Search This Blog

Showing posts with label Vulnerability and Exploits. Show all posts

Apple Launched a Safety Fix for a Zero-day Flaw

 

Apple released an emergency patch for iPhone, Mac, and iPad early last month that addressed two zero-day vulnerabilities in the various operating systems. Now, just days after the launch of iOS 15.5, Apple is asking Mac and Apple Watch owners to upgrade. 

Zero-day vulnerabilities are defects in software that the vendor is ignorant of and has not yet patched. Before a fix is released, this type of vulnerability may have publicly available proof-of-concept hacks or be actively exploited in the wild. Apple stated in security warnings released on Monday that they are aware of reports this security flaw "may have been actively exploited."

CVE-2022-22675 is a bug in AppleAVD, an audio and video extension that allows programs to run arbitrary code with kernel privileges. Apple patched the flaw in macOS Big Sur 11.6., watchOS 8.6, and tvOS 15.5 with enhanced bounds checking after unknown researchers reported it. Apple Watch Series 3 or later, Macs running macOS Big Sur, Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD are all among the affected. 
  • In 2022, Apple had five zero-day vulnerabilities. Apple patched two more zero-day vulnerabilities in January, allowing hackers to execute arbitrary code with kernel privileges (CVE-2022-22587) and track online surfing habits and user identities in real-time (CVE-2022-22594). 
  • Apple also issued security upgrades to address a new zero-day vulnerability (CVE-2022-22620) that was used to compromise iPhones, iPads, and Macs.
  •  Two more actively exploited zero-days in the Intel Graphics Driver (CVE-2022-22674) and the AppleAVD media decoder were discovered in March (CVE-2022-22675). The latter is also backported in older macOS versions, including watchOS 8.6 and tvOS 15.5. 

Apple did not previously disclose specifics about the flaw to prevent hackers from using the knowledge. While, throughout last year, Apple fixed a slew of zero-day vulnerabilities that had been discovered in the wild and targeted iOS, iPadOS, and macOS devices. 

How do I upgrade my Mac? 
  • In the corner of the screen, select the Apple menu, and 'System Preferences' will appear. 
  • Click 'Software Update' in the following menu. 
  • Then select 'Update Now' or 'Upgrade Now' from the menu. 
If you're still using an older version of the operating system, such as Big Sur, click 'Upgrade Now' to upgrade to the most recent version. Monterey is approximately 12GB in size. 

How to manually update your Apple Watch: 
  • Open the Apple Watch app on your iPhone, then tap the 'My Watch' tab. 
  • Select 'Software Update' from the General menu. 
  • Install the update. If your iPhone or Apple Watch passcode is requested, enter it. 
  • On your Apple Watch, wait for the progress wheel to display. The update could take anything from a few minutes to an hour to finish.

Google: Two Major Pixel Vulnerabilities Patched

 

Google has published updates for Android 10, 11, 12, and 12L which include Pixel security patches. The Android Security Bulletin for May offers information about security flaws could affect Android devices. 
 
The Pixel Update Bulletin offers information about security flaws and functional enhancements for concerned Pixel devices. Google Pixel phones are "pure Android" devices. The two bulletins identify significant vulnerabilities as follows : 

  • CVE-2022-20120—Bootloader [Critical] The bootloader has a remote code execution (RCE) flaw. The bootloader on Android is a software program that loads the operating system every time users turn on the phone. It can only load software which has been signed by Google by default. If users unlock the bootloader, though, it will run whatever software you specify. The precise problem hasn't been revealed yet, but based on the scale of access required to exploit it, it may be very serious.
  • CVE-2022-20117— Titan-M[Critical] Titan M has an information disclosure (ID) flaw. Titan M is a security management chip designed specifically for Pixel phones to protect the most sensitive data and os version on the device. Titan M aids the bootloader in ensuring users running the correct Android version. . However, being able to steal data from the portion which is supposed to protect the most sensitive information does not look well. 
  • CVE-2021-35090: Qualcomm[Moderate] Qualcomm chips are the most extensively used in Android smartphones. 9.3 out of 10 for CVSS. Qualcomm has recognized this race condition in Kernel as a Time-of-check Time-of-use (TOC TOU). A potential hypervisor memory corruption owing to a TOC TOU race scenario when changing address mappings was also mentioned. A TOC TOU occurs whenever a resource is tested for a specific value, such as whether or not a file exists, and then the value alters before the asset is utilized, invalidating the check's results. When multiple threads have access to shared data and attempt to update it at the same time, a race condition occurs.
  • CVE-2022-20119 Display/Graphics[High] 
  • CVE-2022-20121 USCCDMService[High] 

The most serious of these issues, according to Google, is a highly secure vulnerability in the Framework component which might lead to local elevation of privilege (EoP) with user execution rights required, although the company does not specify which of the four candidates it is. 

All problems in these bulletins are addressed in security patch versions 2022-05-05 or later for Google and other Android devices. Check and update one Android version to discover how to check a device's security patch level. Experts advise all Android users to update to the most recent version. 

