Default Password Creates Major Security Risk for Apartment Complexes

 


Research conducted by security researchers has found that a widely used door access control system ships with an inherently insecure default password. Thousands of buildings across the country have insecure default passwords that can be accessed easily and remotely by anyone. Eric Daigle discovered that many residential and commercial properties in North America still have not changed the default passwords for their access control systems, and many of them are not even aware that this is a good idea.

When security researcher Eric Daigle examined an apartment building’s access control panel, he inadvertently discovered one of the most concerning security issues in recent years. A routine observation while waiting for a ferry led to the discovery of a critical security flaw affecting hundreds of residential buildings across the country, which caused a widespread financial loss for thousands of people.

Late last year, Eric Daigle became interested in the system when he noticed an unusual access control panel during his normal daily activities. A short online search for “MESH by Viscount” turned up a sales page for its remote access capability, followed by a PDF installation guide available for download. It is typical for access control systems to be configured with a default password, which administrators are supposed to change to their own credentials.

However, Daigle observed that the installation manual did not provide clear instructions regarding how these credentials were to be modified. It was later revealed, after further investigation into the user interface's login page title, that multiple publicly accessible login portals are available for this product. Alarmingly, as a result of this research, he was able to access the first one with default credentials, which highlights a critical security vulnerability. 

The Enterphone MESH door access system is currently owned by Hirsch, which has announced that, to address this security vulnerability, it will shortly release a software patch requiring users to change their default password as soon as possible. Internet-connected devices often have a default password, which is often included in the product manual to facilitate the initial setup process.

There is, however, a significant security risk in requiring end users to manually update these credentials: if they fail to do so, their systems are left vulnerable to unauthorized access. Hirsch’s door access solutions do not prompt customers to modify the default passwords when they are installed, nor require them to do so, leaving many systems at risk of unauthorized access. This vulnerability was discovered by security researcher Eric Daigle.

The vulnerability has been designated CVE-2025-26793 as a result of his findings. Modern building security systems have become increasingly integrated with Internet of Things (IoT) technology, especially in apartment complexes seeking a more advanced alternative to traditional phone-line-based access control systems. Among these key fob systems, Hirsch Mesh features a web-based portal that allows key fob use throughout a large building to be tracked and logged, and allows various entry points within the building to be controlled remotely.

The accessibility of the system's default login credentials, however, raises a crucial security concern: they are openly published in the installation manual, which lists them and is easily found via an online search. While waiting at a bus stop for his bus, Eric Daigle made a quick internet search for the product name displayed on the security terminal of the apartment complex across the street. Within a few minutes he had located the manual, which identified a way to circumvent the building's security measures. This highlighted a significant flaw in the system's design, leading to a serious risk of abuse.

Default passwords on internet-connected devices have historically posed a significant security threat, because unauthorized individuals can gain access under the guise of legitimate users, leading to data breaches or to malicious actors hijacking these devices to carry out large-scale cyberattacks. In recent years, several governments, including those of the UK, Germany, the US, and other countries, have been encouraging technology manufacturers to adopt more robust security measures and avoid the security risks associated with insecure default credentials.

Rated as highly vulnerable by the FBI because of its ease of exploitation, Hirsch's door entry system has also been rated a high threat, with a severity rating of 10. Exploiting the flaw involves a minimal amount of effort. The installation manual for the system, which is publicly available on Hirsch's website, can be used to obtain the default password. An affected building is vulnerable to unauthorized access if individuals with these credentials log in through the login portal of the building's system; this highlights a critical security flaw in the system.

New ChatGPT Update Unveils Alarming Security Vulnerabilities – Is Your Data at Risk?

 

The recent enhancements to ChatGPT, such as the introduction of the Code Interpreter, have brought about heightened security issues, as per the investigations conducted by security expert Johann Rehberger and subsequently validated by Tom's Hardware. Notably, the vulnerabilities in ChatGPT stem from its newly added file-upload feature, a component of the recent ChatGPT Plus update.

Among the various additions to ChatGPT Plus, the Code Interpreter stands out, allowing the execution of Python code and file analysis, along with DALL-E image generation. However, these updates have inadvertently exposed security flaws in the system. The Code Interpreter operates within a sandbox environment that, unfortunately, proves susceptible to prompt injection attacks.

A long-standing vulnerability in ChatGPT has been identified, wherein an attacker could manipulate the system by tricking it into executing instructions from an external URL. This manipulation prompts ChatGPT to encode uploaded files into URL-friendly strings and send the data to a potentially malicious website. 

While the success of such an attack depends on specific conditions, like the user actively pasting a malicious URL into ChatGPT, the potential risks are worrisome. This security threat could materialize through scenarios such as compromising a trusted website with a malicious prompt or utilizing social engineering tactics.

Tom's Hardware conducted testing to gauge the extent of user vulnerability to this attack. The test involved creating a fabricated environment variables file and using ChatGPT to process and inadvertently transmit this data to an external server. 

The effectiveness of the exploit varied across sessions, but the overall findings raise considerable security concerns. Particularly troubling is ChatGPT's capability to read and execute Linux commands, as well as handle user-uploaded files within a Linux-based virtual environment.

Despite the seemingly unlikely nature of this security loophole, its existence is noteworthy. Ideally, ChatGPT should refrain from executing instructions from external web pages, but the discovered vulnerabilities challenge this expectation. Mashable sought a response from OpenAI on these findings, but as of the report, no immediate response had been received.

Attackers Exploit Telerik Vulnerabilities to Deploy Cobalt Strike

 

A hacker called ‘Blue Mockingbird’ is exploiting Telerik UI flaws to breach servers, install Cobalt Strike beacons, and deploy cryptomining malware. 

The vulnerability, tracked as CVE-2019-18935 with a critical severity score (CVSS v3.1: 9.8), impacts the Telerik UI library for ASP.NET AJAX and is a high-risk deserialization security bug that can lead to remote code execution.

Blue Mockingbird was also identified in May 2020 targeting susceptible Microsoft IIS servers that employed Telerik UI, even though a year had passed since the vendor published security patches. Earlier this week, Sophos researchers revealed that Blue Mockingbird is leveraging the same flaw to launch new cyberattacks.

To exploit CVE-2019-18935, the hackers must secure the encryption keys that guard Telerik UI’s serialization on the target. This may be done by using CVE-2017-11317 and CVE-2017-11357 or abusing another vulnerability in the target web app. 

Because many web apps embedded the Telerik UI framework version available at the time of development and were later discontinued, they remain targets accessible for exploitation. Once the keys are acquired, the hackers can compile a malicious DLL containing the code to be executed during deserialization and launch it in the context of the ‘w3wp.exe’ process.

According to the researchers, in recent assaults, Blue Mockingbird employed a readily available proof-of-concept (PoC) exploit to manage the encryption logic and automate the DLL compilation. The payload used in the recent assaults is a Cobalt Strike beacon, a stealthy, legitimate penetration testing tool that hackers abuse to execute encoded PowerShell commands.

Persistence is achieved through Active Directory Group Policy Objects (GPOs), which create scheduled tasks in a new registry entry that contains base64-encoded PowerShell. To evade Windows Defender detection, the script employs typical AMSI-bypassing methodologies to download and load a Cobalt Strike DLL into memory.

The second-stage program (‘crby26td.exe’) is an XMRig Miner, a common open-source cryptocurrency miner for Monero, one of the least detected cryptocurrencies. Notably, this was the primary goal of the threat actor’s 2020 campaign; therefore, the attack chain, methodologies, and goals haven’t altered significantly. 

On the other hand, Cobalt Strike allows for simple lateral movement within an exploited network, data exfiltration, account takeover, and the deployment of more powerful payloads like ransomware. It remains unclear whether Blue Mockingbird is interested in investigating these possibilities or whether, for the time being, they are only focused on Monero mining.

Over 3.6M MySQL Servers Found Unguarded Online

 

Researchers at The Shadowserver Foundation have unearthed over 3.6 million susceptible MySQL servers on the internet, making them a lucrative target for attackers and extortionists.

In scans conducted last week, researchers identified 3.6 million exposed MySQL servers using the default port, TCP port 3306. Of these 3.6 million servers, 2.3 million are reachable over IPv4, while 1.3 million are connected over IPv6.

"While we do not check for the level of access possible or exposure of specific databases, this kind of exposure is a potential attack surface that should be closed," explains the report from Shadowserver.

The country with the most accessible IPv4 servers is the United States (at more than 740,000), followed by China (just shy of 300,000), and Germany (at roughly 175,000). 

The US also leads when it comes to accessible IPv6 MySQL servers (with close to 461,000 instances), followed by the Netherlands (at over 296,000) and Singapore (at 218,000). A detailed breakdown of the scan results is given below:

• Total exposed population on IPv4: 3,957,457 
• Total exposed population on IPv6: 1,421,010 
• Total "Server Greeting" responses on IPv4: 2,279,908 
• Total "Server Greeting" responses on IPv6: 1,343,993 
• MySQL services can be accessed through the internet in 67% of cases. 

According to researchers, it is common for web services and applications to connect to remote databases. To mitigate the risks, servers should be guarded properly so only authorized devices can connect to them. 

Furthermore, public server exposure should always be accompanied by strict user policies, altering the default access port (3306), enabling binary logging, monitoring all queries closely, and enforcing encryption. Administrators are also advised to keep their MySQL servers updated at all times, especially since attacks targeting MySQL servers are not uncommon.

"It is unlikely that you need to have your MySQL server allowing for external connections from the Internet (and thus a possible external attack surface)," Shadowserver explained in a post regarding the MySQL findings. "If you do receive a report on your network/constituency, take action to filter out traffic to your MySQL instance and make sure to implement authentication on the server." 
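The hardening points above (restricting the listening interface, moving off port 3306, binary logging, enforced encryption, authentication) can be checked against a server's option file. The following is an added example, not part of the Shadowserver report; both option files are constructed samples, and it treats an absent `log-bin` as something to make explicit because the default differs between MySQL versions.

```python
# Added example: audit the [mysqld] section of a my.cnf against the points above.
# Both option files are constructed samples, not taken from a real server.
SAMPLE_MY_CNF = """\
[client]
port = 3306

[mysqld]
# listens on every interface
bind-address = 0.0.0.0
port = 3306
skip-log-bin
require_secure_transport = OFF
"""

HARDENED_MY_CNF = """\
[mysqld]
bind-address = 10.0.0.5
port = 13306
log-bin = mysql-bin
require_secure_transport = ON
"""

WILDCARD_BINDS = {"*", "0.0.0.0", "::"}
TRUE_VALUES = {"", "1", "on", "true"}  # "" is a bare flag such as skip-log-bin


def parse_mysqld_section(text):
    """Return [mysqld] options as {name: value}; dashes in names become underscores."""
    options, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":
            continue  # blank lines, comments and !include directives
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        name, _, value = line.partition("=")
        options[name.strip().lower().replace("-", "_")] = value.strip().strip("'\"")
    return options


def enabled(opts, name):
    """True when a boolean option is present as a bare flag or set to a true value."""
    return name in opts and opts[name].lower() in TRUE_VALUES


def audit(text):
    """Return a sorted list of finding identifiers for the [mysqld] section."""
    opts = parse_mysqld_section(text)
    findings = []
    if not enabled(opts, "skip_networking"):
        # MySQL listens on all interfaces ("*") when bind-address is not set.
        if opts.get("bind_address", "*") in WILDCARD_BINDS:
            findings.append("bind-address-all-interfaces")
        if opts.get("port", "3306") == "3306":
            findings.append("default-port-3306")
        if not enabled(opts, "require_secure_transport"):
            findings.append("tls-not-required")
    if enabled(opts, "skip_grant_tables"):
        findings.append("authentication-disabled")
    if enabled(opts, "skip_log_bin") or enabled(opts, "disable_log_bin"):
        findings.append("binary-logging-disabled")
    elif "log_bin" not in opts:
        # Default differs between MySQL versions, so ask for an explicit setting.
        findings.append("binary-logging-not-explicit")
    return sorted(findings)


if __name__ == "__main__":
    print("sample:  ", audit(SAMPLE_MY_CNF))
    print("hardened:", audit(HARDENED_MY_CNF))
```

A clean result only covers the option file; firewall rules and per-account privileges still need their own review.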

Failing to secure MySQL database servers can result in data breaches, ransom demands, remote access trojan (RAT) infections, or even Cobalt Strike compromises.

Organizations are More Susceptible to Known Vulnerabilities in Comparison to Zero-Day Flaw

 

A study of APT hacking campaigns conducted from 2008 to 2020 by University of Trento security researchers indicates enterprise IT security admins should worry most about fixing their systems for known vulnerabilities, rather than chasing a patch for every zero-day flaw that emerges. 

The researchers analyzed the impact of 86 APTs and 350 attack campaigns and debunked the belief that all APTs are highly sophisticated and prefer targeting zero-day flaws rather than ones that have already been patched. 

“Contrary to common belief, most APT campaigns employed publicly known vulnerabilities,” researchers Giorgio Di Tizio, Michele Armellini, and Fabio Massacci wrote in the report published on the pre-print server arXiv. 

Indeed, out of the 86 APTs they examined, only eight – known respectively as Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus, and Rancor – exploited CVEs that were not used by anybody else. This demonstrates that not all the APTs are as sophisticated as many think, as the groups “often reuse tools, malware, and vulnerabilities,” researchers wrote.

Faster updates minimize the threat 

The study showed that organizations that apply software updates as soon as they're published face the lowest odds of being compromised. However, the need to do regression testing before applying an update means that entities often take far longer to update their software. 

It typically takes more than 200 days for an organization to align 90 percent of their machines with the latest software patches due to regression testing, which ensures that updated systems function properly after the update, researchers found. Such behavior is rational because not all vulnerabilities are always exploited in the wild. However, to combat APTs, slow updates do not seem appropriate. 

The study conducted by University of Trento researchers specifically focused on the effectiveness and cost of different software update strategies for five widely used enterprise software products: Office, Acrobat Reader, Air, JRE, and Flash Player for the Windows OS environment. 

"In summary, for the broadly used products we analyzed, if you cannot keep updating always and immediately (e.g., because you must do regression testing before deploying an update), then being purely reactive on the publicly known vulnerable releases has the same risk profile than updating with a delay, but costs significantly less," the researchers added.

Nearly Half of Security Enterprises Store Passwords in Office Documents

 

A new survey conducted by identity management vendor Hitachi ID discovered that nearly 46% of IT and security enterprises store corporate passwords in office documents like spreadsheets, making them vulnerable to a significant cyber threat. Hitachi ID surveyed 100 executives across EMEA and North America to better understand how secure their password management is.

It indicates that IT leaders aren’t practicing what they preach because almost all (94%) participants asserted they need password monitoring training, with 63% claiming they do so more than once a year.

“It raises an important question about how effective password management training is when nearly half the organizations are still storing passwords in spreadsheets and other documents, and 8% write them on sticky notes,” stated Nick Brown, CEO at Hitachi ID. “Insecure passwords are still a leading cause of cyberattacks, and education alone is clearly not enough. More companies need to follow the lead of the 30% who report that they store passwords in a company-provided password manager.”

The worrying thing is that many enterprises know their secrets and password management isn’t up to par. Question marks were also raised about the risks posed by departing employees. Only 5% say they were extremely confident that wasn’t possible. If they have to urgently terminate an employee, only 7% of enterprises were confident they can transfer passwords and credentials, terminate access, and maintain business continuity. 

That lack of confidence has real-world implications. Some 29% of respondents say they’ve experienced an incident in the past year where they lost access to product systems after an employee left the organization. Last year, it emerged that a former employee at a credit union destroyed 21GB of corporate data, including 20,000 files and almost 3500 directories in retaliation for being fired. 

According to Ian Reay, VP, Product Management at Hitachi ID, it is estimated that each employee might have as many as 70-100 passwords and “decentralized secrets” that could be exploited by attackers to gain access to and move through an organization. 

“In the midst of the Great Resignation, every organization should be extremely confident that passwords will stay in the company regardless of which employees come and go,” Reay concluded.

Five Eyes Agencies Warn Managed Service Providers of Cyber Attacks

 

The Five Eyes alliance of cybersecurity authorities from the United States, the United Kingdom, Australia, New Zealand, and Canada last week published a joint advisory warning of threats targeting managed service providers (MSPs) and their customers. 

The advisory advises customers of MSPs in the member nations on how to guard sensitive details and reassess their security posture and contractual agreements with their service providers based on individual risk tolerance. MSPs are a prime target for cybercriminals and nation-state actors because attacking an MSP can lead to additional downstream victims (as we witnessed with the Kaseya and SolarWinds assaults).

"As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it's critical that MSPs and their customers take recommended actions to protect their networks," Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), stated.

"We know that MSPs that are vulnerable to exploitation significantly increase downstream risks to the businesses and organizations they support. Securing MSPs is critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain," she added.

The alert is the result of a collaborative effort among the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation in the U.S.; the National Cyber Security Centers in the United Kingdom and New Zealand; the Australian Cyber Security Center; and the Canadian Center for Cyber Security. 

Mitigation tips 

In the advisory issued on the second day of the NCSC's Cyber UK conference, where several senior figures from the cybersecurity agencies have met to discuss the issue of global cyber threats, the authorities recommend that MSP customers ensure that their MSPs implement the following measures and controls: 

• To counter initial assault, enhance the security of vulnerable devices, protect internet-facing services and defend against brute-force and phishing attacks. 
• Improve monitoring and logging processes for the delivery infrastructure activities used to provide services to the customer. 
• Enable multifactor authentication across all customer services and products. 
• Periodically erase obsolete accounts and infrastructure and apply updates to the infrastructure whenever available and necessary. 
• Develop incident response and recovery plans. 
• Understand and proactively manage supply chain risk. 
• Adopt transparent processes and, at the same time, manage account authentication and authorization.

German Firms Targeted by Malicious NPM Packages

 

JFrog researchers have uncovered multiple malicious packages in the NPM registry specifically targeting several popular media, logistics, and industrial companies based in Germany to carry out supply chain attacks.

"Compared with most malware found in the NPM repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine," researchers said in a new report. 

According to the DevOps company, the evidence discovered suggests it is either the work of a sophisticated hacker or a "very aggressive" penetration test. Four maintainers (bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm) have been associated with all the rogue packages; most of the packages have been taken down from the repository.

The finding points out that the hackers are trying to impersonate legitimate firms like Bertelsmann, Bosch, Stihl, and DB Schenker. Some of the package names are distinct, which makes it likely that the adversary managed to identify the libraries hosted in the companies’ internal repositories in order to launch a dependency confusion attack.

The findings are based on a report from Snyk late last month that detailed one of the malicious packages, "gxm-reference-web-auth-server," noting that the malware is targeting an unknown firm that has the same package in their private registry.

"The attacker(s) likely had information about the existence of such a package in the company's private registry," the Snyk security research team said. According to researchers at Reversing Labs, who independently examined the hacks, the rogue modules uploaded to NPM featured higher version numbers than their private counterparts to force the modules onto target environments.

"The targeted private packages for the transportation and logistics firm had versions 0.5.69 and 4.0.48, while the malicious, public versions were identically named, but used versions 0.5.70 and 4.0.49," the cybersecurity firm explained. 
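The version bump described above can be checked for defensively by comparing an internal package inventory with what the public registry lists under the same names. This is an added example, not code from JFrog, Snyk or Reversing Labs: the package names and registry snapshot are constructed (only the version pairs come from the quote), and it assumes the installer consults the public registry for unscoped names and takes the highest version matching the requested range.

```python
# Added example: flag private package names that a public registry entry could
# shadow. Package names and registry data are constructed sample input.
import re

# name -> version published internally and the range requested in package.json
PRIVATE = {
    "internal-pkg-a": {"version": "0.5.69", "spec": "^0.5.69"},
    "internal-pkg-b": {"version": "4.0.48", "spec": "4.0.48"},
    "internal-pkg-c": {"version": "1.2.0", "spec": "^1.2.0"},
    "@corp/internal-pkg-d": {"version": "2.0.0", "spec": "^2.0.0"},
}
# name -> versions visible on the public registry (constructed snapshot)
PUBLIC = {
    "internal-pkg-a": ["0.5.70"],
    "internal-pkg-b": ["4.0.49"],
}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints (pre-release tags not handled)."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def caret_upper_bound(version):
    """Exclusive upper bound of the npm caret range ^version."""
    major, minor, patch = version
    if major > 0:
        return (major + 1, 0, 0)
    if minor > 0:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)


def satisfies(candidate, spec):
    """True if candidate matches spec, where spec is 'X.Y.Z' (exact) or '^X.Y.Z'."""
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        return base <= candidate < caret_upper_bound(base)
    return candidate == parse_version(spec)


def find_shadowed(private_packages, public_registry):
    """Return one finding per unscoped private name that also exists publicly."""
    findings = []
    for name, info in sorted(private_packages.items()):
        if name.startswith("@"):
            continue  # scoped names skipped: assumed to be mapped to the private registry
        public_versions = [parse_version(v) for v in public_registry.get(name, [])]
        if not public_versions:
            continue
        private_version = parse_version(info["version"])
        newer = [v for v in public_versions
                 if v > private_version and satisfies(v, info["spec"])]
        findings.append({
            "name": name,
            "private": info["version"],
            "public_max": ".".join(map(str, max(public_versions))),
            "would_be_selected": bool(newer),  # a public version outranks the private one
        })
    return findings


if __name__ == "__main__":
    for finding in find_shadowed(PRIVATE, PUBLIC):
        print(finding)
```

The exact pin on the second package keeps the public 4.0.49 from matching, but the name collision is still reported because any later range change would expose it.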

Calling the implant an "in-house development," JFrog pointed out that the malware contains two components, a dropper that sends information about the infected machine to a remote telemetry server before decrypting and executing a JavaScript backdoor. The backdoor, while lacking a persistence mechanism, is designed to receive and execute commands sent from a hard-coded command-and-control server, evaluate arbitrary JavaScript code, and upload files back to the server. 

Earlier this week, a German penetration testing company named Code White owned up to uploading the malicious packages in question, adding that it was an attempt to "mimic realistic threat actors for dedicated clients."