Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label CVE vulnerability. Show all posts
Hackers
CVE CVE exploits CVE vulnerability Cyber Security data security Data Theft Hacker attack Hackers

Hackers Exploit ThinkPHP and ownCloud Vulnerabilities from 2022 and 2023

 

Hackers are increasingly exploiting outdated security flaws in poorly maintained systems, with vulnerabilities from 2022 and 2023 seeing a surge in attacks. According to threat intelligence platform GreyNoise, malicious actors are actively targeting CVE-2022-47945 and CVE-2023-49103, affecting the ThinkPHP Framework and the open-source ownCloud file-sharing solution. 

Both vulnerabilities are critical, allowing attackers to execute arbitrary commands or steal sensitive data, such as admin credentials and license keys. CVE-2022-47945 is a local file inclusion (LFI) flaw in ThinkPHP versions before 6.0.14. If the language pack feature is enabled, unauthenticated attackers can remotely execute operating system commands. 

Akamai reported that Chinese threat groups have exploited this flaw since late 2023, and GreyNoise recently detected 572 unique IPs actively attacking vulnerable systems. Despite having a low Exploit Prediction Scoring System (EPSS) rating of just 7% and not being listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, CVE-2022-47945 remains under heavy assault. 

The second vulnerability, CVE-2023-49103, impacts ownCloud’s file-sharing software. It stems from a third-party library that leaks PHP environment details through a public URL. After its disclosure in November 2023, hackers began exploiting the flaw to steal sensitive data. A year later, it was named one of the FBI, CISA, and NSA’s top 15 most exploited vulnerabilities. 

Even though a patch was released over two years ago, many ownCloud systems remain unpatched and exposed. GreyNoise recently observed malicious activity from 484 unique IPs targeting this vulnerability. To defend against these active threats, users are strongly advised to upgrade to ThinkPHP 6.0.14 or later and ownCloud GraphAPI 0.3.1 or newer. 

Taking vulnerable systems offline or placing them behind a firewall can significantly reduce the attack surface and prevent exploitation. As hackers continue to leverage older, unpatched vulnerabilities, staying vigilant with timely updates and robust security practices remains crucial in protecting critical systems and sensitive data.
Read more »
RCE
Aviatrix critical vulnerabilities CVE exploits CVE vulnerability Cyber Security Data Exfiltration data security RCE

Critical Command Injection Vulnerability Found in Aviatrix Network Controller (CVE-2024-50603)

 


Jakub Korepta, Principal Security Consultant at Securing, has discovered a critical command injection vulnerability in the Aviatrix Network Controller, identified as CVE-2024-50603. This flaw, impacting versions 7.x through 7.2.4820, has been assigned the highest possible CVSS severity score of 10.0. It allows unauthenticated attackers to remotely execute arbitrary code, posing a severe threat to enterprises utilizing Aviatrix’s cloud networking solutions.

The root of this vulnerability lies in improper input handling within the Aviatrix Controller's API. While certain input parameters are sanitized using functions like escapeshellarg, others—most notably the cloud_type parameter in the list_flightpath_destination_instances action—remain unprotected. This oversight permits attackers to inject malicious commands into API requests, leading to remote code execution (RCE).

Jakub Korepta demonstrated this flaw by crafting a malicious HTTP request that redirected sensitive system files to an attacker-controlled server. By appending harmful commands to the vulnerable parameter, attackers can gain unauthorized access and execute arbitrary code on the targeted system.


In a proof-of-concept attack, Korepta successfully extracted the contents of the /etc/passwd file, highlighting the potential for data theft. However, the threat extends beyond data exfiltration. Exploiting this vulnerability could allow attackers to:
  • Execute Remote Code: Attackers can run commands with full system privileges, gaining complete control over the Aviatrix Controller.
  • Steal or Manipulate Data: Sensitive data stored on the system can be accessed, stolen, or altered.
  • Compromise Entire Networks: Successful exploitation could lead to lateral movement within enterprise networks, escalating the attack's impact.

Research uncovered 681 publicly exposed Aviatrix Controllers accessible via the Shodan search engine. These exposed systems significantly increase the risk, providing attackers with easily identifiable targets for exploitation.

Aviatrix has responded promptly by releasing version 7.2.4996, which addresses this vulnerability through enhanced input sanitization. This update effectively neutralizes the identified risk. All users are strongly urged to upgrade to this patched version immediately to secure their systems and prevent exploitation. Failure to apply this update leaves systems vulnerable to severe attacks.

