Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Oracle. Show all posts
zero-day
Clop Ransomware Extortion Campaign Oracle Vulnerabilities and Exploits zero-day

Clop Ransomware Exploits Oracle Zero-Day in Major Extortion Campaign

 

The Clop ransomware gang has orchestrated a massive extortion campaign targeting Oracle E-Business Suite customers by exploiting a critical zero-day vulnerability tracked as CVE-2025-61882. The vulnerability, which carries a CVSS score of 9.8, affects Oracle EBS versions 12.2.3 through 12.2.14 and allows unauthenticated remote code execution without requiring credentials.

Beginning September 29, 2025, Clop operatives sent high-volume extortion emails to executives at numerous organizations, claiming to have stolen sensitive data from their Oracle EBS environments. However, investigations by Google Threat Intelligence Group and Mandiant revealed that active exploitation began much earlier—as early as August 9, 2025, with suspicious activity dating back to July 10, 2025. This means attackers exploited the vulnerability weeks before Oracle released a patch on October 4, 2025.

The vulnerability affects the Concurrent Processing component's BI Publisher integration within Oracle EBS, allowing attackers to execute arbitrary code and gain complete control over compromised servers. Researchers identified multiple distinct exploitation chains targeting various EBS components, including UiServlet and SyncServlet modules. The most probable attack vector involved the SyncServlet module, where attackers injected malicious XSL files into databases via the XDO Template Manager to trigger remote code execution.

The campaign involved sophisticated multi-stage malware frameworks, including GOLDVEIN.JAVA downloader and the SAGE malware family. These tools closely resemble malware families deployed during Clop's previous Cleo software compromise in late 2024, strengthening attribution to the notorious cybercrime group. Attackers successfully exfiltrated significant amounts of data from impacted organizations, affecting dozens of victims according to current assessments.

Clop, also known as TA505 or FIN11, has been active since 2019 and maintains a track record of exploiting zero-day vulnerabilities in enterprise platforms. The group previously targeted Accellion FTA, SolarWinds Serv-U FTP, GoAnywhere MFT, MOVEit Transfer, and Cleo file transfer systems. This latest campaign demonstrates Clop's continued focus on rapid zero-day exploitation of critical enterprise software for large-scale data extortion operations.

Oracle issued an emergency security alert on October 4, 2025, urging customers to apply the patch immediately. The FBI characterized the zero-day as "an emergency putting Oracle E-Business Suite environments at risk of full compromise". CISA added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog and issued urgent alerts regarding active exploitation for ransomware attacks worldwide.
Read more »
Passwords
Cloud Service Data Breach Oracle Passwords

Oracle Faces Data Leak Claims, Clarifies Cloud Services Remain Safe

 



Oracle has informed its users that a recent cyberattack only affected two outdated servers that are no longer in use. These systems were separate from Oracle’s main cloud services, and the company says that no active customer data or cloud-based accounts were harmed.

In the notice sent to its customers, Oracle clearly stated that its main cloud service, known as Oracle Cloud Infrastructure (OCI), was not targeted or accessed by attackers. They reassured users that no data was viewed, taken, or misused, and there was no interruption in cloud operations.

According to Oracle, the stolen information included usernames from older systems. However, passwords stored on those servers were either scrambled or secured in such a way that they could not be used to break into any accounts. As a result, the hackers were not able to reach any customer platforms or data.

The incident first came to public attention when a hacker began selling what they claimed were millions of user records on an online cybercrime marketplace. Oracle has been under pressure since then to confirm whether or not its systems were breached. While the company continues to deny that their modern cloud platform was affected, cybersecurity experts say that the older systems— though no longer active - were once part of Oracle’s cloud services under a different name.

Some security specialists have criticized Oracle’s choice of words, saying the company is technically correct but still avoiding full responsibility by referring to the older system as separate from its current services.

Reports suggest that the hackers may have broken into these old systems as early as January 2025. The intruders allegedly installed harmful software, allowing them to collect data such as email addresses, usernames, and coded passwords. Oracle described the stolen data as outdated, but some of the records being shared online are from late 2024 and early 2025.

