Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Zero Day. Show all posts

Empowering Global Cybersecurity: The Future with Dianoea Darwis Honeypot

 

The digital world, vast and interconnected, demands robust cybersecurity measures that can keep pace with rapidly evolving threats. The Dianoea Darwis Honeypot and the initiatives of the Cyber Security and Privacy Foundation are pivotal in shaping this future. This final section explores the broader impact of these efforts and the global call to action for enhanced cybersecurity. 
 
A Global Network in Need of Protection In our digitally interconnected world, a threat to one is a threat to all. The Dianoea Darwis Honeypot isn't just a tool for individual organizations; it's a guardian for the global digital network. Its ability to identify and analyze cyber threats has far-reaching implications, helping to safeguard not just individual systems but entire infrastructures. 
 
The Significance of Collaboration in Cybersecurity 
 
The challenges posed by cyber threats are too vast for any single entity to tackle alone. The Foundation's initiative highlights the importance of collaboration in cybersecurity. By providing tools like the Dianoea Darwis Honeypot and its analysis API, they are fostering a community-oriented approach where shared knowledge leads to stronger defenses for everyone. 
 

Preparing for the Future 

 
As we look towards the future, the role of technologies like the Dianoea Darwis Honeypot becomes increasingly significant. Cybersecurity is an ever-evolving field, and staying ahead requires tools that are not only advanced but also adaptable. The Foundation's ongoing efforts to enhance and update the honeypot ensure that it remains a potent weapon against cyber threats. 
 

Join the Cybersecurity Revolution 

 
The journey to a safer digital world is a collective effort. The Dianoea Darwis Honeypot and the Foundation's free analysis API are open to use, inviting everyone to play a role in this revolution. Whether you're a cybersecurity expert, part of an organization, or an individual with an interest in the field, your involvement can make a difference. 
 

A Unified Stand Against Cyber Threats 

 
The Cyber Security and Privacy Foundation's initiative, highlighted by the Dianoea Darwis Honeypot, is more than just a technological advancement; it's a call to arms in the digital realm. As we embrace these tools and join forces in the fight against cybercrime, we forge a path towards a more secure and resilient digital future for all. 

Written by Founder, Cyber Security And Privacy Foundation

Adopting ChatGPT Securely: Best Practices for Enterprises

As businesses continue to embrace the power of artificial intelligence (AI), chatbots are becoming increasingly popular. One of the most advanced chatbots available today is ChatGPT, a language model developed by OpenAI that uses deep learning to generate human-like responses to text-based queries. While ChatGPT can be a powerful tool for businesses, it is important to adopt it securely to avoid any potential risks to sensitive data.

Here are some tips for enterprises looking to adopt ChatGPT securely:
  • Conduct a risk assessment: Before implementing ChatGPT, it is important to conduct a comprehensive risk assessment to identify any potential vulnerabilities that could be exploited by attackers. This will help organizations to develop a plan to mitigate risks and ensure that their data is protected.
  • Use secure channels: To prevent unauthorized access to ChatGPT, it is important to use secure channels to communicate with the chatbot. This includes using encrypted communication channels and secure APIs.
  • Monitor access: It is important to monitor who has access to ChatGPT and ensure that access is granted only to authorized individuals. This can be done by implementing strong access controls and monitoring access logs.
  • Train employees: Employees should be trained on the proper use of ChatGPT and the potential risks associated with its use. This includes ensuring that employees do not share sensitive data with the chatbot and that they are aware of the potential for social engineering attacks.
  • Implement zero-trust security: Zero-trust security is an approach that assumes that every user and device on a network is a potential threat. This means that access to resources should be granted only on a need-to-know basis and after proper authentication.
By adopting these best practices, enterprises can ensure that ChatGPT is used securely and that their data is protected. However, it is important to note that AI technology is constantly evolving, and businesses must stay up-to-date with the latest security trends to stay ahead of potential threats.

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three recently disclosed security flaws to its list of Known Exploited Vulnerabilities (KEV ) Catalog, including critical vulnerability in Atlassian’s Bitbucket Server and Data Center, and two Microsoft Exchange zero-days.

At the end of August, Atlassian rectified a security flaw, tracked as CVE-2002-36804 (CVSS score 9.9) in Bitbucket Server and Data Center. The flaw is a critical severity and is related to a command injection vulnerability that enables malicious actors access to arbitrary code execution, by exploiting the flaw through malicious HTTP requests.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassain states in an advisory released in late August.

