Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Security Patch. Show all posts
Symbolic
Backdoor Cyber Attacks FortiGate devices Security Patch Symbolic

Over 16,000 Fortinet Devices Infected With the Symlink Backdoor

 

Over 16,000 internet-connected Fortinet devices have been identified as having a new symlink backdoor that permits read-only access to sensitive data on previously compromised systems. 

The Shadowserver Foundation, a threat monitoring platform, has stated that 14,000 machines were exposed. Earlier this week, Shadowserver's Piotr Kijewski told a local media source that the cybersecurity firm now recognises 16,620 devices affected by the newly discovered persistence method. 

Last week, Fortinet notified customers that they had found a new persistence mechanism employed by a threat actor to maintain read-only remote access to files in the root filesystem of previously hacked but now patched FortiGate devices. 

Fortinet stated that this was not due to the exploitation of new vulnerabilities, but rather to attacks beginning in 2023 and continuing into 2024, in which a threat actor used zero days to compromise FortiOS devices. 

After gaining access to the devices, they made symbolic connections to the root file system on SSL-VPN-enabled devices in the language files folder. Even after the initial vulnerabilities were fixed, the threat actor could still access the root file system by browsing to the language files, which are publically available on FortiGate devices with SSL-VPN enabled. 

"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection," Fortinet stated. 

"Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device's file system, which may include configurations.” 

Earlier this month, Fortinet began discreetly notifying customers via email about FortiGate devices that FortiGuard discovered as being infected with this symlink backdoor. In order to identify and eliminate this malicious symbolic link from compromised devices, Fortinet has released an improved AV/IPS signature.

Additionally, the firmware has been updated to the most recent version in order to detect and remove the link. The upgrade also stops the integrated web server from serving unrecognised files and folders. Finally, if a device was identified as hacked, it is probable that the threat actors had access to the latest configuration files, including credentials.
Read more »
Vulnerabilities and Exploits
Data Privacy Locked Device Security Patch Tech Giant Vulnerabilities and Exploits

Apple Patches Zero-Day Flaw allowing Third-Party Access to Locked Devices

 

Tech giant Apple fixed a vulnerability that "may have been leveraged in a highly sophisticated campaign against specific targeted individuals" in its iOS and iPadOS mobile operating system updates earlier this week.

According to the company's release notes for iOS 18.3.1 and iPadOS 18.3.1, the vulnerability made it possible to disable USB Restricted Mode "on a locked device." A security feature known as USB Restricted Mode was first introduced in 2018 and prevents an iPhone or iPad from sending data via a USB connection if the device hasn't been unlocked for seven days. 

In order to make it more challenging for law enforcement or criminals employing forensic tools to access data on those devices, Apple announced a new security feature last year which triggers devices to reboot if they are not unlocked for 72 hours. 

Based on the language used in its security update, Apple suggests that the attacks were most likely carried out with physical control of a person's device, implying that whoever exploited this vulnerability had to connect to the person's Apple devices using a forensics device such as Cellebrite or Graykey, two systems that allow law enforcement to unlock and access data stored on iPhones and other devices. Bill Marczak, a senior researcher at Citizen Lab, a University of Toronto group that studies cyberattacks on civil society, uncovered the flaw.

However, it remains unclear who was responsible for exploiting this vulnerability and against whom it was used. However, there have been reported instances in the past in which law enforcement agencies employed forensic tools, which often exploit zero-day flaws in devices such as the iPhone, to unlock them and access the data inside.

Amnesty International published a report in December 2024 detailing a string of assaults by Serbian authorities in which they utilised Cellebrite to unlock the phones of journalists and activists in the nation before infecting them with malware. According to security experts, the Cellebrite forensic tools were probably used "widely" on members of civil society, Amnesty stated.
Read more »
Vulnerabilities and Exploits
Business Security firewall exploits Security Patch SonicWall Vulnerabilities and Exploits

Thousands of SonicWall Devices Vulnerable to Critical Security Threats

 

Thousands of SonicWall network security devices are currently exposed to severe vulnerabilities, with over 20,000 running outdated firmware that no longer receives vendor support. This puts countless organizations at risk of unauthorized access and potential data breaches.

Key Findings of the Study

  • A Bishop Fox study identified more than 25,000 SonicWall SSLVPN devices exposed to the internet, making them easy targets for cybercriminals.
  • The research analyzed over 430,000 SonicWall devices globally and found that 39% of the exposed devices were running Series 7 firewalls, many of which lacked the latest security patches.
  • Over 20,000 devices were found to be running software versions no longer supported by SonicWall, with older Series 5 and Series 6 devices being the most at risk.