This week, the Pixel 3a and Pixel 3a XL series will acquire its final security updates. When it comes to support, they then reach the End-of-Life (EOL)

Synology Alerts Users of Severe Netatalk Bugs in Multiple Devices

Synology warned its customers that few of its network-attached storage (NAS) appliances are vulnerable to cyberattacks compromising various critical Netatalk vulnerabilities. Various vulnerabilities allow remote hackers to access critical information and may execute arbitrary code through a vulnerable variant of Synology Router Manager and DiskStation Manager (DSM). 

Netatalk is an Apple Filing Protocol (AFP) open-source platform that lets devices running on *NIX/*BSD work as AppleShare file servers (AFP) for Mac OS users for viewing files stored on Synology NAS devices. 

The development team of Netatalk fixed the patches in version 3.1.1, issued in March, following the Pwn2Own hacking competition in 2021. The vulnerabilities were first found and exploited in the competition. The EDG team of the NCC group exploited the vulnerability rated 9.8/10 severity score and tracked as CVE-2022-23121 to deploy remote code execution without verification on a Western Digital PR4100 NAS that runs on My Cloud OS firmware during the Pwn2Own competition. Synology mentioned three vulnerabilities in the latest warning- CVE-2022-23125, CVE-2022-23122, CVE-2022-0194, all three having high severity ratings. 

They are also letting malicious hackers deploy arbitrary codes on unfixed devices. The Netatalk development team released the security patches to resolve the issues in April, even then according to Synology, the releases for some affected devices are still in process. The NAS maker hasn't given any fixed timeline for future updates, according to Synology, it usually releases security patches for any impacted software within 90 days of publishing advisories. "

QNAP said the Netatalk vulnerabilities impact multiple QTS and QuTS hero operating system versions and QuTScloud, the company's cloud-optimized NAS operating system. Like Synology, QNAP has already released patches for one of the affected OS versions, with fixes already available for appliances running QTS 4.5.4.2012 build 20220419 and later," reports Bleeping Computers.

V8 Type Confusion Vulnerability Hits Google Chrome & Microsoft Edge Browser

 

Following the discovery of a V8 vulnerability in Chrome and Edge that has been exploited in the wild, ZDNet recommends that users running Windows, macOS, or Linux update their Chrome builds to version 99.0.4844.84, as an out-of-band security update was recently released by Google to address the issue. 

Concerning the V8 Vulnerability:

There isn't much information available about this recently discovered vulnerability, as Google stated that it will wait for the bulk of users to update their browsers before acting. As per Google, “Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.” 

What is known is that the bug in question has been assigned CVE-2022-1096, which is a zero-day "type confusion in V8" bug and was reported on March 23, 2022, by an "anonymous" researcher. V8 is a JavaScript engine that is completely free and open-source. The Chromium Project created it for Google Chrome and Chromium web browsers. 

Lars Bak is the person who came up with the idea for the project. It's worth noting that the first version of Firefox was released in 2008, almost simultaneously with the initial version of Chrome. Because the V8 vulnerability affected Edge as well, Microsoft Office issued a statement on the subject, stating that the issue had been resolved in Edge version 99.0.1150.55. 

Microsoft’s notice reads, “The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.”

Muhstik Botnet Targeting Redis Servers by Exploiting Recently Published Bug

 

The Muhstik botnet infamous for spreading via web application exploits, has been spotted targeting and exploiting a Lua sandbox escape flaw (CVE-2022-0543) in Redis severs after a proof-of-concept exploit was publicly released. 

Lua sandbox escape flaw was uncovered in the open-source, in-memory, key-value data store in February 2022 and could be exploited to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 on the severity scale. 

"Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host," Ubuntu explained in an advisory released last month. 

The attacks exploiting the new flaw started on March 11, 2022, leading to the retrieval of a malicious shell script ("russia.sh") from a remote server, which is then utilized to fetch and implement the botnet binaries from another server, Juniper Threat Lab researchers explained. 

According to Chinese security firm Netlab 360, the Muhstik botnet is known to be active since March 2018 and is monetized for performing coin mining activities and staging distributed denial-of-service (DDoS) attacks. 

The botnet propagates by exploiting home routers, but researchers noticed multiple attempted exploits for Linux server propagation. The list of compromised routers includes GPON home router, DD-WRT router, and the Tomato router. The vulnerabilities exploited by Muhstik over the years are as follows – 

• CVE-2017-10271 (CVSS score: 7.5) – An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware 
• CVE-2018-7600 (CVSS score: 9.8) – Drupal remote code execution vulnerability 
• CVE-2019-2725 (CVSS score: 9.8) – Oracle WebLogic Server remote code execution vulnerability 
• CVE-2021-26084 (CVSS score: 9.8) – An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and 
• CVE-2021-44228 (CVSS score: 10.0) – Apache Log4j remote code execution vulnerability (aka Log4Shell) 

"This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force," Juniper Threat Labs researchers said in a report published last week. In light of active exploitation of the critical security loophole, users are strictly advised to act quickly to patch their Redis services to the latest version.