Although CISA did not provide further details on how the security flaw is being exploited or how widespread the exploitation efforts are, researchers at GreyNoise, on September 20 and 23 confirms to have detected evidence of in-the-wild abuse.

The other two KEV flaws, Microsoft Exchange zero-days (tracked as CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks according to Microsoft.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

The Federal Civilian Executive Branch Agencies (FCEB) have applied patches or mitigation measures for these three security vulnerabilities after being added to CISA’s KEV catalog as required by the binding operational directive (BOD 22-01) from November.

Since the directive was issued last year, CISA has added more than 800 security vulnerabilities to its KEV catalog, while requiring federal agencies to direct them on a tighter schedule.

Although BOD 22-01 only applies to U.S. FCEB agencies, CISA has suggested to all the private and public sector organizations worldwide to put forward these security flaws, as applying mitigation measures will assist in containing potential attacks and breach attempts. In the same regard, CISA furthermore stated, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise”

Microsoft Accepts Breach of Two Zero Day Vulnerabilties

Exchange Server Vulnerabilities

Microsoft accepted that it knows about the two Exchange Server zero-day vulnerabilities that have been compromised in targeted cyberattacks. GSTC, a cybersecurity agency from Vietnam, reports finding attacks comprising two latest Microsoft Exchange zero-day vulnerabilities. It thinks that the attacks, which first surfaced in August and aimed at crucial infrastructure, were orchestrated by Chinese threat actors. 

Technical details about the vulnerabilities have not been disclosed publicly yet, however, GSTC says that the attacker's exploitation activities following the attack include the installation of backdoors, deployment of Malware, and lateral movement. 

Details about zero-day vulnerabilities

Microsoft was informed about vulnerabilities through the Zero Day Initiative (ZDI), by Trend Micro. Microsoft posted a blog telling its customers that the company is looking into two reported zero-day vulnerabilities. As per Microsoft, one flaw is a server-side request forgery (SSRF) issue, identified as CVE-2022-41040 and the second flaw is an RCE (remote code execution) flaw identified as CVE-2022-41082. The security loopholes seem to affect Exchange Server 2013, 2016, and 2019. 

According to Microsoft, it is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities. 

Microsoft fixing the issue

Microsoft is currently working on an accelerated timeline to fix the vulnerabilities. For the time being, it has given detailed guidelines to protect against the vulnerability. It believes that its products should identify post-exploitation malware and any malicious activities related to it. Microsoft Online Exchange users don't have to do anything. 

"Security researcher Kevin Beaumont has named the vulnerabilities ProxyNotShell due to similarities with the old ProxyShell flaw, which has been exploited in the wild for more than a year. In fact, before Microsoft confirmed the zero-days, Beaumont believed it might just be a new and more effective variant of the ProxyShell exploit, rather than an actual new vulnerability," reports Security Week.

Project Zero- Exploited Flaws in H1 2022 Variants of Previous Flaws

Project Zero

Google Project Zero says that in H1 2022, around half of the Zero-day vulnerabilities exploited in attacks were linked to old flaws not appropriately patched. Maddie Stone, a researcher in Google Project Zero posted a blog post continuing part of her speech at the First conference held in June 2022, her presentation is called "0-day In The Wild Exploitation in 2022...so far." 

Stone disclosed that 9 out of 18 zero-day vulnerabilities identified and revealed as exploited in-the-wild in 2022 are variants of earlier patched vulnerabilities. 

"As of June 15, 2022, 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nine of the 0-days are variants of previously patched vulnerabilities. At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests.” said Stone in her blog. “On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months after the original in-the-wild 0-day patched, attackers came back with a variant of the original bug.” It suggests that the attacks in most incidents weren't sophisticated and the players that exploited the flaws returned and triggered the known vulnerability via a different technique. 

For instance, the Follina Windows vulnerability found recently, known as CVE-2022-30190, is another variant for CVE-2021-40444. 

"When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take action to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, and they must develop a brand new exploitation method.” writes Stone. "To do that effectively, we need correct and comprehensive fixes." 

To deal properly with Zero-day vulnerabilities, Google experts suggest platform security teams and other freelance security experts invest in root cause analysis, patch analysis, variant analysis, and exploit technique analysis. 

University of California Researchers Develop a Technique to Discover Inconsistencies in Smart Contracts


Researchers from the University of California, Santa Barbara, presented a "scalable technique" to check smart contracts and minimize state-inconsistency bugs, finding forty-seven zero-day vulnerabilities on the Ethereum blockchain during the process. Smart contracts are programs stored on the blockchain that are executed automatically when default conditions are met, depending on the encoded terms of the agreement. 