Recommended actions for organizations include:
  • Immediate Patch Deployment: Upgrade to version 7.2.4996 or later to eliminate the vulnerability.
  • Network Access Controls: Restrict public access to Aviatrix Controllers and enforce strict network segmentation.
  • Continuous Monitoring: Implement robust monitoring systems to detect unauthorized activity or anomalies.

Lessons in Proactive Security

This incident underscores the critical need for proactive cybersecurity measures and routine software updates. Even advanced networking solutions can be compromised if proper input validation and security controls are neglected. Organizations must remain vigilant, ensuring that both internal systems and third-party solutions adhere to stringent security standards.

The discovery of CVE-2024-50603 serves as a stark reminder of how overlooked vulnerabilities can escalate into significant threats. Timely updates and consistent security practices are vital to protecting enterprise networks from evolving cyber risks.
Read more »
Spam
critical vulnerabilities CVE CVE vulnerability CVEs Cyber Security Plugin Flaws plugin security Plugins RCE Spam

Critical Vulnerabilities in CleanTalk WordPress Plugin Put 200,000 Websites at Risk

 

Defiant has raised alarms about two significant vulnerabilities affecting CleanTalk’s anti-spam WordPress plugin, which could enable attackers to execute arbitrary code remotely without requiring authentication. These vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, are classified with a high severity score of 9.8 on the CVSS scale. They impact the “Spam protection, Anti-Spam, FireWall by CleanTalk” plugin, which boasts over 200,000 active installations on WordPress sites globally. 

The flaws pose a significant risk by allowing remote attackers to install and activate arbitrary plugins, including potentially vulnerable ones that can then be exploited for remote code execution (RCE). According to Defiant, the first vulnerability, CVE-2024-10542, involves an authorization bypass issue. This weakness exists in a function responsible for handling remote calls and plugin installations, where token-based authorization is used to secure these actions. 

However, two related functions intended to verify the originating IP address and domain name are vulnerable to exploitation. Attackers can manipulate these checks through IP and DNS spoofing, enabling them to specify an IP address or subdomain under their control. This bypasses the plugin’s authorization process, allowing the attacker to carry out actions such as installing, activating, deactivating, or uninstalling plugins without proper permissions. The vulnerability was discovered in late October and was addressed with the release of version 6.44 of the plugin on November 1. 

However, this update inadvertently introduced another vulnerability, CVE-2024-10781, which provided attackers with an alternative method of bypassing token authorization. CVE-2024-10781 arises from a flaw in how the plugin processes tokens for authorization. Specifically, if a website has not configured an API key in the plugin, attackers can use a token that matches an empty hash value to authenticate themselves. This effectively nullifies the intended security measures and allows attackers to install and activate arbitrary plugins, which can then be exploited for malicious purposes, such as executing remote code. 

The CleanTalk development team addressed this second vulnerability with the release of version 6.45 on November 14, which contains fixes for both CVE-2024-10542 and CVE-2024-10781. Despite the availability of this updated version, data from WordPress indicates that as of November 26, approximately half of the plugin’s active installations are still running outdated and vulnerable versions. This exposes a significant number of websites to potential exploitation. The risks associated with these vulnerabilities are considerable, as attackers could gain complete control over affected websites by leveraging these flaws. This includes the ability to install additional plugins, some of which may themselves contain vulnerabilities that could be exploited for further malicious activities. 

Website administrators using the CleanTalk anti-spam plugin are strongly urged to update to version 6.45 or later as soon as possible. Keeping plugins up to date is a critical step in maintaining the security of WordPress websites. By applying the latest updates, administrators can protect their sites against known vulnerabilities and reduce the risk of being targeted by cyberattacks. In addition to updating plugins, security experts recommend implementing additional security measures, such as monitoring for unauthorized changes, using a robust firewall, and conducting regular security audits. 

These practices can help ensure that websites remain secure against evolving threats. By addressing these vulnerabilities and staying proactive about updates, WordPress site owners can safeguard their online presence and protect the sensitive data entrusted to their platforms.
Read more »
Security Issues
CISO CVE vulnerability CVEs Cyber Security Hacking News Information Security IT Security Security Issues

Cisco Fixes Critical CVE-2024-20418 Vulnerability in Industrial Wireless Access Points

 

Cisco recently disclosed a critical security vulnerability, tracked as CVE-2024-20418, that affects specific Ultra-Reliable Wireless Backhaul (URWB) access points used in industrial settings. These URWB access points are essential for maintaining robust wireless networks in environments like manufacturing plants, transportation systems, and other infrastructure-intensive industries. The vulnerability allows remote, unauthenticated attackers to perform command injection attacks with root privileges by exploiting the device’s web-based management interface. 