Microweber Creators Patched XSS Flaw in CMS Software

 

Microweber, an open-source website builder and content management system, has a stored cross-site scripting (XSS) vulnerability, according to security researchers. 

The security flaw, identified as CVE-2022-0930 by researchers James Yeung and Bozhidar Slaveykov, was patched in Microweber version 1.2.12. The issue developed as a result of flaws in older versions of Microweber's content filtering protections. 

Because of these flaws, attackers could upload an XSS payload as long as it contained a file ending in 'html' — a category that encompasses far more than simply plain.html files. Once this payload is uploaded, a URL with malicious HTML can be viewed and malicious JavaScript performed. 

An attacker could steal cookies before impersonating a victim, potentially the administrator of a compromised system, by controlling a script that runs in the victim's browser. A technical blog article by Yeung and Slaveykov, which includes a proof-of-concept exploit, gives additional detail about the assault. Microweber was asked to comment on the researchers' findings via a message sent through a webform on The Daily Swig's website. Microweber responded by confirming that the "issue is already fixed." 

When asked how they found Microweber as a target, Yeung told The Daily Swig, “I came across huntr.dev and found other researchers had found vulnerabilities on Microweber and that's why I joined that mania!” 

The vulnerabilities discovered in Microweber are similar to those found in other comparable enterprise software packages. The researcher explained, “I have found similar vulnerabilities in multiple CMS like Microweber, and I found that most of them are lacking user input sanitization from HTTP requests (some of which are not intended to be submitted from client).” 

To avoid issues in this area, Yeung determined that developers should gradually shift toward allow-lists and away from utilising block-lists.

Several Dell Systems are Affected by New BIOS Bugs

 

Active exploitation of all of the identified problems cannot be detected by firmware integrity monitoring systems, as per Firmware Insyde Software's InsydeH2O and HP Unified Extensible Firmware Interface (UEFI), which discovered the vulnerabilities. As previously stated, secure remote health attestation systems are unable to detect compromised systems due to technical limitations. 

The high-severity vulnerabilities are identified as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, and CVE-2022-24421 on the CVSS scoring system. 

All of the weaknesses are related to poor input validation vulnerabilities in the firmware's System Management Mode (SMM), permitting a local privileged attacker to execute arbitrary code via the management system interrupt (SMI). System Management Mode in x86 microcontrollers is a special-purpose CPU mode for performing system-wide functions like power efficiency, hardware and system control, temperature monitoring, and other exclusive manufacturer-developed code. 

A non-maskable interrupt (SMI) is activated at runtime whenever one of these tasks is requested, and SMM code installed by the BIOS is executed. The method is ripe for misuse because SMM code runs at the greatest privilege level and is transparent to the underlying operating system, making it ideal for implanting persistent firmware. A variety of Dell products are affected, including the Alienware, Inspiron, Vostro, and Edge Gateway 3000 Series, with the Texas-based PC company advising customers to replace their BIOS as soon as possible. 

"The ongoing identification of these vulnerabilities demonstrates what we call repeatable failures' around input cleanliness or, in general, insecure coding habits," according to Binarly researchers. "These errors are directly related to the codebase's complexity or support for legacy components which receive less security attention but are nevertheless frequently used in the field. In many cases, the same vulnerability can be addressed numerous times, yet the attack surface's complexity still leaves open gaps for malicious exploitation." 

Dell SupportAssist is a program which manages support functions such as troubleshooting and recovery on Windows-based Dell workstations. The BIOSConnect feature can be used to restore a corrupted operating system as well as upgrade firmware. 

The functionality does this by connecting to Dell's cloud infrastructure and pulling required code to a user's device. 

Several QNAP NAS Devices are Vulnerable by Dirty Pipe Linux Bug

 

The "Dirty Pipe" Linux kernel weakness – a high-severity vulnerability that offers root access to unprivileged users with local access in all major distros – affects a majority of QNAP's network-attached storage (NAS) appliances, the Taiwanese company stated. 

The Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x, according to QNAP, is affected by Dirty Pipe, a recently revealed local privilege-escalation vulnerability. A local user with no access can get admin privileges and insert malicious code if this vulnerability is exploited. 

The flaw was identified and reported eight days ago by Max Kellermann of CM4all, a security researcher. The vulnerability, which has been identified as CVE-2022-0847, has been present in the Linux kernel since version 5.8. Fortunately, Linux kernels 5.10.102, 5.15.25, and 5.16.11 have been updated to address the issue. 

However, as Linux news site Linuxiac points out, Dirty Pipe is just not simply a threat to Linux machines: because Android is built on the Linux kernel, any device running version 5.8 or later is vulnerable, putting a large number of people at risk. For example, Linuxiac cited the Google Pixel 6 and Samsung Galaxy S22: the widely used phones run on Linux kernel 5.10.43, making them susceptible.

"QNAP will hopefully deliver a kernel update for the vulnerability soon," Mike Parkin, a highly experienced engineer at Vulcan Cyber. "This is the storage device vendor's second recent incident," Parkin further pointed out in an email.

