Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Exploitation. Show all posts
Exploitation
backdoor vulnerability Cisco Cisco Security CVE exploits CVE vulnerability Cyber Security Exploitation

Cisco CVE-2024-20439: Exploitation Attempts Target Smart Licensing Utility Backdoor

 

A critical vulnerability tracked as CVE-2024-20439 has placed Cisco’s Smart Licensing Utility (CSLU) in the spotlight after cybersecurity researchers observed active exploitation attempts. The flaw, which involves an undocumented static administrative credential, could allow unauthenticated attackers to remotely access affected systems. While it’s still unclear whether the vulnerability has been weaponized in ransomware attacks, security experts have noted suspicious botnet activity linked to it since early January, with a significant surge in mid-March. 

The vulnerability, according to Cisco, cannot be exploited unless the CSLU is actively running—a saving grace for systems not using the utility frequently. However, many organizations rely on the CSLU to manage licenses for Cisco products without requiring constant connectivity to Cisco’s cloud-based Smart Software Manager. This increases the risk of exposure for unpatched systems. Johannes Ullrich, Dean of Research at the SANS Technology Institute, highlighted that the vulnerability effectively acts as a backdoor. 

In fact, he noted that Cisco has a history of embedding static credentials in several of its products. Ullrich’s observation aligns with earlier research by Nicholas Starke, who published a detailed technical analysis of the flaw, including the decoded hardcoded password, just weeks after Cisco issued its patch. This disclosure made it easier for potential attackers to identify and exploit vulnerable systems. In addition to CVE-2024-20439, Cisco addressed another critical flaw, CVE-2024-20440, which allows unauthenticated attackers to extract sensitive data from exposed devices, including API credentials. 

This vulnerability also affects the CSLU and can be exploited by sending specially crafted HTTP requests to a target system. Like the first flaw, it is only active when the CSLU application is running. Researchers have now detected attackers chaining both vulnerabilities to maximize impact. According to Ullrich, scans and probes originating from a small botnet are testing for exposure to these flaws. Although Cisco’s Product Security Incident Response Team (PSIRT) maintains that there’s no confirmed evidence of these flaws being exploited in the wild, the published credentials and recent scan activity suggest otherwise. 

These types of vulnerabilities raise larger concerns about the use of hardcoded credentials in critical infrastructure. Cisco has faced similar issues in the past with other software products, including IOS XE, DNA Center, and Emergency Responder. 

As always, the best defense is prompt patching. Cisco released security updates in September to address both flaws, and organizations running CSLU should immediately apply them. Additionally, any instance of the CSLU running unnecessarily should be disabled to reduce the attack surface. With exploit attempts on the rise and technical details now public, delaying mitigation could have serious consequences.
Read more »
Vulnerability and Exploits
Chinese Hackers Cyber Hackers CyberCrime Cybersecurity Exploitation VMware Vulnerability and Exploits

Undetected Threat: Chinese Hackers' Long-Term VMware Exploitation

 


CVE-2023-34048 is a pathogen that can be exploited remotely by an attacker who has network access to execute arbitrary code remotely due to an out-of-bounds write flaw found in VMware’s DCERPC implementation, which can be tracked as CVE-2023-34048 (CVSS 9.8). 

As a result of the severity of the problem and the lack of workaround, VMware released patches for this vulnerability in October, noting that the patch was also available for versions of its products that had reached the end-of-life period (EOL). 

There has been some reported exploitation of CVE-2023-34048 in the wild since last week, according to the virtualization technology company's advisory, but it does not provide any specific details on the attacks observed. 

A zero-day vulnerability in VMware and Fortinet devices has been exploited by Chinese state-sponsored hackers named UNC3886 for years, experts have revealed, indicating that they have long exploited this vulnerability. 

Earlier this week, Mandiant issued a report alleging that a group was exploiting the vulnerability to deploy malware, steal credentials, and ultimately exfiltrate sensitive information. The security patch was released in late October of 2023, and it carries a severity rating of 9.8/10 (critical). 

The flaw is described as an out-of-bounds write flaw that can allow attackers who have access to the VirtualCenter Server to execute code remotely. Cyberspies took advantage of this to gain access to their targets' vCenter servers and to use the compromised credentials to install maliciously crafted vSphere Installation Bundles (VIBs) on ESXi hosts with VirtualPita and VirtualPie backdoors via maliciously crafted backdoors. 