These programs let authorized transactions agreements be used by unknown parties without having the need of a central authority. In simple terms, the code is in itself a final party of the trade it is presenting, the program controls all the execution aspects, also provides an immutable evidentiary audit chain of transactions, both irreversible and trackable. As per the paper and researchers, "since smart contracts are not easily upgradable, auditing the contract's source pre-deployment, and deploying a bug-free contract is even more important than in the case of traditional software."

About Sailfish 

It aims to find inconsistencies in smart contracts, that allows an attacker to meddle with execution order or transactions, affecting control flow in a single transaction, for instance, reentrancy. Sailfish is a tool that converts a contract into a dependency graph, capturing control and data flow relations between state-changing instructions and storage variables of a smart contract. The tool helps to find potential inconsistencies. The researchers analyzed Sailfish on 89,853 contracts retrieved from Etherscan. 

Finding forty-seven zero-day vulnerabilities that can be exploited to extract Ether and might also comprise application-specific metadata. This will include vulnerable contracts implementing a house tracker that may be exploited so that house owners can do multiple active listings. "This is not the first time problematic smart contracts have attracted attention from academia. In September 2020, Chinese researchers designed a framework for categorizing known weaknesses in smart contracts with the goal of providing a detection criterion for each of the bugs," reports the hacker news.

Remotely Exploitable Zero-Day Vulnerability In MacOS Allows Code Execution

 

A zero-day security flaw in the macOS Finder system in Apple might enable remote attackers to deceive users to perform unauthorized commands, however, a silent patch didn't resolve that, states researchers. 

The macOS Finder is the standard file manager and the GUI front-end used in all Macintosh operating systems. This is the first item users see when booting, and it regulates the activation of additional programs and overall user management of file, disc, and network volume. In other terms, it is the master program for all the other things on the Mac. 

This time the flaw resides in the handling of the macOS Finder, as per an SSD Secure Disclosure Notice.Inetloc files. Inettloc files may be used to open files remotely in a browser on someone's Mac by utilizing the "file:/" format (instead of http://) as shortcodes to the Internet destination (such as an RSS feed or a telnet site). The last function, experts argued, is at stake with day zero. 

Independent Park Minchan security researcher revealed the SSD vulnerability, stating that the problem affects the macOS Big Sur version as well as all the previous ones. In reply, Apple decided not to declare a CVE and repaired the matter discreetly instead. But, experts claimed, the patch was bungled. 

The .Inetloc files can also be particularly developed with contained instructions for the exploitation scenario for the flaw. The manufactured data may then be linked, researchers noted, too (or connected to) hostile e-mails. If people are socially engineered to click these, the instructions inside them immediately run in stump mode without the warning or consent of the victims. 

“A vulnerability in the way macOS processes. Inetloc files cause it to run commands embedded inside, the commands it runs can be local to the macOS allowing the execution of arbitrary commands by the user without any warning/prompts,” according to the advisory. 

New macOS (like Big Sur) versions reportedly banned the file:/ prefix… They stated that they did the case matching causing File:/ or fIle:/ to circumvent the inspection. 

“We…have not received any response from them since the report has been made,” according to the advisory. “As far as we know, at the moment, the vulnerability has not been patched.” 

Whether it is used in the wild or not, no information is out there. Meanwhile, Apple did not respond to the comment request.

Solid Edge: Solid Modeling Software Affected by Vulnerabilities

 

Siemens published a consumer notice on Tuesday 25th of May concerning several serious vulnerabilities impacting its Solid Edge product. The faults are generated using the software of the fourth party, which many other organizations often use. 

“The Solid Edge installation package includes a specific version of the third-party product KeyShot from Luxion, which may not contain the latest security fixes provided by Luxion. Siemens recommends updating KeyShot according to the information in the Luxion Security Advisory LSA-394129,” read the advisory released by Siemens. 

Security researcher Andrea Micalizzi, who has detected numerous flaws in industrial systems in recent years, also discovered the problems in Siemens Solid Edge last year. The vulnerability problems have been reported by the Zero Day Initiative (ZDI) of Trend Micro and the US Cybersecurity and Infrastructure Security Agency (CISA). 