Impact of Vulnerabilities

The study highlighted that many of these devices remain susceptible to exploits, including authentication bypasses and heap overflow bugs disclosed earlier this year. Attackers could use these flaws to gain unauthorized access to networks, particularly when both SSL VPN and administration interfaces are exposed online.

Bishop Fox employed advanced fingerprinting techniques to reverse-engineer the encryption securing the SonicOSX firmware, allowing researchers to pinpoint the vulnerabilities specific to each device version.

Risks Posed by Unsupported Firmware

  • Many Series 5 devices, which are largely unsupported, continue to be exposed to the internet, leaving them highly vulnerable to attacks.
  • Series 6 devices, while better maintained, still include a significant number that have not applied the latest patches.
  • Approximately 28% of evaluated devices were found to have critical or high-severity vulnerabilities.

Recommendations for Companies

Organizations using SonicWall devices must take immediate steps to mitigate these risks:

  • Ensure all firmware is updated to the latest version to address known vulnerabilities.
  • Disable public exposure of SSL VPN and administration interfaces to reduce attack surfaces.
  • Regularly audit network security practices and implement robust patch management protocols.

The findings underscore the urgent need for companies to prioritize cybersecurity measures. Neglecting to update firmware and secure network devices can have severe consequences, leaving systems and sensitive data vulnerable to exploitation.

With threats growing increasingly sophisticated, staying proactive about network security is no longer optional—it’s essential.

Read more »
Vulnerabilities and Exploits
Cleo Server Data Leak File Transfer Tool Security Patch Vulnerabilities and Exploits

Active Exploitation of Cleo Communications' File Transfer Software Exposes Critical Vulnerabilities

 

Cleo Communications' file transfer software is under active attack, with security researchers from Huntress revealing that a recently issued patch fails to address the critical flaws being exploited. This ongoing vulnerability poses a significant threat to sectors relying on Cleo's software for logistics and supply chain operations.

The Vulnerabilities: Autorun Directory and CVE-2024-50623

Hackers are leveraging two key vulnerabilities in Cleo's software:

  • A feature that automatically executes files in the autorun directory.
  • An arbitrary file-write flaw identified as CVE-2024-50623.

On December 3, Huntress reported that Cleo's LexiCom, VLTransfer, and Harmony software solutions are affected by these issues. Despite the company issuing a patch on the same day, Huntress stated that it "does not mitigate the software flaw." This leaves users vulnerable until a new, effective patch is developed.

Cleo’s Response and Planned Mitigations

During a Zoom session with cybersecurity researchers, Cleo's team acknowledged the flaws and committed to designing a second patch. Earlier in the week, Cleo identified an unauthenticated malicious host vulnerability that could lead to remote code execution, although its CVE identifier is still pending.

In a statement, a Cleo spokesperson said the company had launched an investigation with the assistance of external cybersecurity experts. Cleo also informed customers about the issue and provided interim mitigation steps while working on a patch. The spokesperson emphasized that "the investigation is ongoing."

Recommendations for Cleo Users

Until an effective patch is released, Huntress has advised Cleo users to take immediate actions:

  • Erase items from the autorun directory to disrupt attack pathways.
  • Understand that this measure does not address the arbitrary file-write vulnerability, which remains exploitable.

Impacts on Businesses

The exploitation of Cleo's software has significant repercussions, particularly for industries dependent on large-scale logistics and supply chain operations. Researchers reported that:

  • At least 10 businesses have experienced breaches involving Cleo servers.
  • There was a "notable uptick in exploitation" on December 8 around 07:00 UTC.
  • Most incidents have targeted sectors such as consumer products, the food industry, and shipping.

A search on Shodan revealed 436 vulnerable servers, with the majority located in the United States. This underscores the scale of potential exposure and the urgent need for mitigation.

The Attack Chain: From Autorun to Persistent Access

Attackers exploit the autorun directory feature by inserting malicious files that execute automatically. These files allow them to:

  • Run PowerShell commands.
  • Establish persistent access using webshells retrieved from remote servers.

Examples of malicious autorun files include:

  • healthchecktemplate.txt
  • healthcheck.txt

Conclusion: Urgent Need for Robust Security Measures

The active exploitation of Cleo Communications' software highlights the evolving nature of cybersecurity threats and the critical importance of timely, effective patching. Businesses using Cleo's solutions must remain vigilant and implement recommended mitigations to minimize risk until a comprehensive fix is released.

This incident serves as a reminder for all organizations to prioritize cybersecurity, particularly in industries that handle sensitive data and depend on seamless file transfer operations.