Next, the attackers exploited a VMware Tools authentication bypass flaw in CVE-2023-20867 to gain access to guest virtual machines, harvest files, and exfiltrate them. Although Mandiant was not yet certain how the attackers acquired privileged access to victims' VMware servers, a VMware service crash minutes before the backdoors were deployed made it evident that the link was established by a VMware service crash, which closely coincided with the exploit of CVE-2023-34048 in late 2023.

It has been revealed by Mandiant that the zero-day attacker targeting VMware has been exploiting CVE-2023-34048 as a zero-day weaponized by them, allowing them to gain privileged access to the vCenter system, enumerate all VMware ESXi hosts and their virtual machines which they are connected to, and gain access to the vCenter server. 

Next, the adversary will be able to connect directly to the hosts by retrieving the cleartext "vpxuser" credentials for the hosts and connecting to them directly to install the malware VIRTUALPITA and VIRTUALPIE, allowing them to interact with them directly. 

As Mandiant revealed in June 2023, this paves the way for exploiting another VMware flaw, (CVE-2023-20867, CVSS score: 3.9). As a consequence, arbitrary commands can be executed on guest VMs and files can be transferred between the guest virtual machines from a compromised ESXi host using this flaw. 

As Mandiant pointed out in their analysis, the same crashes were observed in several UNC3886 intrusions that began in late 2021, suggesting the attacker had access to the vulnerability for approximately one and a half years. As well as removing the 'vmdird' core dumps from the compromised environments, the cybersecurity firm observed that they had also preserved the log entries to cover their tracks. 

With the release of the 8.0U2 update from VMware, the vulnerability found in vCenter version 8.0U2 has been patched. The patches are available for vCenter Server versions 8.0U1, 7.0U3, 6.7U3, 6.5U3, VCF 3.x, as well as Async vCenter Server Versions 5.x and 4.x.
Read more »
Windows 11
Cyber Security DLL Search Order Hijacking Exploitation Malicious Code Privilege Escalation Security Bypass Security Joes Threat actors Windows 10 Windows 11

New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections

 

Security researchers have outlined a fresh variant of a dynamic link library (DLL) search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and Windows 11.

The new method, disclosed in a report by cybersecurity firm Security Joes and exclusively shared with The Hacker News, exploits executables commonly present in the trusted WinSxS folder, utilizing the classic DLL search order hijacking technique. By doing so, adversaries can avoid the need for elevated privileges when attempting to run malicious code on a compromised system, introducing potentially vulnerable binaries into the attack chain.

DLL search order hijacking involves manipulating the search order used to load DLLs, allowing the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. This technique targets applications that do not specify the full path to required libraries, relying on a predefined search order to locate DLLs on disk.

Threat actors exploit this behavior by relocating legitimate system binaries into non-standard directories that contain malicious DLLs, named after legitimate ones. This tricks the system into loading the attack code-containing library instead of the authentic one.

The unique aspect introduced by Security Joes focuses on files within the trusted "C:\Windows\WinSxS" folder. WinSxS, short for Windows side-by-side, is a crucial Windows component used for OS customization and updates to ensure compatibility and integrity.

According to Ido Naor, co-founder and CEO of Security Joes, the discovery diverges from traditional cyber attack methods, providing a more subtle and stealthy exploitation technique. The strategy involves identifying vulnerable binaries in the WinSxS folder and combining them with DLL search order hijacking methods. This entails strategically placing a custom DLL with the same name as a legitimate DLL into an actor-controlled directory, triggering code execution when executing a vulnerable file in the WinSxS folder.

Security Joes emphasized the potential for additional binaries in the WinSxS folder susceptible to this DLL search order hijacking, urging organizations to take precautions. They recommended examining parent-child relationships between processes, particularly focusing on trusted binaries, and closely monitoring activities performed by binaries in the WinSxS folder, including network communications and file operations.
Read more »
threats
Cyberattacks Cyberfraud Darkweb Data Breach data security Deception Exploitation Fabrication Leaks Misinformation Ransomware threats

Decoding Cybercriminals' Motives for Crafting Fake Data Leaks

 

Companies worldwide are facing an increasingly daunting challenge posed by data leaks, particularly due to the rise in ransomware and sophisticated cyberattacks. This predicament is further complicated by the emergence of fabricated data leaks. Instead of genuine breaches, threat actors are now resorting to creating fake leaks, aiming to exploit the situation.

