 (embedded or external PSC) are not affected.”