
Hackers can Overcome Air-Gapped Systems to Steal Data


What are air-gapped systems?

An air gap is a safety feature that isolates a computer or network and prevents it from connecting to the outside world. A computer that is physically isolated and air-gapped is unable to communicate wirelessly or physically with other computers or network components.

Data must first be copied on a removable media device, like a USB drive, and then physically transported to the air-gapped system from the computer or network. Only a select group of trusted users should be able to access the air-gapped system in situations where security is of the utmost importance.

New Technique 

Researchers at Ben-Gurion University of the Negev's Department of Software and Information Systems Engineering have developed a novel method for breaching air-gapped systems that takes advantage of the computer's low-frequency electromagnetic radiation.

According to Mordechai Guri, director of research and development at the Cyber Security Research Center at Ben Gurion University, "the attack is very evasive because it executes from a regular user-level process, does not require root capabilities, and is successful even within a Virtual Machine."

The COVID-bit technique makes use of on-device malware to produce electromagnetic radiation in the 0–60 kHz frequency region, which is then transmitted and detected by a covert receiving device in close vicinity.

After SATAn, GAIROSCOPE, and ETHERLED, which are intended to hop across air-gaps and extract private data, COVID-bit is the most recent method developed by Dr. Guri this year.

COVID-bit is one of these covert channels: the malware communicates information by utilizing electromagnetic emissions from a component known as a switched-mode power supply (SMPS) and encoding the binary data using a technique known as frequency-shift keying (FSK).

The research article advises employing antivirus software that can recognize strange CPU patterns in addition to limiting the frequencies that some CPUs can use in order to protect air-gapped computers from this kind of attack.

Twitter's Brussels Staff Sacked by Musk 

After a conflict on how the social network's content should be regulated in the Union, Elon Musk shut down Twitter's entire Brussels headquarters.

Twitter's connection with the European Union, which has some of the most robust regulations controlling the digital world and is frequently at the forefront of global regulation in the sector, may be strained by the closing of the company's Brussels center. 

Platforms like Twitter are required by one guideline to remove anything that is prohibited in any of the EU bloc's member states. For instance, tweets influencing elections or content advocating hate speech would need to be removed in jurisdictions where such communication is prohibited. 

Another obligation is that social media sites like Twitter must demonstrate to the European Commission, the executive arm of the EU, that they are making a sufficient effort to stop the spread of content that is not illegal but may be damaging. Disinformation falls under this category. This summer, businesses will need to demonstrate how they are handling such positions. 

Musk will need to abide by the GDPR, a set of ground-breaking EU data protection laws that mandate Twitter have a data protection officer in the EU. 

The present proposal forbids the use of algorithms that have been demonstrated to be biased against individuals, which may have an influence on Twitter's face-cropping tools, which have been presented to favor youthful, slim women.

Twitter might also be obligated to monitor private conversations for grooming or images of child sexual abuse under the EU's Child Sexual Abuse Materials proposal. In the EU, there is still discussion about them.

In order to comply with the DSA, Twitter will need to put in a lot more effort, such as creating a system that allows users to flag illegal content with ease and hiring enough moderators to examine the content in every EU member state.

Twitter won't have to publish a risk analysis until next summer, but it will have to disclose its user count in February, which initiates the commission oversight process.

Two lawsuits that might hold social media corporations accountable for their algorithms that encourage dangerous or unlawful information are scheduled for hearings before the US Supreme Court. This might fundamentally alter how US businesses regulate content. 

BianLian Ransomware Rising Across Networks

The expansion of command-and-control (C2) infrastructure this month by the developers of the newly discovered cross-platform BianLian ransomware is a sign that the group's operational pace is picking up.

Researchers at Cyble Research Labs claim that BianLian has grown in popularity since it was originally discovered in mid-July and shared details on their analysis of the ransomware in a blog post last week.

It's important to note that the double extortion ransomware family is unrelated to an Android banking virus of the same name that preys on bitcoin and mobile banking apps to steal sensitive data.

With the unique BianLian virus, threat actors have so far targeted a wide range of businesses, including those in media and entertainment, manufacturing, education, healthcare, banking, financial services, and insurance (BFSI), among other industries.

According to Cyble, the media and entertainment industry has suffered the greatest number of BianLian attacks—25% of victims to date—along with 12.5% each in the professional services, manufacturing, healthcare, energy and utilities, and education industries.

Ransomware operation 

The ProxyShell Microsoft Exchange Server vulnerabilities are successfully exploited to get initial access to victim networks and to drop a web shell or a ngrok payload for subsequent actions.

The BianLian actors display dwell times of up to six weeks between the time of initial access and the actual encryption event, a duration that is significantly longer than the median intruder dwell time of 15 days reported in 2021.

The group is known to use a bespoke implant as a backup method for preserving persistent access to the network in addition to utilizing living-off-the-land (LotL) tactics for network profiling and lateral migration.

The main objective of the backdoor is to download arbitrary payloads from a remote server, load them into memory, and then execute them. Similar to Agenda, BianLian can boot servers in Windows safe mode so that it can run its file-encrypting malware while evading detection by the system's security tools.

According to reports, the first C2 server connected to BianLian became live in December 2021. However, since then, the infrastructure has experienced a troubling expansion, surpassing 30 active IP addresses.

BianLian is also another example of cybercriminals' persistent efforts to use hopping techniques to evade detection. It also increases the threat level associated with the use of the fundamental language Go, giving adversaries the ability to quickly modify a single codebase that can subsequently be produced for several platforms.



CISA Updates its Database With 10 New Actively Exploited Vulnerabilities

 

A high-severity security vulnerability impacting industrial automation software from Delta Electronics was among 10 new actively exploited vulnerabilities that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed in its Known Exploited Vulnerabilities (KEV) Database on Friday.

FCEB agencies are required to address the vulnerabilities by the deadline in accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, in order to safeguard their networks from attacks that take advantage of the flaws in the catalog.

Private firms should analyze the Catalog and fix any infrastructure weaknesses, according to experts.

The problem, which has a CVSS score of 7.8, affects DOPSoft 2 versions 2.00.07 and earlier. It is listed as CVE-2021-38406. A successful exploit of the issue could result in the execution of arbitrary code.

Delta Electronics DOPSoft 2's incorrect input validation causes an out-of-bounds write that permits code execution, according to a CISA notice. "Delta Electronics DOPSoft 2 lacks sufficient validation of user-supplied data when parsing specified project files," the alert stated.

Notably, CVE-2021-38406 was first made public as part of an industrial control systems (ICS) advisory that was released in September 2021.

It is crucial to emphasize that the impacted product is no longer being produced and that there are no security updates available to solve the problem. On September 15, 2022, Federal Civilian Executive Branch (FCEB) organizations must abide by the directive.

The nature of the attacks that take advantage of the security issue is not well known, but a recent analysis by Palo Alto Networks Unit 42 identified instances of in-the-wild assaults that took place between February and April 2022.

The development supports the idea that attackers are becoming more adept at using newly reported vulnerabilities as soon as they are made public, which encourages indiscriminate and opportunistic scanning attempts that intend to benefit from postponed patching.

Web shells, crypto miners, botnets, remote access trojans (RATs), initial access brokers (IABs), and ransomware are frequently used in a precise order for the exploitation of these assaults.

CVE-2021-31010 (CVSS score: 7.5), an unpatched hole in Apple's Core Telephony component that could be used to get around sandbox constraints, is another high-severity flaw added to the KEV Catalog. In September 2021, the tech giant corrected the flaw.

The IT giant appears to have quietly updated its advisory on May 25, 2022, to add the vulnerability and clarify that it had actually been utilized in attacks, even though there were no signs that the hole was being exploited at the time.

The iPhone manufacturer said that it was aware of a claim that this flaw might have been extensively exploited at the time of release. Citizen Lab and Google Project Zero were credited with making the finding. 

Another noteworthy aspect of the September update is the patching of CVE-2021-30858 and CVE-2021-30860, both of which were used by NSO Group, the company behind the Pegasus spyware, to circumvent the security measures of the operating systems.

This suggests that CVE-2021-31010 may have been linked to the previously described two issues as part of an attack chain to get past the sandbox and execute arbitrary code.



Atlassian Bitbucket: Vulnerability Spotted Inside Data Center

Bitbucket Server and Data Center users are being alerted by Atlassian about a major security vulnerability that may allow attackers to run arbitrary code on weak systems.

The newly disclosed vulnerability involves command injection, affects several of the product's API endpoints, and is identified as CVE-2022-36804. Given that it has a CVSS severity score of 9.9 out of a possible 10.0, it can be concluded that the vulnerability is critical and needs to be fixed immediately.

According to an advisory from Atlassian, "A hacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request."

Bitbucket is a Git-based code hosting service connected with Jira and a part of the business' DevOps solution. Bitbucket offers both free and paid options and supports an infinite number of private repositories.

All Bitbucket versions issued after 6.10.17 are impacted, thus "all instances that are operating any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," according to Atlassian, which also alleges that the flaw was introduced in version 7.0.0 of Bitbucket.

Atlassian advises disabling public repositories using 'feature.public.access=false' as a temporary solution in situations where the patches cannot be applied immediately to stop unauthorized users from taking advantage of the problem.

It warned that "this can not be regarded a complete mitigation as an attacker with a user account could still succeed," implying that hackers who already have legitimate credentials obtained through other ways could take advantage of it.

It is advised that users of the affected software versions update as soon as possible to the most recent version in order to reduce security risks.

Max Garrett, a security researcher, disclosed CVE-2022-36804 to Atlassian via the company's bug bounty program on Bugcrowd and was rewarded with $6,000 for his discovery.

The teenage researcher tweeted yesterday that he will publish a proof-of-concept (PoC) attack for the problem in 30 days, allowing system administrators plenty of time to implement the now available remedies.

There is no guarantee that the significant RCE weakness won't be actively exploited more frequently before the PoC is released, but it is inevitable. Reverse engineering Atlassian's patch, according to Garrett, shouldn't be too challenging for knowledgeable hackers.

The motivation is there because remote code execution is the most dangerous type of vulnerability, allowing attackers to cause significant harm while evading all security protocols.

As a result, users of Bitbucket Server and Data Center are urged to install any security updates or mitigations as soon as they become available.


Bug Discovered in DrayTek Vigor Routers by Trellix

The widely used series of DrayTek Vigor routers for small businesses have been found to have a significant, pre-authenticated remote code execution (RCE) vulnerability. Researchers caution that if it is exploited, it may enable total device takeover as well as access to a larger network.

The DrayTek Vigor series of business routers has 29 variants that are vulnerable, according to threat detection company Trellix. Although other versions that share the same codebase are also affected, the problem was initially identified in a Vigor 3910 device.

In under 30 days from the time it was discovered, the Taiwan-based maker delivered firmware patches to fix the flaw.

The vulnerability, CVE-2022-32548, could enable a remote, unauthenticated attacker to run arbitrary code and seize total control of a susceptible device. The hacker might get hold of private data, spy on network activity, or use the exploited router to run a botnet. Denial of service (DoS) conditions can result from unsuccessful exploitation efforts.

DrayTek Vigor devices benefited from the "work from home" trend during the pandemic to gain a reputation. Over 700,000 online devices were found in a Shodan search, with the majority being in the UK, Vietnam, Netherlands, and Australia. This is susceptible to attack without user input.

The vulnerability can be exploited without the need for user input or passwords thanks to the default device configuration, which allows for both LAN and internet access.

At least 200,000 of the discovered routers were determined by the researchers to expose the vulnerable service on the internet, making them easily exploitable without user input or any other specific requirements. The attack surface is reduced because many of the remaining 500,000 are considered vulnerable using one-click attacks, but only via LAN.

Although Trellix has not detected any evidence of this vulnerability being exploited in the wild, threat actors frequently employ DrayTek routers as a target for their hacks, therefore it's crucial that customers apply the patch as soon as they can.

There have been no indications of CVE-2022-32548 being exploited, although as CISA recently highlighted, state-sponsored APTs from China and others frequently target SOHO routers.

Zero-day Exploitable Bug in Atlassian Confluence

 

Researchers are alerting the public that an important Atlassian Confluence vulnerability that was published last week is currently being aggressively exploited. 

Researchers claim that Confluence Server 7.18.0 is affected by the significant unauthorized, remote code execution vulnerability CVE-2022-26134, and they believe that both Confluence Server and Data Center versions 7.4.0 are at risk.

Atlassian advises clients to disable access to their servers using one of two methods because there are no updates available:
  • Preventing access to the internet for Confluence Server and Data Center instances.
  • Disabling Confluence Server and Data Center instances.

The hard-coded details were published on Twitter after the real-world exploitation, which prompted the Australian software business to give it the top priority in its patching schedule.

It's important to remember that the flaw only manifests itself when the Questions for Confluence app is turned on. However, since the created account is not automatically deleted after the Questions for Confluence program has been uninstalled, doing so does not fix the problem.

Federal organizations must stop all internet access to Confluence servers by June 3. The Cybersecurity and Infrastructure Security Agency (CISA) has added this zero-day to its 'Known Exploited Vulnerabilities Catalog' and ordered federal entities to comply.

The development also occurs in the wake of Palo Alto Networks' discovery that threat actors begin looking for weak endpoints within 15 minutes following the public announcement of a new security defect in its 2022 Unit 42 Incident Response Report.



SAP Security Patch for July: Six High Priority Notes

The July 2022 patch release from SAP was released in addition to 27 new and updated SAP Security Notes. The most serious of these problems is information disclosure vulnerability CVE-2022-35228 (CVSS score of 8.3) in the BusinessObjects Business Intelligence Platform's central administration console.

Notes for SAP Business One 

Three High Priority notes in the current SAP Security Notes affect SAP Business One, and Onapsis Research Labs advises carefully reviewing all the information:
  • The first note, with a CVSS score of 7.6 (CVE-2022-32249), patches a significant information release vulnerability in integration cases involving SAP B1 and SAP HANA. Highly privileged hackers can take advantage of the vulnerability to access confidential data that could be used to support further exploits.
  • The second note, with a CVSS rating of 7.5 (CVE-2022-28771), resolves a vulnerability with SAP B1's license service API. Because an authentication step is missing, an unauthorized attacker can disrupt the app and make it inaccessible by sending bogus HTTP requests over the network.
  • The third High Priority note has a CVSS score of 7.4 (CVE-2022-31593). It patches an SAP B1 client vulnerability that allowed code injection. An attacker with low privileges can use the vulnerability to manipulate the application's behavior.

On July 20, 2022, SAP announced 17 security notes to fix vulnerabilities of medium severity, the bulk of which affect the NetWeaver Enterprise Portal and Business Objects.

Cross-site scripting (XSS) vulnerabilities in the NetWeaver Enterprise Portal were addressed in six security notes that SAP published, each of which had a CVSS score of 6.1. Medium-severity problems in Business Objects are covered by five more security notes.

The SAP July Patch Day illustrates the value of examining all SAP Security Notes prior to applying patches. 

A SQL Injection bug Hits the Django web Framework

 

A serious vulnerability has been addressed in the most recent versions of the open-source Django web framework. 

Updates decrease the risk of SQL Injection

Developers are advised to update or patch their Django instances as soon as possible now that the Django team has issued versions Django 4.0.6 and Django 3.2.14, which fix a high-severity SQL injection vulnerability.

Malicious actors may exploit the vulnerability, CVE-2022-34265, by passing particular inputs to the Trunc and Extract methods.

The issue, which can be leveraged if untrusted data was used as a kind/lookup name value, is said to be present in the Trunc() and Extract() database functions, according to the researchers. It is feasible to lessen the danger of being exploited by implementing input sanitization for these functions.
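One way to apply the input sanitization described above is to check the kind/lookup name against an allowlist before it reaches Trunc() or Extract(). This is an added example, not code from the Django project or the original post; the helper names, the sample inputs and the `Order` model in the closing comment are hypothetical.

```python
"""Allowlist validation for the date part passed to Django's Trunc()/Extract().

Added example: helper names are hypothetical, and the Django call is shown
only as a comment so the file runs without Django installed.
"""

# Date parts Django documents for Trunc(expression, kind) ...
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day",
    "date", "time", "hour", "minute", "second",
})
# ... and for Extract(expression, lookup_name).
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})


class UnsafeDatePart(ValueError):
    """Raised when a caller-supplied kind/lookup name is not on the allowlist."""


def _canonical(value, allowed, what):
    # Reject non-strings outright (None, lists from repeated query parameters).
    if not isinstance(value, str):
        raise UnsafeDatePart(f"{what} must be a string, got {type(value).__name__}")
    candidate = value.strip().lower()
    if candidate not in allowed:
        # repr() keeps quotes and control characters visible in logs.
        raise UnsafeDatePart(f"{what} {value!r} is not an allowed date part")
    # Return the allowlist spelling, never the caller's original string.
    return candidate


def validate_trunc_kind(value):
    """Return a safe `kind` for Trunc(), or raise UnsafeDatePart."""
    return _canonical(value, TRUNC_KINDS, "Trunc kind")


def validate_extract_lookup(value):
    """Return a safe `lookup_name` for Extract(), or raise UnsafeDatePart."""
    return _canonical(value, EXTRACT_LOOKUPS, "Extract lookup name")


def screen(values, validator):
    """Split untrusted values into (accepted, rejected) for review or logging."""
    accepted, rejected = [], []
    for value in values:
        try:
            accepted.append(validator(value))
        except UnsafeDatePart:
            rejected.append(value)
    return accepted, rejected


# Constructed sample inputs, as they might arrive in a ?granularity= parameter.
SAMPLE_INPUTS = ["month", " Week ", "iso_year", "day' OR 1=1 --", "", None]

if __name__ == "__main__":
    ok, bad = screen(SAMPLE_INPUTS, validate_trunc_kind)
    print("accepted:", ok)
    print("rejected:", bad)
    # In a Django view, only the validated value is handed to the ORM:
    #   kind = validate_trunc_kind(request.GET.get("granularity", "month"))
    #   Order.objects.annotate(period=Trunc("created", kind))
```

The allowlist complements the upgrade to Django 4.0.6 or 3.2.14 and does not replace it.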

Bugfixes 

Django's main branch and the 4.1, 4.0, and 3.2 release branches have all received patches to fix the problem. 

"This security update eliminates the problem, but we've found enhancements to the Database API methods for date extract and truncate that should be added to Django 4.1 before its official release. Django 4.1 releases candidate 1 or newer third-party database backends will be affected by this until they can be updated to the new API. We apologize for the trouble," Django team stated.

Google: 5-year-old Apple Flaw Exploited

 

Google Project Zero researchers have revealed insights into a vulnerability in Apple Safari that has been extensively exploited in the wild. The vulnerability, known as CVE-2022-22620, was first patched in 2013, but experts identified a technique to overcome it in 2016. 

Apple has updated a zero-day vulnerability in the WebKit that affects iOS, iPadOS, macOS, and Safari and could have been extensively exploited in the wild, according to CVE org. 

In February, Apple patched the zero-day vulnerability; it's a use-after-free flaw that may be accessed by processing maliciously generated web content, spoofing credentials, and resulting in arbitrary code execution. "When the issue was first discovered in 2013, the version was patched entirely," Google Project Zero's Maddie Stone stated. "Three years later, amid substantial restructuring efforts, the variant was reintroduced. The vulnerability remained active for another five years before being addressed as an in-the-wild zero-day in January 2022."

While the flaws in the History API bug from 2013 and 2022 are fundamentally the same, the routes to triggering the vulnerability are different. The zero-day issue was then reborn as a "zombie" by further code updates made years later.

An anonymous researcher discovered the flaw, and the corporation fixed it with better memory management. Maddie Stone examined the software's evolution over time, beginning with the code of Apple's fix and the security bulletin's description of the vulnerability, which stated that the flaw is a use-after-free flaw. 

“As an offensive security research team, we can make assumptions about the main issues that current software development teams face: Legacy code, short reviewer turn-around expectations, under-appreciation and under-rewarding of refactoring and security efforts, and a lack of memory safety mitigations” the report stated. 

"In October, 40 files were modified, with 900 additions and 1225 removals. The December commit modified 95 files, resulting in 1336 additions and 1325 removals," Stone highlighted. 

Stone further underlined the need of spending appropriate time to audit code and patches to minimize instances of duplication of fixes and to understand the security implications of the modifications being made, citing that the incident is not unique to Safari.

For Three Years, the Flaws in Wyze Cam Devices Have Gone Unpatched

 

Several vulnerabilities have been uncovered in popular Wyze Cam devices, as per new research from cybersecurity firm Bitdefender. The vulnerabilities have been enabling threat actors unlimited access to video feeds and SD cards stored on local memory cards, and have been unfixed for nearly three years.

Wyze was told by Bitdefender it planned to expose the vulnerabilities in September 2021, and on January 29, 2022, the team released a firmware update to fix the SD card issue. Remote users may acquire the contents of the SD card in the camera via a website operating on port 80 without requiring authentication, as per flaw. 

  • CVE-2019-9564, a remote control execution problem caused by a stack-based buffer overflow provides threat actors complete control of a device, such as the ability to control its mobility, disable recording, turn on or off the camera, and more. 
  • Unauthenticated access to the contents of an SD card all affected Wyze Cam lines.
  • CVE-2019-9564 does not allow users to watch the live audio and video feed, but when paired with CVE-2019-12266, exploitation is "relatively straightforward". 

Once users insert an SD card into the Wyze Cam IoT, the webserver creates a symlink to it in the www directory, which is hosted by the webserver but has no access restrictions. The SD card usually includes video, photos, and audio recordings, but it can also contain other types of data manually saved on it. The device's log files, which include the UID (unique identifying number) and the ENR (AES encryption key), are also stored on the SD card. Such revelation could lead to unrestricted remote access to the device.

Wyze Cam version 1 has been retired and will no longer get security updates, however Wyze Cam Black version 2 and Wyze Cam version 3 have been updated to address the flaws. Wyze published an upgrade for its Cam v2 devices on September 24, 2019, which fixed CVE-2019-9564. By November 9, 2020, Wyze had issued a fix for CVE-2019-12266. Although most Internet-connected devices are used with a "set and forget" mentality, most Wyze Cam owners may still be executing a vulnerable firmware version. 

The security updates are only for Wyze Cam v2 and v3, which were published in February 2018 and October 2020, respectively, and not for Wyze Cam v1, which was released in August 2017. The older model was phased out in 2020, and because Wyze didn't solve the problem till then, such devices will be open to exploitation indefinitely.

If you're using a Wyze device that's still being actively supported, be sure to install any available firmware upgrades, deactivate your IoTs when they're not in use, and create a separate, isolated network just for them.

For Three Years, Leading Messaging Servers were Scammed Using a URL Rendering Method

 

A complex URL rendering method has now been revealed as the source of global phishing attacks on several popular messaging and email systems. WhatsApp, Instagram, iMessage, Facebook Messenger, and Signal were all popular platforms. Over three years, this allegedly allowed some malicious attackers to create realistic-looking phishing texts.

Experts feel the unexpected finding has arrived at precisely the right time. Furthermore, researchers say that by injecting right-to-left override (RTLO) characters, these rendering issues create a vulnerability in the application's interface by displaying wrong URLs.

Unicode Control Characters with these names render all clients more vulnerable to URI spoofing attacks. When an RTLO character is injected into a string, it enables the string to be shown right-to-left instead of left-to-right in a browser or messenger app. The majority of the time, this character is used to display Arabic or Hebrew messages. 

The majority of individuals are prime targets, with the final goal of acquiring access to phishing attempts by spoofing several well-known domains. A handful of these flaws have been awarded a CVE which affects a wide variety of IM program versions. 

  • CVE-2020-20093 — Facebook Messenger 227.0 or earlier on iOS and 228.1.0.10.116 or earlier on Android 
  • CVE-2020-20094 — Instagram version 106.0 or earlier on iOS, and version 107.0.0.11 or earlier on Android
  • CVE-2020-20095 — iOS 14.3 or older with iMessage
  • CVE-2020-20096 — WhatsApp 2.19.80 or earlier (iOS) and 2.19.222 or earlier (Android) 

Signal, thankfully, does not have a CVE because the exact attack method was made evident to them. 
The CVE IDs are ancient as the vulnerabilities were first discovered in August 2019 by a researcher named 'zadewg.'

For example, two independent URLs can be concatenated to look like a single entity even though they are judged to be two different URLs. If a person clicks on the URL on the left, they will be led to one website, whilst clicking on the URL on the right will take them to another.

According to research, the rendering problem does not work as effectively on email platforms such as Outlook.com, ProtonMail, or Gmail. However, many people might predict a series of attacks on other IM or email apps. 

The one-liner PoC is freely available and simple to use, even for those with no technical knowledge or no hacking expertise. In fact, even when more advanced technical principles are involved, there is ample evidence of RTLO-based misuse in the field. 

Several more IM and email programs are likely vulnerable to the same exploit, but only those listed above have been proven as vulnerable. As a result, users of the listed apps should be vigilant when receiving messages with URLs, always click on the left side, and keep an eye out for app security upgrades which may fix the problem.
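On the receiving side, a client or message gateway can look for the RTLO character and the other explicit bidirectional controls inside link-like tokens and show them as visible escapes instead of rendering them. The sketch below is an added example, not code from the original post or from any of the listed apps; the function names and sample messages are constructed.

```python
"""Flag Unicode bidirectional formatting characters inside link-like tokens.

Added example: function names and the sample messages are constructed.
"""
import unicodedata

# Bidi classes of the explicit embedding/override/isolate controls
# (U+202A..U+202E and U+2066..U+2069). "RLO" is the RTLO character, U+202E.
EXPLICIT_BIDI = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def is_bidi_control(ch):
    return unicodedata.bidirectional(ch) in EXPLICIT_BIDI


def bidi_controls(text):
    """Return (offset, 'U+XXXX NAME') for each explicit bidi control in text."""
    return [
        (offset, f"U+{ord(ch):04X} {unicodedata.name(ch)}")
        for offset, ch in enumerate(text)
        if is_bidi_control(ch)
    ]


def escape_controls(text):
    """Make the controls visible instead of letting them reorder the display."""
    return "".join(
        f"<U+{ord(ch):04X}>" if is_bidi_control(ch) else ch for ch in text
    )


def audit_links(message):
    """Report link-like tokens that contain an explicit bidi control.

    Right-to-left prose (Arabic, Hebrew) may legitimately carry these
    characters, so only whitespace-delimited tokens that look like a URL or
    file name (they contain '.' or '/') are reported.
    """
    findings = []
    for token in message.split():
        if "." not in token and "/" not in token:
            continue
        hits = bidi_controls(token)
        if hits:
            findings.append({
                "escaped": escape_controls(token),
                "controls": [name for _, name in hits],
            })
    return findings


# Constructed samples: a link carrying U+202E, and Hebrew text wrapped in an
# embedding (U+202B ... U+202C) followed by a clean link.
SPOOFED = "see https://example.com/a\u202eb now"
HEBREW = "\u202b\u05e9\u05dc\u05d5\u05dd\u202c https://example.com/"

if __name__ == "__main__":
    for sample in (SPOOFED, HEBREW):
        print(escape_controls(sample), "->", audit_links(sample))
```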

Microsoft releases patches for 58 vulnerabilities


On Tuesday, Microsoft released fixes for 58 vulnerabilities for more than ten products for Windows and other software in their last Patch Tuesday for this year.

These include vulnerabilities ranging from critical (nine of them), important (forty-six of the flaws were rated important), and moderate (the remaining three). None of these vulnerabilities or bugs were publicly known or exploited by hackers yet. Both users and administrators should update their systems with these patches as soon as possible.

Some of these patches include:

22 remote code execution holes have been sealed, according to SANS Technology. These fixed execution holes covered two critical vulnerabilities CVE-2020-17118 and CVE-2020-17121 in Microsoft SharePoint, an acute point for exploitation. 

The second vulnerability, Microsoft said could be used for a network-based attack by infiltrating the network by making a site and installing executive codes.

“In a network-based attack, an attacker can gain access to create a site and could execute code remotely within the kernel. The user would need to have privileges", said Microsoft. 

Microsoft released the patch for yet another critical remote code execution (RCE) vulnerability, CVE-2020-17095, scoring an 8.5 out of 10 on the CVSS scale (Common Vulnerability Scoring System). This vulnerability, present in Microsoft's Hyper-V system (which is used to create virtual machine environments), could be used to hack the virtual machines by RCE.

 “An attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data,” commented Microsoft on the Hyper V vulnerability. 

Other fixes and updates were released for products including Windows, multiple versions of the Edge browser, Microsoft Office, Visual Studio, as well as other products and services in Microsoft’s portfolio. This month's updates were still on the lower end as compared to last month's, where the tech giant rolled out a bundle of 112 fixes.