This comes shortly after another reported incident involving Oracle’s healthcare division, formerly called Cerner. That breach affected hospitals in the U.S., and a hacker is now reportedly demanding large payments to prevent the release of private medical information.

Even though Oracle insists its main cloud platform is secure, these incidents raise questions about how clearly companies communicate data breaches. Users who are concerned have been advised to reach out to Oracle’s support team for more information.


Read more »
Passwords
Cyber Security Login Credentials Oracle Passwords

Hacker Claims Oracle Cloud Breach, Threatens to Leak Data

 



A hacker who goes by the name “Rose87168” is claiming to have broken into Oracle Cloud systems and is now threatening to release or sell the data unless their demands are met. According to security researchers, this person says they’ve gained access to information from over 140,000 accounts, with a total of 6 million records.

Oracle has not confirmed that any such breach took place. At first, the company denied the claims. Since then, they’ve chosen not to respond to questions about the situation. However, cybersecurity experts are beginning to find signs that support the hacker’s story.

One group of researchers believes that the attack may have happened through a flaw in how users log in. They suggest that the hacker may have found a hidden security weakness or a problem in Oracle's login system, which let them get in without needing a password. This could be tied to a previously reported vulnerability in Oracle’s software, which has been labeled a high risk by experts. That earlier issue allowed anyone with internet access to take over accounts if not fixed.

The hacker claims the stolen material includes sensitive information like login credentials, passwords for internal systems, and private security keys. These are all crucial for keeping accounts and data secure. If leaked, this information could lead to unauthorized access to many companies’ services and customer details.

Researchers have examined some of the data provided by the hacker and say it appears to be genuine. Another security group, Trustwave SpiderLabs, also looked into the case. They confirmed that the hacker is now offering the stolen data for sale and allowing buyers to choose what they want to purchase based on specific details, like company names or encrypted passwords.

Experts from both teams say the evidence strongly suggests that the breach is real. However, without a statement from Oracle, nothing is officially confirmed.

This situation is a reminder of how critical it is for companies to keep their systems up to date and to act quickly when possible flaws are discovered. Businesses that use cloud services should check their security settings, limit unnecessary access, and apply all software updates as soon as they are available.

Staying alert and following good cybersecurity habits can reduce the chances of being affected by incidents like this.


Read more »
User Data
Data Breach Data Leak Oracle Oracle Cloud User Data

Oracle Cloud Confirms Second Hack in a Month, Client Log-in Data Stolen

 

Oracle Corporation has warned customers of a second cybersecurity incident in the last month, according to Bloomberg News. A hacker infiltrated an older Oracle system and stole login credentials from client accounts, some of which date back as recently as 2024. 

The tech company reportedly informed clients that an attacker had gained access to a legacy environment—a system that had not been in active operation for roughly eight years. Although Oracle told clients that the environment had been dormant, the data retrieved included valid login credentials, which might pose a security concern, especially if users had not updated or deleted their accounts. 

This follows a prior hack last month, in which an anonymous individual attempted to sell stolen Oracle data online, prompting internal investigations. That incident, too, involved data stolen from Oracle's cloud servers in Austin, Texas. 

The FBI and cybersecurity firm CrowdStrike Holdings are presently looking into the most recent incident, Oracle informed some of its clients. According to individuals who spoke to Bloomberg, the attacker is thought to have demanded an extortion payment. Interestingly, Oracle has declared that there is no connection between the two incidents. 

According to the firm, this breach occurred due to an outdated, dormant system, whereas the previous one affected specific clients in the healthcare sector. Oracle has not yet released a statement to the public, but according to Reuters, the company told customers directly and stressed that the impact is minimal because of how old the system in question is. 

Last month, Oracle also notified clients last month of a compromise at the software-as-a-service (SaaS) company Oracle Health (formerly Cerner), which affected many healthcare organisations and hospitals in the United States.

Even though the company has not publicly reported the event, threat analysts confirmed that patient data was stolen during the attack, as evidenced by private contacts between Oracle Health and impacted clients, as well as talks with people involved. Oracle Health reported that the breach of legacy Cerner data transfer servers occurred on February 20, 2025, and that the perpetrators accessed the systems using compromised client credentials after January 22, 2025.
Read more »
Zero-day Flaw
Data Breach Data Leak Oracle User Privacy Zero-day Flaw

Oracle Finally Acknowledges Cloud Hack

 

Oracle is reportedly trying to downplay the impact of the attack while quietly acknowledging to clients that some of its cloud services have been compromised. 