The consequences of such falsified leaks are extensive, potentially tarnishing the reputation of the affected organizations. Even if the leaked data is eventually proven false, the initial spread of misinformation can lead to negative publicity.

The complexity of fake leaks warrants a closer examination, shedding light on how businesses can effectively tackle associated risks.

What Drives Cybercriminals to Fabricate Data Leaks?

Certain cybercriminal groups, like LockBit, Conti, Cl0p, and others, have gained significant attention, akin to celebrities or social media influencers. These groups operate on platforms like the Dark Web and other shadowy websites, and some even have their own presence on the X platform (formerly Twitter). Here, malicious actors publish details about victimized companies, attempting to extort ransom and setting deadlines for sensitive data release. This may include private business communications, corporate account login credentials, employee and client information. Moreover, cybercriminals may offer this data for sale, enticing other threat actors interested in using it for subsequent attacks.

Lesser-known cybercriminals also seek the spotlight, driving them to create fake leaks. These fabricated leaks generate hype, inducing a concerned reaction from targeted businesses, and also serve as a means to deceive fellow cybercriminals on the black market. Novice criminals are especially vulnerable to falling for this ploy.

Manipulating Databases for Deception: The Anatomy of Fake Leaks

Fake data leaks often materialize as parsed databases, involving the extraction of information from open sources without sensitive data. This process, known as internet parsing or web scraping, entails pulling text, images, links, and other data from websites. Threat actors employ parsing to gather data for malicious intent, including the creation of fake leaks.

In 2021, a prominent business networking platform encountered a similar case. Alleged user data was offered for sale on the Dark Web, but subsequent investigations revealed it was an aggregation of publicly accessible user profiles and website data, rather than a data breach. This incident garnered media attention and interest within the Dark Web community.

When offers arise on the Dark Web, claiming to provide leaked databases from popular social networks like LinkedIn, Facebook, or X, they are likely to be fake leaks containing information already publicly available. These databases may circulate for extended periods, occasionally sparking new publications and causing alarm among targeted firms.

According to Kaspersky Digital Footprint Intelligence, the Dark Web saw an average of 17 monthly posts about social media leaks from 2019 to mid-2021. However, this figure surged to an average of 65 monthly posts after a significant case in the summer of 2021. Many of these posts, as per their findings, may be reposts of the same database.

Old leaks, even genuine ones, can serve as the foundation for fake leaks. Presenting outdated data leaks as new creates the illusion of widespread cybercriminal access to sensitive information and ongoing cyberattacks. This strategy helps cybercriminals establish credibility among potential buyers and other actors within underground markets.

Similar instances occur frequently within the shadowy community, where old or unverified leaks resurface. Data that's several years old is repeatedly uploaded onto Dark Web forums, sometimes offered for free or a fee, masquerading as new leaks. This not only poses reputation risks but also compromises customer security.

Mitigating Fake Leaks: Business Guidelines

Faced with a fake leak, panic is a common response due to the ensuing public attention. Swift identification and response are paramount. Initial steps should include refraining from engaging with attackers and conducting a thorough investigation into the reported leak. Verification of the source, cross-referencing with internal data, and assessing information credibility are essential. Collecting evidence to confirm the attack and compromise is crucial.

For large businesses, including fake leaks, data breaches are a matter of "when," not "if." Transparency and preparation are key in addressing such substantial challenges. Developing a communication plan beforehand for interactions with clients, journalists, and government agencies is beneficial. 

Additionally, constant monitoring of the Dark Web enables detection of new posts about both fake and real leaks, as well as spikes in malicious activity. Due to the automation required for Dark Web monitoring and the potential lack of internal resources, external experts often manage this task.

Furthermore, comprehensive incident response plans, complete with designated teams, communication channels, and protocols, facilitate swift action if such cases arise.

In an era where data leaks continuously threaten businesses, proactive and swift measures are vital. By promptly identifying and addressing these incidents, conducting meticulous investigations, collaborating with cybersecurity experts, and working with law enforcement, companies can minimize risks, safeguard their reputation, and uphold customer trust.
Read more »
Subscribe to: Posts (Atom)