Solid Edge is a software for solid modeling in 3D CAD, parametric and synchronous technology. It operates on Microsoft Windows and offers mechanical engineers solid modeling, assembly modeling, and 2D orthographic viewing functions. 

Micalizzi found that five vulnerabilities harm the product, comprising four serious memory corruption flaws which allow remote code implementation and one medium-sized XXE problem that could provide for the exposure of information. The vulnerabilities can indeed be triggered through the processing of malicious CATPart, 3DXML, STP, PRT, or JT files by the potential customer. 

A vulnerability-focused study indicated that they were developed by the use of KeyShot, a 3D rendering and animation solution produced by Luxion. More studies indicated that Datakit CrossCad / Ware, a library that KeyShot uses to import different CAD (computer-aided design) files, actually introduces the problems. 

CrossCAD /Ware has been used by a wide variety of different products, even though only Siemens, KeyShot, and CISA have published warnings for the issues. 

On 12 May, ZDI also published advisories with a "0day" status on each of the vulnerabilities because they were reportedly not patched. 

The Zero Day notice read as “This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Solid Edge Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. A specific flaw exists within the parsing of JT files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process.” 

Datakit nevertheless reported that they had resolved the issues in April with version 2021.2 of CrossCAD/Ware. The company has encouraged providers of software to upgrade to version 2021.2 – previous versions are still impacted. The company also proposed to avoid untrusted files from unverified senders to users of impacted applications. 

Luxion published KeyShot 10.2, which contains the patched version of the Datakit library, and Siemens has urged users in Solid Edge to upgrade KeyShot according to the security advisory instructions given by Luxion.

Zoom Zero-Day Allowed Remote Code Execution, Patch Issued


Video and audio conferencing software, Zoom patched a zero-day vulnerability that was affecting users running old versions of Windows: Windows 7, Windows Server 2008 R2 and earlier. The flaw was detected on Thursday and later published in a blog post by security research organization ACROS Security.

The vulnerability that was previously unknown, allowed a remote attacker to execute arbitrary code on targeted user’s system on which one of the supported versions of Zoom Client for Windows is installed; in order to set the attack into motion, the attacker manipulates the victim into carrying out some typical action (Opening a received doc. file) and reportedly, there is no security warning displayed to the user as the attack takes place.


After disclosing the zero-day vulnerability to Zoom, ACROS released a micropatch for its 0patch client in order to safeguard its own clients against attack till the time Zoom came out with an official patch. In the wake of various security flaws, the company halted the production of new features for a while so that the major privacy-related concerns that are threatening user security can be treated with much-needed attention. However, this ‘feature freeze’ period ended very recently i.e., on July 1, last week itself, and the zero-day was detected a few days later.


In conversation with Threatpost, 0patch’s co-founder, Mitja Kolsek said, “Exploitation requires some social engineering – which is practically always the case with user-side remote code execution vulnerabilities,”


“While a massive attack is extremely unlikely, a targeted one is conceivable." “Zoom Client features a fairly persistent auto-update functionality that is likely to keep home users updated unless they really don’t want to be,” he wrote.


“However, enterprise admins often like to keep control of updates and may stay a couple of versions behind, especially if no security bugs were fixed in the latest versions.”


“Zoom takes all reports of potential security vulnerabilities seriously. This morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it,” said Zoom, while addressing the issue initially.


A few days later, on July 10, a fix was released by the company and the officials said, "Zoom addressed this issue, which impacts users running Windows 7 and older, in the 5.1.3 client release on July 10. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.”

Kaspersky Lab found a serious vulnerability in Windows

A team of specialists from Kaspersky Lab, an anti-virus company headquartered in Russia, discovered a 0-day vulnerability in Windows systems. Cybercriminals were actively exploiting this security problem in real targeted attacks.

According to Kaspersky Lab experts, they found a previously unknown vulnerability in Windows that was allegedly used to carry out targeted attacks by at least two cyber groups — FruityArmor and the recently discovered SandCat.

Using this vulnerability, an attacker could infiltrate the victim's network or device by attacking Windows 8 and 10. As a result of a successful attack, the cybercriminal got full control over the vulnerable system.

Kaspersky lab promptly notified Microsoft of the problem, which allowed the developers to release a patch that is already available to users.

"The discovery of this exploit shows that such expensive and rare tools are still of great interest to hacker groups. Organizations need to find solutions that can protect against such threats," says Anton Ivanov, Kaspersky Lab anti-virus expert.