A hacker dubbed online as 'rose87168' recently offered to sell millions of lines of data reportedly associated with over 140,000 Oracle Cloud tenants, including encrypted credentials. The hacker initially intended to extort a $20 million ransom from Oracle, but eventually offered to sell the data to anyone or swap it for zero-day vulnerabilities.

The malicious actor has been sharing a variety of materials to support their claims, such as a sample of 10,000 customer data records, a link to a file demonstrating access to Oracle cloud systems, user credentials, and a long video that seems to have been recorded during an internal Oracle meeting.

However, Oracle categorically denied an Oracle Cloud hack after the hacker's claims surfaced, stating, "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

However, multiple independent reports suggest Oracle privately notified concerned customers and confirmed a data incident. On the other hand, specifics remain unclear, and there appears to be some conflicting information. 

Bloomberg has learned from people familiar with the matter that Oracle has started privately informing users of a data leak involving usernames, passkeys and encrypted passwords. The FBI and CrowdStrike are reportedly investigating the incident.

Security firm CyberAngel learned from an unknown source that ‘Gen 1’ cloud servers were attacked — newer ‘Gen 2’ servers were not — that the exposed material is at least 16 months old and does not include full private details. 

“Our source, who we are not naming as requested, is reporting that Oracle has allegedly determined an attacker who was in the shared identity service as early as January 2025,” Cyber Angel said. “This exposure was facilitated via a 2020 Java exploit and the hacker was able to install a webshell along with malware. The malware specifically targeted the Oracle IDM database and was able to exfil data.” 

“Oracle allegedly became aware of a potential breach in late February and investigated this issue internally,” it added. “Within days, Oracle reportedly was able to remove the actor when the first demand for ransom was made in early March.” 

Following the story, cybersecurity expert Kevin Beaumont discovered from Oracle cloud users that the tech firm has simply verbally notified them; no written notifications have been sent. According to Beaumont, "Gen 1" servers might be a reference to Oracle Classic, the moniker for earlier Oracle Cloud services. Oracle is able to deny that Oracle Cloud was compromised thanks to this "wordplay," as Beaumont refers to it.
Read more »
Web Services
AI tools Artificial Intelligence Chatbots Cyber Security Healthcare Data Oracle Web Services

Oracle and Cohere Collaborate for New Gen AI Service

 

During Oracle's recent earnings call, company founder Larry Ellison made an exciting announcement, confirming the launch of a new generation AI service in collaboration with Cohere. This partnership aims to deliver powerful generative AI services for businesses, opening up new possibilities for innovation and advanced applications.

The collaboration between Oracle and Cohere signifies a strategic move by Oracle to enhance its AI capabilities and offer cutting-edge solutions to its customers. With AI playing a pivotal role in transforming industries and driving digital transformation, this partnership is expected to strengthen Oracle's position in the market.

Cohere, a company specializing in natural language processing (NLP) and generative AI models, brings its expertise to the collaboration. By leveraging Cohere's advanced AI models, Oracle aims to empower businesses with enhanced capabilities in areas such as text summarization, language generation, chatbots, and more.

One of the key highlights of this collaboration is the potential for businesses to leverage the power of generative AI to automate and optimize various processes. Generative AI has the ability to create content, generate new ideas, and perform complex tasks, making it a valuable tool for organizations across industries.

The joint efforts of Oracle and Cohere are expected to result in the development of state-of-the-art AI models that can revolutionize how businesses operate and innovate. By harnessing the power of AI, organizations can gain valuable insights from vast amounts of data, enhance customer experiences, and streamline operations.

This announcement comes in the wake of Oracle's recent acquisition of Cerner, a healthcare technology company, further solidifying Oracle's commitment to revolutionizing the healthcare industry through advanced technologies. The integration of AI into healthcare systems holds immense potential to improve patient care, optimize clinical processes, and enable predictive analytics for better decision-making.