NAS devices that allow authorized users and customers to store and retrieve data from a single location boost productivity by providing cloud computing capabilities inside networks, according to Schless. Dirty Pipe has been compared to Dirty Cow by some; an older privilege escalation flaw (CVE-2016-5195) which has been in Linux for nine years — since 2007 – before it was publicly exploited in 2016 against web-facing Linux servers.

Dirty Pipe is a lot like Dirty Cow, except it's a lot worse as it's easy to take advantage of. According to Parkin, the vulnerability's mitigating element is whether it requires local access, which reduces the danger marginally. The Dirty Pipe flaw has also been fixed in the newest Linux kernel code. Furthermore, patches for the major distributions are expected to be available soon.

This Linux Flaw in Netfilter Firewall Module Enables Attackers Gain Root Access

 

A local adversary might use a newly reported security vulnerability in the Linux kernel to acquire higher privileges on affected systems and execute arbitrary code, escape containers, or cause a kernel panic. 

Nick Gregory, a senior threat researcher at Sophos, uncovered the flaw. The vulnerability, identified as CVE-2022-25636 (CVSS score: 7.8), affects Linux kernel versions 5.4 through 5.6.10 and is caused by a heap of out-of-bounds written in the kernel's netfilter subcomponent. 

"This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat," Red Hat stated in an advisory published on February 22, 2022. Similar warnings have been released by Debian, Oracle Linux, SUSE, and Ubuntu. 

Netfilter is a Linux kernel framework that allows for packet filtering, network address translation, and port translation, among other networking-related tasks. CVE-2022-25636 is a vulnerability in the framework's handling of the hardware offload function, which might be exploited by a local attacker to cause a denial-of-service (DoS) or execute arbitrary code. 

Gregory said, "Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don't have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails. Additionally, while nftables requires CAP_NET_ADMIN, we can unshare into a new network namespace to get this as a (normally) unprivileged user." 

"This can be turned into kernel [return-oriented programming]/local privilege escalation without too much difficulty, as one of the values that are written out of bounds is conveniently a pointer to a net_device structure," Gregory added.

Multiple Security Bugs Identified in Software Package Managers

 

Cybersecurity researchers at SonarSource have unearthed multiple security bugs in popular package managers including Pip, Yarn, Composer, and others. The vulnerabilities can be exploited to run arbitrary code and access sensitive details, including source code and access tokens, from vulnerable devices. 

However, it is worth noting that the security bugs require threat actors to use one of the vulnerable package managers to handle a malicious package.

"This means that an attack cannot be launched directly against a developer machine from remote and requires that the developer is tricked into loading malformed files," Paul Gerste, a researcher at SonarSource explained. "But can you always know and trust the owners of all packages that you use from the internet or company-internal repositories?" 

Package managers are systems or a collection of tools that automate the installation, upgrade, and deal with the configuration of third-party dependencies required for designing applications. 

Multiple security bugs in various package managers indicate that they could be exploited by malicious actors to trick victims into running malicious code. The vulnerabilities have been discovered in the following package managers –

 • Composer 1.x < 1.10.23 and 2.x < 2.1.9 • Bundler < 2.2.33 • Bower < 1.8.13 • Poetry < 1.1.9 • Yarn < 1.22.13 • pnpm < 6.15.1 • Pip (no fix), and • Pipenv (no fix) 

The most severe flaw is a command injection bug in Composer's browse command that could be exploited to execute arbitrary code by adding a URL to a malicious package that has already been published. If threat actors employ typosquatting or dependency confusion methodologies, it is possible that invoking the browse command for the library may lead to the retrieval of a next-stage payload, which can subsequently be used to launch further cyber assaults, researchers explained.

Following responsible disclosure of vulnerabilities in September last year, patches for the security bugs were fixed in Composer, Bundler, Bower, Poetry, Yarn, and Pnpm were released. However, Composer, Pip, and Pipenv, which are all impacted by the untrusted search path bug, have chosen not to patch the vulnerability. 

"Developers are an attractive target for cybercriminals because they have access to the core intellectual property assets of a company: source code," Gerste concluded. "Compromising them allows attackers to conduct espionage or to embed malicious code into a company's products. This could even be used to pull off supply chain attacks."

Unit 42 Publishes New Techniques to Mitigate Vulnerabilities in GKE Autopilot

 

Last year in June, the Unit 42 threat research team discovered multiple bugs in Google Kubernetes Engine (GKE). The vulnerabilities primarily impacted GKE Autopilot, and the latest offering by Google Cloud for managing Kubernetes clusters.

Earlier this week, Unit 42 researchers published details regarding these vulnerabilities and attack techniques to help organizations understand potential threats in securing Kubernetes and how they can be patched.

Kubernetes also known as K8s, is an open-source system for automating deployment, managing, and scaling of containerized applications. The yearly survey conducted by the Cloud Native Computing Foundation highlighted that the majority of firms (83% percent) run Kubernetes in production.