This vulnerability results from inadequate validation of input data within Cisco’s Unified Industrial Wireless Software, specifically affecting the web management interface of URWB access points. By sending specially crafted HTTP requests, attackers could exploit this flaw to execute arbitrary commands with root-level access, potentially leading to unauthorized control over the device. This level of access could compromise critical network infrastructure, posing serious risks to businesses relying on URWB technology for uninterrupted connectivity. The vulnerability specifically impacts Cisco Catalyst models IW9165D, IW9165E, and IW9167E when URWB mode is enabled. 

For users concerned about their device’s security, Cisco advises checking vulnerability status by using the “show mpls-config” command in the command-line interface (CLI). If the command confirms URWB mode is active, the device may be vulnerable to potential attacks. Cisco’s Product Security Incident Response Team (PSIRT) has stated that it is not aware of any instances of this vulnerability being actively exploited in real-world scenarios. However, given the nature of this vulnerability, Cisco urges users to update their devices promptly to mitigate the risk. Currently, Cisco has not issued workarounds for this issue. 

As a result, companies relying on these models are advised to stay alert for firmware updates or patches that Cisco may release to resolve the vulnerability. The lack of a temporary fix underlines the importance of applying any future updates immediately, especially as remote exploitation could have significant consequences for the affected systems. For organizations using these Cisco models, securing network access and strengthening device-level defenses can be critical in mitigating potential risks. Limiting access to the web-based management interface, monitoring device activity, and conducting frequent security audits are some proactive steps administrators can take. These actions may help limit exposure while waiting for Cisco’s permanent fix. This incident serves as a reminder of the evolving threat landscape in industrial and operational technology environments. 

As organizations adopt more wireless technologies to improve operational efficiencies, the need for robust cybersecurity practices is crucial. Regularly updating network devices and addressing vulnerabilities promptly are fundamental to protecting systems from cyber threats. Cisco’s disclosure of CVE-2024-20418 underscores the vulnerabilities that even the most reliable industrial-grade devices can exhibit. It also highlights the critical importance of proactive device management and security measures in preventing unauthorized access. Industrial environments should consider this a timely reminder to prioritize cybersecurity protocols across all network-connected devices.
Read more »
SQL
2FA CVE CVE vulnerability CVEs Cyber Security E-Commerce Websites Patchstack PII Plugin Plugin Flaws SQL

Critical Vulnerability in TI WooCommerce Wishlist Plugin Exposes 100K+ Sites to SQL Attacks

 

A critical vulnerability in the widely-used TI WooCommerce Wishlist plugin has been discovered, affecting over 100,000 WordPress sites. The flaw, labeled CVE-2024-43917, allows unauthenticated users to execute arbitrary SQL queries, potentially taking over the entire website. With a severity score of 9.3, the vulnerability stems from a SQL injection flaw in the plugin’s code, which lets attackers manipulate the website’s database. This could result in data breaches, defacement, or a full takeover of the site. As of now, the plugin remains unpatched in its latest version, 2.8.2, leaving site administrators vulnerable. 

Cybersecurity experts, including Ananda Dhakal from Patchstack, have highlighted the urgency of addressing this flaw. Dhakal has released technical details of the vulnerability to warn administrators of the potential risk and has recommended immediate actions for website owners. To mitigate the risk of an attack, website owners using the TI WooCommerce Wishlist plugin are urged to deactivate and delete the plugin as soon as possible. Until the plugin is patched, leaving it active can expose websites to unauthorized access and malicious data manipulation. If a website is compromised through this flaw, attackers could gain access to sensitive information, including customer details, order histories, and payment data. 

This could lead to unauthorized financial transactions, stolen identities, and significant reputational damage to the business. Preventing such attacks requires several steps beyond removing the vulnerable plugin. Website administrators should maintain an updated security system, including regular patching of plugins, themes, and the WordPress core itself. Using a Web Application Firewall (WAF) can help detect and block SQL injection attempts before they reach the website. It’s also advisable to back up databases regularly and ensure that backups are stored in secure, off-site locations. Other methods of safeguarding include limiting access to sensitive data and implementing proper data encryption, particularly for personally identifiable information (PII). 