As the demand for AI-powered solutions continues to rise, businesses are seeking comprehensive platforms that can deliver sophisticated AI services. With Oracle and Cohere joining forces, organizations can benefit from an expanded suite of AI tools and services that can address a wide range of industry-specific challenges.

The collaboration between Oracle and Cohere highlights the growing importance of AI in driving innovation and digital transformation across industries. As businesses increasingly recognize the value of AI, partnerships like this one are crucial for pushing the boundaries of what AI can achieve and bringing advanced capabilities to the market.

The partnership between Oracle and Cohere signifies a significant step forward in the realm of AI services. The collaboration is expected to deliver powerful generative AI solutions that can empower businesses to unlock new opportunities and drive innovation. With Oracle's expertise in enterprise technology and Cohere's proficiency in AI models, this collaboration holds great promise for businesses seeking to leverage the full potential of AI in their operations and strategies.
Read more »
Vulnerabilities and Exploits
Cloud Data Cloud Security cloud storage Exploits Oracle Vulnerabilities and Exploits

Vulnerability in OCI Could Have Put the Data of Customers Exposed to the Attacker

 

A vulnerability called 'AttatchMe', discovered by a Wiz engineer could have allowed the attackers to access and steal the OCI storage volumes of any user without their permission. 

During an Oracle cloud infrastructure examination in June, Wiz engineers disclosed a cloud isolation security flaw in Oracle Cloud Infrastructure. They found that connecting a disk to a VM in another account can be done without any permissions, which immediately made them realize it could become a path for cyberattacks for threat actors. 

Elad Gabay, the security researcher at Wiz made a public statement regarding the vulnerability on September 20. He mentioned the possible severe outcomes of the exploitation of the vulnerability saying this could have led to “severe sensitive data leakage” for all OCI customers and could even be exploited to gain code execution remotely. 

To exploit this vulnerability, attackers need unique identifiers and the oracle cloud infrastructure's environment ID (OCID) of the victim, which can be obtained either through searching on the web or through low-privileged user permission to get the volume OCID from the victim's environment. 

The vulnerability 'AttachMe' is a critical cloud isolation vulnerability, which affects a specific cloud service. The vulnerability affects user data/files by allowing malicious actors to execute severe threats including removing sensitive data from your volume, searching for cleartext secrets to move toward the victim's environment, and making the volume difficult to access, in addition to partitioning the disk that contains the operating system folder. 

The guidelines of OCI state that volumes are a “virtual disk” that allows enough space for computer instances. They are available in the two following varieties in OCI: 

1. Block volume: it is detachable storage, allowing you to expand the storage capacity if needed. 

2. Boot volume: it is a detachable boot volume device containing the image used to boot a system such as operating systems, and supporting systems. 

As soon as Oracle's partner and customer Wiz announced the vulnerability, Oracle took immediate measures to patch the vulnerability while thanking wiz for disclosing the security flaw and helping them in resolving it in the last update advisory of receiving the patch for the vulnerability.
Read more »
Oracle
cryptocurrency cryptomining Cryptomining News Docker Engine API malware Malware Campaign Oracle

Malware Targets Weblog Servers And Dockers APIs For Cryptomining

Malicious malware known as Kinsing is using both recently discovered and legacy vulnerabilities in Oracle WebLogic Server to boost cryptocurrency mining malware. 
  
It was discovered by Trend Micro, that a financially-motivated cyber attack group behind the malware was making use of the vulnerability to run Python scripts that could disable Operating System (OS) security features such as Security-Enahnced Linux (SELinux), and many more. 
 
Kinsing malware has a history of acquiring vulnerable servers to co-opt into botnet devices such as Redis, SaltStack, Log4Shell, Spring4Shell, and the Atlassian Confluence vulnerability (CVE-2022-26134). The malware has also reportedly been involved in campaign container environments via misconfigured open Docker Daemon API ports instigating crypto mining and spreading the malware to other containers am host devices. 
 
In the latest wave of attacks, the malicious actor weaponized a two-year-old Remote Code Execution (RCE) bug, dubbed CVE-2020-14882 (CVSS score 9.8), against unpatched vulnerabilities to seize control of the servers and cause harm to the victims through malicious payloads. 
 