Zero-day vulnerability in Internet Explorer discovered

According to security researchers at Chinese web giant Quihoo 360, hackers are using a zero-day vulnerability in Internet Explorer kernel code to infect Windows computers with malware.

The researchers say that an advanced persistent threat (APT) group is using the vulnerability to infect victims on a global scale by sending malicious Office documents to selected targets.


These documents are loaded with what they call a "double-kill" vulnerability, which affects the latest versions of Internet Explorer and any other applications that use IE kernel. When victims open the office document, the bug launches a malicious webpage in the background to deliver malware from a remote server.

"After the target opens the document, all exploit code and malicious payloads are loaded from a remote server," the researchers wrote in a blog post on the Chinese platform Weibo.

The researchers said that the attack involves the use of a public User Account Control (UAC) bypass, reflective DLL loading, fileless execution, and steganography; they also provided a diagram that roughly outlines the attack, with Chinese annotations.


The company says that it has reported the vulnerability to Microsoft and will be giving them appropriate time to find a patch before it reveals more details about the bug.

Microsoft has neither confirmed nor denied the attacks, but has given the following statement:

Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.

New 0-day IE exploit discovered and Metasploit module is available


A Security researcher has come across a new zero-day IE exploit while analyzing a malware page that was being used to exploit Java vulnerabilities. According to Metasploit team, the Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7 are vulnerable to this attack.

Eric Romang has discovered a “/public/help” folder on one of the infected servers . He found one flash file(.swf) , two html page (protect.html,exploit.html) and exe file.


When he opened the exploit.html page, it loads the flash file ,which in turn loads the other HTML page( protect.html). Together, they help drop the executable on to the victim's computer.

Image Credits: Alientvault

Metasploit team immediately developed Metasploit module for this exploit.This module exploits a vulnerability found in Microsoft Internet Explorer. When  rendering an HTML page, the CMshtmlEd object gets deleted in an unexpectedly matter, but the same memory is reused again later in a CMshtmlEd::Exec() function, which causes an use-after-free condition.

According to Metasploit researchers, the exploit, which had already been used by malicious attackers in the wild before it was published in Metasploit, is affecting about 41% of Internet users in North America and 32% world-wide.

Since Microsoft has not released a patch for this vulnerability yet,we advice IE users to switch to other browser until a security update becomes available.

Zero-day vulnerability found in hotmail and Microsoft patched it


A critical vulnerability affecting Microsoft's Hotmail has been identified simultaneously by Vulnerability-Lab researchers and Saudi Arabia hackers, that allows a hacker to reset the Hotmail/MSN password. Fortunately,Microsoft patched the vulnerability.

"Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based). The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example bypass the token protection with values '+++)-'." explained by vulnerability-lab researchers.

"Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module."

According to the WhiteC0de, the details of the hack got leaked on an underground forum where the hacking service was advertised for $20 (15 EUR) per hacked Hotmail/Live account.

Zero-day Vulnerability in Windows Kernel exploited by Duqu worm


Zero-Day Vulnerability found in Windows Kernel by Researchers at the Cryptography and System Security (CrySyS) Lab, as the result of Analyzing the Duqu malware.  CrySys immediately reported to the Microsoft about the vulnerability.

CrySys discovered the Duqu Binaries and confirmed that it is nearly identical to Stuxnet.Thus far, no-one had been able to find the installer for the threat and therefore no-one had any idea how Duqu was initially infecting systems.

As the result of Research, CrySys found the installer as Microsoft word document file(.doc) that use a previously unknown kernel vulnerability.  When the .doc file is opened, the Duqu infects the system.

W32.Duqu is a worm that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer.

Duqu Infection:

"The Word document was crafted in such a way as to definitively target the intended receiving organization. Furthermore, the shell-code ensured that Duqu would only be installed during an eight-day window in August. Please note that this installer is the only installer to have been recovered at the time of writing—the attackers may have used other methods of infection in different organizations.", Symantec Report.

Once the system infected by Duqu, the attacker can control the system and infects other organization through the Social Engineering.  In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares.

Even though the system didn't have the ability to connect to the Internet , the Malware  configured such that to communicate with C&C Server using other infected system that has Internet connection.

Consequently, Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.

Several Countries become the victim of this Duqu malware.  According to Symantec report, there are 8 countries infected by this malware.

As the result of Analysis, the researcher discovered that malware contacts a server hosted in India.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process," Jerry Bryant, group manager of response communications in Microsoft's Trustworthy Computing group said in a statement

updated whitepaper (version 1.3) from Symantec .