Website administrators should also audit user roles and permissions to ensure that unauthorized users do not have access to critical parts of the site. Implementing two-factor authentication (2FA) for site logins can add an extra layer of protection against unauthorized access. The repercussions of failing to address this vulnerability could be severe. Aside from the immediate risk of site takeovers or data breaches, businesses could face financial loss, including costly recovery processes and potential fines for not adequately protecting user data. Furthermore, compromised sites could suffer from prolonged downtime, leading to lost revenue and a decrease in user trust. Rebuilding a website and restoring customer confidence after a breach can be both time-consuming and costly, impacting long-term growth and sustainability.  

In conclusion, to safeguard against the CVE-2024-43917 vulnerability, it is critical for website owners to deactivate the TI WooCommerce Wishlist plugin until a patch is released. Administrators should remain vigilant by implementing strong security practices and regularly auditing their sites for vulnerabilities. The consequences of neglecting these steps could lead to serious financial and reputational damage, as well as the potential for legal consequences in cases of compromised customer data. Proactive protection is essential to maintaining business continuity in the face of ever-evolving cybersecurity threats.
Read more »
Fortra
CVE CVE vulnerability CVEs Cyber Security Cyber Vulnerabilities cybersecurity research Fortra

New Windows Vulnerability CVE-2024-6768 Triggers Blue Screen of Death on All Versions of Windows 10 and 11

 

A recently uncovered Windows vulnerability, known as CVE-2024-6768, has raised alarm among cybersecurity experts due to its potential to cause widespread disruption by triggering the dreaded blue screen of death (BSOD) on a range of Windows operating systems. Discovered by cybersecurity researchers from Fortra, this vulnerability impacts all versions of Windows 10 and Windows 11, as well as Windows Server 2022, even if they have received the latest security patches. 

The flaw lies within the common log file system (CLFS) driver, which, when improperly validated, can result in a system crash by initiating the KeBugCheckEx function, causing the infamous BSOD. The vulnerability is significant because it can be exploited by a user with no administrative privileges. By using a specially crafted file, a malicious actor can crash the system, leading to potential data loss and disruption of services. Although the attack vector is local rather than remote, the ease with which the vulnerability can be exploited raises concerns about its potential impact. The vulnerability is graded as medium risk due to the requirement for local access, but the consequences of exploitation—especially in environments with multiple users—are severe. 

The discovery of CVE-2024-6768 dates back to December 2023, when Fortra initially reported the issue to Microsoft, providing a proof-of-concept (PoC) exploit. Despite Fortra’s efforts to demonstrate the vulnerability across various systems, including those with the latest security updates, Microsoft was unable to reproduce the flaw and therefore did not prioritize a fix. Fortra continued to provide evidence, including screenshots, videos, and memory dumps, but Microsoft remained unresponsive, ultimately closing the case in February 2024. In June 2024, frustrated by the lack of progress, Fortra announced its intention to pursue a Common Vulnerabilities and Exposures (CVE) designation and publish its findings. 

The vulnerability was officially cataloged as CVE-2024-6768 in July 2024, and Fortra planned to release its research publicly in August 2024. The report highlights the vulnerability’s potential to be exploited by low-privileged users to crash systems, which could be particularly damaging in multi-user environments or where system stability is crucial. Microsoft, for its part, has downplayed the severity of the issue, stating that the vulnerability does not meet its criteria for immediate servicing. The company noted that an attacker would need to have already gained code execution capabilities on the target machine and that the vulnerability does not grant elevated permissions. 

However, the lack of a workaround or mitigation has left many organizations concerned about the potential impact of this flaw. While the average Windows user may not be significantly affected by CVE-2024-6768, the vulnerability poses a serious risk to businesses and organizations that rely on stable and secure systems. The possibility of a low-privileged user crashing a system without warning could lead to significant operational disruptions, especially in environments where uptime is critical. For these organizations, the absence of a timely fix from Microsoft is a cause for concern, and they may need to take additional precautions to safeguard their systems. 

In conclusion, the discovery of CVE-2024-6768 underscores the ongoing challenges in maintaining the security and stability of widely used operating systems. As Microsoft considers whether to release a fix, the vulnerability serves as a reminder of the importance of proactive cybersecurity measures and the need for organizations to remain vigilant in the face of evolving threats.
Read more »
Zero-day Flaw
Cisco CVE vulnerability Vulnerabilities and Exploits Zero-day Flaw

Cisco Patches NX-OS Zero-Day Exploited by Chinese Attackers

 

Cisco patched a NX-OS zero-day, identified as CVE-2024-20399 (CVSS score of 6.0), which the China-linked group Velvet Ant used to deploy previously unidentified malware as root on vulnerable switches. 

The bug exists in the CLI of Cisco NX-OS Software; an authenticated, local attacker can exploit it to execute arbitrary commands as root on the underlying operating system of the affected device. 