The exploitation of the bug further involved deploying a shell script responsible for various actions, such as removing the var/log/syslog/systemlog, disabling security functions and cloud service agents from conglomerates like Alibaba and Tencent – killing competing crypto mining processes.  
 
It is then followed by the shell script downloading the Kinsing malware from a remote server, along with taking steps to ensure persistence through a cron job. 
 
“The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform plethora of malicious activities on the affected systems” Trend Micro said. “This can range from malware execution [...] to theft of critical data, and even complete control of a compromised machine.”
 
TeamTNT malwares makes comeback
 
Researchers at Aqua Security, a cloud-native security company, have linked three new attacks to another “vibrant” cryptojacking group called "TeamTNT", which eventually stopped functioning in November 2021.  
 
“TeamTNT has been scanning for microconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to C2 server”, stated Aqua Security researcher Assaf Morag. 

The attack chain appears to be designed to crack SECP256K1 encryption, which if successful could give the malicious actor the ability to compute the keys for each cryptocurrency wallet. Thus, using high but illegal processing power of its targets to run the ECDLP solver and acquire the key. The other two attacks carried out by the threat group involve exploiting exposed Redis servers and misconfigured Docker API to provide cryptominers and Tsunami binaries. 
 
The targeting of Docker REST APIs by TeamTNTs has been well-documented over the past years. But in an operational security blunder observed by Trend Micro, credentials connected with two of the attacker-controlled DockerHub accounts have been uncovered. 

The accounts namely 'alpineos' and 'sandeep078' are said to have been used to distribute numerous malicious payloads like rootkits, Kubernetes exploits kits, credential stealers, XMTig Monero miners, and even the Kingsing malware. 
 
“The account alpineos was used in exploitation attempts on out honeypots three times, from mid-September to early October 2021, and we tracked the deployments’ IP addresses to their location in Germany,” stated Nitesh Surana, a researcher at Trend Micro. 
 
As estimated by Trends Micro, alpineos image has been downloaded more than 150,000 times. This further notified Docker about these accounts. 
 
The cybersecurity platform recommends organizations configure the exposed RESR API with TLS to steer clear of the adversary-in-the-middle (AiTM) attacks, along with using credential stores and helpers to host user credentials.
Read more »
TikTok
Cyber Security Microsoft Oracle TikTok

TikTok owner Chinese company clarifies to Microsoft that it would not be its new owner

 

Following President Donald Trump's executive order that labeled the video-sharing application TikTok as a "national emergency", its owner has a September 15 deadline decided to either sell the app to a US company or see the service banned completely banned from the US market.

Be that as it may, Microsoft had already stepped in the race before the official announcement came from the president, saying it was interested in taking up TikTok and incorporate "world-class security, privacy, and digital safety protections" to the app if it did. 

By uniting with Walmart to co-bid for the Chinese company's US, Canadian, Australian, and New Zealand operations. 

Microsoft authorities dubbed the conversations as "preliminary", highlighting that it was not planning to give any further updates on the discussions until there was a definitive result. ByteDance, the Chinese multinational internet technology, said it would exclude TikTok's algorithm as a feature of the sale, as per a South China Morning Post report, and further clarified to Microsoft that it would not be its new owner.

Sunday's blog post emphasized what Microsoft has expressed right from the beginning - that the potential procurement would have required "significant changes" to the application's present status. 

The company moreover explained in a blog post, "ByteDance let us know today they would not be selling TikTok's US operations to Microsoft, we are confident our proposal would have been good for TikTok's users while protecting national security interests." 

"To do this, we would have made significant changes to ensure the service met the highest standards for security, privacy, online safety, and combatting disinformation, and we made these principles clear in our August statement.." 

Nonetheless, following Microsoft's bid, Oracle has also started holding discussions with ByteDance, indicating its interest in the video-sharing application. 


The Wall Street Journal on Monday morning revealed that Oracle would soon be announced as TikTok's "trusted tech partner" and that the video-sharing platform's sale would not actually be organized as an acquisition. 

