Password Management Breached: Critical Vulnerabilities Expose Millions

Password managers are the unsung heroes of enterprise security. They protect our digital identities, keeping sensitive information such as passwords, personal details and financial data out of reach of threat actors.

Several critical vulnerabilities have recently been disclosed in Vaultwarden, a popular open-source, unofficial implementation of the Bitwarden server API. The bugs can allow attackers to gain unauthorized access to the admin panel, run arbitrary code on the server, and escalate privileges within organizations hosted on the platform.

Admin Panel Access via CSRF: CVE Pending (CVSS 7.1)

This flaw lets an attacker reach the Vaultwarden admin panel through a Cross-Site Request Forgery (CSRF) attack: by luring a legitimate user to a malicious web page, the attacker can make the victim's browser send forged requests that change admin-panel settings. The attack only works when the DISABLE_ADMIN_TOKEN option is enabled, because with a token configured the admin authentication cookie is not sent on cross-site requests and the forged request arrives unauthenticated.

Remote Code Execution in Admin Panel: CVE-2025-24364 (CVSS 7.2)

A more severe flaw allows an attacker who has gained access to the admin panel (for instance through the CSRF issue above) to run arbitrary code on the server. The bug lies in the icon caching functionality: its configuration can be abused to inject malicious code that is executed when the administrator interacts with certain settings.

Privilege Escalation via Variable Confusion: CVE-2025-24365 (CVSS 8.1)

This flaw lets an attacker who is a member of one organization escalate privileges and obtain owner rights over other organizations on the same server, by abusing a variable confusion bug in the OrgHeaders trait. Owner rights in turn give access to those organizations' confidential data.

Aftermath and Mitigation

The flaws described here affect Vaultwarden versions 1.32.7 and earlier. Users are advised to update immediately to the patched version 1.33.0 or later.

Vaultwarden's user base should act quickly: the project counts more than 1.5 million downloads and 181 million Docker pulls, so the number of potentially exposed deployments is large.

Vulnerabilities in a password management server have an outsized impact, because the credentials it stores unlock everything else. Organizations running Vaultwarden should assess their exposure, apply the update, and review their admin panel configuration, in particular making sure DISABLE_ADMIN_TOKEN is not enabled on any reachable instance. Reviewing access controls, enforcing two-factor authentication and looking for suspicious activity in the logs are also advised.
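The two facts an operator needs from the advisory, the fixed version and the DISABLE_ADMIN_TOKEN precondition, are easy to turn into a repeatable check. The script below is an added example written for this post, not Vaultwarden project code: it parses a constructed .env-style configuration and a version string (assumed to look like "1.32.7", optionally with a "v" prefix or a suffix such as "-rc1") and reports what needs fixing. The liberal set of values treated as "true" is an assumption, not taken from the Vaultwarden documentation.

```python
"""Offline audit of a Vaultwarden deployment against the issues described above.

Added example, not Vaultwarden project code. Two checks:
  1. is the running version 1.32.7 or earlier (affected by all three issues)?
  2. is DISABLE_ADMIN_TOKEN enabled, the precondition for the admin-panel CSRF
     issue (and the removal of the only authentication on the admin panel)?
"""
from __future__ import annotations

import re

FIXED_VERSION = (1, 33, 0)  # advisory: 1.32.7 and earlier affected, fixed in 1.33.0
TRUE_VALUES = {"true", "1", "yes", "on"}  # assumption: liberal parsing of env booleans


def parse_version(text: str) -> tuple:
    """Turn "v1.32.7", "1.33.0-rc1" or "1.33.2" into a comparable (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION


def parse_env(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser for an .env / docker-compose environment file."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def admin_token_disabled(env: dict[str, str]) -> bool:
    return env.get("DISABLE_ADMIN_TOKEN", "false").strip().lower() in TRUE_VALUES


def audit(version: str, env_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing to fix here."""
    findings = []
    env = parse_env(env_text)
    if is_affected(version):
        findings.append(
            f"version {version} is affected by CVE-2025-24364, CVE-2025-24365 and the "
            "admin-panel CSRF issue: upgrade to 1.33.0 or later")
    if admin_token_disabled(env):
        findings.append(
            "DISABLE_ADMIN_TOKEN is enabled: the admin panel has no authentication and "
            "is reachable via CSRF; set a strong ADMIN_TOKEN instead")
    return findings


# Constructed samples for this example: a risky deployment and a fixed one.
RISKY_ENV = """
# vaultwarden .env (constructed)
DOMAIN=https://vault.example.internal
DISABLE_ADMIN_TOKEN=true
SIGNUPS_ALLOWED=false
"""

FIXED_ENV = """
DOMAIN=https://vault.example.internal
ADMIN_TOKEN='replace-with-a-long-random-secret'
SIGNUPS_ALLOWED=false
"""

if __name__ == "__main__":
    for version, env in (("1.32.7", RISKY_ENV), ("v1.33.0", FIXED_ENV)):
        print(version, audit(version, env) or ["ok"])
```

Run it against the real .env and the version shown on the server's admin diagnostics page or Docker image tag; anything it prints is a finding to act on.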

Soumnibot Malware Abuses Bugs to Escape Detection


A new Android banking trojan called 'SoumniBot' uses an unusual obfuscation approach: it abuses weaknesses in the way Android extracts and parses the APK manifest.

The approach lets SoumniBot slip past typical Android security checks and steal information. Kaspersky researchers found and analyzed the malware, publishing technical details on how it exploits the procedure Android uses to parse and extract APK manifests.

Fooling Android’s Parser

The manifest file ('AndroidManifest.xml') sits in the root of every APK and describes the app's components (activities, services, broadcast receivers, content providers), its permissions and other metadata.

Malicious APKs can use various compression tricks to confuse security products and evade inspection. Kaspersky's analysts found that SoumniBot uses three distinct techniques to defeat parsers, all of which involve manipulating the manifest entry's compression method and size fields.

How the malware works

First, the ZIP entry for the manifest is flagged with an invalid compression method, a value other than the standard STORED (0) or DEFLATED (8) that Android's 'libziparchive' library expects.

Because of a flaw in the library, the APK parser does not reject such values; it falls back to treating the entry as uncompressed, so the APK installs and runs on the device while analysis tools that validate the method field fail on it.

The second technique misreports the size of the manifest in the ZIP headers, declaring a value larger than the real one.

Since the entry was marked as uncompressed in the previous step, it is copied straight out of the archive, and the declared extra length is filled with junk 'overlay' bytes that follow the real manifest data.

According to Kaspersky, this extra data does not affect the device, because Android simply ignores it, but it plays an important role in confusing code analysis tools.

The third evasion tactic uses extremely long strings as the names of XML namespaces in the manifest, which automated analysis tools frequently cannot handle because they lack the buffer space to parse them.

Kaspersky has notified Google that APK Analyzer, the official analysis tool shipped with Android Studio, cannot handle files that use these evasion techniques.
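The first two tricks live entirely in the ZIP headers, so a tool that walks the central directory by hand (rather than trusting a library that either rejects or silently accepts the entry) can flag them. The script below is an added example, not Kaspersky's code: it builds a tiny stored APK in memory, patches the manifest entry the way the text describes (a bogus compression method and an inflated uncompressed size in both the local header and the central directory), and audits the result. The third trick, oversized namespace strings, needs a binary-XML parser and is not covered here. The manifest content and the dex stub are constructed placeholders.

```python
"""Audit an APK's AndroidManifest.xml ZIP entry for header-level parser evasions.

Added example, not Kaspersky's code. Checks the two tricks described above:
  * a compression method that is neither STORED (0) nor DEFLATED (8), and
  * a stored entry whose declared uncompressed size differs from its real size.
"""
from __future__ import annotations

import io
import struct
import zipfile

STORED, DEFLATED = 0, 8
MANIFEST = "AndroidManifest.xml"
CD_SIG, LH_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x03\x04", b"PK\x05\x06"


def parse_central_directory(data: bytes) -> list[dict]:
    """Walk the central directory with struct; zipfile would choke on bogus methods."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _sig, _d, _cdd, _n, total, _cd_size, cd_off, _clen = struct.unpack_from("<4sHHHHIIH", data, eocd)
    entries, pos = [], cd_off
    for _ in range(total):
        f = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)  # 46-byte fixed part
        if f[0] != CD_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        nlen, xlen, clen = f[10], f[11], f[12]
        entries.append({
            "name": data[pos + 46: pos + 46 + nlen].decode("utf-8", "replace"),
            "method": f[4], "csize": f[8], "usize": f[9],
            "cd_offset": pos, "lh_offset": f[16],
        })
        pos += 46 + nlen + xlen + clen
    return entries


def audit_apk(data: bytes, name: str = MANIFEST) -> list[str]:
    findings = []
    for e in parse_central_directory(data):
        if e["name"] != name:
            continue
        lh = struct.unpack_from("<4sHHHHHIIIHH", data, e["lh_offset"])  # 30-byte local header
        if lh[0] != LH_SIG:
            findings.append("central directory offset does not point at a local file header")
            continue
        if e["method"] not in (STORED, DEFLATED):
            findings.append(f"compression method {e['method']} is neither STORED nor DEFLATED; "
                            "libziparchive falls back to treating the entry as stored")
        if lh[3] != e["method"]:
            findings.append(f"local header method {lh[3]} disagrees with central directory {e['method']}")
        if e["method"] != DEFLATED and e["csize"] != e["usize"]:
            findings.append(f"stored entry holds {e['csize']} bytes but declares {e['usize']}; "
                            "the difference is overlay junk copied into the extracted manifest")
    return findings


def build_sample_apk(manifest: bytes) -> bytes:
    """Constructed, well-formed stand-in for an APK: two stored entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(24))  # placeholder, not a real dex
    return buf.getvalue()


def craft_evasive_apk(apk: bytes, bogus_method: int = 0x1234, overlay: int = 64) -> bytes:
    """Apply the two header tricks to the manifest entry of a well-formed archive."""
    out = bytearray(apk)
    for e in parse_central_directory(apk):
        if e["name"] != MANIFEST:
            continue
        cd, lh = e["cd_offset"], e["lh_offset"]
        struct.pack_into("<H", out, cd + 10, bogus_method)        # CD: method
        struct.pack_into("<I", out, cd + 24, e["usize"] + overlay)  # CD: uncompressed size
        struct.pack_into("<H", out, lh + 8, bogus_method)         # LH: method
        struct.pack_into("<I", out, lh + 22, e["usize"] + overlay)  # LH: uncompressed size
        return bytes(out)
    raise ValueError("manifest entry not found")


if __name__ == "__main__":
    clean = build_sample_apk(b"<manifest/>")
    print("clean:", audit_apk(clean) or "no findings")
    print("evasive:", audit_apk(craft_evasive_apk(clean)))
```

Point audit_apk at a real APK read from disk to triage samples; a method outside {0, 8} or a size mismatch on the manifest entry is a strong indicator that the file was built to defeat analysis tools rather than by a normal build chain.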

The danger of SoumniBot

On activation, SoumniBot sends the infected device's carrier, phone number and other profile information to a hardcoded server address and requests its configuration from it.

It then starts a malicious service that exfiltrates data from the victim every 15 seconds and restarts itself every 16 minutes if it is stopped.

The exfiltrated data includes IP addresses, contact lists, account information, SMS messages, photos, videos and the digital certificates used for online banking.

How SoumniBot reaches devices is not known; possibilities range from distribution through dubious websites and unofficial Android app stores to trojanized updates of legitimate apps in trusted repositories.

Kaspersky has published a concise set of indicators of compromise, including malware hashes and two domains used by the operators for command and control.

QWIXXRAT: A Fresh Windows RAT Emerges in the Threat Landscape


In early August 2023, the Uptycs Threat Research team uncovered the presence of a newly identified threat, the QwixxRAT, also referred to as the Telegram RAT. This malicious software was being promoted and distributed via platforms such as Telegram and Discord.

QwixxRAT is a remote access trojan that quietly harvests sensitive information from infected systems.

The stolen data is transmitted to the attacker's Telegram bot, giving the operator access to the victim's confidential details. The same Telegram bot serves as the command-and-control channel through which the threat actors manage the RAT's activities.

“Once installed on the victim’s Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker’s Telegram bot, providing them with unauthorized access to the victim’s sensitive information,” reads a new report published by security firm Uptycs.

“To avoid detection by antivirus software, the RAT employs command and control functionality through a Telegram bot. This allows the attacker to remotely control the RAT and manage its operations.” 

Experts describe QwixxRAT as a carefully engineered threat built to harvest a wide range of sensitive data: browser histories, credit card details, screenshots, keystrokes, FTP credentials, messenger conversations and data tied to the Steam platform.

Uptycs, which discovered the malware, notes that QwixxRAT is sold on criminal markets: a weekly subscription costs 150 rubles and a lifetime subscription 500 rubles. The researchers also observed a limited free version.

Technically, QwixxRAT is written in C# and ships as a compiled 32-bit Windows executable. With 19 distinct functions, the malware has a diverse set of capabilities.

To evade analysis, the malware includes several anti-analysis and evasion features. It uses a sleep function to introduce delays, a technique commonly used to detect debuggers and sandboxes, and it checks whether it is running inside a sandbox or virtual machine.

QwixxRAT establishes persistence by creating a scheduled task that points at a hidden file at "C:\Users\Chrome\rat.exe". It also contains a self-destruct routine that terminates the program.

A notable feature is its clipper code, which monitors data copied to the clipboard; it is used to capture cryptocurrency wallet details for Monero, Ethereum and Bitcoin.

The researchers have taken a proactive step by publishing a YARA detection rule tailored to identify this particular threat.
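A scheduled task whose action launches a binary out of a user profile directory is the detection hook the persistence described above hands to defenders. The script below is an added example, not Uptycs' code or their YARA rule: it parses task definitions in the Task Scheduler XML format (the format `schtasks /query /xml` exports and that Security event 4698 carries in its TaskContent field) and flags actions that run from user-writable paths, with the reported rat.exe path as a known-bad match. The three task definitions are constructed; only the C:\Users\Chrome\rat.exe path comes from the report.

```python
"""Flag scheduled tasks that launch binaries from user-profile paths.

Added example, not Uptycs' code. Input is Task Scheduler XML, as exported by
`schtasks /query /xml` or carried in Security event 4698 (TaskContent).
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
KNOWN_BAD_PATHS = {r"c:\users\chrome\rat.exe"}  # path reported for QwixxRAT
# Drive-letter user profiles, or environment variables that expand into them.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|%(?:userprofile|appdata|localappdata|temp|tmp)%)", re.I)


def exec_commands(task_xml: str) -> list[str]:
    """Every <Exec><Command> in the task definition, surrounding quotes removed."""
    root = ET.fromstring(task_xml)
    return [c.text.strip().strip('"')
            for c in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS) if c.text]


def classify_task(task_xml: str) -> list[str]:
    findings = []
    for cmd in exec_commands(task_xml):
        path = cmd.lower()
        if path in KNOWN_BAD_PATHS:
            findings.append(f"{cmd}: matches the QwixxRAT persistence path")
        elif USER_WRITABLE.match(path):
            findings.append(f"{cmd}: scheduled binary lives in a user-writable profile path")
    return findings


# Constructed task definitions (no XML declaration, so ET accepts them as str).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

RAT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Chrome\rat.exe</Command></Exec>
  </Actions>
</Task>"""

APPDATA_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%LOCALAPPDATA%\Updater\svc.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("benign", BENIGN_TASK), ("rat", RAT_TASK), ("appdata", APPDATA_TASK)):
        print(label, classify_task(xml_text) or "no findings")
```

In practice, feed it the TaskContent field of 4698 events from a SIEM export, or the output of `schtasks /query /xml` per task; the user-writable rule will produce some benign hits (per-user updaters), which is why the known-bad set is kept separate.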

New Exploit Unleashed for Cisco AnyConnect Bug Granting SYSTEM Privileges

Proof-of-concept (PoC) exploit code has been released for a significant vulnerability found in Cisco Secure Client Software for Windows, previously known as AnyConnect Secure Mobility Client. This flaw allows attackers to elevate their privileges to the SYSTEM level. Cisco Secure Client is a VPN software that enables employees to work remotely while ensuring a secure connection and providing network administrators with telemetry and endpoint management capabilities.

The vulnerability, identified as CVE-2023-20178, enables authenticated threat actors to escalate their privileges to the SYSTEM account without requiring complex attacks or user interaction. Exploiting this flaw involves manipulating a specific function within the Windows installer process.

To address the issue, Cisco released security updates the previous Tuesday. Its Product Security Incident Response Team (PSIRT) said that at the time it was not aware of any malicious use of, or public exploit code for, the vulnerability.

The fix for CVE-2023-20178 was included in the release of AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.

The arbitrary file delete vulnerability was discovered and reported to Cisco by security researcher Filip Dragović, who this week published PoC exploit code tested against Cisco Secure Client (version 5.0.01242) and Cisco AnyConnect (version 4.10.06079).

Dragović explains that when a user establishes a VPN connection, the vpndownloader.exe process starts in the background and creates a directory named "<random numbers>.tmp" under c:\windows\temp. Because of the default permissions on that directory, an attacker can abuse this behavior to delete arbitrary files as NT AUTHORITY\SYSTEM.

The attacker can then combine this Windows installer behavior with the fact that a client update runs after every successful VPN connection to spawn a SYSTEM shell, completing the privilege escalation. Dragović describes the escalation technique in detail.

It is worth noting that in October, Cisco urged customers to patch two other AnyConnect flaws that had public exploit code and had been fixed three years earlier, because they were being actively exploited. In May 2021, Cisco also patched an AnyConnect zero-day with public exploit code, first disclosed in November 2020.

Securing Your Digital Assets: Uncovering the Untraceable Data Theft Bug in Google Workspace's Drive Files

Security researchers say attackers can steal data from Google Drive accounts without leaving a trace, by exploiting a gap in Google Workspace's audit logging that hides the fact that large amounts of data have been taken.

The weakness in Google Workspace was disclosed in the past few days. It puts files on users' drives at risk of silent theft, and with remote work and digital collaboration on the rise it deserves immediate attention from anyone responsible for the security and privacy of sensitive information.

Mitiga Security researchers discovered the previously undocumented issue. It is a forensic deficiency rather than a traditional vulnerability: an attacker can use it to exfiltrate data from Google Drive without the activity appearing in any audit log, so there is no trail for investigators to follow.

The issue specifically concerns actions taken by users who do not hold a paid Google Workspace license. Drive actions performed by such users on their private drive are not recorded in the Drive audit log, which is what makes the gap so serious.

An attacker who can manage licenses therefore has a way to switch logging off: revoke the target account's paid license so that it falls back to the free "Cloud Identity Free" license, after which its Drive activity is no longer recorded.

Google Workspace is a great collaboration tool, but its security model has holes like this one. No data is beyond reach, and in highly interconnected cloud services one weak link in a chain of interdependent documents can expose an entire department's work.

Every Google Drive user starts with the "Cloud Identity Free" license by default, and no logs are kept of the actions a user performs on their private drive unless an administrator assigns that user a paid license. Without that visibility, threat actors can manipulate or steal data undetected. Mitiga describes two ways to exploit this.

In the first, a threat actor compromises an account that can manage licenses, revokes the paid license of a target user, downloads private files through that user's account while logging is off, and then reassigns the license. The only events preserved are the license revocation and reassignment themselves. The second method targets offboarding: when an employee's paid license is revoked before the account is disabled, that account (or anyone who controls it) can still download sensitive files from the private drive without leaving a log.

In other words, a threat actor who has compromised an account with the right privileges can revert a target account to the free "Cloud Identity Free" license in a few simple steps.

That switches off all Drive logging for the account. From then on the attacker can exfiltrate any files they want without leaving a trace; all an administrator may notice afterwards is that someone revoked a paid license.

Mitiga says it notified Google of its findings, but the company had not responded at the time of writing. An important step in any post-mortem or forensic process is identifying which files were taken during a breach, so that victims can determine what kind of information was exposed and whether they face identity theft, wire fraud or similar follow-on risks.

Logging is also one of the standard ways IT teams spot intrusions before they cause severe damage. Google Drive accounts, on the other hand, are often left without adequate logging, which makes it easier for attackers to steal data undetected.

Cloud storage providers must also take more robust steps to protect user data so that gaps like this do not recur. Although Google has yet to respond to Mitiga's findings, it will likely address the problem, which would improve the platform's security.

In the meantime, users should remain vigilant and protect their data. They should regularly review their Google Drive accounts for suspicious activity or unauthorized access, use strong passwords, and enable two-factor authentication to prevent unauthorized logins.

Many documents and files can be stolen, including confidential business documents, proprietary information, financial records, intellectual property, and personal documentation. Regulatory violations, as well as financial fraud, corporate espionage, reputation damage, and other potential economic repercussions, can result from data breaches on a large scale. This is far beyond a mere failure to recover data. 

Due to the alarming nature of this discovery, you must take immediate action to protect your sensitive data and protect yourself against potentially harmful hacks. 

To improve your organization's security posture, it is recommended you take the following steps: 

Make sure two-factor authentication is enabled. Two-factor authentication on a Google Workspace account adds a security layer on top of the password, so even if login credentials are compromised an attacker cannot access the account without passing an additional verification step.

Stay Educated: Make the most of Google Workspace security alerts and advisories and keep up to date on the latest security threats. It is imperative to keep an eye on official sources, including Google's security bulletins and blogs, for more information regarding security threats. 

Educate employees about phishing. Give them the tools to recognize and handle suspicious emails and websites, explain the risks of entering login credentials on untrusted pages, and make prompt reporting of suspicious activity part of the organizational culture.
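Because the only events that survive the technique are the license revocation and reassignment themselves, those events are what an administrator can alert on: a license revoked from an account that has not been suspended, and a license that bounces off an account and back again shortly afterwards. The script below is an added example, not Mitiga's or Google's code. It runs over a constructed, flattened list of Admin audit events; the event names USER_LICENSE_REVOKE, USER_LICENSE_ASSIGNMENT and SUSPEND_USER are assumed to match the Admin audit log's license and user settings categories and should be confirmed against your own log export before use.

```python
"""Detect the license-downgrade pattern described above in Admin audit events.

Added example, not Mitiga's or Google's code. Events are constructed and flattened
to {time, actor, event, user}; the event names are assumptions to verify against
the Admin SDK Reports API 'admin' application in your tenant.
"""
from __future__ import annotations

from datetime import datetime, timedelta

REASSIGN_WINDOW = timedelta(hours=2)  # how soon a reassignment counts as a "bounce"


def _t(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def find_suspicious_revocations(events: list[dict], window: timedelta = REASSIGN_WINDOW) -> list[str]:
    """Two rules: revocation on an active (unsuspended) account, and revoke-then-reassign."""
    events = sorted(events, key=_t)
    suspended_at: dict[str, datetime] = {}
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] == "SUSPEND_USER":
            suspended_at[ev["user"]] = _t(ev)
            continue
        if ev["event"] != "USER_LICENSE_REVOKE":
            continue
        user, t = ev["user"], _t(ev)
        if user not in suspended_at or suspended_at[user] > t:
            findings.append(f"{ev['time']} {ev['actor']} revoked {user}'s license while the account "
                            "was active: Drive activity is unlogged from this point")
        for later in events[i + 1:]:
            gap = _t(later) - t
            if gap > window:
                break
            if later["event"] == "USER_LICENSE_ASSIGNMENT" and later["user"] == user:
                minutes = int(gap.total_seconds() // 60)
                findings.append(f"{later['time']} license reassigned to {user} {minutes} minutes after "
                                f"revocation by {later['actor']}: review Drive downloads in the gap")
                break
    return findings


# Constructed sample: a correct offboarding (bob), a license bounce (alice),
# and a revocation on a still-active account with no reassignment (carol).
SAMPLE_EVENTS = [
    {"time": "2023-05-30T08:00:00+00:00", "actor": "it-admin@corp.example",
     "event": "SUSPEND_USER", "user": "bob@corp.example"},
    {"time": "2023-05-30T08:05:00+00:00", "actor": "it-admin@corp.example",
     "event": "USER_LICENSE_REVOKE", "user": "bob@corp.example"},
    {"time": "2023-05-30T22:10:00+00:00", "actor": "helpdesk@corp.example",
     "event": "USER_LICENSE_REVOKE", "user": "alice@corp.example"},
    {"time": "2023-05-30T22:50:00+00:00", "actor": "helpdesk@corp.example",
     "event": "USER_LICENSE_ASSIGNMENT", "user": "alice@corp.example"},
    {"time": "2023-05-31T09:00:00+00:00", "actor": "it-admin@corp.example",
     "event": "USER_LICENSE_REVOKE", "user": "carol@corp.example"},
]

if __name__ == "__main__":
    for line in find_suspicious_revocations(SAMPLE_EVENTS):
        print(line)
```

The process fix this encodes is the one the findings above imply: suspend the account first, revoke the license second, and treat any revocation that skips the first step, or is undone within hours, as an incident to investigate.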

A Vulnerability in OAuth Exposed Social Media Logins to Account Takeover


Security researchers have reported an OAuth-related vulnerability in an open-source application development framework that could expose users who sign in with Facebook, Google, Apple or Twitter to account takeover, personal data leakage, identity theft, financial fraud and unauthorized actions on other online platforms.

The vulnerability was found in the Expo framework, which numerous web businesses use to implement OAuth-based social login. It has been assigned CVE-2023-28131 and lies in the framework's social login capability. It allows a bad actor to perform actions on behalf of compromised accounts on the affected online platforms. According to Salt Security's API Security Report, API attack traffic rose 117% in 2016.

OAuth is a standard protocol that lets users grant one website or application access to private resources held by another without exposing their login credentials. The flow has several steps, and getting any of them wrong introduces security risks. Salt Labs researchers found that by tampering with some steps of the OAuth flow on a site using Expo, they could take over other users' accounts and steal sensitive information such as credit card details, private messages and health records, as well as perform actions online on those users' behalf.

Expo framework is an open-source platform for developing mobile and online applications. The Expo framework is utilized by 650,000 developers at a range of significant enterprises, according to Salt Security researchers.

The platform also enables developers to create native apps with a single codebase and offers a collection of tools, frameworks, and services to make the development process easier. "One of the included services is OAuth, which allows developers to easily integrate a social sign-in component into their website," according to the researchers.

Salt Labs researchers uncovered the vulnerability, which could affect hundreds of firms using Expo, on Codecademy.com, a major online platform that offers free coding education in a dozen programming languages.

On January 24, Salt Security discovered the vulnerability. It was reported to Expo on February 18, and the company immediately produced a hotfix and provided mitigation, but it "recommends that customers update their deployment to deprecate this service to fully remove the risk."

As noted by Aviad Carmel, a Salt Security security researcher, this is the second OAuth vulnerability uncovered in a third-party framework used by hundreds of businesses, and it might have affected hundreds of websites and apps.

The OAuth vulnerability, according to Carmel, was part of the social sign-in process, in which Expo acts as an intermediary and sends user credentials to the destination website.

"Exploiting this vulnerability involves intercepting the flow mentioned above. By doing so, an attacker can manipulate Expo to send the user credentials to his own malicious domain instead of the intended destination," Carmel said.

Carmel recommends that organizations understand how OAuth works and which endpoints accept user input, so they avoid similar mistakes when implementing OAuth. Many vendors are reporting an increase in API attacks and in vulnerabilities in open-source software at a time when API traffic is growing quickly as a result of digital transformation programs. The largest breach of 2022 was caused by an API exploit at Twitter, which exposed 221 million users' email addresses and other personal information.

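The failure Carmel describes, a sign-in broker that can be talked into sending the user's credentials to a domain the attacker controls, comes down to how the broker validates the destination it was asked to return to. Below is an added example, not Expo's code or Salt Labs' exploit: a naive prefix check of the kind that lets a look-alike host through, beside a strict check that parses the URL and compares scheme, host and port against an exact allowlist. The allowlisted origins and the test URLs are constructed.

```python
"""Return-URL validation for an OAuth social sign-in intermediary.

Added example, not Expo's code. Shows a naive prefix check beside a strict
origin check; the allowlist and sample URLs are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

ALLOWED_ORIGINS = ["https://app.example.com", "https://www.example.com:8443"]


def naive_is_allowed(url: str, allowed: list[str] = ALLOWED_ORIGINS) -> bool:
    """Prefix matching: passes 'https://app.example.com.evil.com' and 'https://app.example.com@evil.com'."""
    return any(url.startswith(origin) for origin in allowed)


def _origin_key(origin: str) -> tuple[str, str, int]:
    p = urlsplit(origin)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def strict_is_allowed(url: str, allowed: list[str] = ALLOWED_ORIGINS) -> bool:
    """Exact (scheme, host, port) match against the allowlist; anything odd is rejected."""
    try:
        p = urlsplit(url)
        if p.scheme.lower() != "https":                 # no http, no javascript:, no scheme-relative //
            return False
        if p.username is not None or p.password is not None:  # user@host confusion
            return False
        if "\\" in p.netloc or not p.hostname:          # backslash tricks, empty host
            return False
        port = p.port or 443                            # raises ValueError on out-of-range ports
    except ValueError:
        return False
    return ("https", p.hostname.lower(), port) in {_origin_key(o) for o in allowed}


# Constructed probes a tester would throw at the return-URL parameter.
PROBES = [
    "https://app.example.com/callback",
    "https://APP.Example.com/callback?code=abc",
    "https://www.example.com:8443/cb",
    "https://app.example.com.evil.com/callback",
    "https://app.example.com@evil.com/callback",
    "https://evil.com/?next=https://app.example.com",
    "http://app.example.com/callback",
    "https://www.example.com/callback",
    "//app.example.com/callback",
    "https://app.example.com:99999/callback",
]

if __name__ == "__main__":
    for url in PROBES:
        print(f"{url:48} naive={naive_is_allowed(url)!s:5} strict={strict_is_allowed(url)}")
```

The two look-alike probes are the ones that matter: the naive check accepts both, and a sign-in flow that then redirects there hands the attacker the token or credentials. Registering full redirect URIs and comparing them exactly, as the OAuth specifications recommend, is the same idea taken one step further.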
This Twitter Bug is Making Users Secret Circle Tweets Public


Twitter launched Circle in August 2022, allowing you to limit your tweets to a chosen group of users without making your account private. While the function was designed to limit the visibility of your tweets to a group smaller than your number of followers, a recent issue has reportedly exposed your private tweets to many others outside your Circle, even if they do not follow you.

Many users have observed that tweets intended for Twitter Circles are reaching all followers rather than just those in the Circle. Amanda Silberling of TechCrunch, who saw another person's ostensibly private tweet, notes that personal posts display under Twitter's newly launched "For You" area.

Because the feature is meant to let users tweet privately, many use it to share sensitive thoughts and feelings, as well as restricted media such as nude photos, so the flaw poses a significant privacy risk to anyone who has posted such tweets.

Twitter Circle has been buggy for months. Some users reported that their Circle tweets reached followers outside the Circle, while others said the tweets were visible even to people who do not follow them. Affected users discovered the problem when strangers replied to tweets intended for their inner circle.

While it's difficult to pinpoint a specific cause for the glitch, it could be related to recent changes to Twitter's recommendation algorithm, which divided the feed into "For You" and "Following" timelines. As the names suggest, For You also displays tweets from users you don't follow.

In October, the movements of Elon Musk's private jet were made public on Twitter. Musk compared the incident to "doxing" and responded by suspending the @ElonJet account as well as the accounts of journalists who reported on it.

However, when it comes to users' privacy — despite using a mechanism that ostensibly guarantees it — Musk does not appear to be concerned. Twitter Circle has allegedly been plagued by bugs for several months. These difficulties have not piqued Twitter's interest, despite the digital titan persistently promoting the platform's paid tier, Twitter Blue.

This could be considered a violation of users' consent and a data breach under EU legislation. Any monetary penalty, however, may be subject to interference by US authorities and legislators.

Hackers can Open Smart Garage Doors From Anywhere in the World


According to findings from a security researcher, hackers can remotely tap into a specific brand of smart garage door opener controllers and open them all over the world due to a number of security weaknesses that the firm, Nexx, has refused to repair. 

The flaws represent a major risk to Nexx users, who rely on the company's wi-fi-connected garage door opener controllers among other products. According to a copy of an email shared with Motherboard, the researcher who discovered the vulnerabilities says Nexx has not reacted to their attempts to report them responsibly for months.

“Completely remote. Anywhere in the world,” Sam Sabetan, the security researcher, told Motherboard, describing the hack.

Nexx describes its goods as "easy-to-use products that work with things you already own." Its garage product links to a person's existing garage door opener and allows them to remotely activate it via a smartphone app. “Life is complicated enough. Remembering whether or not you left your garage door open should be the least of your worries: Get peace of mind,” the company advertises on its website. Nexx has run campaigns on Kickstarter.

Sabetan demonstrated the hack in a video proof-of-concept. It shows him first opening his own garage door with the Nexx app, as intended. He then uses a tool that lets him read the communications sent by the Nexx device. Sabetan closes the door with the app and records the data the device sends to Nexx's server during this action.

Sabetan not only receives information on his own device but also messages from 558 other gadgets. According to the video, he can now see the device ID, email address, and name associated with each. He then sends an order to the garage via software rather than the app, and his door opens once more. Sabetan only tested this on his own garage door, but he could have used this technique to open other users' garage doors as well.

Sabetan told Motherboard he could open doors “for any customer.” “That’s the craziest bug. But the disabling alarm and turning on [and] off smart plugs is pretty neat too,” he added, referring to another Nexx product that allows users to control power outlets in their home.

The repercussions of someone weaponizing these vulnerabilities are far-reaching, and might pose a serious security risk to Nexx's clients. A hacker might randomly open Nexx doors all across the world, exposing their garage contents and possibly their homes to opportunistic robbers. Pets could flee. Customers may become irritated if they see someone opening and closing their property without knowing why. In more extreme circumstances, a hacker could exploit the flaws as part of a targeted assault against the particular garage that used Nexx’s security system.

Sabetan and Motherboard have made numerous attempts to contact Nexx about the problems, and Sabetan said that the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) had also been in touch about them. The company has not responded or fixed the issues, which means the flaws remain exploitable by anyone who finds them. For that reason, Motherboard did not describe the vulnerabilities in detail, focusing instead on their impact on customers. On Tuesday, CISA issued its own advisory on the security issues.

Nexx appears to be deliberately ignoring at least some of the attempts to alert it to the vulnerabilities. After Nexx's support address did not react to his vulnerability report, Sabetan contacted support again, this time stating that he needed help with his own Nexx product. According to a copy of the email Sabetan shared with Motherboard, Nexx's support staff replied to that message.

“Great to know your support is alive and well and that I’ve been ignored for two months,” Sabetan replied. “Please respond to ticket [ticket number],” he wrote, referring to his vulnerability report.