“This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command.” reads the advisory issued by Cisco. “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.” 

The IT giant emphasised that only hackers with Administrator privileges can successfully exploit this vulnerability on a Cisco NX-OS system. In April 2024, researchers informed the Cisco Product Security Incident Response Team (PSIRT) that the vulnerability was actively exploited in the wild. Sygnia, a cybersecurity firm, discovered the attacks in April 2024 and reported them to Cisco. The bug impacts the following devices: 

  • MDS 9000 Series Multilayer Switches (CSCwj97007) 
  • Nexus 3000 Series Switches (CSCwj97009) 
  • Nexus 5500 Platform Switches (CSCwj97011) 
  • Nexus 5600 Platform Switches (CSCwj97011) 
  • Nexus 6000 Series Switches (CSCwj97011) 
  • Nexus 7000 Series Switches (CSCwj94682) * 
  • Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009) 

Cisco recommends that customers keep track of the credentials used by administrative users network-admin and vdc-admin. Cisco offers the Cisco Software Checker to help customers assess whether their devices are susceptible to this issue. 

In late 2023, Sygnia researchers responded to a critical organization's problem, which they traced to the same China-linked threat actor 'Velvet Ant.' The cyberspies used customised malware on F5 BIG-IP appliances to get persistent access to the target organization's internal network and steal sensitive data.
Read more »
Ransomware Threat
2024 cyber crimes Chainalysis Coveware CVE CVE vulnerability Cyber Security Ransomware attack Ransomware Threat

Drop in ransomware payment, 2024 Q1 sees a record low of 28%

 

Ransomware actors have encountered a rocky start in 2024, as indicated by statistics from cybersecurity firm Coveware. Companies are increasingly refusing to acquiesce to extortion demands, resulting in a record low of only 28% of companies paying ransom in the first quarter of the year. This figure marks a notable decrease from the 29% reported in the previous quarter of 2023. Coveware's data underscores a consistent trend since early 2019, showing a diminishing rate of ransom payments. 

The decline in ransom payments can be attributed to several factors. Organizations are implementing more sophisticated protective measures to fortify their defenses against ransomware attacks. Additionally, mounting legal pressure discourages companies from capitulating to cybercriminals' financial demands. Moreover, ransomware operators frequently breach promises not to disclose or sell stolen data even after receiving payment, further eroding trust in the extortion process. 

Despite the decrease in the payment rate, the overall amount paid to ransomware actors has surged to unprecedented levels. According to a report by Chainalysis, ransomware payments reached a staggering $1.1 billion in the previous year. This surge in payments is fueled by ransomware gangs targeting a larger number of organizations and demanding higher ransom amounts to prevent the exposure of stolen data and provide victims with decryption keys. 

In the first quarter of 2024, Coveware reports a significant 32% quarter-over-quarter drop in the average ransom payment, which now stands at $381,980. Conversely, the median ransom payment has seen a 25% quarter-over-quarter increase, reaching $250,000. This simultaneous decrease in the average and rise in the median ransom payments suggest a shift towards more moderate ransom demands, with fewer high-value targets succumbing to extortion. Examining the initial infiltration methods used by ransomware operators reveals a rising number of cases where the method is unknown, accounting for nearly half of all reported cases in the first quarter of 2024. 

Among the identified methods, remote access and vulnerability exploitation play a significant role, with certain CVE flaws being widely exploited by ransomware operators. The recent disruption of the LockBit operation by the FBI has had a profound impact on the ransomware landscape, reflected in Coveware's attack statistics. This law enforcement action has not only disrupted major ransomware gangs but has also led to payment disputes and exit scams, such as those witnessed with BlackCat/ALPHV. 

 Furthermore, these law enforcement operations have eroded the confidence of ransomware affiliates in ransomware-as-a-service (RaaS) operators, prompting many affiliates to operate independently. Some affiliates have even opted to exit cybercrime altogether, fearing the increased risk of legal consequences and the potential loss of income. Amidst these developments, one ransomware strain stands out as particularly active: Akira. 

This strain has remained the most active ransomware in terms of attacks launched in the first quarter of the year, maintaining its position for nine consecutive months. According to the FBI, Akira is responsible for breaches in at least 250 organizations and has amassed $42 million in ransom payments. Implementing robust protective measures, staying informed about emerging threats, and fostering collaboration with law enforcement agencies are essential strategies for mitigating the risks posed by ransomware attacks and safeguarding sensitive data from malicious actors.
Read more »
Subscribe to: Posts (Atom)