The shift to the cloud benefited multiple organizations but also attracted threat actors. Researchers at Unit 42 discovered several pieces of malware designed to attack Kubernetes. Therefore, it is vital that organizations, cloud security vendors, and the cybersecurity industry continue to work together to address issues like vulnerabilities and misconfigurations in order to help secure work in the cloud. 

The bugs in GKE Autopilot permitted malicious attackers with a restricted initial foothold to escalate privileges and gain access to an entire cluster. This allowed threat actors to covertly exfiltrate secrets, install malware and cryptominers, or disrupt workloads, while the victim remains unknown of the attacker’s activity.

As the adoption of Kubernetes continues to rise, simple misconfigurations and flaws are becoming less common, forcing attackers to launch more sophisticated assaults. According to Unit 42, even a small bug in Kubernetes can amount to very impactful attacks. Only a comprehensive cloud-native security platform can empower defenders and protect clusters against similar threats. 

How to mitigate the risks? 

Following the discovery of vulnerabilities and attack techniques in Google Kubernetes Engine, Google automatically pushed patches across GKE to Autopilot clusters. No customer action is needed. Researchers encourage Kubernetes administrators to enable policy and audit engines that monitor for, detect and prevent suspicious activity and privilege escalation in their clusters.

Powerful pods are still common in production clusters and are usually installed by the underlying Kubernetes platform or introduced through popular open-source add-ons. Unit 42 researchers recommend using Taints, NodeAffinity, or PodAntiAffinity rules to separate powerful pods from untrusted or publicly exposed ones, ensuring they do not run on the same node. 

Single Packets Launching DDoS Attacks in the Wild

 

Cybersecurity experts from Akamai, Cloudflare, Mitel, Netscour, Lumen Black Lotus Labs, The ShadowServer foundation, Telus, and Team Cymru have revealed a DDoS (denial of service attack) with an intensity ratio crossing 4 billion to one and it can be deployed using a single pocket. Termed as CVE-2022-26143, the vulnerability exists around 2600 incorrect provisional Mitel MiCollab and MiVoice Business Express systems that work as a PBX to internet gateways, going through a test mode that shouldn't be exposed on the internet. 

"The exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1," ShadowServer blog post writes. You should also note that single packet attention initiation has the capability of precluding network operator traceback of the spoofed attack initiator traffic. It helps to hide the origin of the attack infrastructure, which makes it less possible for the origin of the attack to be identified compared to other UDP reflection/amplification DDoS attack vectors. 

A driver in the Mitel system includes a command platform command that executes a stress test of status update packets, thereby theoretically producing 4,294,967,294 packets within 14 hours at a maximum possible prize of 1,184 bytes. ShadowServer further explains "this would yield a sustained flood of just under 393Mbps of attack traffic from a single reflector/amplifier, all resulting from a single spoofed attack initiator packet of only 1,119 bytes in length." The results mean around 2,200,288,816:1 unimaginable amplification ratio. 

It indicates a multiplier of 220 Billion percent, caused by a single packet. Fortunately, the Mitel system only processes one command at a time, this means that if a system is compromised by DDoS attacks, the users may think about why the outbound connection is getting disrupted and not available. According to ZDNet, "the first attacks using the exploit began on February 18, these were reflected mainly onto ports 80 and 443, and targeted ISPs, financial institutions, and logistics companies."

PROPHET SPIDER is Abusing Citrix ShareFile Remote Code Execution Bug to Deploy Webshell

 

Security researchers at CrowdStrike Intelligence have examined an incident in which PROPHET SPIDER abused a remote code execution (RCE) bug affecting Citrix ShareFile Storage Zones Controller to exploit one of Microsoft Internet Information Services (IIS) webservers. Threat actors exploited the flaw to install a web shell that enabled the downloading of additional weapons. 
 
Last year in September, Citrix discovered a relative path-traversal bug in ShareFile Zones Storage Controller, tracked CVE-2021-22941. The vulnerability allows malicious actors to overwrite an existing file on a target server via an upload id parameter passed in an HTTP GET request.  
 
On Jan. 10, 2022, CrowdStrike received HTTP POST request from PROPHET SPIDER on its Falcon® platform customer. Threat actors requested to upload three web requests:  
 
●Targeting upload.aspx 
●Containing encoded strings for ../ and ConfigService\Views\Shared\Error.cshtml in the URL parameters 
●And, contain &bp=123&accountid=123 if the attacker has not customized the payload  
 
The URI endpoint /upload.aspx is used for ShareFile uploads and usually comes with parameters to define upload object specifications, such as uploadid, cid or batched.   
 
Once the webshell is set, it can be accessed by sending an HTTP request to /configservice/Home/Error with one or two URL parameters. ASP.NET will direct these requests to Error.cshtml, which usually contains a simple HTML header saying “Sorry, an error occurred while processing your request.” Due to the exploit, the contents have been replaced with the C# code block and will invoke Process.Start(cmd.arg) using the URL parameter(s) passed in the GET request.  
 