Read more »
Vulnerabilities and Exploits
Critical Flaw Fortinet IT Flaw Security Patch threat report Vulnerabilities and Exploits

New Flaws in Fortinet, SonicWall, and Grafana Pose Significant Threats

 

Cyble Research and Intelligence Labs (CRIL) has discovered new IT vulnerabilities that affect Fortinet, SonicWall, Grafana Labs, and CyberPanel, among others. 

The report for the week of October 23-29 identifies seven security flaws that require immediate attention from security teams, especially given the large number of exposed devices. The most recent discoveries show that vulnerabilities in Fortinet, SonicWall, and Grafana Labs affect over 1 million web-facing assets.

Notably, two critical vulnerabilities in CyberPanel have already been exploited in huge ransomware assaults. Organisations are recommended to quickly investigate their environments for these vulnerabilities and apply the relevant fixes and mitigations. 

Cyble's researchers have detailed the following top vulnerabilities, emphasising their potential impact on IT security: 

CVE-2024-40766: SonicWall SonicOS 

CVE-2024-40766 indicates an improper access control flaw within the administrative interface of SonicWall's SonicOS, with a severity rating of 9.8. This vulnerability has piqued the interest of managed security organisations such as Arctic Wolf, who report that ransomware gangs such as Fog and Akira are exploiting it in SSL VPN setups to breach networks. 

CVE-2024-9264: Grafana labs 

The 9.4-rated vulnerability, CVE-2024-9264, affects Grafana Labs' open-source analytics and monitoring platform's SQL Expressions capability. This flaw allows for command injection and local file inclusion since user input in 'duckdb' queries is not properly sanitised. 

CVE-2024-46483: Xlight FTP server

This critical integer overflow bug impacts the Xlight FTP Server, allowing hackers to exploit packet parsing logic and cause heap overflows. With the accessibility of public Proof of Concepts (PoCs), this vulnerability could be used in a variety of attack tactics. 

Prevention tips 

  • Ensure that all software and hardware systems receive the most recent patches from official vendors. 
  • Use an organised approach to inventory management, patch assessment, testing, deployment, and verification. 
  • To reduce the attack surface, isolate key assets with firewalls, VLANs, and access controls. 
  • Establish and maintain an incident response strategy, which should be evaluated on a regular basis to respond to emerging threats. 
  • Employ complete monitoring technologies to discover and analyse suspicious actions in real time. Keep up with vendor, CERT, and other sources' alerts to promptly fix issues.
Read more »
Zero-day Flaw
Hash Password Security flaw Security Patch Vulnerabilities and Exploits Zero-day Flaw

Unofficial Patches Published for New Windows Themes Zero-Day Exploit

 

Free unofficial fixes are now available for a new zero-day flaw in Windows Themes that allows hackers to remotely harvest a target's NTLM credentials.

NTLM has been extensively exploited in NTLM relay attacks, in which threat actors force susceptible network devices to authenticate against servers under their control, and in pass-the-hash attacks, in which attackers exploit system vulnerabilities or deploy malicious software to steal NTLM hashes (hash passwords) from target systems. 

Once they acquire the hash, the attackers can impersonate the affected user, gaining access to sensitive data and expanding laterally throughout the now-compromised network. Microsoft indicated a year ago that it will drop the NTLM authentication technology in Windows 11. 

ACROS security experts uncovered the new Windows Themes zero-day (which has yet to be assigned a CVE ID) while working on a micropatch for a flaw tracked as CVE-2024-38030 that might reveal a user's credentials (reported by Akamai's Tomer Peled), which was itself a workaround for another Windows Themes spoofing vulnerability (CVE-2024-21320) fixed by Microsoft in January. 

According to Peled, "when a theme file specified a network file path for some of the theme properties (specifically BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including user's NTLM credentials when such a theme file would be viewed in Windows Explorer.”

"This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user's credentials without any additional user action," ACROS Security CEO Mitja Kolsek stated. 

Even though Microsoft fixed CVE-2024-38030 in July, ACROS Security discovered another vulnerability that attackers may use to steal a target's NTLM credentials on all fully updated Windows versions, from Windows 7 to Windows 11 24H2. 

"So instead of just fixing CVE-2024-38030, we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file," Kolsek added. 

The firm is now offering free and unofficial security updates for this zero-day flaw via its 0patch micropatching service for all affected Windows versions until official patches from Microsoft are available, which have already been applied to all online Windows systems running the company's 0patch agent.

To install the micropatch on your Windows device, first create a 0patch account and then install the 0patch Agent. If no specific patching policy prevents it, the micropatch will be applied immediately without the need for a system restart once the agent is activated. 

