For Three Years, the Flaws in Wyze Cam Devices Have Gone Unpatched

 

Several vulnerabilities have been uncovered in the popular Wyze Cam devices, according to new research from cybersecurity firm Bitdefender. The vulnerabilities give threat actors unrestricted access to video feeds and to the contents of the cameras' local SD cards, and they went unfixed for nearly three years.

Bitdefender told Wyze in September 2021 that it planned to disclose the vulnerabilities, and on January 29, 2022, Wyze released a firmware update to fix the SD card issue. According to the flaw's description, remote users could retrieve the contents of the camera's SD card via a web server listening on port 80 without any authentication.

  • CVE-2019-9564, a remote code execution flaw caused by a stack-based buffer overflow, gives threat actors complete control of a device, including the ability to control its pan/tilt movement, disable recording, turn the camera on or off, and more. 
  • Unauthenticated access to the contents of an SD card affects all Wyze Cam lines.
  • CVE-2019-9564 alone does not allow an attacker to watch the live audio and video feed, but when paired with CVE-2019-12266, exploitation is "relatively straightforward". 

Once a user inserts an SD card into the Wyze Cam, the web server creates a symlink to it in the www directory, which the web server serves without any access restrictions. The SD card usually holds video, photos, and audio recordings, but it can also contain other data manually saved on it. The device's log files, which include the UID (unique identification number) and the ENR (AES encryption key), are also stored on the SD card. Disclosure of those values could lead to unrestricted remote access to the device. 

Wyze Cam version 1 has been retired and will no longer receive security updates; however, Wyze Cam Black version 2 and Wyze Cam version 3 have been updated to address the flaws. Wyze published an update for its Cam v2 devices on September 24, 2019, which fixed CVE-2019-9564, and by November 9, 2020, Wyze had issued a fix for CVE-2019-12266. Because most Internet-connected devices are used with a "set and forget" mentality, most Wyze Cam owners may still be running a vulnerable firmware version. 

The security updates are only for Wyze Cam v2 and v3, released in February 2018 and October 2020 respectively, and not for Wyze Cam v1, which was released in August 2017. The older model was phased out in 2020, and because Wyze did not fix the problem before then, those devices will remain open to exploitation indefinitely. 

If you're using a Wyze device that is still actively supported, be sure to install any available firmware upgrades, power off your IoT devices when they're not in use, and put them on a separate, isolated network of their own.

Hackers Exploit Microsoft Exchange for IcedID Reply-Chain Hijacking Attacks

 

Cybersecurity researchers at Intezer, an Israeli security firm, have identified a new email phishing campaign that employs conversation hijacking to deliver the IcedID info-stealing malware onto compromised devices by making use of vulnerable Microsoft Exchange servers. 

"The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," researchers Joakim Kennedy and Ryan Robinson explained. "A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate." 

The most recent wave of attacks, spotted in mid-March 2022, is believed to have targeted businesses in the energy, healthcare, law, and pharmaceutical sectors. IcedID (also known as BokBot) is a banking trojan that has evolved into an entry point for more sophisticated threats, including human-operated ransomware and the Cobalt Strike adversary simulation tool. 

The banking trojan has the capability of communicating with a remote server and downloading next-stage implants and software that allow malicious actors to perform follow-on activities and move laterally throughout impacted networks to spread additional malware. 

In June 2021, American enterprise security company Proofpoint revealed an evolving strategy within the cybercrime landscape whereby initial access brokers were spotted infiltrating target networks via first-stage malware payloads such as IcedID in order to deploy Egregor, Maze, and REvil ransomware. 

Whereas previous IcedID campaigns used website contact forms to deliver malware-laced links to organizations, the current campaign relies on vulnerable Microsoft Exchange servers to send the lure emails from a hijacked account, indicating a further evolution of the social engineering scheme.

"The payload has also moved away from using Office documents to the use of ISO files with a Windows LNK file and a DLL file," researchers added. "The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user." 

To make the phishing emails seem more legitimate, the victim’s email address is used to send fraudulent replies to an already existing email thread plundered from the compromised individual’s account. 

"The use of conversation hijacking is a powerful social engineering technique that can increase the rate of a successful phishing attempt. By using this approach, the email appears more legitimate and is transported through the normal channels which can also include security products," the researchers concluded.
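A content-based detection rule for the pattern described above, as an added example (not Intezer's or the article's code): it flags a disk-image attachment that arrives as a reply inside an existing thread, since the hijacked sender account itself looks legitimate. The sample message, the example.com/example.net addresses and the .img sibling extension are assumptions.

```python
"""Flag reply-chain phishing that delivers a disk-image attachment.

Added example; not code from Intezer or from the original article. The rule
encodes the two traits described in the section: the lure arrives as a reply
inside an existing thread, and the payload is an ISO (not subject to
Mark-of-the-Web checks) rather than an Office document. The message built by
build_sample() is constructed for this demo."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# .iso is the container named in the report; .img is an assumed sibling format
# that Windows also mounts as a drive letter.
IMAGE_EXTS = (".iso", ".img")


def is_reply(msg):
    """True for a message that threads onto prior mail, by header or subject prefix."""
    subject = (msg["Subject"] or "").strip().lower()
    threaded = bool(msg["In-Reply-To"] or msg["References"])
    return threaded or subject.startswith(("re:", "fw:", "fwd:"))


def attachment_names(msg):
    """File names of all attachment parts, lower-cased for matching."""
    return [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]


def score_message(raw_bytes):
    """Parse one RFC 5322 message and return a verdict with reasons.

    Sender reputation is deliberately not consulted: in this campaign the mail
    comes from a genuine, hijacked account on a vulnerable Exchange server, so
    only the content pattern separates it from the real thread."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    images = [n for n in attachment_names(msg) if n.endswith(IMAGE_EXTS)]
    reply = is_reply(msg)
    reasons = []
    if images:
        reasons.append("disk-image attachment: " + ", ".join(images))
    if images and reply:
        reasons.append("disk image delivered as a reply to an existing thread")
    return {"reply": reply, "images": images, "reasons": reasons,
            "suspicious": bool(images)}


def build_sample(reply, filename):
    """Construct a demo message; body text and attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "partner@example.net"
    msg["Subject"] = ("RE: " if reply else "") + "Q1 invoice"
    if reply:
        msg["In-Reply-To"] = "<original-thread-id@example.net>"
    msg.set_content("Please see the attached file as discussed.")
    msg.add_attachment(b"PLACEHOLDER", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for reply, name in ((True, "invoice.iso"), (False, "invoice.pdf")):
        print(name, score_message(build_sample(reply, name)))
```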

V8 Type Confusion Vulnerability Hits Google Chrome & Microsoft Edge Browser

 

Following the discovery of a V8 vulnerability in Chrome and Edge that has been exploited in the wild, ZDNet recommends that users running Windows, macOS, or Linux update their Chrome builds to version 99.0.4844.84, as an out-of-band security update was recently released by Google to address the issue. 

Concerning the V8 Vulnerability:

There isn't much information available about this recently discovered vulnerability, as Google stated that it will wait for the bulk of users to update their browsers before acting. As per Google, “Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.” 

What is known is that the bug in question has been assigned CVE-2022-1096, which is a zero-day "type confusion in V8" bug and was reported on March 23, 2022, by an "anonymous" researcher. V8 is a JavaScript engine that is completely free and open-source. The Chromium Project created it for Google Chrome and Chromium web browsers. 

Lars Bak came up with the idea for the project. It's worth noting that the first version of Firefox was released in 2008, almost simultaneously with the initial version of Chrome. Because the V8 vulnerability affected Edge as well, Microsoft Office issued a statement on the subject, stating that the issue had been resolved in Edge version 99.0.1150.55. 

Microsoft’s notice reads, “The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.”

For Three Years, Leading Messaging Servers were Scammed Using a URL Rendering Method

 

A URL rendering flaw has now been revealed as the source of phishing attacks on several popular messaging and email systems worldwide; the affected platforms include WhatsApp, Instagram, iMessage, Facebook Messenger, and Signal. Over three years, this allegedly allowed attackers to craft realistic-looking phishing messages. 

Experts feel the unexpected finding has arrived at precisely the right time. Researchers say that by injecting a right-to-left override (RTLO) character, these rendering issues create a vulnerability in the application's interface by displaying incorrect URLs. 

Unicode control characters of this kind make all affected clients vulnerable to URI spoofing attacks. When an RTLO character is injected into a string, it causes the string to be displayed right-to-left instead of left-to-right in a browser or messenger app. This character is normally used to display Arabic or Hebrew text. 

Ordinary users are the prime targets, the end goal being successful phishing by spoofing several well-known domains. Several of these flaws have been assigned a CVE, affecting a wide range of IM app versions. 

  • CVE-2020-20093 — Facebook Messenger 227.0 or earlier on iOS and 228.1.0.10.116 or earlier on Android 
  • CVE-2020-20094 — Instagram 106.0 or earlier on iOS and 107.0.0.11 or earlier on Android 
  • CVE-2020-20095 — iMessage on iOS 14.3 or earlier 
  • CVE-2020-20096 — WhatsApp 2.19.80 or earlier (iOS) and 2.19.222 or earlier (Android) 

Signal does not have a CVE because the exact attack method had already been reported to them. 
The CVE IDs are old because the vulnerabilities were first discovered in August 2019 by a researcher named 'zadewg.' 

For example, two independent URLs can be concatenated so that they look like a single URL while still being treated as two different links: clicking on the left part leads to one website, while clicking on the right part takes the user to another. 

According to the research, the rendering problem does not work as effectively on email platforms such as Outlook.com, ProtonMail, or Gmail. However, many expect a series of attacks on other IM or email apps. 

The one-liner PoC is freely available and simple to use, even for those with no technical or hacking expertise. In fact, even where more advanced technical principles are involved, there is ample evidence of RTLO-based abuse in the wild. 

Several more IM and email programs are likely vulnerable to the same exploit, but only those listed above have been confirmed as vulnerable. As a result, users of the listed apps should be vigilant when receiving messages with URLs, always click on the left side, and keep an eye out for app security upgrades that may fix the problem.
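A detector for the bidi override trick described in this section, as an added example (not the researcher's PoC or the article's code): it locates the formatting characters, makes them visible in logical order, and flags messages that combine them with a URL. The sample messages and the example.com/example.net domains are constructed.

```python
"""Detect Unicode bidirectional override characters in messages that carry URLs.

Added example; not code from the original article or the researcher it cites.
The right-to-left override (U+202E, bidi class RLO) described in the section,
and its sibling embedding/isolate controls, reorder how a string is drawn
without changing the bytes the link actually points to. Sample messages below
are constructed; example.com and example.net are reserved demo domains."""
import re
import unicodedata

# Bidi classes of the explicit formatting characters U+202A..U+202E and
# U+2066..U+2069; unicodedata.bidirectional() returns these class names.
BIDI_FORMAT_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

URL_RE = re.compile(r"https?://\S+")


def find_bidi_controls(text):
    """Return [(index, bidi_class, 'U+XXXX'), ...] for each formatting char."""
    hits = []
    for i, ch in enumerate(text):
        cls = unicodedata.bidirectional(ch)
        if cls in BIDI_FORMAT_CLASSES:
            hits.append((i, cls, f"U+{ord(ch):04X}"))
    return hits


def make_visible(text):
    """Replace each bidi formatting char with a <CLASS> tag so the text is
    shown in logical (storage) order, the order a URL parser actually uses."""
    out = []
    for ch in text:
        cls = unicodedata.bidirectional(ch)
        out.append(f"<{cls}>" if cls in BIDI_FORMAT_CLASSES else ch)
    return "".join(out)


def scan_message(message):
    """Verdict for one chat or mail message.

    A message is suspicious when it contains a URL and any bidi formatting
    character: genuine Arabic or Hebrew text needs no override around a
    Latin-script link, so the combination is rare outside spoofing."""
    controls = find_bidi_controls(message)
    urls = [m.group(0) for m in URL_RE.finditer(message)]
    return {
        "urls": [make_visible(u) for u in urls],
        "controls": controls,
        "suspicious": bool(urls) and bool(controls),
    }


# Constructed samples: the second embeds an RLO so its tail renders reversed.
CLEAN_MESSAGE = "Agenda for tomorrow: https://example.com/agenda"
SPOOFED_MESSAGE = "Sign in here: https://example.com/\u202eten.elpmaxe"

if __name__ == "__main__":
    for msg in (CLEAN_MESSAGE, SPOOFED_MESSAGE):
        print(scan_message(msg))
```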

Muhstik Botnet Targeting Redis Servers by Exploiting Recently Published Bug

 

The Muhstik botnet, infamous for spreading via web application exploits, has been spotted targeting and exploiting a Lua sandbox escape flaw (CVE-2022-0543) in Redis servers after a proof-of-concept exploit was publicly released. 

The Lua sandbox escape flaw was uncovered in the open-source, in-memory, key-value data store in February 2022 and could be exploited to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 on the severity scale. 

"Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host," Ubuntu explained in an advisory released last month. 

The attacks exploiting the new flaw started on March 11, 2022, and lead to the retrieval of a malicious shell script ("russia.sh") from a remote server, which is then used to fetch and execute the botnet binaries from another server, Juniper Threat Labs researchers explained. 

According to Chinese security firm Netlab 360, the Muhstik botnet has been active since March 2018 and is monetized through coin mining and distributed denial-of-service (DDoS) attacks. 

The botnet propagates by exploiting home routers, but researchers have also observed multiple exploit attempts aimed at propagating to Linux servers. The list of compromised routers includes the GPON home router, the DD-WRT router, and the Tomato router. The vulnerabilities exploited by Muhstik over the years are as follows – 

• CVE-2017-10271 (CVSS score: 7.5) – An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware 
• CVE-2018-7600 (CVSS score: 9.8) – Drupal remote code execution vulnerability 
• CVE-2019-2725 (CVSS score: 9.8) – Oracle WebLogic Server remote code execution vulnerability 
• CVE-2021-26084 (CVSS score: 9.8) – An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and 
• CVE-2021-44228 (CVSS score: 10.0) – Apache Log4j remote code execution vulnerability (aka Log4Shell) 

"This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force," Juniper Threat Labs researchers said in a report published last week. In light of active exploitation of the critical security loophole, users are strictly advised to act quickly to patch their Redis services to the latest version.

One arrested in ₹1,200-Crore Crypto Fraud Case, 900 Investors Scammed

 

The Enforcement Directorate announced on Tuesday that it had arrested a suspect in connection with a money-laundering investigation into a Kerala-based businessman who is suspected of scamming more than 900 investors out of Rs 1,200 crore in exchange for bitcoin. 

Abdul Gafoor, one of the most prominent stockists of the 'Morris Coin Cryptocurrency,' was arrested on March 24, according to the source. The next day, he was taken into custody by the Enforcement Directorate (ED) and held until March 31. Mr Gafoor was accused of not cooperating with the investigation and of being extremely evasive in his responses, according to the federal investigation agency. 

The agency stated, "Considering the fact that Abdul Gafoor is one of the directors of Stoxglobal Brokers Pvt. Ltd. and has played an active role in facilitating the placement and layering of proceeds of crime, he has been placed under arrest on March 24." 

The ED case arose from an FIR filed by the Kerala Police (Malappuram crime branch unit) against the case's main accused, businessman Nishad K. The agency alleged Nishad K "cheated several investors by accepting investments, under a Ponzi scheme, through his three Bengaluru based firms-- Long Reach Global, Long Reach Technologies and Morris Trading by offering high returns of dividend such as 3-5 per cent per day." 

According to the police complaint, "more than 900 investors were cheated to the tune of ₹ 1,200 crore." The investigation discovered that "Nishad, the main accused person, had appointed those persons as pin stockists who had invested a minimum of ₹ 10 lakh in Nishad's scheme and Nishad promised them that he would give five per cent as commission on the investment.” 

The ED stated, "They made aggressive enrolment of new members into an illegal money circulation scheme under the garb of multi-level marketing, resorted to the fraudulent practice of investing the money received from the investors in the Morris Coin cryptocurrency plan run by Nishad and others". 

It alleged that this resulted in the viral growth of the scheme network, resulting in significant unjust gain at the cost of investors. It had previously stated that the deposits taken from the general public were illegal and did not require any regulatory approval. It had attached Nishad K's assets worth ₹ 36.72 crore, as well as those of his colleagues, including the Indian Rupee equivalent of cryptocurrencies purchased with proceeds of crime by a close associate, in January.

Cyberattack in New York City, Sensitive Data of 820,000 Students was Exposed

After a digital education platform used by dozens of city schools revealed that hackers had gained access to the confidential information of 820,000 present and former students during a January breach, the mayor of New York City and several education officials expressed strong outrage. 

The incident occurred in January, according to the city's Department of Education, when an internet grading system and attendance system utilized by many public schools was hijacked. 

Hackers might have gotten names, nationalities, birthdays, first languages, and student ID numbers from those platforms, as well as sensitive data including whether children used special education or free lunch programs.

The hack affected both present and former public school pupils dating back to the 2016-17 scholastic year. 

Officials have lambasted the California-based firm behind the system, Illuminate Education, for allegedly misrepresenting its cybersecurity measures. The company hasn't said what, if anything, was done with the information. The Department of Education has asked the NYPD, the FBI, and the state attorney general to examine the incident. 

The national director of K12 Security Information Exchange, Doug Levin, told the New York Daily News, "I can't remember another school system which has had a student data leak of this magnitude originating from one occurrence." 

The DOE said it will work with Illuminate in the coming weeks to send individualized letters to the families of each of the roughly 820,000 kids affected by the hack, detailing what data was exposed. According to school officials, Illuminate will likely fund a credit-monitoring program for affected kids, who may now be vulnerable to identity theft.

Chancellor of the New York City Schools, David Banks, has asked for a probe of Illuminate Education's cybersecurity safeguards, pushing the state's education agency to inquire into it.

Hotel WiFi Across MENA Compromised, Private Information Leaked

 

Etizaz Mohsin, a Pakistani cybersecurity researcher, was in a hotel room in Qatar when he accidentally discovered a technical vulnerability in the hotel's internet infrastructure that exposed the personal information of hundreds of hotels and millions of travellers worldwide. 

Mohsin explained, “I discovered that there is an rsync [file synchronisation tool] service running on the device that allows me to dump the device’s files to my own computer. I was able to gain access to all other hotels’ sensitive information that was being stored on the FTP [file transfer protocol] server for backup purposes.” 

He was able to get network configurations for 629 significant hotels in 40 countries, as well as millions of customers' personal information, such as room numbers, emails, and check-in and check-out dates. Information from major hotel chains in Qatar, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan, and Kuwait, including the Kempinski, Millennium, Sheraton, and St Regis, was included in the research. 

The hotels all use the HSMX Gateway internet technology from AirAngel, a British company. Some of the world's most well-known hotel chains are among its clients. Most hotels, stores, restaurants, and cafés require guests to set up an account and fill in their personal information before they may use the internet. This does, however, have some disadvantages. 

Mohsin added, “A public WiFi network is inherently less secure than the one you use at home. It gives hackers access to critical information like banking credentials and account passwords by allowing them to monitor and intercept data transferred across the network.”

Seven years ago, researchers discovered a flaw in hotel routers that affected 277 devices in hotels and convention centres in the US, Singapore, the United Kingdom, the United Arab Emirates, and 25 other countries.

Chinese Hacker Scarab Targets Ukrainian System, CERT-UA Warns

 

Ukraine’s Computer Emergency Response Team (CERT-UA) released evidence last week regarding a malicious campaign tracked as UAC-0026, which SentinelLabs associated with the China-linked Scarab APT threat actors. 

Scarab APT was first spotted in 2015, but researchers believe it has been active since at least 2012, conducting surgical assaults against multiple nations across the globe, including Russia and the United States. 

Threat actors are targeting the Ukrainian system by distributing malware via phishing messages using weaponized documents that deploy the HeaderTip malware. The phishing texts employ a RAR-archive titled “On the preservation of video recordings of the criminal actions of the army of the Russian Federation.rar” which contains the EXE-file of the same name. The malicious document employed in the campaign spotted by CERT-UA mimics the National Police of Ukraine. 

“Running the executable file will create a lure document ‘# 2163_02_33-2022.pdf’ on the computer (applies to a letter from the National Police of Ukraine), as well as a DLL file with the MZ header ‘officecleaner.dat’ and the BAT file ‘officecleaner.bat’, which will ensure the formation of the correct DLL-file, run it and write to the Windows registry to ensure consistency. The mentioned DLL-file is classified as a malicious program HeaderTip, the main purpose of which is to download and execute other DLL-files.” 

The HeaderTip samples employed by Chinese hackers are 32-bit DLL files written in C++. The malware executes backdoor capabilities and is also used as a first-stage malware. CERT-UA, which did not mention China or Scarab in its alert, added that identical attacks were observed in September last year. According to SentinelOne, it was able to tie UAC-0026 to Scarab through an analysis of the malware employed in the assault. 

“Further relationships can be identified through the reuse of actor-unique infrastructure between the malware families associated with the groups,” SentinelOne explained, adding that there is sufficient evidence depicting that the author of the malware is employing the Windows operating system in a Chinese language setting. 

“Based on known targets since 2020, including those against Ukraine in March 2022, in addition to specific language use, we assess with moderate confidence that Scarab is Chinese speaking and operating under geopolitical intelligence collection purposes,” SentinelOne concluded.

Lapsus$ Attackers Gained Access to a Support Engineer's Laptop, as per Okta

 

According to Okta, a quick inquiry into the posting of screenshots that appeared to depict a data breach discovered they are linked to a "contained" security incident that occurred in January 2022. 

After the LAPSUS$ hacking group shared screenshots on Telegram which it claimed were taken after gaining access to "Okta.com Superuser/Admin and several other systems," Okta, an enterprise identity and access management company, initiated an investigation. 

Lapsus$ is a hacking gang that has risen through the ranks by supposedly breaking into the networks of high-profile companies one by one to collect information and threaten to disclose it online until blackmail payments are made.

Sitel, Okta's third-party provider of customer support services, was hacked by the Lapsus$ data extortion gang. "The Okta Security team was notified on January 20, 2022, that a new factor had been added to a Sitel customer service engineer's Okta account. This factor was a password," Okta explains. "Though this individual attempt was unsuccessful, Okta reset the account and contacted Sitel," says the company, which then hired a top forensic agency to conduct an investigation. 

Okta is a publicly-traded corporation based in San Francisco with thousands of users, including several technology companies. FedEx, Moody's, T-Mobile, JetBlue, and ITV are among the company's top clients. 

"Lapsus$ is infamous for extortion, threatening victims with the publication of sensitive information if demands are not met," said Ekram Ahmed, a Check Point spokesperson. "The gang boasts of infiltrating Nvidia, Samsung, and Ubisoft, among others." The public has never fully understood how the gang was able to penetrate these targets. 

Okta claims it was unaware of the scope of the event in January, believing it to be restricted to a failed account takeover attempt aimed at a Sitel support engineer. Sitel's hiring of a forensics firm to investigate the incident and prepare a report also assured Okta at the time that the situation did not need to be escalated any further.

The stock price of Okta dropped about 20% in less than a week after the company's clumsy announcement of the January hacking event. At first, Okta CEO Todd McKinnon described the event as an "attempt" by malicious attackers to hack a support engineer's account. However, it was eventually discovered the problem had affected 2.5 percent of Okta's clients (366 in total). Sitel's support engineers have restricted access to Jira requests and support systems, but they are not allowed to download, create, or delete client records. 

According to Okta, the screenshots posted by the Lapsus$ group were taken from a compromised Sitel engineer's account with limited access. Regardless, the corporation voiced dissatisfaction with the amount of time it took for the investigation's findings to be released.

Trojanized Apps are Being Employed to Steal Cryptocurrency From iOS and Android Users

 

ESET, an antivirus manufacturer and internet security firm, has unearthed and tracked a sophisticated malicious cryptocurrency campaign that targets mobile devices running Android or iOS (iPhones). 

According to ESET, malware authors are distributing malicious apps via fake websites, mimicking legitimate wallet services such as Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. Subsequently, attackers use ads placed on legitimate websites with misleading articles to promote the fake websites that distribute these malicious wallet apps. 

Additionally, intermediaries have been recruited via Telegram and Facebook groups in an attempt to trick unsuspecting visitors into downloading the malicious apps. The primary motive of the campaign is to steal users' funds. ESET researchers have mainly observed Chinese users being targeted, but with cryptocurrencies becoming more popular, the firm's researchers expect the methods used in the campaign to spread to other markets. 

The campaign, tracked since May 2021, appears to be controlled by a single criminal group. The malicious cryptocurrency wallet apps replicate the functionality of their legitimate counterparts while incorporating malicious code changes that enable the theft of crypto assets. 

"These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers' server using an unsecured HTTP connection," Lukáš Štefanko, senior malware researcher at ESET stated. "This means that victims' funds could be stolen not only by the operator of this scheme but also by a different attacker eavesdropping on the same network." 

The Slovak cybersecurity firm said it also uncovered dozens of groups promoting malicious apps on the Telegram messaging app that were, in turn, shared on at least 56 Facebook groups in hopes of landing new distribution partners for the fraudulent campaign. 

The investigation also uncovered 13 applications that masqueraded as the Jaxx Liberty Wallet on the Google Play store, all of which have since been removed from the Android app marketplace. However, before the takedown in January, these applications were installed more than 1,100 times. "Their goal was simply to tease out the user's recovery seed phrase and send it either to the attackers' server or to a secret Telegram chat group," Štefanko concluded.