According to cybersecurity researchers, PROPHET SPIDER has been active since at least May 2017, and primarily target victims by exploiting vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. This recent CVE-2021-22941 exploitation demonstrates how PROPHET SPIDER is expanding and refining its tradecraft while continuing to exploit known web-server vulnerabilities.  
 
Last month, BlackBerry Research & Intelligence and Incident Response teams discovered evidence correlating attacks from Prophet Spider with the exploitation of the Log4J bug in VMware Horizon. Additionally, the researchers unearthed mass deployments of cryptocurrency mining software and Cobalt Strike beacons but also identified "an instance of exploitation containing tactics, techniques, and procedures relating to the Prophet Spider IAB."  
 
"When an access broker group takes interest in a vulnerability whose scope is so unknown, it's a good indication that attackers see significant value in its exploitation," Tony Lee, vice president of global services technical operations at BlackBerry explained. "It's likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability, so it's an attack vector against which defenders need to exercise constant vigilance."

 'Dirty Pipe' Kernel Bug Enables Root Patched via Linux Distros

 

Dirty Pipe is a Linux local privilege escalation problem that has been found and publicly released, together with proof-of-concept vulnerability. The 'Dirty Pipe' vulnerability was responsibly disclosed by security researcher Max Kellermann, who indicated it impacts Linux Kernel 5.8 and later versions, as well as Android devices. 

CVE-2022-0847 is a weakness in the Linux kernel which was introduced in version 5.8 and resolved in versions 5.16.11, 5.15.25, and 5.10.102.

Kellerman discovered the flaw while investigating a bug that was causing one of his customer's web server access records to be corrupted. The vulnerability, according to Kellerman, is similar to the Dirty COW vulnerability (CVE-2016-5195), which was addressed in 2016.

A bug in the kernel's pipe handling code allows a user program to rewrite the information of the page cache, which ultimately makes its way into the file system, thanks to a refactoring error. It is identical to Dirty COW, but it is relatively easier to use. 

While using Linux, check for and install security updates from the distro. Wait for Google (and maybe your maker and/or carrier) to send you an update if you're using Android; because it runs a kernel older than 5.8, the current version of Android for the Google Pixel 6 and the Samsung Galaxy S22 is currently in jeopardy. 

Kellerman revealed a proof-of-concept (PoC) vulnerability as part of the Dirty Pipe disclosure which essentially allows users to inject their own content into sensitive read-only files, removing limitations or modifying settings to provide wider access than they would normally have. 

However, security researcher BLASTY disclosed an improved vulnerability today which makes gaining root privileges easier by altering the /usr/bin/su command to dump a root shell at /tmp/sh and then invoking the script. 

Starting on February 20th, 2022, the vulnerability was responsibly revealed to several Linux maintainers, including the Linux kernel security team and the Android Security Team. Despite the fact that the defect has been resolved in Linux kernels 5.16.11, 5.15.25, and 5.10.102, numerous servers continue to use outdated kernels, making the release of this vulnerability a major concern for server admins. 

Furthermore, due to the ease with which these vulnerabilities may be used to acquire root access, it will only be a matter of time before threat actors start exploiting the vulnerability in upcoming attacks. The malware had previously used the comparable Dirty COW vulnerability, which was more difficult to attack.  

This flaw is particularly concerning for web hosting companies that provide Linux shell access, as well as colleges that frequently provide shell access to multi-user Linux systems. It has been a difficult year for Linux, with a slew of high-profile privilege-escalation flaws exposed.

Decade-Old Critical Vulnerabilities Might Affect Infusion Pumps

 

According to scans of over 200,000 infusion pumps located on the networking of healthcare providers and hospitals, increasing numbers of gadgets are vulnerable to six critical-severity issues (9.8 out of 10) reported in 2019 and 2020.

According to Palo Alto Networks experts, 52% of scanned devices are vulnerable to two significant security issues discovered in 2019: CVE-2019-12255 (CVSS score of 9.8) and CVE-2019-12264 (CVSS score of 9.8). (CVSS score of 7.1) In a research report, the business stated over 100,000 infusion pumps were vulnerable to older, medium-severity issues (CVE-2016-9355 and CVE-2016-8375). 

"While some of these vulnerabilities and alerts may be difficult for attackers to exploit unless it is physically present in an organization," the researchers added, "all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in situations where threat actors may be motivated to devote additional resources to attacking a target." 

Wind River, the company which supports VxWorks RTOS, has patched all URGENT/11 concerns since July 19, 2019. However, in the embedded device world, large delays in applying patches or not applying them at all are well-known issues. The last five critical-severity bugs that were discovered in June 2020, affect items made by the American healthcare corporation Baxter International. 

Malicious misuse of software security flaws might put human lives in danger, according to the firm. Infusion pumps are used to give medications and fluids to patients, and the company cautioned how malicious exploitation of software security flaws could put human lives at risk. The majority of the discovered flaws can be used to leak sensitive information and gain unauthorized access. Bugs that lead to the release of sensitive information harm not only infusion pumps, but also other medical devices, and may affect credentials, operational information, and patient-specific data.