Meanwhile, Tik Tok affirms that it would launch a lawsuit against the US government concerning its ban. Any possible lawsuit, however, would not keep the company from being constrained to auction the application in the US market.
Read more »
User Privacy
Data Breach Online Oracle Technology User Privacy

One Of Tech Giant Oracle’s Many Start-ups Uses Tracking Tech to Follow Users around the Web


The multinational computer technology corporation Oracle has spent almost 10 years and billions of dollars purchasing startups to fabricate its own one of a kind ‘panopticon’ of users' browsing data.

One of those startups which Oracle bought for somewhat over $400 million in 2014, BlueKai, is scarcely known outside marketing circles; however, it amassed probably the biggest bank of web tracking data outside of the federal government.

By utilizing website cookies and other tracking tech to pursue the user around the web, by knowing which sites the user visits and which emails they open, BlueKai does it all.

BlueKai is supposedly known to depend intensely on vacuuming up a 'never-ending' supply of information from an assortment of sources to comprehend patterns to convey the most exact ads to an individual's interests.

The startup utilizes increasingly clandestine strategies like permitting websites to insert undetectable pixel-sized pictures to gather data about the user when they open the page — hardware, operating system, browser, and any data about the network connection.

Hence it wouldn't be wrong to say that the more BlueKai gathers, the more it can infer about the user, making it simpler to target them with ads that may lure them to that 'magic money-making click'.

Marketers regularly utilize this immense amount of tracking data to gather as much about the user as could reasonably be expected — their income, education, political views, and interests to name a few — so as to target them with ads that should coordinate their apparent tastes.

But since a server was left unsecured for a time, that web tracking data was spilling out onto the open internet without a password and at last ended up uncovering billions of records for anybody to discover.

Luckily security researcher Anurag Sen found the database and detailed his finding to Oracle through an intermediary — Roi Carthy, chief executive at cybersecurity firm Hudson Rock and former TechCrunch reporter.

Oracle spokesperson Deborah Hellinger says, “Oracle is aware of the report made by Roi Carthy of Hudson Rock related to certain BlueKai records potentially exposed on the Internet. While the initial information provided by the researcher did not contain enough information to identify an affected system, Oracle’s investigation has subsequently determined that two companies did not properly configure their services. Oracle has taken additional measures to avoid a reoccurrence of this issue.”

Subsequent to reviewing into the information shared by Sen, names, home addresses, email addresses, and other identifiable data was discovered in the database.

The information likewise uncovered sensitive users' web browsing activity — from purchases to newsletter unsubscribes.

While Oracle didn't name the companies or state what those additional measures were and declined to respond to the inquiries or comment further. In any case, it is clearly evident that the sheer size of the exposed database makes this one of the biggest security 'lapses' by this year.

Read more »
Sensitive data
Cyber Security Oracle Sensitive data

Security Flaws Impacting Oracle’s iPlanet Web Server Discovered By Researchers



Cyber Security Experts discover two security defects affecting Oracle's iPlanet Web Server that could cause sensitive data exposure and limited injection attacks. 

Tracked as CVE-2020-9315 and CVE-2020-9314, discovered by experts at Nightwatch Cybersecurity on January 19, 2020, the two flaws are said to reside in the web administration console of the enterprise server management server. 

The first issue, known as CVE-2020-9315, could permit unauthenticated remote attackers to secure the read-only access to any page inside the administration console, without validation, by essentially replacing an admin GUI URL for the target page. 

The vulnerability could bring about the leak of sensitive information, including configuration information and encryption keys. 

While the second tracked as CVE-2020-9314, could be exploited to infuse external images which can be utilized for phishing and social engineering attacks. It lives in the "productNameSrc" parameter of the console. 

An inadequate fix for CVE-2012-0516 XSS validation defect considered this parameter to be abused related to "productNameHeight" and "productNameWidth" parameters for the injection of images into a domain. 

The two vulnerabilities affect Oracle iPlanet Web Server 7.0.x, that is no longer supported. 

At the time it isn't clear if the earlier versions of the application are likewise influenced. As indicated by the experts, the most recent variants of Oracle Glassfish and Eclipse Glassfish share common code with iPlanet, yet they don't appear to be vulnerable. 

“Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle,” concludes the report published by Nightwatch Cybersecurity. ”Reporters who discover security vulnerabilities in products that Oracle no longer supports are free to disclose vulnerability details without Oracle participation.” 

Following is the timeline for the issues: 
2020-01-19: Initial discovery 
2020-01-24: Initial disclosure sent to the vendor; rejected since the product is not supported 
2020-01-24: Clarification questions sent to the vendor 
2020-01-27: Report again rejected by vendor; referred to MITRE for CVE assignment 
2020-01-29: CVEs requested from MITRE 
2020-02-07: Initial report sent to CERT/CC 
2020-02-17: CVE request rejected by MITRE, resubmitted with more data 
2020-02-18: Response received from CERT/CC 
2020-02-20: CVE assignments received from MITRE 
2020-02-20: CVEs and disclosure plans communicated to the vendor 
2020-05-10: Public disclosure

Read more »
Windows 10
Adobe Apple Coronavirus Cyber Security Hacking macOS Microsoft Oracle Pwn2Own 2020 Safari Security Ubuntu Windows 10

HACKED- Windows 10, macOS, Adobe, VMware, Apple and Oracle at The Pwn2Own 2020!


Pwn2Own is a well-known computer hacking contest which is held once every year at the CanSecWest security conference. In this contest, the contestants are tested on how well they could exploit commonly used software and mobile devices with formerly unheard of vulnerabilities.

An issue as grave as the Coronavirus pandemic has clearly not affected the spirits of the Pwn2Own 2020 hacking competition which got done with its first two days.

On Day 1, security researchers and participants bagged a handsome amount of over $180,000 for exploiting the Windows 10, Ubuntu Desktop and macOS, mention sources.

Reportedly, a “team from the Georgia Tech Systems Software and Security Lab succeeded in exploiting a kernel privilege escalation to execute code on macOS” by way of Safari. The attack mechanism that ended up winning for the team $70,000 was comprised of 6 vulnerabilities.

Per the event page (thezdi.com), Georgia Tech employed a “6 bug chain to pop calc and escalate to root”.

The team that has won several preceding editions of the hacking contest, Team Fluoroacetate, won themselves a victorious $40,000 after they employed a “local privilege escalation exploit” meant for the Windows 10.

Reports mention that one of the two members of the aforementioned team also won himself a smashing amount of $40,000 for yet another privilege escalation exploit pursuing Windows 10.

As per sources, the RedRocket CTF team got themselves a win, owing to it to one of their members, Mafred Paul, who bagged an attractive amount of $30,000 for a local privilege escalation exploit focused on Ubuntu Desktop. The hack was about the manipulation of the ‘Input validation bug’.

On Day 2, The Fluoroacetate successfully targeted the Adobe Reader with a local privilege escalation by employing a pair of UAFs, mentioned sources and grabbed an amount of $50,000.

Per reports, the Synacktiv team targeted the VMware Workstation but unfortunately to no avail in the given duration of time. There also were special demonstrations of the Zero Day Initiative against the Oracle VirtualBox.

This was the very first time the organizers allowed “conditional remote participation” in the Pwn2Own hacking contest, understandably because of the increased concerns of people about traveling due to the Coronavirus outbreak.



Read more »
Ransomware
Cyber Crime Hacking News Oracle Ransomware

Attackers Exploiting Oracle Weblogic Server Vulnerability to Encrypt User Data



In order to install a new variant of a malware known as "Sodinokibi", con men are taking advantage of the remote code execution vulnerability in Oracle Weblogic Server.

The vulnerability which has been recently discovered on versions
10.3.6.0, 12.1.3.0 of Oracle WebLogic Server, allows people with HTTP access to execute the attack without any verification.
Reportedly, a patch has been issued by the computer sofyware company on April 26.

The foundation of the attacks was laid around April 25 and it was on the next day, i.e., April 26, the hackers secured connections with multiple HTTP servers which were vulnerable, as per the findings of Talos Investigation.

The vulnerability has been exploited by the hackers to download the malware copies from servers administered by con men and to corrupt various legitimate sources and make alterations to repurpose it.

“Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136 and the attackers were ultimately successful at encrypting a number of customer systems.”

How does the ransomware infects?

