
Netwrix Auditor RCE Bug Abused in Truebot Malware Campaign

A severe remote code execution (RCE) vulnerability in the Netwrix Auditor software has been used in attacks against organisations across the United States and Canada, according to a warning issued today by CISA and the FBI.

The flaw, tracked as CVE-2022-31199, affects the Netwrix Auditor server and the agents installed on monitored network systems, and lets unauthorised attackers run malicious code with the privileges of the SYSTEM user.

Since December 2022, TA505 hackers (connected with the FIN11 group) have used TrueBot, a malware downloader associated with the Russian-speaking Silence cybercrime group, to install Clop ransomware on compromised networks.

After installing TrueBot, the attackers deploy the FlawedGrace Remote Access Trojan (RAT), which is likewise affiliated with TA505 and allows them to escalate privileges and establish persistence on the compromised systems.

The attackers also deploy Cobalt Strike beacons within hours of the initial breach; these can be used for post-exploitation tasks such as data theft and the delivery of further payloads, including ransomware.

"Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199," the two federal agencies explained in a joint report with MS-ISAC and the Canadian Centre for Cyber Security.

"As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organisations in the U.S. and Canada."

Based on the nature of Truebot operations documented thus far, the primary purpose of attackers behind Truebot is to acquire confidential data from compromised systems for monetary gain.

Following the guidelines laid out in the joint advisory, security teams are advised to search for evidence of malicious activity pointing to a Truebot infection.

If they find any indicators of compromise (IOCs) within their organization's network, they should immediately implement the mitigation and incident response steps suggested in the advisory and report the incident to CISA or the FBI.

Security Expert's Tweet Prompts Significant Modification to Google Email Authentication

Google stated last month that Gmail users would start seeing blue tick marks next to the brand logos of senders taking part in its Brand Indicators for Message Identification (BIMI) program. BIMI and its blue tick mark were intended to counter email impersonation and phishing by giving recipients further assurance that branded senders are who they say they are.

Less than a month after the launch of BIMI, scammers managed to get past its security measures and successfully impersonate companies, sending emails to Google users that claimed to be from the logistics firm UPS.

Google now says it is tightening its BIMI verification procedure, and blames an unnamed "third party" for enabling the use of its services in ways that evaded its security protections and delivered spoofed messages to inboxes. Experts say that email providers, including Microsoft, may still be facilitating this kind of behaviour and are not doing enough to address it, which illustrates the eye-watering complexity of the contemporary email environment.

Security researchers argue that the way BIMI is being used makes it possible for bad actors to exploit the system to spoof well-known businesses more effectively, increasing the likelihood that end users will click on a malicious link or open a dubious attachment as part of a phishing attack.

According to the 2023 Verizon Data Breach Investigations Report, phishing accounts for about half of all social engineering attacks and causes tens of millions of dollars in losses each year. A number of protocols, including SPF, DKIM, and others, have been introduced over time to address email sender verification, but each is only a partial answer that deals with one facet of a complicated problem.

BIMI was developed by an industry working group in 2018 and first adopted by Google in July 2021. In its roll-out announcement, the company said the goal was to display the "validated logos" of participating brands in Gmail, "increasing confidence in the source of emails for recipients." The idea was that, by requiring the DMARC, SPF or DKIM email authentication standards, BIMI would give brand senders an extra level of recognition and trust.

It is not surprising that scammers are targeting BIMI, according to Alex Liu, a cybersecurity expert and PhD candidate at the University of California, San Diego, who has investigated the flaws in email verification systems. Historically, Liu said, con artists have been the first to adopt new protocols. She added that it is now the responsibility of companies like Microsoft to secure their mail servers and make sure that BIMI isn't misused.

The controversy over how BIMI is being implemented started with a series of tweets from Chris Plummer, a cybersecurity expert from New Hampshire, who called Google's BIMI implementation potentially "catastrophic" and warned that it could increase the likelihood that users will act on the contents of a message that has been incorrectly verified.

“It was clear in the headers of the message I received that there was some obvious subversion, and Google was not looking far enough back in the delivery chain to see that,” Plummer stated. 

In a study released earlier this year, Liu and a group of co-authors described how mechanisms designed to stop the spoofing of sender domains struggle when confronted with emails that have been forwarded, a technique frequently used by major organisations that rely on BIMI to send bulk emails. 

Plummer discovered the BIMI vulnerability after receiving an email appearing to be from UPS in his Gmail inbox. Something didn't feel right, he told a local news source, and Plummer confirmed that the email was not from UPS. On May 31, he filed a bug complaint with Google, but the firm "lazily" closed it as "won't fix - intended behaviour," Plummer tweeted. "How is a scammer impersonating @UPS in such a convincing way 'intended,'" Plummer wrote in the tweet, which has since been viewed almost 155,000 times.

“The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust,” Plummer explained in a subsequent tweet. “This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit. Google just doesn’t want to deal with this report honestly.”

The next day, after Plummer filed an appeal, Google reversed course and informed him that it was reviewing his report again. "Thank you so much for pressing on for us to take a closer look at this!" the company wrote in a note, designating the bug a "P1" priority.

“This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are,” a Google spokesperson told CyberScoop, a cybersecurity news portal, in an email Monday. “To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status.” 

According to a Google representative, the DKIM requirement should be fully implemented by the end of the week. This is a change from the previous policy, which demanded either DKIM or a different standard called the Sender Policy Framework (SPF). Email providers use both standards, among other things, to determine whether incoming email is likely to be spam and, in theory, to authenticate that a sender is who they claim to be. Google appreciates Plummer's efforts in drawing its attention to the issue, the spokesperson continued.

Jonathan Rudenberg, a security researcher, reproduced the BIMI problem using Microsoft 365, sending counterfeit emails from a Microsoft email system to a Gmail account after Plummer first raised the issue on Twitter. Rudenberg then filed a bug report with Microsoft.

Microsoft, meanwhile, maintains that it is Google's obligation to resolve the issue, not its own. In response to Rudenberg's bug report, Microsoft's Security Response Centre informed Rudenberg that the problem did not pose an immediate threat that requires urgent attention and that the "burden" of guaranteeing security rests with the end-user's email provider, in this case, Google.
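The policy change described in this post, as an added receiver-side check that is not Google's or Microsoft's code: it parses an `Authentication-Results` header and decides BIMI eligibility under the old rule (an aligned DKIM or SPF pass) and the new rule (an aligned DKIM pass required). The headers are constructed samples, alignment is modelled strictly (exact domain match), and the header is assumed to have been written by your own receiving MTA.

```python
"""Receiver-side check of BIMI eligibility from an Authentication-Results header.

Simplified model of the policy change: the old rule accepted an aligned DKIM
*or* SPF pass; the new rule requires an aligned DKIM pass. Strict alignment
only, and the header is trusted (in production it must be the one your own
MTA wrote, after stripping any copies supplied by the sender).
"""
import re

# Constructed sample headers (RFC 8601 style), not captured mail.
DIRECT_MESSAGE = (
    "Authentication-Results: mx.receiver.test; "
    "dkim=pass header.d=brand.test header.i=@brand.test; "
    "spf=pass smtp.mailfrom=bounces@brand.test; "
    "dmarc=pass header.from=brand.test"
)
# Only SPF passes, e.g. mail relayed through a host the brand lists in its
# SPF record but that carries no valid DKIM signature for the brand.
SPF_ONLY_MESSAGE = (
    "Authentication-Results: mx.receiver.test; "
    "dkim=none; "
    "spf=pass smtp.mailfrom=bounces@brand.test; "
    "dmarc=pass header.from=brand.test"
)

RESULT_RE = re.compile(r"^(dkim|spf|dmarc)=(\w+)")
DOMAIN_RE = {
    "dkim": re.compile(r"header\.d=([\w.-]+)"),
    "spf": re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)"),
    "dmarc": re.compile(r"header\.from=([\w.-]+)"),
}


def parse_auth_results(header):
    """Map each method to (result, domain it authenticated)."""
    _, body = header.split(":", 1)
    clauses = [c.strip() for c in body.split(";")]
    results = {}
    for clause in clauses[1:]:  # clauses[0] is the authserv-id
        m = RESULT_RE.match(clause)
        if not m:
            continue
        method, result = m.groups()
        d = DOMAIN_RE[method].search(clause)
        results[method] = (result, d.group(1) if d else None)
    return results


def _aligned_pass(results, method, from_domain):
    result, domain = results.get(method, ("none", None))
    return result == "pass" and domain == from_domain


def bimi_eligible(header, require_dkim):
    """True if the message may carry the brand indicator under the given rule."""
    results = parse_auth_results(header)
    dmarc_result, from_domain = results.get("dmarc", ("none", None))
    if dmarc_result != "pass" or from_domain is None:
        return False  # BIMI builds on DMARC: no DMARC pass, no logo
    dkim_ok = _aligned_pass(results, "dkim", from_domain)
    spf_ok = _aligned_pass(results, "spf", from_domain)
    return dkim_ok if require_dkim else (dkim_ok or spf_ok)


if __name__ == "__main__":
    for name, hdr in (("direct", DIRECT_MESSAGE), ("spf-only", SPF_ONLY_MESSAGE)):
        print(f"{name}: old rule={bimi_eligible(hdr, False)} "
              f"new rule={bimi_eligible(hdr, True)}")
```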

Users' Private Info Accidentally Made Public by ChatGPT Bug

After taking ChatGPT offline on Monday, OpenAI has released further details, including the possibility that some users' payment information was exposed.

A redis-py bug that led to a caching problem meant that certain active users could potentially see the last four digits and expiration date of another user's credit card, along with their first and last name, email address, and payment address, the company says in a post. Users might also have seen snippets of other people's conversation histories.

It's not the first time that cache problems have allowed users to view each other's data; in a famous instance, on Christmas Day in 2015, Steam users were sent pages containing data from other users' accounts. It is quite ironic that OpenAI devotes a lot of attention and research to determining the potential security and safety repercussions of its AI, yet it was taken by surprise by a fairly well-known security flaw. 

The firm claimed that 1.2 percent of ChatGPT Plus subscribers who used the service on March 20 between 4AM and 1PM ET may have been impacted by the payment information leak. 

According to OpenAI, there are two situations in which payment information might have been exposed to an unauthorised user. During that time, if a user visited the My account > Manage subscription page, they might have seen information about another ChatGPT Plus customer who was actively utilising the service. Additionally, the business claims that certain membership confirmation emails sent during the event were sent to the incorrect recipient and contained the final four digits of a user's credit card information. 

The corporation claims it has no proof that either of these events actually occurred before January 20th, though it is plausible that both of them did. Users who may have had their payment information compromised have been contacted by OpenAI. 

Caching played a central role in how this came about. The short version is that the company uses a program called Redis to cache user information. In some cases, cancelling a Redis request resulted in corrupted data being delivered in response to a subsequent request, which is not supposed to happen. Normally the software would receive the data, determine that it was not what it had requested, and raise an error.

If the other user was requesting the same type of data, however, the software concluded that everything was fine and presented it to them: for example, if they were trying to view their account page and the data returned was someone else's account information.

Users were being served cached material that had been intended for someone else but was never delivered because of a cancelled request, which is why they could see other users' payment information and conversation history. For the same reason, it only affected people who were actively using the system at the time; the software did not cache any data for users who were not active.

What made matters worse was that, on the morning of March 20, OpenAI made a change to their server that unintentionally increased the amount of Redis queries that were aborted, increasing the likelihood that the issue would return an irrelevant cache to someone.

According to OpenAI, the fault, which only affected a very specific version of Redis, has been addressed, and the Redis team members have been "great collaborators." It also says it is changing its own software and procedures to ensure that something similar does not happen again. The changes include adding "redundant checks" to ensure that the data being served actually belongs to the user making the request, and reducing the likelihood that its Redis cluster will produce errors under heavy load.
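The failure sequence described in the paragraphs above, as an added toy model that is not redis-py's or OpenAI's code: replies on a shared connection come back in request order, so a reply abandoned by a cancelled caller is read by the next caller; the client's existing type check catches a mismatch only when the object kinds differ, and the added owner check (the "redundant check" mentioned above) catches the same-kind case. All cache contents and user names are constructed.

```python
"""Toy model of a cancelled-request cache desync on a pooled connection."""
from collections import deque


class ResponseTypeMismatch(Exception):
    """Reply is not the kind of object the caller asked for (existing check)."""


class OwnerMismatch(Exception):
    """Reply is the right kind of object but belongs to another user (added check)."""


# Constructed cache contents: (object kind, payload). No real user data.
CACHE = {
    "account:alice": ("account", {"owner": "alice", "card_last4": "1111"}),
    "account:bob": ("account", {"owner": "bob", "card_last4": "2222"}),
    "conv:bob": ("conversation", {"owner": "bob", "title": "bob's chat"}),
}


class Connection:
    """One shared connection; the server answers strictly in request order."""

    def __init__(self, store):
        self._store = store
        self._unread = deque()  # replies written by the server, not yet consumed

    def send(self, key):
        self._unread.append(self._store[key])

    def recv(self):
        return self._unread.popleft()

    def reset(self):
        """Discard unread replies; required after any aborted or mismatched read."""
        self._unread.clear()


class CacheClient:
    def __init__(self, conn, verify_owner):
        self._conn = conn
        self._verify_owner = verify_owner

    def get(self, key, expected_kind, requester, cancelled=False):
        self._conn.send(key)
        if cancelled:
            # The caller's task is cancelled before it reads its reply, which
            # stays queued on the connection for whoever reads next.
            return None
        kind, payload = self._conn.recv()
        if kind != expected_kind:
            self._conn.reset()
            raise ResponseTypeMismatch(f"wanted {expected_kind}, got {kind}")
        if self._verify_owner and payload["owner"] != requester:
            self._conn.reset()
            raise OwnerMismatch(f"{requester} was handed {payload['owner']}'s data")
        return payload


def bob_sees_account(verify_owner):
    """Alice's request is cancelled mid-flight; return the account Bob receives."""
    client = CacheClient(Connection(CACHE), verify_owner)
    client.get("account:alice", "account", requester="alice", cancelled=True)
    try:
        return client.get("account:bob", "account", requester="bob")
    except OwnerMismatch:
        # The connection was reset, so the retry reads only its own reply.
        return client.get("account:bob", "account", requester="bob")


def bob_requests_conversation():
    """Same desync, but Bob asks for a different kind of object."""
    client = CacheClient(Connection(CACHE), verify_owner=False)
    client.get("account:alice", "account", requester="alice", cancelled=True)
    try:
        client.get("conv:bob", "conversation", requester="bob")
    except ResponseTypeMismatch:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print("type check only :", bob_sees_account(verify_owner=False))  # alice's record
    print("with owner check:", bob_sees_account(verify_owner=True))   # bob's record
    print("different kind  :", bob_requests_conversation())            # rejected
```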

Most Ransomware Attacks in 2022 Took Advantage of Outdated Bugs

In their 2022 attacks, ransomware operators took advantage of a number of old vulnerabilities that allowed them to establish persistence and move laterally to complete their objectives.

A report from Ivanti released last week stated that the flaws, which are prevalent in products from Microsoft, Oracle, VMware, F5, SonicWall, and several other companies, pose a clear and present danger to organisations that have not yet remediated them.

Old bugs are still popular

Ivanti's study is based on data analysis from teams at Securin, Cyber Security Works, and Cyware as well as from its own threat intelligence team. It provides a thorough examination of the flaws that criminals frequently used in ransomware attacks in 2022. 

In attacks last year, ransomware operators used a total of 344 different vulnerabilities, up 56 from 2021, according to Ivanti's analysis. A stunning 76% of these bugs were from 2019 or before. Three remote code execution (RCE) defects from 2012 in Oracle's products, CVE-2012-1710 in Oracle Fusion middleware and CVE-2012-1723 and CVE-2012-4681 in the Java Runtime Environment, were the oldest flaws in the group. 

Ivanti's chief product officer, Srinivas Mukkamala, claims that while the data indicates that ransomware operators leveraged new vulnerabilities quicker than ever last year, many still relied on older vulnerabilities that are still present on enterprise systems.

"Older flaws being exploited is a byproduct of the complexity and time-consuming nature of patches," Mukkamala stated. "This is why organisations need to take a risk-based vulnerability management approach to prioritise patches so that they can remediate vulnerabilities that pose the most risk to their organisation." 

Critical flaws 

Ivanti identified 57 vulnerabilities as giving threat actors the ability to complete their entire objective, placing them among the vulnerabilities that pose the most risk. These flaws gave an attacker the ability to gain initial access, maintain persistence, elevate privileges, evade security measures, access credentials, discover the resources they were looking for, move laterally, collect information, and carry out the intended task.

There were 25 vulnerabilities in this category dated 2019 or earlier, including the three Oracle flaws from 2012. Scanners are not presently picking up exploits against three of them (CVE-2017-18362, CVE-2017-6884, and CVE-2020-36195), in products made by ConnectWise, Zyxel, and QNAP, respectively.

Inadequate input validation was the cause of the majority (11) of the vulnerabilities in the list that presented a full attack chain. Path traversal flaws, OS command injection, out-of-bounds write errors, and SQL injection were some more frequent causes of vulnerabilities. 

The most common flaws are broadly prevalent 

Moreover, ransomware authors tend to favour defects that affect a wide range of products. CVE-2018-3639, a speculative-execution side-channel vulnerability that Intel disclosed in 2018, was one of the most notable of these. According to Mukkamala, the flaw affects 345 products from 26 vendors. Another example is the well-known Log4Shell flaw, CVE-2021-44228, which at least six ransomware gangs are presently using as an attack vector. It was one of many weaknesses that Ivanti found threat actors were still exploiting as recently as December 2022, and it is present in at least 176 products from 21 different manufacturers, including Oracle, Red Hat, Apache, Novell, and Amazon.

The Linux kernel vulnerability CVE-2018-5391 and the critical elevation-of-privilege flaw in Microsoft Netlogon, CVE-2020-1472, are two further bugs that ransomware developers like to exploit because of their widespread presence. The vulnerability has been used by at least nine ransomware gangs, including those behind Babuk, CryptoMix, Conti, DarkSide, and Ryuk, and is growing in popularity with other groups as well, according to Ivanti.

A total of 118 vulnerabilities that were leveraged in ransomware attacks last year were discovered, according to the security research.

According to Mukkamala, "threat actors are particularly interested in defects that are present in most products." 

The closely watched Known Exploited Vulnerabilities (KEV) database maintained by the US Cybersecurity and Infrastructure Security Agency does not contain 131 of the 344 weaknesses that ransomware attackers exploited last year. The database includes information on software weaknesses that threat actors are actively exploiting and that CISA deems to be particularly hazardous. According to CISA, federal entities must prioritise and usually respond to vulnerabilities listed in the database within two weeks. 

Because many businesses use the KEV to prioritise patching, Mukkamala argues that the absence of these vulnerabilities from the CISA KEV is significant. It shows that, although the KEV is a reliable resource, it does not give a comprehensive overview of all the vulnerabilities employed in ransomware attacks.

According to Ivanti, 57 vulnerabilities that were leveraged in ransomware attacks last year by groups including LockBit, Conti, and BlackCat carry low- or medium-severity ratings in the National Vulnerability Database. The risk, according to the security vendor, is that enterprises that rely on the score to prioritise patching may become complacent as a result.

Eurostar: Users Forced Into Resetting Passwords, Then Fails and Locks Them Out

Eurostar, the international high-speed rail operator, has this week been emailing its customers urging them to reset their account passwords in a bid to "upgrade" security.

But when users click the password reset link, "technical issues" are apparently preventing them from changing their passwords or logging into their accounts.

Eurostar Password Reset Bug is Locking Passengers Out 

The company, known for linking the UK with France, Belgium, and the Netherlands, with most of its trains crossing the Channel Tunnel, has been emailing customers to say that it has been "busy" upgrading the security of their accounts.

Apparently, the email would read “Dear customer, we’ve been busy upgrading our security to protect your account and your personal details. To continue using your Eurostar account, you’ll need to reset your password. If you also use the Eurostar mobile app, you’ll need to update it to the latest version.” 

However, clicking the "reset password" link and following the prompts does not work. Users instead encounter the following error message: "Sorry, we're having a few technical problems so we can't send the email at the moment. Please try again a little later."

That bug has caused immense frustration among Eurostar passengers and users around the globe who are now effectively locked out of their accounts. 

Users are shown the password reset interstitial after each successful login attempt, which prevents them from accessing their accounts until they reset their passwords. However, owing to the aforementioned technical problem, the password reset never occurs. 

Commenting on the issue, one user tweeted: "@Eurostar how to tell your customers you hate them without saying it: lock everyone's account and make it impossible to reset their password." Some perplexed users were also observed mistaking Eurostar's legitimate email for a phishing attempt.

Ongoing Maintenance to Blame? 

In a lengthy Twitter thread on Friday, Eurostar acknowledged that users were experiencing problems accessing their Club Eurostar accounts and attributed this to ongoing maintenance. Yet, this was before the business started sending out emails for password resets. 

Among many instances, customers have complained that their reservations and data were "lost" from their accounts. 

At the time, the railway operator advised users to clear their browser cookies or re-attempt registration with the same email address, but this does not appear to have helped anyone.

The last time a comprehensive password reset was implemented by Eurostar was in 2018 following a data breach, as The Telegraph at the time reported. 

It is still unclear whether the forced password reset is really Eurostar's attempt to increase account security or if it is a response to a cybersecurity issue like system compromise or data breach. 

Addressing the situation, a Eurostar spokesperson said: "Our customers were contacted to reset their password following an update to our customer authentication system. The sudden volume of customers who attempted to do this caused some technical difficulties and we are working to resolve this as soon as possible. We apologize for any inconvenience this has caused."

Google Patched the Eighth Actively Abused Chrome Zero Day This Year

Google has acknowledged the eighth zero-day vulnerability this year affecting the Chrome browser on Windows, Mac, Linux, and Android. An urgent fix for this single issue is being rolled out now, and users can force-update their browser right away. Updates for other Chromium-based browsers will follow shortly.

Chrome updates that fix a single security issue used to be very rare, released only when a vulnerability was being actively exploited in the wild before a fix was ready. In 2022, updates covering a total of eight such zero-days have been released.

The most recent is CVE-2022-4135, a high-severity heap buffer overflow flaw in the Chromium GPU. The National Institute of Standards and Technology (NIST) national vulnerability database entry states that the zero-day, which was disclosed by Clement Lecigne of Google's own Threat Analysis Group, could allow an attacker to circumvent the security sandbox (using a malicious HTML website). 

Google has not released any further details about the zero-day. This is not uncommon with such a vulnerability: withholding details gives the majority of users time to install the update and gain protection before other attackers try to reproduce the exploit. All Google has said is that it is "aware that an exploit for CVE-2022-4135 exists in the wild."

Update Your Google Chrome Browser Immediately 

Google has already started rolling out the security update and will continue to do so in the coming days. However, users are recommended to force the update, given that malicious hackers are already known to have exploit code. This is particularly important for users who keep large numbers of tabs open and rarely restart the browser, as the update only takes effect after a restart.

Open Chrome's settings and check whether you have the latest version; if not, a download and installation will start automatically. The security update takes Chrome to version 107.0.5304.121 or .122 for Windows, version 107.0.5304.121 for Mac and Linux, and version 107.0.5304.141 for Android.

Rapid7 Researchers are Closely Monitoring Critical Bug in Apache Commons Text

A remote code execution vulnerability in the Apache Commons Text library has sparked comparisons with the 'Log4Shell' flaw that surfaced in the widely used open-source component Log4j last year.

Tracked as CVE-2022-42889, the Commons Text bug centers on unsafe execution of the library's variable interpolation functionality. An attacker can exploit the bug to trigger code execution when the library processes malicious input in its default configuration.

The Rapid7 researchers who discovered and reported the Commons Text flaw in March have downplayed its comparative impact.

The vulnerable StringSubstitutor interpolator is used far less widely than the vulnerable string substitution in Log4j, and the nature of the interpolator means that getting crafted input to the vulnerable object is much less likely than simply sending a crafted string, as was the case with Log4Shell.

"The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison," reads the technical analysis published by Rapid7 researchers. "The nature of the vulnerability means that, unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input."

Apache’s security team also confirmed that the scope of the flaw is not as serious as Log4Shell, explaining that the string interpolation is a documented feature. 

“The vulnerability is indeed very similar. The Apache Commons Text code appears to be based on the Log4j code, as both of them enable interpolation of multiple Lookup sources. Log4j enabled JNDI lookups [while] Apache Commons Text and Apache Commons Configuration allow script lookups – both could lead to RCE. The impact is, therefore, very high," the researchers explained. 

Preventive measures 

The flaw affects Apache Commons Text versions 1.5 through 1.9 on all JDK versions and has been fixed in version 1.10.0, which disables the problematic interpolators by default. Users are recommended to upgrade to 1.10.0.

Users should install patches from affected vendors as soon as they become available, and prioritize any case where the vendor indicates that its implementation may be remotely exploitable.

Rozena Backdoor Deployed by Abusing the Follina Vulnerability

A newly discovered phishing campaign is exploiting the Follina security vulnerability to deploy a private backdoor named Rozena on Windows systems.

"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Cara Lin, a researcher at Fortinet FortiGuard Labs stated in a report published this week. 

Tracked as CVE-2022-30190, the security bug lies in the Microsoft Support Diagnostic Tool (MSDT) and affects Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. The vulnerability came to light in late May 2022, but the root cause of the flaw has been known for at least a couple of years.

The latest attack chain starts with a weaponized Office document that, when opened, links to a Discord CDN URL to retrieve an HTML file ("index.htm"), which in turn triggers the diagnostic utility and uses a PowerShell command to download next-stage payloads from the same CDN attachment space.

These include the Rozena implant ("Word.exe") and a batch file ("cd.bat") designed to terminate MSDT processes, establish the backdoor's persistence by modifying the Windows Registry, and download a harmless Word document as a decoy.

The primary function of the Rozena backdoor is to inject shellcode that launches a reverse shell to the attacker's host ("microsofto.duckdns[.]org"), giving the malicious actor full control of the system.

The Follina bug is exploited by distributing the malware via malicious Word documents. The documents act as a dropper and are distributed through emails that contain a password-protected ZIP archive as an attachment, an HTML file, and a download link in the body of the email. Malware families such as Emotet, QBot, IcedID, and Bumblebee are then delivered to the victim's device.

According to researchers, the assaults discovered in early April primarily featured Excel files with XLM macros. Microsoft's decision to block macros by default around the same time is said to have forced the hackers to shift to alternative techniques like HTML smuggling as well as .LNK and .ISO files. 

“CVE-2022-30190 is a high-severity vulnerability that lets a malicious actor deliver malware through an MS Word document. Microsoft already released a patch for it on June 14, 2022. In this blog, we showed how an attacker exploits Follina and included details of Rozena and the SGN ShellCode. Users should apply the patch immediately and also apply FortiGuard protection to avoid the threat,” the researcher concluded.