Another area of concern is the use of third-party modules which may have security flaws. CVE-2019-12255 and CVE-2019-12264, for example, are significant vulnerabilities in the IPNet TCP/IP stack utilized by the ENEA OS of Alaris Infusion Pumps, according to the researchers. 

"Overall, most of the typical security alerts triggered on infusion systems imply avenues of attack which the device owner should be aware of," the security experts told. "For example, via internet access or default login and password usage."Given some infusion pumps are utilized for up to ten years, healthcare practitioners seeking to protect the security of devices, data, and patient information should consider the following.

How a Simple Vulnerabilty Turned Out to be University Campus 'Master Key'

When Erik Johnson couldn't make his university's mobile student ID app work properly, he found a different way to get the job done. The app seems to be important, as it lets students in the university paying meals, get into events, and lock/unlock dormitory rooms, labs, and other facilities across campus. The app is known as getting Mobile, made by CBORD, it is a tech company that assists hospitals and universities by bringing access control and payment systems. 

However, Johnson, and other students who gave the app "1 star" due to poor performance, said that it was very slow in terms of loading time. It can be improvised. After studying the app's network data while unlocking his dorm room door, Johnson realized a way to mirror the network request and unlock doors via a one-tap shortcut button on the iPhone. To make it work, the shortcut needs to send an accurate location with the door unlock request, or the doors won't open. For security purposes, students have to be in certain proximity for unlocking doors via the app. 

It is done to avoid accidental door openings on the campus. To make it even better, Johnson decided to take his talents elsewhere too. CBORD has a list of API commands that can be used via student credentials. (API allows two things to interact, in our case, it's a mobile app and university servers that store data). Johnson identified a problem, here the API wasn't checking in case of valid student credentials. It meant that anyone could interact with the API and take control of other students' accounts, without having the need for passwords. 

As per Johnson, the API only looked for student ID (unique). Tech Crunch reports "Johnson described the password bug as a “master key” to his university — at least to the doors that are controlled by CBORD. As for needing to be in close proximity to a door to unlock it, Johnson said the bug allowed him to trick the API into thinking he was physically present — simply by sending back the approximate coordinates of the lock itself." As the bug was discovered in the API, it could affect other universities too. Johnson found a way to report the bug to CBORD, and it was resolved after a short time.

Apple Awards Bounty of $100,500 for Finding Flaws in MacBook

In 2021, Apple patched a set of MacOs vulnerabilities exposing the Safari browser to attack and letting threat actors hack users' online accounts, cameras, and mic. Cybersecurity expert Ryan Pickren, who found these vulnerabilities and reported back to company Apple, was given a $100,500 bug bounty, considering the critical scale of the vulnerabilities. These bugs exploit a set of security issues with iCloud sharing and Safari 15. 

It allows the hacker to control multimedia permissions and gain full access to all sites that the user has opened using the Safari browser. It also includes Gmail, iCloud, PayPal, and Facebook accounts. The problem is primarily concerned with ShareBear, it is an iCloud file-sharing platform that prompts users to open a shared document. Pickren noticed that the prompt doesn't ask the user to open a file after a user opened it once. 

Pickren concluded that this can allow a threat actor to play with the file's components if he has access to the files. "ShareBear will then download and update the file on the victim's machine without any user interaction or notification. 

In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment," explains Pickren in his writeup. In simpler terms, a .PNG format image file can have all its content and extension converted into an executable binary ("evil.dmg") once the user has opened the file. 

After this, one can launch the binary, which triggers exploit chain vulnerabilities that influence extra bugs found in Safari to control a system's mic and camera and steal local files stored in the device. It is not the first time Pickren disclosed bugs in iOS and macOS that allows a threat actor to gain access to a system and control its commands. 

The unauthorized access is gained when the victim opens a certain file type. He says "this project was an interesting exploration of how a design flaw in one application can enable a variety of other, unrelated, bugs to become more dangerous."

SureMDM Vulnerabilities Expose Organizations to Supply Chain Attacks

A chain of vulnerabilities in 42Gears' SureMDM device management products could have led to a supply chain disruption via the platform. 42Gears, based in Bangalore, was established in 2009 and offers mobile device management and productivity products for organizations with an extensive mobile workforce. 

The website's list consists of major customers, which include Deloitte, Saab, Lufthansa, Thales, Tesco, Intel, etc. Experts at Immersive Labs found and revealed the first flaws to 42Gears on July 6, 2021. A series of extra bugs disclosure along with 'failed' private security patches. 

It means efficient public security fixes were not issued until November 2021 and January 2022. 
"An authentication method can be turned on by the user, but an oversight in the setup allows Linux and Mac devices to bypass the authentication step. This has been fixed in the latest patch, but it is still not the default setting and requires the user to manually enable it," reports Security Week. Earlier in January, 42Gears told Immersive that they continuously applied additional patches beyond the reports by the experts. 

At this moment, Immersive thought that everything necessary for ensuring principles of trustworthy disclosure was done, and they could publicize their discovery. The identified vulnerabilities include a few that affect the 42Gears web console and also other Linux agents. 