It begins with the HTTP POST request which carries certutil command to execute the infectious files upon downloading.

As soon the malicious process starts, it triggers the vssadmin.exe utility, which on being executed assists Windows in generating some sort of backup, either automatic or manual.

After this, the ransomware attempts to hinder the recovery process by terminating backup mechanism.

Users can reach the security alert posted by Oracle and are advised to fix the forementioned (CVE-2019-2725) vulnerability.  
Read more »
USA
Amazon Cloud Computing Deap Ubhi JEDI Oracle Pentagon USA

"US’ Giant Military Contract Has a Hitch", Says Deap Ubhi, an Entrepreneur of Indian Descent.





The founder of a local search site “Burrp!”, Deap Ubhi is a lesser known entrepreneur.

He joined Amazon in 2014 and motivated start-ups and other organizations to embrace cloud computing products.

He in less than a couple of years left, on a journey to start a company that furnished technology to restaurants.

Later on, he joined a Pentagon effort to employ techies. He wished to make a super effective search engine and according to what he said, also to help American people.

But as it turns out, Ubhi’s part in the Pentagon has landed him right in midst of one of the most prominent federal IT contracts.

A $10 billion deal of getting cloud computing to Pentagon, attracted the top tech companies when the project was announced in 2017.

Microsoft, Amazon, IBM, Oracle and Google, all wanted to seal the deal in their own ways.



But there was a catch to it all; the contract would go to only ‘one’ cloud vendor. And Amazon happened to close the deal with the capability of fulfilling Pentagon’s demands.

This is where Ubhi came in, especially his ties with Amazon, a place where he now works again.

Oracle, who under no circumstances could have landed the deal, vehemently criticized the one-vendor attitude.

The organization is now fighting in a federal court about Ubhi’s alleged inclination towards Amazon and its effect on the said deal.

Before the suit was filed, Pentagon had no found no suspicious influence of Ubhi and hence kept evaluating the deal despite Oracle’s lawsuit.

Further on, more information about Ubhi was discovered and Pentagon declined a request for disclosing it.

The winner of the deal was to be announced in April. When contacted by Amazon, both Ubhi and Pentagon refused to comment.

Oracle didn’t comment on the issue outside the court but during the proceedings it mentioned Ubhi’s outspoken inclination towards Amazon by providing the proof of a tweet via Ubhi’s handle.

According to the White house press secretary, the president of the US is not a part of this war of the vendors.



President Trump has never been involved in a government contract before so if he as much as even points at something regarding this situation it would be a first.

The cloud contract is being overseen by a Defense Department Procurement Official, commonly known as the Joint Enterprise Defense Infrastructure (JEDI).

The detection of the officials who’s actually chose the winner has not been made yet.

The Pentagon’s transition to cloud computing is being seen to by a team directed by the chief information officer, Dana Deasy.

Cloud computing would contribute a lot in the battlefield and hence the American government is keen on giving the contract to the best.

Reportedly, for some time Ubhi worked on a market research for JEDI while he was working at Pentagon.

Oracle in the court cited the internal documents where Ubhi articulated support towards a single cloud approach.

Oracle also thinks Ubhi had something to do with the decision to select a single cloud provider.



In return, Amazon said that Ubhi worked on JEDI only for seven weeks that too at the early stages and that there were over 70 people involved in the development.

Amazon and Ubhi’s ‘Tablehero’ were to engage in a partnership of which there is no proof as yet. Ubhi hasn’t been replying to the emails of investors either.

Pentagon mentioned that the single cloud would let the movement be faster and ensure more security. This statement was later asserted by the Government Accountability Office.

Both IBM and oracle filed heavy protests against the Government accountability Office which was later denied in Oracle’s case and rejected for IBM.

Oracle, which has a small cloud market shares, then took the issue to the federal courts of the US.

The Oracle lawsuit stands to profit Microsoft as it now has improved capabilities and hence could be a strong competitor to Amazon.

It doesn’t matter whether Ubhi molded the contract. Pentagon’s justifications support its decision to use a single cloud approach.

The major motivation behind the decision has always been helping the defense make better data driven decisions.

Read more »
Subscribe to: Posts (Atom)