
This Ransomware Targets Several English-Speaking Nations

 

According to Cisco Talos researchers, a new ransomware variant is suspected to have been used in a series of attacks on entities in China, Vietnam, Bulgaria and a number of English-speaking nations.

The researchers disclosed on Monday that they had come across a previously unidentified threat actor, apparently based in Vietnam, who has been conducting these attacks since at least June 4.

The malware is a modified version of the Yashma ransomware, a strain whose activity had fallen off significantly after a decryption tool was released last year.

“Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, ‘nguyenvietphat,’ has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas,” the researchers said in a report.

“The threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone.”

The ransom note closely resembles that of WannaCry, the ransomware that gained widespread attention in 2017, and is provided in English, Bulgarian, Vietnamese and Chinese.

If victims fail to pay within three days, the ransom doubles. The note gives a Gmail address for contact but no ransom amount, and the Bitcoin wallet it lists holds no funds, suggesting the operation is still in its early stages.

After encryption, the desktop wallpaper is changed to a message stating that all files have been encrypted.

According to Cisco Talos, Yashma, first observed in May 2022, is essentially a rebranded version of the Chaos ransomware. BlackBerry researchers analyzed Yashma's features in detail last year, and Talos found that the new variant retains most of the original's core elements.

One significant change is that the new variant no longer embeds the ransom note in the binary. Instead it fetches the note from a GitHub repository controlled by the threat actor, which is intended to evade endpoint detection and antivirus products that key on ransom-note strings inside the executable.

Another characteristic preserved from Yashma is its anti-recovery behavior: after encrypting a file, the malware overwrites the original's contents with a single '?' character before deleting it. Overwriting before deletion frustrates attempts by incident responders and forensic analysts to recover the deleted originals from the victim's disk.

Organizations that track ransomware have noted a substantial increase in the number of distinct strains. FortiGuard Labs reported a significant uptick in the growth of ransomware variants, largely attributed to the adoption of Ransomware-as-a-Service (RaaS).

Ransomware expert Allan Liska of Recorded Future pointed out that many so-called "new" strains are variations of previously released ones. Data gathered by his team showed that fewer than 25% of the 328 supposedly "new" ransomware variants were genuinely novel.

Zenbleed: Security Flaw Steals Data from AMD Zen 2 CPUs


Google security researcher Tavis Ormandy published an overview of the flaw on his blog after reporting it to AMD on May 15. AMD's entire Zen 2 product line is affected.

The flaw lets an attacker read private data held in Zen 2 CPU registers, such as encryption keys and login credentials, on any Zen 2 system, including the PS5, Xbox, and desktop and data center machines. According to cloud infrastructure provider Cloudflare, the leak could in principle be triggered remotely via JavaScript on a web page.

AMD Zen 2 CPU

AMD's Zen 2 architecture, launched in 2019, underpins the third generation of the company's Ryzen processors. Zen 2 parts include the Ryzen 3000 desktop chips, the Ryzen 4000U/H mobile chips, some Ryzen 5000U mobile chips, Threadripper 3000 for high-performance workstations, and the Ryzen 4000G Accelerated Processing Unit (APU) system-on-a-chip.

The architecture also powers Sony's PlayStation 5, Microsoft's Xbox Series S and Series X, and Valve's Steam Deck, as well as many standalone computers and data center servers.

All of these CPUs are affected by Zenbleed, tracked as CVE-2023-20593, which stems from a bug in how the CPU handles speculative execution.

CPU Misprediction 

Modern CPUs increase throughput by predicting which instructions will run next and executing them before the outcome of the current branch is known, rather than waiting. This technique is known as speculative execution; work done along a mispredicted path is discarded.

Zenbleed involves vzeroupper, an instruction that zeroes the upper halves of the 256-bit YMM vector registers (compilers emit it routinely when switching between AVX and older SSE code). On Zen 2, vzeroupper is implemented by marking the register-file entries as zero rather than writing zeros into them.

Ormandy found that when vzeroupper is executed speculatively and the prediction turns out to be wrong, the rollback does not correctly undo that marking. The YMM registers are also used by ordinary instructions that move and copy data, so a register can end up exposing stale contents of the physical register file that belonged to another process or virtual machine on the same core.

Because common library routines (string and memory copies, for instance) pass data through those registers, the leaked contents may include passwords, credit-card numbers and encryption keys, and a well-crafted exploit can trick the CPU into leaking them at about 30 KB per core per second.

Because the flaw lies in the CPU's normal operation, it works regardless of the operating system, applications, virtual machines or security tools installed on the system.
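The first thing a practitioner wants after reading the above is to know which hosts carry a Zen 2 part. The following is an added example, not code from the original post or from Ormandy's proof of concept: it classifies each logical CPU in /proc/cpuinfo text by vendor, family and model. The ZEN2_MODEL_RANGES table is an assumption (family-0x17 model ranges publicly associated with Zen 2 parts, possibly incomplete), so confirm it against AMD's advisory for CVE-2023-20593 before acting on the result; the cpuinfo sample is constructed.

```python
"""Flag Zen 2 logical CPUs from /proc/cpuinfo text.

Added example, not code from the original post or from Ormandy's PoC.
ZEN2_MODEL_RANGES is an assumption: family-0x17 model ranges publicly
associated with Zen 2 parts; it may be incomplete, so confirm against AMD's
advisory for CVE-2023-20593 before acting on the result.
"""
import re

# Assumed Zen 2 model ranges (inclusive) within AMD family 0x17.
ZEN2_MODEL_RANGES = [(0x30, 0x3f), (0x60, 0x6f), (0x70, 0x7f),
                     (0x90, 0x9f), (0xa0, 0xaf)]


def is_zen2(vendor, family, model):
    """True for AMD family 0x17 parts whose model falls in a Zen 2 range."""
    if vendor != "AuthenticAMD" or family != 0x17:
        return False
    return any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)


def parse_cpuinfo(text):
    """Yield one {field: value} dict per 'processor' stanza."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            yield fields


def zenbleed_exposure(text):
    """Return (processor, model, microcode) for every Zen 2 logical CPU."""
    hits = []
    for cpu in parse_cpuinfo(text):
        try:
            family, model = int(cpu["cpu family"]), int(cpu["model"])
        except (KeyError, ValueError):
            continue   # malformed stanza: skip rather than misclassify
        if is_zen2(cpu.get("vendor_id", ""), family, model):
            hits.append((int(cpu["processor"]), model,
                         cpu.get("microcode", "unknown")))
    return hits


# Constructed sample standing in for open("/proc/cpuinfo").read():
# one Zen 2 desktop core (family 23, model 113 = 0x71) and one Intel core.
SAMPLE = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 5 3600 6-Core Processor
microcode\t: 0x8701021

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 142
microcode\t: 0xf0
"""

if __name__ == "__main__":
    for proc, model, ucode in zenbleed_exposure(SAMPLE):
        print(f"cpu{proc}: Zen 2 (model {model:#x}), microcode {ucode}; "
              "check whether the vendor's Zenbleed fix is applied")
```

The microcode revision is reported rather than judged, because which revision counts as fixed depends on the specific model and on what the OEM shipped; compare it with the vendor's advisory for each model you find.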

Patching the Underlying Vulnerability

Ormandy published proof-of-concept exploit code alongside his write-up. The flaw is said to be easier to exploit than earlier CPU bugs such as Spectre and Meltdown, since it needs no special privileges.

AMD released a microcode update for its affected data center processors at disclosure and said fixes for its other Zen 2 products would reach users through equipment manufacturers' firmware updates, beginning in October.

Cloudflare announced that it is "patching [its] entire fleet of potentially impacted servers with AMD's microcode." 

Citrix has provided a patch, and the Debian and Red Hat Linux distributions have also responded. Red Hat rated the vulnerability as "moderate impact" and cautioned that a complete fix was not yet available.

Security experts advise companies to assess their exposure by inventorying the systems they run on Zen 2 CPUs. They also advise keeping related hardware bugs such as RAMBleed, which allow data to be read directly from CPU or memory hardware, in mind.

The Professionalization of Cybercrime: Exploits and Experts


Your adversaries do exactly what you do to keep up with the latest news, tools and thought leadership, only to attack your organization rather than defend it. Their efforts focus on networking in forums, evaluating the latest tooling, talking to potential buyers, and looking for ways around your security controls.

Considered honestly, their capabilities let them outmaneuver well-funded security teams and commercial tooling, especially legacy controls such as signature-based antivirus. As a result, many security operations centers (SOCs) fail to prioritize the real threats and instead spend their time and energy on problems they will realistically never solve at scale.

To defend effectively, security teams need to move beyond the mental image of the lone hooded figure in a dimly lit basement, cigarette smoke curling from a filthy ashtray. Cybercrime today is strategic, commoditized and collaborative, as any activity becomes where there is money to be made.

Every attack is backed by strategic intent

Every piece of malware is released for a reason; there is always a plan for what it will do. First, criminals reconnoiter your environment to find a way in, looking for something they can steal and resell to another person or organization. Once inside, they quickly recognize what has value, even if they do not yet know what they will do with it.

During reconnaissance, attackers exploit misconfigurations or open ports, a task made easier by public CVE databases and free network scanners. A breach may also begin with stolen user credentials, which is often simpler than finding an exploitable asset later.

Cyber weapons' black market is maturing at a rapid pace


An underground marketplace run by criminals has developed over the years. Tools have evolved from inexpensive, low-tech products into advanced capabilities delivered through business models familiar from the legitimate economy, such as software as a service (SaaS), which makes them far more accessible to buyers. Threat hunters have been watching this commoditization of hacking tools for some time.

Phishing kits, pre-packaged exploits and website-cloning tools have been commonplace for years. A cloning tool imitates the login page of a popular service, Microsoft Office 365 or Netflix for example, and such pages have been effective at harvesting passwords for a long time. Over the past 20 years the defensive response has matured: pattern recognition, URL crawling and threat-intelligence sharing. Through services such as VirusTotal, data on malicious files reaches the security community almost instantly, within days of discovery at most. Adversaries are well aware of these defenses and have adapted to them.

Phishing: A New Methodology 

With the rise of multi-factor authentication (MFA), today's adversaries have also found ways to hijack the verification step itself.

EvilProxy is a recent example. Like earlier kits, it mimics a target site's login page to trick users into entering their credentials. But unlike the one-off phishing kits of the past, it is sold by groups specializing in access compromise on a rental model: the operator rents out capacity on its own servers for customers to run fraud campaigns.

The operator hosts a proxy service that works much like a SaaS product; access costs about $250 for ten days. Renting rather than selling brings the operator more money and lets it analyze the data its customers collect, which it can then publish on criminal forums to market the product and compete with rival sellers.

The rental model also comes with built-in protections against uninvited visitors. Bot protection blocks web crawlers from indexing the phishing sites, virtualization detection turns away researchers probing from virtual machines (VMs), and automation detection stops security teams from crawling the kit's sites with scripted tooling.

The "Adversary in the Middle" scenario


The kit works as a reverse proxy between the victim and the real login page, which is how it defeats MFA and why it is hard to detect as phishing. The proxy relays the username, password and MFA challenge to the genuine site, then captures the session cookie the site sets once MFA has succeeded. Replaying that cookie lets the attacker use the site as the victim, with no further prompt.

To the user, everything appears normal. Slight variations in the domain name make the phishing site look authentic, and because the real site sits behind the proxy everything works as it should. The result is unauthorized access under that user's identity, which the criminal can exploit directly or sell to the highest bidder.
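The exchange described above, as an added example that is not part of the original article or of any real kit: three parties run in-process (the victim's browser, the attacker's reverse proxy on a look-alike origin, and the real site). It shows why relaying a one-time code does not stop the attack, and why an origin-bound factor such as WebAuthn does, because the browser signs the origin it is actually talking to. Origins, user data and secrets are made up, and "signing" is simulated with HMAC so the script runs offline.

```python
"""Toy model of an adversary-in-the-middle (AitM) phishing proxy.

Added example; not code from the original post or from any real kit.  Three
parties run in-process: the victim's browser, the attacker's reverse proxy on
a look-alike origin, and the real site.  Origins, user data and secrets are
made up, and 'signing' is simulated with HMAC so the script runs offline.
"""
import hashlib
import hmac
import secrets


def mac(key, message):
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


class RealSite:
    """The legitimate login server (origin assumed for the example)."""
    ORIGIN = "https://login.example.com"

    def __init__(self):
        self.users = {"alice": {"password": "hunter2", "totp_seed": b"totp-seed",
                                "credential_key": b"authenticator-key"}}  # constructed
        self.sessions = {}

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def new_challenge(self):
        return secrets.token_hex(16)

    def login_totp(self, user, password, code):
        u = self.users.get(user)
        expected = u and mac(u["totp_seed"], "time-step")[:6]   # stand-in TOTP
        if u is None or u["password"] != password or code != expected:
            return None
        return self._issue_session(user)

    def login_webauthn(self, user, challenge, assertion):
        # A WebAuthn verifier rejects assertions whose signed client data
        # names any origin but its own; that is what stops the proxy.
        u = self.users.get(user)
        if u is None or assertion["origin"] != self.ORIGIN:
            return None
        expected = mac(u["credential_key"], f"{challenge}|{assertion['origin']}")
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        return self._issue_session(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class AitMProxy:
    """Attacker's reverse proxy: relays every request to the real site and
    keeps a copy of any session cookie that comes back."""
    ORIGIN = "https://login-example.com"   # made-up look-alike domain

    def __init__(self, upstream):
        self.upstream, self.captured = upstream, []

    def _relay(self, cookie):
        if cookie:
            self.captured.append(cookie)
        return cookie

    def new_challenge(self):
        return self.upstream.new_challenge()

    def login_totp(self, *args):
        return self._relay(self.upstream.login_totp(*args))   # MFA code relayed too

    def login_webauthn(self, *args):
        return self._relay(self.upstream.login_webauthn(*args))


class Browser:
    """The victim, who types into whichever origin the phishing link opened."""
    def __init__(self, user, password, totp_seed, credential_key):
        self.user, self.password = user, password
        self.totp_seed, self.credential_key = totp_seed, credential_key

    def login_with_totp(self, site):
        return site.login_totp(self.user, self.password, mac(self.totp_seed, "time-step")[:6])

    def login_with_webauthn(self, site):
        challenge = site.new_challenge()
        # The browser signs the origin it is really talking to, not the one
        # the user believes they are on.
        signature = mac(self.credential_key, f"{challenge}|{site.ORIGIN}")
        return site.login_webauthn(self.user, challenge,
                                   {"origin": site.ORIGIN, "signature": signature})


def run_attack(factor):
    """Return (victim_logged_in, attacker_can_replay) for 'totp' or 'webauthn'."""
    site, victim = RealSite(), Browser("alice", "hunter2", b"totp-seed", b"authenticator-key")
    proxy = AitMProxy(site)
    login = victim.login_with_totp if factor == "totp" else victim.login_with_webauthn
    cookie = login(proxy)                                   # victim lands on the proxy
    replay_ok = bool(proxy.captured) and site.whoami(proxy.captured[0]) == "alice"
    return cookie is not None, replay_ok


if __name__ == "__main__":
    print("TOTP    :", run_attack("totp"))       # cookie stolen and replayed
    print("WebAuthn:", run_attack("webauthn"))   # origin mismatch, no session at all
```

The TOTP run succeeds for both the victim and the attacker, which is the point of the article: the code is relayed, not broken. The WebAuthn run fails for the victim too, which is why phishing-resistant factors are the practical defense rather than better phishing-page detection.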

What is the business model of the adversary? 

Malware and new phishing techniques are sold openly on the Internet, often in a gray area between legal and illegal. BreakingSecurity.net, for example, is one of many outfits marketing remote "surveillance" software to enterprises.

Each tool's price point reflects the result it is meant to achieve, and those results always carry a clear business intent: stealing credentials, mining cryptocurrency, extorting a ransom, or quietly snooping around a network to exfiltrate information.

Developers of these tools now partner with buyers through affiliate programs that work much like multi-level marketing. An affiliate with a product to sell is directed to the affiliate company, which offers product guarantees and 24/7 customer support in return for a share of the profits. This lets the operation build a hierarchy and scale.

Dex: ID Service Patches Bug that Allows Unauthorized Access to Client Applications

 

Dex, a widely used OpenID Connect (OIDC) identity service, has patched a critical vulnerability that lets an attacker obtain a victim's ID token by intercepting the authorization code, and so access client applications without authorization. The fix was produced with Sigstore developers Hayden Blauzvern and Bob Callaway and with 'joernchen', who initially reported the bug.

A sandbox project of the Cloud Native Computing Foundation, Dex is open source and provides an identity layer on top of OAuth 2.0, supplying authentication to other applications.

Dex acts as a portal to other identity providers through "connectors", which range from LDAP servers and SAML providers to services such as GitHub, Google and Active Directory. The project claims 35.6 million downloads to date. As the developers' advisory states, the bug affects "Dex instances with public clients (and by extension, clients accepting tokens issued by those Dex instances)".

The attacker lures the victim to a malicious website that starts an OIDC flow with Dex, and steals the OAuth authorization code when the victim completes it. The attacker then exchanges the code for a token, which grants access to any application that accepts it. Because the attack can be repeated, the attacker can obtain a new token each time the old one expires.

The bug arises because the login flow uses a persistent connector state parameter as the request ID that is later used to look up the OAuth code, so an attacker who starts the flow already knows the value needed to collect the code.

“Once the user has successfully authenticated, if the webserver is able to call /approval before the victim’s browser calls /approval, then an attacker can fetch the Dex OAuth code which can be exchanged for an ID token using the /token endpoint,” the advisory states. Users are advised to update to version 2.35.0; the vulnerability, rated CVSS 9.3, affects versions 2.34.0 and older.

The fix introduces a hash-based message authentication code (HMAC) computed with a randomly generated per-request secret that the attacker does not know. The secret is persisted between the initial login and the approval request, so the approval request can no longer be predicted from the request ID alone.
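One way to see what the HMAC buys, as an added example that is not Dex's own code: a toy model of the /callback, /approval and /token steps, run once with the original lookup-by-request-ID behavior and once with the fix. The endpoint names follow the advisory; the record layout, the exact HMAC input (the request ID keyed with the per-request secret) and the attacker's race are simplified assumptions for illustration.

```python
"""Toy model of the Dex /callback -> /approval -> /token steps, before and
after the HMAC fix.

Added example, not Dex's own code.  The endpoint names follow the advisory;
the record layout, the HMAC input (the request ID keyed with the per-request
secret) and the attacker's race are simplified assumptions for illustration.
"""
import hashlib
import hmac
import secrets


class AuthServer:
    def __init__(self, require_hmac):
        self.require_hmac = require_hmac
        self.auth_requests = {}   # request ID -> {user, secret}
        self.codes = {}           # authorization code -> user

    def start_login(self):
        """A client begins the OIDC flow.  The returned request ID is the
        connector state parameter that rides through the upstream IdP."""
        req_id = secrets.token_hex(8)
        self.auth_requests[req_id] = {"user": None, "secret": secrets.token_bytes(32)}
        return req_id

    def _mac(self, req_id):
        # Keyed with a secret that never leaves the server's own store.
        return hmac.new(self.auth_requests[req_id]["secret"], req_id.encode(),
                        hashlib.sha256).hexdigest()

    def callback(self, req_id, upstream_user):
        """The upstream IdP redirects the authenticating browser here.  Returns
        the query parameters of the /approval URL handed to that browser."""
        self.auth_requests[req_id]["user"] = upstream_user
        params = {"req": req_id}
        if self.require_hmac:
            params["hmac"] = self._mac(req_id)   # only this browser ever sees it
        return params

    def approval(self, params):
        """Issue the authorization code for a request that finished upstream."""
        req_id = params.get("req")
        rec = self.auth_requests.get(req_id)
        if rec is None or rec["user"] is None:
            return None
        if self.require_hmac and not hmac.compare_digest(
                params.get("hmac", ""), self._mac(req_id)):
            return None
        code = secrets.token_hex(8)
        self.codes[code] = rec["user"]
        del self.auth_requests[req_id]   # the request is single use
        return code

    def token(self, code):
        return self.codes.pop(code, None)


def race(require_hmac):
    """Attacker starts the flow, so it knows the request ID; the victim is
    lured through the upstream login; the attacker hits /approval first."""
    server = AuthServer(require_hmac)
    req_id = server.start_login()
    server.callback(req_id, "victim")             # victim finishes upstream auth
    code = server.approval({"req": req_id})       # attacker, without the hmac
    return server.token(code) if code else None


def legitimate(require_hmac):
    """The victim's own browser follows the redirect it was given."""
    server = AuthServer(require_hmac)
    req_id = server.start_login()
    params = server.callback(req_id, "victim")
    code = server.approval(params)
    return server.token(code) if code else None


if __name__ == "__main__":
    print("race, no hmac :", race(False))        # attacker gets a token for "victim"
    print("race, hmac    :", race(True))         # None: the race fails
    print("legit, hmac   :", legitimate(True))   # normal flow still works
```

Knowing the request ID is not enough once the approval URL carries a value derived from a server-side secret: the attacker can still start the flow and still time the race, but can no longer produce a request the server will accept.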

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three recently disclosed security flaws to its Known Exploited Vulnerabilities (KEV) catalog: a critical vulnerability in Atlassian's Bitbucket Server and Data Center, and two Microsoft Exchange zero-days.

At the end of August, Atlassian fixed a flaw tracked as CVE-2022-36804 (CVSS score 9.9) in Bitbucket Server and Data Center. It is a critical command injection vulnerability that lets an attacker execute arbitrary code by sending malicious HTTP requests.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassian stated in an advisory released in late August.

Although CISA gave no details on how the flaw is being exploited or how widespread the attacks are, researchers at GreyNoise reported detecting in-the-wild exploitation attempts on September 20 and 23.

The other two KEV additions, the Microsoft Exchange zero-days tracked as CVE-2022-41040 and CVE-2022-41082, have been exploited in limited, targeted attacks according to Microsoft.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

Federal Civilian Executive Branch (FCEB) agencies must apply patches or mitigations for the three vulnerabilities by the deadlines set when they were added to the KEV catalog, as required by Binding Operational Directive 22-01 issued last November.

Since the directive was issued, CISA has added more than 800 security vulnerabilities to the KEV catalog, requiring federal agencies to remediate them on a tight schedule.

Although BOD 22-01 applies only to U.S. FCEB agencies, CISA urges public and private sector organizations worldwide to prioritize these flaws, since applying mitigations will help contain attacks and breach attempts. As CISA puts it, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.”
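The check a team outside the FCEB would actually run is to match its own inventory against the catalog. The following is an added example, not CISA or Atlassian tooling: it loads a KEV-format export (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded, dueDate and requiredAction, the layout CISA publishes for the catalog), applies the version range from Atlassian's advisory quoted above, and reports how far past the due date each exposed host is. The two catalog entries, the host names and the dates are constructed for illustration.

```python
"""Match an asset inventory against a CISA KEV catalog export.

Added example, not CISA or Atlassian tooling.  The JSON layout (a top-level
"vulnerabilities" list with cveID, vendorProject, product, dateAdded, dueDate
and requiredAction per entry) is the one CISA publishes for the catalog; the
two entries, the host names and the dates are constructed here, and the
version rule is Atlassian's stated range (7.0.0 through 8.3.0 inclusive).
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-36804", "vendorProject": "Atlassian",
     "product": "Bitbucket Server and Data Center",
     "dateAdded": "2022-09-30", "dueDate": "2022-10-21",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-41040", "vendorProject": "Microsoft",
     "product": "Exchange Server",
     "dateAdded": "2022-09-30", "dueDate": "2022-10-21",
     "requiredAction": "Apply remediation actions per vendor instructions."},
]})


def parse_version(text):
    """'8.3.0' -> (8, 3, 0); tuples compare numerically, unlike the strings."""
    return tuple(int(part) for part in text.split("."))


def bitbucket_affected(version):
    """CVE-2022-36804 range from Atlassian's advisory: 7.0.0 <= v <= 8.3.0."""
    return (7, 0, 0) <= parse_version(version) <= (8, 3, 0)


# Product -> rule mapping a version string to the CVEs it is exposed to.
# Only the Bitbucket rule is filled in; add others as you verify them.
RULES = {
    "Bitbucket Server": lambda v: ["CVE-2022-36804"] if bitbucket_affected(v) else [],
}


def load_kev(text):
    return {entry["cveID"]: entry for entry in json.loads(text)["vulnerabilities"]}


def kev_findings(inventory, kev, today):
    """inventory: [(host, product, version)].  Returns one (host, cve,
    days_past_due) per KEV-listed CVE the host is exposed to; a negative
    value means the due date is still ahead."""
    findings = []
    for host, product, version in inventory:
        for cve in RULES.get(product, lambda v: [])(version):
            entry = kev.get(cve)
            if entry is None:
                continue   # exposed, but not (yet) in KEV: out of scope here
            overdue = (today - date.fromisoformat(entry["dueDate"])).days
            findings.append((host, cve, overdue))
    return findings


INVENTORY = [("git01", "Bitbucket Server", "8.2.1"),     # constructed hosts
             ("git02", "Bitbucket Server", "8.3.1"),
             ("git03", "Bitbucket Server", "6.10.17")]

if __name__ == "__main__":
    for host, cve, overdue in kev_findings(INVENTORY, load_kev(KEV_SAMPLE),
                                           date(2022, 10, 24)):
        print(f"{host}: {cve} is in KEV, {overdue} days past its due date")
```

Versions are compared as integer tuples rather than strings, which matters for Bitbucket's own numbering: "8.10.0" sorts after "8.3.0" numerically but before it as text.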

BIND Updates Patch High-Severity Flaws

The Internet Systems Consortium (ISC) announced this week the availability of patches for six remotely exploitable vulnerabilities in the widely used BIND DNS software. 

Four of the fixed security vulnerabilities have a severity rating of 'high.' All four have the potential to cause a denial-of-service (DoS) condition. The first of these is CVE-2022-2906, which affects "key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions," according to ISC's advisory. 

A remote attacker could exploit the flaw to gradually deplete available memory until the server crashes, and because the attack can be repeated after a restart, "there is the potential for service denial," according to ISC.

The second flaw, tracked as CVE-2022-3080, can cause the BIND 9 resolver to crash under certain conditions when crafted queries are sent to it. The third, CVE-2022-38177, is a memory leak in the DNSSEC verification code for the ECDSA algorithm that can be triggered by a signature length mismatch.

“By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources,” ISC explains.

The fourth high-severity bug, CVE-2022-38178, is a memory leak in the DNSSEC verification code for the EdDSA algorithm that can be triggered by malformed EdDSA signatures. Updates were released for BIND 9.18 (the stable branch), BIND 9.19 (the development branch) and BIND 9.16 (the Extended Support Version). As per ISC, no public exploits targeting these vulnerabilities are known.

The US Cybersecurity and Infrastructure Security Agency (CISA) urged users and administrators on Thursday to review ISC's advisories for these four security holes and apply the available patches as soon as possible.

Vulnerability in OCI Could Have Put the Data of Customers Exposed to the Attacker

 

A vulnerability named 'AttachMe', discovered by a Wiz engineer, could have allowed attackers to access and steal the OCI storage volumes of any user without permission.

During an examination of Oracle Cloud Infrastructure (OCI) in June, Wiz engineers found a cloud isolation flaw: a disk volume could be attached to a virtual machine in another account without any permissions, which they immediately recognized as a path for attackers.

Elad Gabay, a security researcher at Wiz, published details on September 20, warning that exploitation could have led to "severe sensitive data leakage" for all OCI customers and could even have been used to gain remote code execution.

To exploit the flaw, an attacker needed the Oracle Cloud Identifier (OCID) of the victim's volume, which could be obtained either by searching the web or by using a low-privileged user in the victim's environment to read the volume OCID.

AttachMe is a critical cloud isolation vulnerability in a specific cloud service. By attaching a victim's volume, an attacker could exfiltrate sensitive data from it, search it for cleartext secrets to move further into the victim's environment, tamper with it so the owner could no longer use it, or modify the partition holding the operating system to gain code execution on the instance that boots from it.

OCI's documentation describes volumes as "virtual disks" that provide storage for compute instances. They come in two varieties:

1. Block volume: detachable storage that can be added to expand an instance's capacity.

2. Boot volume: a detachable volume containing the image an instance boots from, i.e. the operating system and supporting software.
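The missing check, as an added example that is not OCI code: a toy control plane with a volume-attach call that only authorizes the instance side (the bug class described above) beside one that also authorizes the caller against the volume's own tenancy and compartment. The control plane, the OCIDs (which follow the ocid1.<type>.<realm>.<region>.<id> shape but are made up), the tenancies and the policy model are simplified stand-ins.

```python
"""Toy model of the missing tenant-isolation check behind 'AttachMe'.

Added example, not OCI code.  The control plane, OCIDs, tenancy and policy
model are simplified stand-ins; the point is that a volume-attach call must
authorize the caller against the *volume's* tenancy and compartment, not only
check that the volume exists and that the caller owns the target instance.
"""


class PermissionDenied(Exception):
    pass


class ControlPlane:
    def __init__(self):
        self.volumes = {}      # volume OCID -> (tenancy, compartment)
        self.instances = {}    # instance OCID -> (tenancy, compartment)
        self.grants = set()    # (tenancy, compartment, principal) may use volumes
        self.attachments = []  # (instance OCID, volume OCID)

    def _check_instance(self, caller_tenancy, instance_ocid):
        if self.instances[instance_ocid][0] != caller_tenancy:
            raise PermissionDenied("instance belongs to another tenancy")

    def attach_vulnerable(self, principal, caller_tenancy, instance_ocid, volume_ocid):
        """Authorizes only the instance side.  Anyone who knows (or finds)
        a volume OCID can attach that volume to their own instance."""
        self._check_instance(caller_tenancy, instance_ocid)
        if volume_ocid not in self.volumes:
            raise KeyError(volume_ocid)
        self.attachments.append((instance_ocid, volume_ocid))

    def attach_fixed(self, principal, caller_tenancy, instance_ocid, volume_ocid):
        """Also authorizes the volume side: same tenancy as the caller and an
        explicit grant for this principal in the volume's compartment."""
        self._check_instance(caller_tenancy, instance_ocid)
        vol_tenancy, vol_compartment = self.volumes[volume_ocid]
        if vol_tenancy != caller_tenancy or \
                (vol_tenancy, vol_compartment, principal) not in self.grants:
            raise PermissionDenied("caller may not use this volume")
        self.attachments.append((instance_ocid, volume_ocid))


VICTIM_VOLUME = "ocid1.volume.oc1.iad.victimvol0001"         # made-up OCIDs
VICTIM_INSTANCE = "ocid1.instance.oc1.iad.victiminst01"
ATTACKER_INSTANCE = "ocid1.instance.oc1.iad.attackerinst1"


def build_scenario():
    """Victim's volume and instance in one tenancy, attacker's in another."""
    cp = ControlPlane()
    cp.volumes[VICTIM_VOLUME] = ("victim-tenancy", "prod")
    cp.instances[VICTIM_INSTANCE] = ("victim-tenancy", "prod")
    cp.instances[ATTACKER_INSTANCE] = ("attacker-tenancy", "lab")
    cp.grants.add(("victim-tenancy", "prod", "victim-admin"))
    return cp


def cross_tenant_attach(fixed):
    """True if the attacker manages to attach the victim's volume."""
    cp = build_scenario()
    attach = cp.attach_fixed if fixed else cp.attach_vulnerable
    try:
        attach("attacker", "attacker-tenancy", ATTACKER_INSTANCE, VICTIM_VOLUME)
    except PermissionDenied:
        return False
    return True


def victim_self_attach():
    """The legitimate owner can still attach under the fixed check."""
    cp = build_scenario()
    cp.attach_fixed("victim-admin", "victim-tenancy", VICTIM_INSTANCE, VICTIM_VOLUME)
    return cp.attachments


if __name__ == "__main__":
    print("vulnerable:", cross_tenant_attach(fixed=False))   # attacker succeeds
    print("fixed     :", cross_tenant_attach(fixed=True))    # PermissionDenied
```

The fixed path checks the resource being attached, not just the resource it is attached to; an OCID is an identifier, not a capability, so knowing one must never be enough on its own.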

Oracle, of which Wiz is both a partner and a customer, patched the vulnerability promptly after Wiz reported it, and in its advisory thanked Wiz for disclosing the flaw and helping to resolve it.

New vulnerabilities in Dataprobe are Invading The Devices Remotely

 

Researchers from Team82 uncovered critical flaws in Dataprobe's iBoot-PDU power distribution unit. The flaws could let a threat actor take control of the unit and cut power to connected systems and devices, with potentially serious impact on the targeted organization.
 
Team82, the research arm of industrial cybersecurity firm Claroty, found seven vulnerabilities, among them one that gives an attacker remote code execution on the device.
 
The iBoot-PDU lets users control its outlets in real time from anywhere through a web interface, Telnet, SNMP, and Dataprobe's cloud service.
 
According to a 2021 Censys report, over 2,000 power distribution units were directly reachable from the internet, with Dataprobe devices accounting for 31% of them.
 
Team82's report notes that the iBoot-PDU can be managed remotely in two ways: directly through its web interface when the device is exposed to the internet, or through Dataprobe's cloud infrastructure, which provides access to the device's management page when it is not directly exposed.
 
An attacker could abuse that cloud connectivity to reach devices and exploit the vulnerabilities remotely, bypassing Network Address Translation (NAT) and firewalls and getting into businesses through the "smart" connectivity channel itself.
 
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory describing the seven vulnerabilities and noting that the affected devices are deployed worldwide, including in the manufacturing sector.
 
The vulnerabilities are tracked as CVE-2022-3183 through CVE-2022-3189. They include OS command injection, path traversal, sensitive information exposure, improper access control, incorrect authorization, and server-side request forgery (SSRF).
 
Dataprobe has released firmware version 1.42.06162022 to address the issues and recommends that all users update to it and disable the Simple Network Management Protocol (SNMP), the network-monitoring protocol the device exposes, if it is not needed.