But most critical are the web console vulnerabilities. Chaining these will allow a hacker to shut down security tools and enable malware into macOS, Linux, or Android devices that installed SureMDM. The Linux agent flaws can allow an attacker to execute remote code on the systems, mirroring the root user. 

Hackers can use authentication methods against the users via an oversight in the setup that lets Mac and Linux devices evade the authentication level. Security Week reports, "the SureMDM agent vulnerabilities include command injection on the Linux agent. Users with physical access to a device can use a hidden key sequence to launch SureLock (kiosk software included with SureMDM) as the root user. The attacker can then use command injection to gain local privilege escalation."

Unprotected Access to Windows' Centre: Signed Kernel Drivers

 

ESET researchers investigated the misuse of vulnerable kernel drivers in depth saying "Software" drivers are among the different types of kernel drivers that provide particular, non-hardware-related capabilities such as software debugging and diagnostics, as well as system analysis. These have the potential to greatly increase the attack surface. 

Although it is no longer possible to directly load a malicious, unsigned driver in current versions of Windows, and kernel rootkits are deemed obsolete, there are still ways to load malicious code into the kernel, particularly through manipulating legal, signed drivers. There are many drivers available from a variety of hardware and software suppliers that allow you to completely access the kernel with minimal effort. 

The most common vulnerabilities detected in-kernel drivers:
  • Checks that restrict read and write access to critical model-specific registers are disabled (MSRs). 
  • Exposing the ability to read and write from physical memory in user mode. 
  • The ability to read and write to virtual kernel memory from user mode is now enabled. 

"When malware actors need to run malicious code in the Windows kernel on x64 systems with driver signature enforcement in place, carrying a vulnerable signed kernel driver seems to be a viable option for doing so," says Peter Kálnai, Senior Malware Researcher at ESET and one of the report's co-investigators. 

Bring Your Own Vulnerable Driver, or BYOVD, is a technique that has been observed in the wild by both high-profile APT actors and commodity malware, such as the RobbinHood ransomware, which, as commodity malware, aims to reach as many people as possible. As a result, seeing it use a BYOVD approach is uncommon but significant. 


Mitigation strategies that work :
  • Virtualization-based security is a Windows 10 feature that uses hardware virtualization to place the kernel in a sandbox, safeguarding the operating system with various protections.
  • Drivers in recent Windows systems have a valid signature based on an "acceptable" certificate, which can be revoked. Revocation of a vulnerable driver's certificate would be a simple approach to "disarm" it and render it useless. 
  • When the most notoriously susceptible drivers are detected on a system, Microsoft and numerous third-party security product suppliers, including ESET, use driver blocklisting to detect and eliminate them. 
Vulnerable drivers have been exploited by both game cheaters and malware producers, and while significant progress has been made to reduce the impacts, the fight continues. The people responsible for the problem want to remedy it — the vendors who were contacted were quite proactive during the disclosure process, eager to repair the flaws that were discovered. 

The GootLoader Hackers are After Law Firms and Accounting Firms

 

GootLoader is a piece of initial access malware that allows its operators to install a variety of other malware families, including ransomware, on affected devices. It was first discovered in December 2020. The GootLoader hacking organization has been primarily targeting personnel at law and accounting firms in recent weeks, with the most recent attack occurring on January 6. So far, eSentire claims to have intercepted three such assaults. Potential victims are directed to hacked genuine websites that include hundreds of pages of business-related content, including free document samples for download, but they are instead infected with GootLoader. 

GootLoader is distributed using Drive-By-Download programmes, which are driven by SEO, specifically through Google. The hackers are enticing business professionals to authentic but compromised websites that they have packed with hundreds of pages of content, including multiple connections to business agreements, including legal and financial agreements, in these recent attacks.
 
The content claims to provide free downloads of these documents. eSentire's Threat Response Unit (TRU) discovered that the GootLoader hackers set up over 100,000 malicious webpages marketing various forms of commercial deals during an intensive GootLoader campaign that began last December. 

How are the GootLoader threat actors able to infiltrate reputable websites with hundreds of pages of malicious content? 

Tragically, it is just too simple. Hundreds of legitimate websites employing WordPress as the content management system have been detected by the GootLoader gang. WordPress, like many other content management systems, has several vulnerabilities, which hackers may simply exploit to load websites with as many harmful pages as all without the knowledge of the website owner. These websites, according to the TRU team, encompass a wide spectrum of industries, including hotel, high-end retail, education, healthcare, music, and visual arts. 

"The abundance of content that threat actors have pushed onto the web, when professional looks for a sample business agreement on Google, the hackers' malicious web pages appear in the top Google searches," said Keegan Keplinger, TRU's research and reporting lead. 

Three law businesses and an accounting firm were targeted by the cybersecurity services provider, which said it intercepted and demolished the attacks and the victims' identities have not been revealed. Organizations should implement a vetting process for business agreement samples, train staff to open documents only from reputable sources, and confirm that the content downloaded matches the content intended for download.