However, it is crucial to remember that in this case, 0patch only delivers micropatches for Windows Workstation, as Windows Themes does not work on Windows Server until the Desktop Experience feature is deployed.
Read more »
Vulnerabilities and Exploits
bare metal provisioning critical vulnerability CVE-2024-44082 Ironic-Python-Agent OpenStack Ironic qemu-img security flaw Security Patch Vulnerabilities and Exploits

OpenStack Ironic Users Advised to Patch Critical Security Vulnerability

 

OpenStack's Ironic project, which is used for provisioning bare metal machines, has been identified with a critical security flaw (CVE-2024-44082) that allows authenticated users to exploit unvalidated image data. This vulnerability impacts multiple versions of Ironic and the Ironic-Python-Agent (IPA), potentially leading to unauthorized access to sensitive information due to improper handling of images processed by qemu-img.

The flaw was discovered by security experts Dan Smith and Julia Kreger of Red Hat, and Jay Faulkner of G-Research. It originates from the lack of validation for image data passed to qemu-img during processing. Authenticated attackers could leverage a specially crafted image to trigger unintended actions, potentially exposing sensitive data.

Affected versions include:

Ironic: Versions prior to 21.4.3, between 22.0.0 and 23.0.2, from 23.1.0 to 24.1.2, and between 25.0.0 and 26.0.1.

Ironic-Python-Agent: Versions before 9.4.2, between 9.5.0 and 9.7.1, from 9.8.0 to 9.11.1, and between 9.12.0 and 9.13.1.

To mitigate the CVE-2024-44082 vulnerability, OpenStack has issued patches for all maintained branches of Ironic and Ironic-Python-Agent, from the Dalmatian development branch to Antelope. These updates include code changes that validate images before passing them to qemu-img, preventing malicious images from executing unauthorized actions.

In cases where the Ironic-Python-Agent cannot be updated, administrators can enable the configuration option `[conductor]conductor_always_validates_images`, which forces all image downloads to be validated through the Ironic conductor. However, this option may lead to performance issues in high-traffic environments.

As part of the remediation, administrators should clear cached images by stopping the Ironic conductor and deleting files from the `[pxe]instance_master_path` directory.

Additionally, a new configuration option `[conductor]permitted_image_formats` has been introduced to restrict the accepted image formats. By default, only raw and qcow2 formats are allowed, as these are the only formats tested and supported by Ironic. Expanding this list is possible but not recommended due to potential security vulnerabilities.

It's crucial to note that the Ironic project does not support using ironic-lib for non-Ironic purposes. Independent use of ironic-lib could expose users to this vulnerability. The Ironic project plans to remove the vulnerable methods from ironic-lib in future releases.
Read more »
Vulnerability management
Cisco Security Security Patch SQL Bug Vulnerabilities and Exploits Vulnerability management

Cisco Firepower Management Center Impacted By a High-Severity Vulnerability

 

Cisco addressed a flaw in the web-based management interface of the Firepower Management Centre (FMC) Software, identified as CVE-2024-20360 (CVSS score 8.8). 

The vulnerability is a SQL injection bug; an intruder can use it to acquire any data from the database, run arbitrary commands on the underlying operating system, and elevate privileges to root. The attacker can only exploit this flaw if they have at least Read Only user privileges. 

“A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.” reads the advisory. “This vulnerability exists because the web-based management interface does not adequately validate user input. An attacker could exploit this vulnerability by authenticating to the application and sending crafted SQL queries to an affected system.” 

“A successful exploit could allow the attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least Read Only user credentials,” the advisory adds. 

According to Cisco, there isn't a fix for this vulnerability. The IT giant confirmed that neither Firepower Threat Defence (FTD) nor Adaptive Security Appliance (ASA) software is impacted by this security vulnerability. The attacks that are taking advantage of this vulnerability in the wild are unknown to the Cisco Product Security Incident Response Team (PSIRT). 

Security patch 

Cisco has published free software upgrades to address the vulnerability stated in the advisory. Customers with service contracts that include regular software updates should receive security fixes through their usual update channels. Customers can only install and get support for software versions and feature sets for which they have acquired a licence. Customers agree to abide by the terms and conditions of the Cisco software licence while installing, downloading, accessing, or using such software upgrades. 

Furthermore, customers may only download software for which they have a valid licence, either directly from Cisco or through a Cisco authorised reseller or partner. In most cases, this will be a maintenance upgrade for already purchased software. Customers that receive free security software updates are not entitled to a new software licence, additional software feature sets, or significant revision upgrades.
Read more »
Subscribe to: Posts (Atom)