
Hackers Are Sending Fake Police Data Requests To Tech Giants To Steal People's Private Data

 

The FBI has issued a warning that hackers are collecting sensitive user information, such as emails and contact details, from US-based tech firms by hacking government and police email addresses in order to file "emergency" data requests. 

The FBI's public notice, published last week, is an unusual admission by the federal government about the threat posed by fraudulent emergency data requests, a legal process designed to let police and federal authorities obtain information from companies in order to respond to immediate threats to people's safety or property.

The misuse of emergency data requests is not new, and it has drawn significant attention in recent years. The FBI now warns that it noticed an "uptick" in criminal posts online advertising access to or carrying out false emergency data requests around August and is going public to raise awareness.

“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory. 

Police and law enforcement in the United States generally need some legal basis to obtain private data held by companies. Typically, police must show sufficient evidence of a possible crime before a U.S. court will grant a search warrant authorising them to collect that information from a private company. 

Police can also issue subpoenas, which do not require a judge's approval, asking businesses to hand over limited categories of information about a user, such as their username, account logins, email addresses, phone numbers and, in some cases, approximate location. 

Finally, there are emergency requests, which let law enforcement obtain a person's information from a company when there is an immediate threat and no time to secure a court order. Federal authorities say that some cybercriminals abuse these emergency requests.

The FBI stated in its advisory that it had spotted many public posts from known hackers in 2023 and 2024 claiming access to email accounts used by US law enforcement and several foreign governments. According to the FBI, this access was later used to issue fake subpoenas and other legal demands to corporations in the United States in search of private user data kept on their systems. 

The cybercriminals were able to pass as law enforcement by sending data requests to businesses from hacked police accounts. Some requests included false claims of urgency, such as allegations of human trafficking and, in one case, a warning that a person would "suffer greatly or die" unless the company in question returned the requested information.

The FBI said that because the hackers had gained access to law enforcement accounts, they were able to produce subpoenas that appeared authentic and pressure companies into divulging user data, including phone numbers, emails and usernames. However, the FBI noted that not all fraudulent emergency data requests were successful.

Chrome Extensions Continue to Pose a Threat, Even With Google's Manifest V3

 

Users have always found browser extensions to be a useful tool for increasing productivity and streamlining tasks. They have, however, become a prime target for malicious actors attempting to exploit flaws, impacting both individual users and companies. 

Despite efforts to boost security, several of these extensions have found ways to exploit vulnerabilities in Google's latest extension framework, Manifest V3 (MV3). SquareX's recent research explained how these rogue extensions can continue to evade crucial security protections, exposing millions of users to risks such as data theft, malware, and unauthorised access to sensitive information. 

Google has long struggled with malicious Chrome extensions. In June 2023, the company had to manually remove 32 malicious extensions that had been installed 72 million times before they were taken down. 

Google's previous extension framework, Manifest Version 2 (MV2), was notoriously permissive. It frequently granted extensions excessive rights and allowed them to load scripts from remote servers without the user's knowledge, making it easier for cybercriminals to steal data, access sensitive information and install malware.

In response, Google launched Manifest V3, which was intended to improve security by limiting permissions and requiring extensions to bundle their scripts rather than fetch them at run time. While MV3 was supposed to address the weaknesses found in MV2, SquareX's study indicates that it falls short in important areas. 

Malicious extensions built on MV3 can still circumvent security measures and grab live video streams from collaboration services such as Google Meet and Zoom Web without requiring specific permission. They can even add unauthorised contributors to private GitHub repositories and send users to phishing pages masquerading as password managers. 

Furthermore, these malicious extensions, like their MV2 counterparts, can read browser history, cookies, bookmarks and download history, and can display a fake software-update pop-up that tricks users into downloading malware. 

Once a malicious extension is installed, individuals and businesses have little visibility into its activity, leaving them exposed. According to SquareX, endpoint protection, Secure Access Service Edge (SASE) and Secure Web Gateway (SWG) products cannot dynamically assess the risk posed by browser extensions. 

SquareX has created a number of solutions targeted at enhancing browser extension security in order to address these issues. Their strategy includes customised rules that let administrators choose which extensions to accept or ban depending on user ratings, reviews, update history, and extension permissions.

This system can prevent network requests from extensions in real time using policies, machine learning insights, and heuristic analysis. Additionally, SquareX is experimenting with dynamic analysis of Chrome extensions using a customised Chromium browser on its cloud server, which will provide greater insights into the behaviour of potentially malicious extensions.
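The permission-based allow/ban rules described above can be prototyped without any vendor product. The following is an added example, not code from SquareX or from this post: it parses Chrome extension manifests (constructed samples are embedded inline) and flags the manifest version, permissions that expose browser data, broad host access and a permissive CSP. The risk list and the block threshold are assumptions for illustration.

```python
"""Audit Chrome extension manifests for risky permissions (added example, not SquareX's code)."""
import json

# Permissions that expose browsing data or traffic to the extension (assumed risk list).
RISKY_PERMISSIONS = {
    "cookies", "history", "bookmarks", "downloads", "tabs", "tabCapture",
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "scripting",
    "clipboardRead", "debugger", "nativeMessaging", "management", "proxy",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect host match patterns from every field MV2 and MV3 use to declare them."""
    patterns = set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and (p == "<all_urls>" or "://" in p):
                patterns.add(p)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Return a list of human-readable findings for one parsed manifest.json."""
    findings = []
    version = manifest.get("manifest_version")
    if version != 3:
        findings.append(f"manifest_version {version}: MV2 still allows remotely hosted code")

    declared = set()
    for key in ("permissions", "optional_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for perm in sorted(declared & RISKY_PERMISSIONS):
        findings.append(f"permission {perm!r}: reads or alters browser data or traffic")

    if host_patterns(manifest) & BROAD_HOST_PATTERNS:
        findings.append("broad host access: content scripts can run on every site")

    # MV2 stores the CSP as a string, MV3 as an object keyed by context.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = " ".join(str(v) for v in csp.values())
    if "unsafe-eval" in csp or "http:" in csp or "https:" in csp:
        findings.append("CSP permits eval or remote script sources")
    return findings


def decide(manifest, max_findings=2):
    """Toy allow/block policy: block once findings exceed the threshold (assumed value)."""
    findings = audit_manifest(manifest)
    return ("block" if len(findings) > max_findings else "allow"), findings


# Constructed sample manifests; these are not real extensions.
BENIGN_MV3 = json.loads('''{"manifest_version": 3, "name": "Notes", "version": "1.0",
    "permissions": ["storage"]}''')
SUSPICIOUS_MV3 = json.loads('''{"manifest_version": 3, "name": "Helper", "version": "1.0",
    "permissions": ["cookies", "history", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}''')
LEGACY_MV2 = json.loads('''{"manifest_version": 2, "name": "Old", "version": "0.9",
    "permissions": ["tabs", "http://*/*", "https://*/*"],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"}''')

if __name__ == "__main__":
    for m in (BENIGN_MV3, SUSPICIOUS_MV3, LEGACY_MV2):
        verdict, why = decide(m)
        print(m["name"], verdict, *why, sep="\n  ")
```

The point the sample makes is the one SquareX raises: an MV3 manifest with `cookies`, `history` and `<all_urls>` passes Google's structural requirements yet gives the extension everything it needs for data theft, so a static permission audit has to be paired with behavioural monitoring of what the extension actually does.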

Critical Security Vulnerability Found in LiteSpeed Cache Plugin: Urgent Update Advised for WordPress Users

 

A significant security flaw has been uncovered in the LiteSpeed Cache plugin, used by over 6 million WordPress sites, which could allow unauthenticated visitors to gain administrator-level access. The vulnerability stems from a weakness in the plugin's role simulation feature, making it possible for attackers to bypass authentication and install harmful plugins.

The LiteSpeed Cache plugin, popular for site performance enhancements, is compatible with widely-used WordPress plugins like WooCommerce, bbPress, and Yoast SEO.

According to cybersecurity firm Patchstack, this vulnerability results from weak hash checks, which can be exploited under certain administrator-defined configurations. The issue is particularly pronounced when high run durations and minimal load limits are applied within the plugin's Crawler feature.

Listed as CVE-2024-50550, the vulnerability is concerning due to its susceptibility to brute-force attacks, enabling attackers to bypass essential security mechanisms.

Specific configurations that make this vulnerability more likely include:
  • Enabling the Crawler feature with run durations between 2500-4000 seconds
  • Setting the server load limit to 0
  • Activating role simulation for administrator-level users

Recommended Actions to Mitigate the Risk

In response, LiteSpeed has removed the role simulation feature and strengthened its hash generation. The company has also shared plans with Patchstack to introduce more sophisticated random value generation in future updates to further guard against brute-force attacks. Patchstack recommends that all LiteSpeed Cache users update to version 6.5.2 or later to mitigate these risks.

"This vulnerability underscores the importance of strong, unpredictable values for security hashes or nonces," Patchstack noted, adding that features like role simulation should always include robust access controls.

Additionally, administrators are advised to review plugin settings, optimizing configurations like Crawler run duration and load limits to strengthen security.
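To make Patchstack's closing point concrete, here is an added example (not LiteSpeed's code, and not a reconstruction of the vulnerable routine) showing the two properties a role-simulation token needs: enough entropy that brute force is hopeless, and a binding to the role, subject and expiry that only an administrator can mint. The entropy arithmetic is generic; the token format, field names and the `issuer_is_admin` gate are assumptions for illustration.

```python
"""Role-simulation tokens: keyspace arithmetic and an HMAC-bound, expiring token (added example)."""
import base64
import hashlib
import hmac
import json
import math
import secrets
import time


def keyspace_bits(alphabet_size, length):
    """Entropy of a token of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits):
    """Average number of online guesses needed to hit a uniformly random token of that size."""
    return 2 ** (bits - 1)


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret, issuer_is_admin, user_id, role, ttl_seconds, now=None):
    """Only an administrator may mint a token; the token names the subject, role and expiry."""
    if not issuer_is_admin:
        raise PermissionError("role simulation tokens may only be issued by administrators")
    now = int(time.time()) if now is None else now
    payload = {"uid": user_id, "role": role, "exp": now + ttl_seconds,
               "nonce": secrets.token_hex(16)}        # 128 bits from the OS CSPRNG
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(secret, token, now=None):
    """Return the payload if the tag verifies and the token is unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):         # constant-time comparison
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) < now:
        return None
    return payload


if __name__ == "__main__":
    # A 6-character alphanumeric value versus a 32-byte secret (both constructed sizes).
    for alphabet, length in ((62, 6), (16, 64)):
        bits = keyspace_bits(alphabet, length)
        print(f"{length} symbols from {alphabet}: {bits:.1f} bits, "
              f"~{expected_guesses(bits):.3g} guesses on average")
    key = secrets.token_bytes(32)
    tok = issue_token(key, True, 7, "administrator", 300)
    print("verified:", verify_token(key, tok))
```

A token whose entire keyspace can be enumerated in a few hundred thousand requests is not a secret at all, whatever hash function produced it; the fix is to draw the value from a CSPRNG, compare it in constant time, and make the role it unlocks contingent on who issued it and for how long.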

Unofficial Patches Published for New Windows Themes Zero-Day Exploit

 

Free unofficial fixes are now available for a new zero-day flaw in Windows Themes that allows hackers to remotely harvest a target's NTLM credentials.

NTLM has been extensively abused in NTLM relay attacks, in which threat actors coerce vulnerable network devices into authenticating to a host under their control and relay that authentication to other servers, and in pass-the-hash attacks, in which attackers exploit system vulnerabilities or deploy malicious software to steal NTLM hashes (hashed passwords) from target systems. 

Once they acquire a hash, the attackers can impersonate the affected user, gaining access to sensitive data and moving laterally through the now-compromised network. Microsoft announced a year ago that it plans to retire the NTLM authentication protocol in Windows 11. 

ACROS Security researchers uncovered the new Windows Themes zero-day (which has yet to be assigned a CVE ID) while working on a micropatch for CVE-2024-38030, a credential-leak flaw reported by Akamai's Tomer Peled that bypassed Microsoft's January fix for an earlier Windows Themes spoofing vulnerability (CVE-2024-21320). 

According to Peled, "when a theme file specified a network file path for some of the theme properties (specifically BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including user's NTLM credentials when such a theme file would be viewed in Windows Explorer.”

"This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user's credentials without any additional user action," ACROS Security CEO Mitja Kolsek stated. 

Even though Microsoft fixed CVE-2024-38030 in July, ACROS Security discovered another vulnerability that attackers may use to steal a target's NTLM credentials on all fully updated Windows versions, from Windows 7 to Windows 11 24H2. 

"So instead of just fixing CVE-2024-38030, we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file," Kolsek added. 

The company is offering free, unofficial fixes for this zero-day through its 0patch micropatching service for all affected Windows versions until Microsoft ships an official patch; the micropatches have already been applied to all online Windows systems running the 0patch agent.
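Defenders who cannot deploy the micropatch can at least find theme files that would trigger the leak. The following is an added example, not ACROS's or Akamai's code: it parses a `.theme` file as the INI-style text it is and reports any property whose value is a UNC path or URL, listing the `BrandImage` and `Wallpaper` keys named above first. The sample theme text is constructed and `files.example.test` is a placeholder host, not an indicator.

```python
"""Flag Windows .theme files whose properties point at a network location (added example)."""
import configparser
import re

# Keys the write-ups above name as triggering the fetch; every key is still checked.
WATCHED_KEYS = {("Theme", "BrandImage"), ("Control Panel\\Desktop", "Wallpaper")}

UNC_RE = re.compile(r"^\s*(\\\\|//)[^\\/]+[\\/]")          # \\host\share\... or //host/share/...
URL_RE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)    # http://host/..., etc.


def is_remote_path(value):
    """True when loading this property value would make Windows contact another host."""
    return bool(UNC_RE.match(value) or URL_RE.match(value))


def scan_theme_text(text):
    """Return (section, key, value) for every property with a remote path, watched keys first."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # keep key case so ("Theme", "BrandImage") matches
    parser.read_string(text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if value is not None and is_remote_path(value):
                hits.append((section, key, value.strip()))
    hits.sort(key=lambda hit: (hit[0], hit[1]) not in WATCHED_KEYS)
    return hits


def scan_theme_file(path):
    """Read a .theme file (commonly UTF-16 with a BOM, otherwise treated as UTF-8) and scan it."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", "replace")
    return scan_theme_text(text)


# Constructed samples for demonstration only.
MALICIOUS_SAMPLE = r"""[Theme]
DisplayName=Constructed sample
BrandImage=\\files.example.test\share\brand.png

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
"""

BENIGN_SAMPLE = r"""[Theme]
DisplayName=Local only

[Control Panel\Desktop]
Wallpaper=C:\Users\Public\Pictures\wall.jpg
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_theme_text(sample))
```

Because the leak happens on viewing rather than on applying the theme, a scan like this belongs at the mail gateway and on file shares, not only on the endpoint; it complements, and does not replace, blocking outbound SMB at the perimeter.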

To install the micropatch on your Windows device, first create a 0patch account and then install the 0patch Agent. If no specific patching policy prevents it, the micropatch will be applied immediately without the need for a system restart once the agent is activated. 

Note, however, that in this case 0patch only delivers micropatches for Windows workstation editions, since Windows Themes does not function on Windows Server unless the Desktop Experience feature is installed.

Apple's Latest iPhone Update: Bad News for Millions of Google Users

 

If the latest reports are correct, Apple consumers have just over a fortnight to wait until the launch of iOS 18.1 and the belated arrival of Apple Intelligence, the flagship feature in the latest iOS release. Until then the most significant update is still RCS, the even more belated upgrade of stock SMS on iPhones. 

As security experts have pointed out before, Apple's RCS implementation has serious security shortcomings. The main one is the lack of end-to-end encryption, a major step backwards, but there is also patchy carrier adoption, no full iMessage integration, and no end in sight for those dreaded green bubbles.

But Google campaigned hard for years, cajoling Apple into making this move as its own Android Messages app lost ever more ground to WhatsApp and other over-the-tops, while Apple seemingly brushed away any concerns, with its critical US user base continuing to iMessage between themselves. 

And, while Google has teased Apple over their flawed RCS implementation, it has also made it clear how welcome this is. But there was always the chance that Google and its consumers would not see the equal playing field they desired, and that risk appears to be coming true. 

Android Authority recently observed that "iPhone users are not as into RCS as their Android buddies would have liked." There are some clear barriers to wider adoption, particularly carrier support. But the underlying issue is much simpler: WhatsApp. This long-awaited, partial bridge between iMessage and Google Messages has been delayed for so long that WhatsApp has effectively locked down every significant market outside the United States (and China). 

With iMessage security being one of Apple's main selling points, privacy and security have become so central to the iPhone and its user base that an update which abandons all of that seems counter-intuitive in every sense. What makes it worse is that Google cannot read user content either, because Google Messages applies end-to-end encryption between Android users much as iMessage does between Apple users. All of that disappears when messages cross platforms over RCS.

Stealthy Malware Has Infected Thousands of Linux Systems Since 2021

 

Aqua Security researchers have raised concerns about a newly identified malware family that targets Linux-based machines in order to gain persistent access and hijack resources for crypto mining. The malware, known as perfctl, is believed to exploit over 20,000 different types of misconfigurations and known vulnerabilities and has been active for over three years. 

Aqua Security uncovered that perfctl uses a rootkit to hide itself on compromised systems, runs as a service in the background, is only active when the machine is idle, communicates via a Unix socket and Tor, installs a backdoor on the infected server, and attempts to escalate privileges. The malware's handlers have been detected deploying more reconnaissance tools, proxy-jacking software, and a cryptocurrency miner. 

The attack chain begins with the exploitation of a vulnerability or misconfiguration, followed by the deployment and execution of the payload from a remote HTTP server. Next, it copies itself to the temporary directory, terminates the old process, deletes the initial binary, and runs from the new location. 

The payload includes an exploit for CVE-2021-4043, a medium-severity null pointer dereference vulnerability in the open source multimedia framework GPAC, which it uses to gain root access. The flaw was recently added to CISA's Known Exploited Vulnerabilities catalogue. 

In addition to the cryptominer, the malware was observed copying itself to numerous additional locations on the computers, dropping a rootkit and popular Linux applications modified to function as userland rootkits. It uses a Unix socket to handle local communications and the Tor anonymity network for external command-and-control (C&C). 

"All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defence mechanisms and hinder reverse engineering attempts," the company said. 

Furthermore, the malware monitors specific files and, if a user logs in, suspends its activity to conceal its presence. It also tampers with user shell configuration so that its code runs in users' Bash sessions while the server otherwise operates normally. 

For persistence, perfctl modifies a start-up script so that it runs before the server's legitimate workload. It also attempts to terminate the processes of any other malware it finds on the infected server. 
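Two habits in the attack chain described above, running from a temporary directory and deleting the binary after execution, are visible from `/proc` on any Linux host. The following is an added example, not Aqua Security's tooling: it scores a process from its `exe` link and `cmdline` and can walk a live `/proc`. The sample process records are constructed; the thresholds and the argv[0] heuristic are assumptions and will need tuning for interpreters and wrappers in a real fleet.

```python
"""Hunt for processes running from temp dirs or deleted binaries, as perfctl does (added example)."""
import os

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")      # assumed list of scratch locations


def assess_process(exe_target, argv):
    """Reasons a process looks suspicious, from /proc/<pid>/exe (readlink) and /proc/<pid>/cmdline."""
    reasons = []
    deleted = exe_target.endswith(" (deleted)")
    path = exe_target[: -len(" (deleted)")] if deleted else exe_target
    if deleted:
        reasons.append("binary deleted after start")
    if path.startswith(TEMP_DIRS):
        reasons.append("executes from a temp directory")
    # argv[0] is chosen by whoever called exec(), so a mismatch with the real binary name is a
    # masquerading signal. Login shells prefix argv[0] with '-', which is stripped first.
    if argv and path:
        claimed = os.path.basename(argv[0]).lstrip("-")
        actual = os.path.basename(path)
        if claimed and claimed != actual:
            reasons.append(f"argv[0] {claimed!r} does not match binary {actual!r}")
    return reasons


def proc_available():
    return os.path.isdir("/proc")


def scan_proc(proc="/proc"):
    """Walk a live /proc and return {pid: reasons}; entries this user cannot read are skipped."""
    hits = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:          # process exited, or belongs to another user
            continue
        reasons = assess_process(exe, argv)
        if reasons:
            hits[int(entry)] = reasons
    return hits


# Constructed records, not captured from a real infection.
SAMPLES = {
    "perfctl-like": ("/tmp/.x/perfctl (deleted)", ["/usr/sbin/sshd", "-D"]),
    "real sshd": ("/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),
    "login shell": ("/usr/bin/bash", ["-bash"]),
}

if __name__ == "__main__":
    for name, (exe, argv) in SAMPLES.items():
        print(f"{name}: {assess_process(exe, argv) or 'clean'}")
    if proc_available():
        print("live hits:", scan_proc())
```

Run as root on a suspect host, since `/proc/<pid>/exe` of other users' processes is unreadable otherwise. Because perfctl also ships userland rootkits that hook the libraries `ps` and `ls` rely on, read `/proc` directly as this script does rather than trusting those tools, and ideally from a statically linked binary or a rescue image.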

The deployed rootkit hooks into various functions and modifies their functionality, including changes that allow "unauthorised actions during the authentication process, such as bypassing password checks, logging credentials, or modifying the behaviour of authentication mechanisms," according to Aqua Security. 

The cybersecurity firm found three download servers linked to the attacks, as well as other websites that were likely hacked by the threat actors, resulting in the finding of artefacts used in the exploitation of vulnerable or misconfigured Linux servers. 

“We identified a very long directory traversal fuzzing list of almost 20K entries, seeking mistakenly exposed configuration files and secrets. There are also a couple of follow-up files (such as the XML) the attacker can run to exploit the misconfiguration,” the company added.

Security Flaw in Google Cloud Document AI Could Expose Sensitive Data, Experts Warn

 

A critical vulnerability in Google Cloud's Document AI service could have allowed cybercriminals to steal sensitive information from users' cloud storage accounts and even inject malware, cybersecurity experts have warned. 

The flaw was first discovered by researchers at Vectra AI, who reported it to Google in April 2024. Document AI is a suite of machine learning tools that automates the extraction, analysis, and processing of documents, converting unstructured files like invoices and contracts into structured data to streamline workflows.

The issue arose during the batch processing of documents, a feature that automates large-scale document analysis. Instead of using the caller’s permissions, the system relied on broader permissions granted to a "service agent," a Google-managed entity responsible for processing tasks. This created a security gap, allowing a malicious actor with access to a project to potentially retrieve and modify any files stored in the associated Google Cloud Storage buckets.

Vectra AI researchers provided a proof of concept to demonstrate how an attacker could exfiltrate and alter a PDF file before reuploading it to its original location. Although Google released a patch and labelled the issue "fixed" soon after, the researchers criticized the initial fix as inadequate.

After further pressure, Google implemented a more comprehensive fix in September 2024, addressing the vulnerability by restricting access in the affected projects.

Veeam Software Issues Fixes for Exploitable Security Flaws

 

Security experts recommend that all Veeam Backup & Replication customers upgrade immediately to address a critical, remotely exploitable vulnerability. Veeam disclosed the flaw, tracked as CVE-2024-40711, on Thursday, when it issued fixes for 18 vulnerabilities across its product range, including five rated critical because they can be exploited remotely to execute arbitrary code. 

The upgrade for the widely used Veeam Backup & Replication software patches security flaws detected in version 12.1.2.172 and all previous version 12 versions. The software is employed for backup and recovery in cloud, virtual, and physical IT settings and is directly compatible with operating systems and environments such as AWS, Azure, Google Cloud, Oracle, SAP Hana, and Broadcom's VMware. 

Veeam Backup & Replication versions that are no longer supported, such as version 11, for which support ended in February, come with a warning from the company stating that they "are not tested, but are likely affected and should be considered vulnerable." 

Threat actors can exploit CVE-2024-40711 to remotely execute code on a Veeam Backup & Replication server without having to first authenticate to the server. The vendor rated the vulnerability 9.8 on the 10-point CVSS scale and credited its discovery to researcher Florian Hauser at cybersecurity service provider Code White. 

The company stated that the vulnerability could be leveraged to enable "full systems takeover" and that it would not immediately release any technical details regarding the flaw "because this might instantly be abused by ransomware gangs." 

Four additional vulnerabilities in Veeam Backup & Replication that were addressed in the Thursday update are classed as high-severity because exploiting them needs an attacker to first achieve a low-privileged role with the software or to have network access. 

In March 2023, Veeam patched an earlier Backup & Replication vulnerability, CVE-2023-27532, which has since been targeted by ransomware and cybercrime groups. Researchers warned that attackers could use that flaw to obtain encrypted credentials, gaining unauthorised access to the software and potentially moving to other parts of the network.

In July, cybersecurity company Group-IB revealed that groups such as EstateRansomware had been exploiting CVE-2023-27532. The United States Cybersecurity and Infrastructure Security Agency added CVE-2023-27532 to its Known Exploited Vulnerabilities catalogue in August of last year.

CISA Issues Warning on Critical Vulnerabilities in Vonets WiFi Bridge Devices, No Patch Released

 

The Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory highlighting several critical vulnerabilities discovered in Vonets WiFi Bridge devices. These vulnerabilities present significant risks, including the potential for attackers to execute arbitrary code, access sensitive data, or disrupt device operations.

This poses a serious threat to the security of industrial and commercial networks that depend on these devices. Despite the gravity of these issues, Vonets has not responded to CISA’s outreach for collaboration on mitigation efforts, leaving users at risk.

Key Vulnerabilities and Their Impacts:

The vulnerabilities identified in the Vonets devices vary in severity and include:

  • CVE-2024-41161 (CVSSv4 8.7): This flaw involves the use of hard-coded credentials, allowing unauthorized users to bypass authentication and gain full device access using pre-set administrator credentials that cannot be disabled. This makes it a particularly dangerous vulnerability.
  • CVE-2024-29082 (CVSSv4 8.8): An issue with improper access control permits attackers to bypass authentication and perform a factory reset on the device through unprotected endpoints, leading to potential service disruptions and loss of configuration data.
  • CVE-2024-41936 (CVSSv4 8.7): A directory traversal vulnerability that enables attackers to read arbitrary files on the device, bypassing authentication and exposing sensitive information.
  • CVE-2024-37023 (CVSSv4 9.4): OS command injection vulnerabilities allow authenticated attackers to execute arbitrary operating system commands on the device, potentially giving them control over its operation.
  • CVE-2024-39815 (CVSSv4 8.7): A flaw in the handling of exceptional conditions could lead to a denial-of-service (DoS) scenario when attackers send specially crafted HTTP requests to the device.
  • CVE-2024-39791 (CVSSv4 10): The most severe vulnerability, a stack-based buffer overflow, allows remote attackers to execute arbitrary code, potentially gaining full control of the device without needing authentication.
  • CVE-2024-42001 (CVSSv4 6.1): An issue with improper authentication enables attackers to bypass authentication by sending specially crafted requests during an active user session.

CISA’s Recommendations

In light of Vonets' lack of response, CISA has issued several recommendations to help organizations mitigate the risks associated with these vulnerabilities:

  • Minimize Network Exposure: Ensure that control system devices and networks are not directly accessible from the internet to reduce the risk of unauthorized access.
  • Isolate Control Systems: Position control system networks and remote devices behind firewalls and separate them from business networks to prevent cross-network attacks.
  • Secure Remote Access: When remote access is necessary, use secure methods like Virtual Private Networks (VPNs). However, it's crucial to keep VPNs updated and ensure the security of connected devices.
CISA stresses the importance of conducting thorough impact analysis and risk assessments before implementing any defensive measures to avoid unintended operational disruptions.

While no public exploitation of these vulnerabilities has been reported yet, the critical nature of these issues demands immediate attention. Organizations and individuals must act swiftly to safeguard their networks and reduce the risk of potential attacks.

Microsoft Uncovers Major Security Flaw in Android Apps with Billions of Downloads

 

Microsoft recently made a troubling discovery regarding the security of numerous Android applications, including some of the most widely used ones, each boasting over 500 million installations. After uncovering a common security weakness, Microsoft promptly notified Google's Android security research team, prompting Google to release new guidance aimed at helping Android app developers identify and rectify the issue. 
 
Among the applications found to be vulnerable were Xiaomi Inc.'s File Manager, boasting over 1 billion installations, and WPS Office, with around 500 million downloads. Although Microsoft confirms that the vendors of these products have since addressed the issue, they caution that there may be other apps out there still susceptible to exploitation due to the same security flaw. 
 
The vulnerability in question pertains to Android applications that share files with other apps. To enable secure sharing, Android employs a feature known as "content provider," which essentially serves as an interface for managing and exposing an app's data to other installed applications on the device. 
 
However, Microsoft's research uncovered a significant oversight in many cases: when an Android app receives a file from another app, it often fails to adequately validate the content. Particularly concerning is the practice of using the filename provided by the sending application to cache the received file within the receiving application's internal data directory. This oversight creates an opportunity for attackers to exploit the system by sending a file with a malicious filename directly to a receiving app, without the user's knowledge or consent. 
 
Typical targets for such file sharing include email clients, messaging apps, networking apps, browsers and file editors. If a malicious filename is accepted, the receiving app writes the file wherever the name points, which can trigger behaviour that leads to compromise. 
 
The potential consequences vary depending on the specific implementation of the Android application. In some scenarios, attackers could exploit the vulnerability to overwrite an app's settings, leading to unauthorized communication with attacker-controlled servers or the theft of user authentication tokens and other sensitive data. In more severe cases, attackers could inject malicious code into a receiving app's native library, enabling arbitrary code execution. 
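The weakness is a path traversal through the display name, and the fix is the same on every platform. The following is an added example, not Microsoft's or Google's guidance code, and it is written in Python rather than Android Java so it can run anywhere: the first function mirrors the vulnerable pattern described above, the second allow-lists the name, confines the resolved path to the cache directory and refuses to overwrite. The file names and scratch directory layout are constructed for the demonstration.

```python
"""Caching a file under the sender-supplied name: the traversal-prone pattern beside a hardened one."""
import os
import pathlib
import re
import tempfile

# Allow-list: a plain file name, no separators, not starting with a dot (assumed policy).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def cache_received_file_unsafe(data_dir, display_name, data):
    """The pattern Microsoft described: the sender's name is joined to the cache path as-is."""
    cache_dir = os.path.join(data_dir, "cache")
    os.makedirs(cache_dir, exist_ok=True)
    target = os.path.join(cache_dir, display_name)      # "../shared_prefs/x.xml" escapes here
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as f:
        f.write(data)
    return os.path.abspath(target)


def cache_received_file_safe(data_dir, display_name, data):
    """Hardened version: allow-list the name, confine the resolved path, never overwrite."""
    cache_dir = pathlib.Path(data_dir, "cache").resolve()
    cache_dir.mkdir(parents=True, exist_ok=True)
    if not SAFE_NAME.fullmatch(display_name):
        raise ValueError(f"rejected display name {display_name!r}")
    target = (cache_dir / display_name).resolve()
    if target.parent != cache_dir:                      # belt and braces after the allow-list
        raise ValueError("path escapes cache directory")
    with open(target, "xb") as f:                       # 'x': fail rather than clobber a file
        f.write(data)
    return str(target)


def demo():
    """Run both versions against a traversal name in a scratch directory (constructed input)."""
    with tempfile.TemporaryDirectory() as data_dir:
        cache_dir = pathlib.Path(data_dir, "cache").resolve()
        evil = "../shared_prefs/settings.xml"
        unsafe_path = pathlib.Path(cache_received_file_unsafe(data_dir, evil, b"<map/>"))
        try:
            cache_received_file_safe(data_dir, evil, b"<map/>")
            safe_rejected = False
        except ValueError:
            safe_rejected = True
        ok_path = pathlib.Path(cache_received_file_safe(data_dir, "invoice.pdf", b"%PDF-1.4"))
        try:
            cache_received_file_safe(data_dir, "invoice.pdf", b"overwrite")
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True
        return {
            "unsafe_escaped_cache": cache_dir not in unsafe_path.resolve().parents,
            "unsafe_wrote_settings": pathlib.Path(data_dir, "shared_prefs", "settings.xml").is_file(),
            "safe_rejected_traversal": safe_rejected,
            "safe_stored_inside_cache": ok_path.parent == cache_dir,
            "safe_refused_overwrite": overwrite_refused,
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

On Android the equivalent of the unsafe function is writing to `getCacheDir()` or `getFilesDir()` using the `DISPLAY_NAME` column returned by the sending app's content provider; the same three checks apply there, and the overwrite refusal is what stops an attacker replacing a native library or a preferences file the app already trusts.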
 
Microsoft and Google have both offered guidance to developers on how to address this issue, emphasizing the importance of validating file content and ensuring the secure handling of shared files. Meanwhile, end users can mitigate the risk by keeping their Android apps up to date and exercising caution when installing apps from sources they trust.

Avada Theme and Plugin Witnesses Critical Vulnerabilities


Several vulnerabilities have been discovered in the popular Avada theme and its companion Avada Builder plugin by security researcher Rafie Muhammad from Patchstack, who revealed that many WordPress websites are vulnerable to these flaws. 

Avada Theme and Plugin

Avada theme – the most popular theme in WordPress – is the top-selling theme in ThemeForest, selling over 900,000 copies. The theme is paired with an Avada Builder plugin, developed by ThemeFusion.

This theme calls itself "The Complete WordPress Website Building Toolkit," and is geared for premium website builders. Without ever writing a single line of code, it can create everything from one-page business websites to an online marketplace.

Security Flaws

Among the vulnerabilities in the Avada Builder plugin, the first is an authenticated SQL injection (CVE-2023-39309). By exploiting this flaw, an authenticated attacker could compromise sensitive data and potentially achieve remote code execution. 

The second vulnerability, named ‘Reflected Cross-Site Scripting (XSS)’ vulnerability (identified as CVE-2023-39306) enables unauthenticated attackers to steal sensitive data and perhaps elevate their privileges on affected WordPress sites.

Additionally, Patchstack found a number of flaws in the Avada theme. A Contributor+ Arbitrary File Upload vulnerability (CVE-2023-39307) is the first among them. In this case, Contributors are given the authority to upload whatever file they choose, including potentially harmful PHP scripts, allowing remote code execution and jeopardizing the integrity of the site.

A similar Author+ bug (CVE-2023-39312) is also significant. Here, Authors are able to upload malicious zip files, potentially exposing the website to further vulnerabilities and remote code execution.

Also, this series of vulnerabilities include the Contributor+ Server-Side Request Forgery (SSRF) vulnerability (CVE-2023-39313). This flaw allows Contributors to send requests to internal WordPress services, which could lead to illegal actions or data access within the organizational structure.

The vulnerabilities were first discovered and reported to the Avada vendor on July 6, 2023, following which patched versions were made available on July 11. The security alert was made public on August 10, 2023, and Patchstack added the flaws to their database of vulnerabilities.

In order to address the flaws, users are advised to update their Avada Builder plugin to version 3.11.2 and the Avada theme to version 7.11.2, ensuring website security.

Forget ChatGPT, Google Bard may Possess Some Serious Security Flaws


A recent report claims that Google's AI chatbot, Google Bard, may let users generate phishing emails and other malicious content, unlike ChatGPT.

In one such instance, cybersecurity researchers at Check Point were able to produce phishing emails, keyloggers and some basic ransomware code using Google's AI tool.

The researchers' report further noted how they set out to compare Bard's security to that of ChatGPT. From both sites, they attempted to obtain three things: phishing emails, malicious keyloggers, and some simple ransomware code.

The researchers described that simply asking the AI bots to create phishing emails yielded no results, however asking the Bard to provide ‘examples’ of the same provided them with plentiful phishing mails. ChatGPT, on the other hand, refused to comply, claiming that doing so would amount to engaging in fraudulent activity, which is illegal.

The researchers further create malware like keyloggers, to which the bots performed somewhat better. Here too, a direct question did not provide any result, but a tricky question as well yielded nothing since both the AI bots declined. However, answers for being asked to create keyloggers differed in both the platforms. While Bard simply said, “I’m not able to help with that, I’m only a language model,” ChatGPT gave a much detailed explanation.

Later, when asked to provide a keylogger to log their own keystrokes, both ChatGPT and Bard ended up generating malicious code. ChatGPT, however, did provide a disclaimer before doing so.

The researchers finally proceeded to ask Bard to provide a basic ransomware script. While this was much trickier than getting the AI bot to generate phishing emails or keyloggers, they eventually managed to get Bard into the game.

“Bard’s anti-abuse restrictors in the realm of cybersecurity are significantly lower compared to those of ChatGPT[…]Consequently, it is much easier to generate malicious content using Bard’s capabilities,” they concluded.

Why Does it Matter?

The reason, in simple terms, is that malicious use of any new technology is inevitable.

From this, one can conclude that such issues with emerging generative AI technologies are to be expected. AI, as an extremely advanced tool, has the potential to rewrite the entire cybersecurity script.

Cybersecurity experts and law enforcement agencies have already voiced this concern and have warned that AI technology can accelerate the ongoing innovation in cybercrime tactics, such as convincing phishing emails, malware, and more. Advances in the technology have made it so accessible that a cybercriminal can now deploy a sophisticated cyberattack with only minimal coding ability.

While regulators and law enforcement are doing their best to impose limits on the technology and ensure that it is used ethically, developers are doing their part by training their platforms to refuse requests that would aid criminal activity.

While the generative AI market is decentralized, big companies will always be under the watch of regulatory bodies and law enforcement. Smaller companies, however, will remain on the radar for potential cyberattacks, especially those unable to fight against or prevent such abuse.

Researchers and security experts suggest that the only way to improve the cybersecurity posture is to fight back with full strength. Even though AI is already being used to identify suspicious network activity and other criminal conduct, it cannot be used to raise the barriers to entry back to where they once were. There is no closing the door ever again.

Apple Issues Security Updates for Actively Exploited Vulnerabilities in iOS


Apple announced a series of patches this week for several iOS zero-day flaws that have already been used by malicious parties to sneakily install malware and steal user data. Therefore, it is important that you update your phone as soon as you can.

iOS 16.5.1, which is now available for download if you have an iPhone 8 or newer, fixes a critical security vulnerability that allows hackers to access all of your personal data saved on your iPhone.

This particular vulnerability was discovered in Russia, where thousands of Russian government officials' iPhones were allegedly infected with malware. It's a kernel flaw that allows bad actors to execute arbitrary code with kernel privileges, which means hackers can run whatever code they want on a targeted device. 

According to The Washington Post, the attackers have been sending iMessages with malicious attachments that corrupt and provide access to their targets' iPhones. The latest iOS patch from Apple also addresses a vulnerability in WebKit, the foundation that allows developers to display webpages on Apple devices. Again, it allowed hackers to obtain personal data from users by executing arbitrary code on their target's phone. 

The tech giant stated on the support page for the update that the attacks have only been observed on devices running iOS 15.7 or earlier. While this indicates that the company is not aware of any attacks on iOS devices running newer versions, those systems may still be exposed. Because of this, Apple urges all users to download iOS 16.5.1 even if their iPhone is already shielded from the aforementioned vulnerabilities.

This security concern is being taken seriously even by American authorities. Federal agencies were asked to download the most recent version by July 13 after the Cybersecurity and Infrastructure Security Agency added the two exploits to its list of known exploited vulnerabilities.

Even if you don't think you're a target for malware, now is a good time to upgrade your device if you have one of the best iPhones. To install iOS 16.5.1 on your device right now, go to Settings, General, and then Software Update.

Online Thieves Exploit Vulnerability in Microsoft Visual Studio


Security professionals are alerting users regarding a vulnerability in the Microsoft Visual Studio installer that enables hackers to distribute harmful extensions to application developers while posing as a trusted software vendor. From there, they may sneak into development environments and seize control while contaminating code, stealing very valuable intellectual property, and doing other things. 

The CVE-2023-28299 spoofing vulnerability was patched by Microsoft as part of its April security release. At the time, the business rated the bug as having a low likelihood of being exploited and categorised the vulnerability as having moderate severity. However, the Varonis researchers who first identified the vulnerability provided a somewhat different perspective on the flaw and its potential consequences in a blog post this week.

According to the researchers, the flaw should be addressed because it is easily exploitable and is present in a product with a 26% market share and more than 30,000 consumers.

"With the UI bug found by Varonis Threat Labs, a threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis security researcher Dolor Taler explained. "Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system." 

Varonis identified a vulnerability that affects several iterations of the Visual Studio integrated development environment (IDE), from Visual Studio 2017 through Visual Studio 2022. The problem lies in a security restriction in Visual Studio that prevents users from entering information in the "product name" extension field; the restriction turns out to be simple for anyone to get around.

Taler discovered that an attacker could get around that restriction by opening a Visual Studio Extension (VSIX) package as a .ZIP file and then manually adding newline characters to a tag in the "extension.vsixmanifest" file. Developers use a newline character to indicate the end of a line of text so that the cursor moves to the start of the following line on the screen.

"And because a threat actor controls the area under the extension name, they can easily add fake 'Digital Signature' text, visible to the user and appearing to be genuine," Taler added.
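A defender-side check for the manifest trick described above: the script below is an added example, not Varonis' or Microsoft's code. It opens a VSIX as a ZIP, reads extension.vsixmanifest and flags control characters such as newlines in the display fields; it assumes the standard VSIX 2.0 manifest layout (PackageManifest/Metadata with DisplayName, Description and Identity@Publisher), and the sample package is constructed in memory.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumed standard VSIX 2.0 manifest layout: PackageManifest/Metadata with
# DisplayName, Description and an Identity element carrying Publisher.
VSIX_NS = {"v": "http://schemas.microsoft.com/developer/vsx-schema/2011"}

# Any control character in a display string is suspicious: the installer UI
# renders it, and text after a line break can pose as a separate status line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def check_manifest_fields(manifest_xml: bytes) -> list[str]:
    """Return findings for display fields that contain control characters."""
    root = ET.fromstring(manifest_xml)
    meta = root.find("v:Metadata", VSIX_NS)
    if meta is None:
        return ["manifest has no Metadata element"]
    fields = {
        "DisplayName": meta.findtext("v:DisplayName", default="", namespaces=VSIX_NS),
        "Description": meta.findtext("v:Description", default="", namespaces=VSIX_NS),
    }
    identity = meta.find("v:Identity", VSIX_NS)
    if identity is not None:
        fields["Identity@Publisher"] = identity.get("Publisher", "")
    return [
        f"{name} contains control characters: {value!r}"
        for name, value in fields.items()
        if CONTROL_CHARS.search(value)
    ]


def check_vsix(vsix_bytes: bytes) -> list[str]:
    """A VSIX is a ZIP container; lint the extension.vsixmanifest inside it."""
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        if "extension.vsixmanifest" not in zf.namelist():
            return ["extension.vsixmanifest missing from package"]
        manifest = zf.read("extension.vsixmanifest")
    return check_manifest_fields(manifest)


def build_sample_vsix(display_name: str) -> bytes:
    """Constructed fixture: a minimal in-memory VSIX holding only the manifest."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<PackageManifest Version="2.0.0" '
        'xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">\n'
        '  <Metadata>\n'
        '    <Identity Id="example.sample" Version="1.0" Language="en-US" '
        'Publisher="Example Publisher" />\n'
        f'    <DisplayName>{display_name}</DisplayName>\n'
        '    <Description>Constructed sample extension.</Description>\n'
        '  </Metadata>\n'
        '</PackageManifest>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension.vsixmanifest", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    # A clean package yields no findings; one with a line break in its name is flagged.
    print(check_vsix(build_sample_vsix("Clean Extension")))
    print(check_vsix(build_sample_vsix("Spoofed Extension\nDigital Signature: valid")))
```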

PoC Published for Windows Win32k Flaw Exploited in Assaults


For a Windows local privilege escalation vulnerability that was patched as part of the May 2023 Patch Tuesday, researchers have published a proof-of-concept (PoC) exploit. 

The Win32k subsystem (Win32k.sys kernel driver) controls the operating system's window manager and handles screen output, input, and graphics in addition to serving as an interface for various types of input hardware. Since they usually grant elevated rights or code execution, these kinds of vulnerabilities are often exploited. 

Avast, a company that specialises in cybersecurity, first identified the flaw, which is tracked as CVE-2023-29336. It was given a CVSS v3.1 severity rating of 7.8, as it enables low-privileged users to obtain Windows SYSTEM privileges, the highest user mode privileges in Windows. 

CISA also released a warning and listed it in its database of "Known Exploited Vulnerabilities" in order to inform people about the actively exploited vulnerability and the importance of installing Windows security upgrades. 

Security researchers at Web3 cybersecurity company Numen have now published comprehensive technical information on the CVE-2023-29336 bug and a Proof of Concept exploit for Windows Server 2016 exactly one month after the patch became accessible. 

Re-discovering the vulnerability 

Although the flaw is being actively exploited against older versions of Windows, including Windows 8, Windows Server, and earlier versions of Windows 10, Microsoft states that Windows 11 is unaffected.

"While this vulnerability seems to be non-exploitable on the Win11 system version, it poses a significant risk to earlier systems," Numen explained in their report. "Exploitation of such vulnerabilities has a notorious track record, and in this in-depth analysis, we delve into the methods employed by threat actors to exploit this specific vulnerability, taking into account evolving mitigation measures."

Win32k only locks the window object but fails to lock the nested menu object, according to Numen's researchers who examined the vulnerability on Windows Server 2016. 

This oversight, which the researchers attribute to out-of-date code being transferred to more recent Win32k versions, makes menu objects susceptible to manipulation or hijacking if attackers change the precise address in the system memory.

Even if the initial step doesn't give attackers admin-level rights, it serves as a useful stepping stone that enables them to obtain those rights via the following steps. Controlling the menu object means gaining the same level of access as the programme that launched it. Overall, CVE-2023-29336 is not extremely difficult to exploit.

"Apart from diligently exploring different methods to gain control over the first write operation using the reoccupied data from freed memory, there is typically no need for novel exploitation techniques," the report further reads. "This type of vulnerability heavily relies on leaked desktop heap handle addresses […], and if this issue is not thoroughly addressed, it remains a security risk for older systems." 

System administrators, according to Numen, should watch out for unusual offset reads and writes in memory or connected to window objects, as these could point to active CVE-2023-29336 privilege escalation.

Applying the May 2023 patch is advised for all Windows users as it corrected two additional active zero-day vulnerabilities in addition to the specific issue.

Google: Gmail Users Warned of a Security Flaw in its New Feature


Google has recently issued a warning to its 1.8 billion Gmail users following a security flaw that was discovered in one of its latest security functions.

The feature, Gmail's checkmark system, was introduced to help users distinguish legitimate emails from certified businesses and organizations from those sent by potential scammers. It does so by displaying a blue checkmark next to verified senders.

However, threat actors were able to take advantage of this feature, raising questions about the general security of Gmail.

Chris Plummer, a cybersecurity expert, found that cybercriminals could deceive Gmail into thinking their bogus businesses were real. This way, they shattered the trust Gmail users were supposed to have in the checkmark system.

"The sender found a way to dupe @gmail's authoritative stamp of approval, which end users are going to trust. This message went from a Facebook account to a UK netblock, to O365, to me. Nothing about this is legit," says Plummer.

Initially, Google dismissed the claims, calling this “intended behavior.” But after the issue gained significant attention following Plummer’s tweet about the flaw, Google finally acknowledged the error.

Google then admitted its mistake and conducted a proper investigation into the matter. The flaw’s severity was acknowledged, with Google labeling it a ‘P1’ fix, which indicates the topmost priority status.

"After taking a closer look we realized that this indeed doesn't seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on […] We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this! We'll keep you posted with our assessment and the direction that this issue takes," Google said in a statement.

Google’s warning serves as a reminder to online users that security features are themselves vulnerable to flaws, regardless of how advanced they become. Thus, it is important to keep a vigilant eye on ‘safety’ features. Users must also be careful when engaging in email communication.

Threat Actors Launch a New Wave of Mass-Hacks Against Business File Transfer Tool


Security experts are raising the alarm after hackers were detected using a recently identified vulnerability in a well-known file transfer tool that is used by thousands of organisations to start a new wave of massive data exfiltration assaults. 

The flaw affects Progress Software's MOVEit Transfer managed file transfer (MFT) software, which enables businesses to transmit huge files and datasets over the internet. Ipswitch is a subsidiary of Progress Software.

Last week on Wednesday, Progress acknowledged that it had found a vulnerability in MOVEit Transfer that "could lead to escalated privileges and potential unauthorised access to the environment," and it advised customers to turn off internet traffic to their MOVEit Transfer environments. 

All customers are urged to promptly apply the patches that Progress has now made available.

The U.S. cybersecurity agency CISA is also advising U.S. organisations to implement the required patches, follow Progress' mitigating recommendations, and look for any malicious behaviour. 

The popularity of such enterprise systems has made corporate file-transfer technologies an increasingly appealing target for hackers who want to steal data from numerous victims.

The impacted file transfer service is used by "thousands of organisations around the world," according to the company's website, but Jocelyn VerVelde, a representative for Progress through an outside public relations firm, declined to specify how many organisations use it. More than 2,500 MOVEit Transfer servers are visible on the internet, according to Shodan, a search engine for publicly exposed devices and databases. Most of these servers are based in the United States, but there are also many more in the United Kingdom, Germany, the Netherlands, and Canada. 

Security researcher Kevin Beaumont claims that the vulnerability also affects users of the MOVEit Transfer cloud platform. According to Beaumont, some "big banks" are also thought to be MOVEit customers and at least one disclosed instance is linked to the U.S. Department of Homeland Security. Several security firms claim to have already seen indications of exploitation.

According to Mandiant, "several intrusions" involving the exploitation of the MOVEit vulnerability are under investigation. Charles Carmakal, the chief technical officer of Mandiant, acknowledged that Mandiant had "seen evidence of data exfiltration at multiple victims." 

According to a blog post by cybersecurity firm Huntress, one of its clients has observed "a full attack chain and all the matching indicators of compromise." 

Meanwhile, the security research company Rapid7 said that it has seen indications of data theft and misuse from "at least four separate incidents." According to Rapid7's senior manager of security research, Caitlin Condon, there is evidence that suggests attackers may have started automated exploitation. 

While the exact start date of exploitation is unknown, threat intelligence firm GreyNoise claims to have seen scanning activity as early as March 3. The company advises customers to check their systems for any signs of possible unauthorised access that may have happened during the last 90 days. 

The perpetrator of the widespread MOVEit server exploitation is still unknown. 

The attacker's actions were "opportunistic rather than targeted," according to Rapid7's Condon, who also speculated that this "could be the work of a single threat actor throwing one exploit indiscriminately at exposed targets."

Illumina: FDA, CISA Warns Against Security Flaw Making Medical Devices Vulnerable to Remote Hacking


The US government has issued a warning to healthcare providers and lab employees about a critical flaw discovered in the medical devices of genomics giant Illumina, which threat actors could use to alter or steal sensitive patient medical data.

On Thursday, US cybersecurity agency CISA and US Food and Drug Administration FDA released separate advisories to alert organizations of the vulnerabilities affecting the Universal Copy Service (UCS) component used by a number of Illumina's genetic sequencing devices.

The flaw, identified as CVE-2023-1968, enables remote access to a vulnerable device via the internet without the need for a password. If exploited, hackers may be able to compromise devices and cause them to generate false, altered, or nonexistent results.

The advisories also include a second vulnerability, CVE-2023-1966, which is rated 7.4 out of 10 for severity. The flaw might provide hackers access to the operating system level, where they could upload and run malicious programs to change settings and access private information on the impacted product.

The FDA claimed it was unaware of any actual attacks that exploited the flaws, but it did issue a warning that a hacker might use them to remotely control a device or change its settings, software, or data, as well as remotely access the user's network.

“On April 5, 2023, Illumina sent notifications to affected customers instructing them to check their instruments and medical devices for signs of potential exploitation of the vulnerability,” states the FDA in its notification. 

The products from Illumina that are vulnerable include iScan, iSeq, MiniSeq, MiSeq, MiSeqDx, NextSeq, and NovaSeq. These products, which are used all around the world in the healthcare industry, are made for clinical diagnostic use when sequencing a person's DNA for different genetic diseases or research needs.

According to Illumina spokesperson David McAlpine, Illumina has “not received any reports indicating that a vulnerability has been exploited, nor do we have any evidence of any vulnerabilities being exploited.” Moreover, he declined to comment on whether the company has technical resources that could detect exploitation, nor did he specify the number of devices affected by the vulnerability.

Illumina CTO Alex Aravanis in a LinkedIn post mentions that the company detected the flaw as part of routine efforts to examine its software for potential flaws and exposures.

“Upon identifying this vulnerability, our team worked diligently to develop mitigations to protect our instruments and customers[…]We then contacted and worked in close partnership with regulators and customers to address the issue with a simple software update at no cost, requiring little to no downtime for most,” Aravanis said.  

Critical Security Flaws Identified in Popular Japanese Word Processing Software


Ichitaro is a widely recognized word processing software in Japan created by JustSystems.

Cisco Talos recently discovered four bugs in it that might result in arbitrary code execution. Ichitaro uses the .jtd file extension and the ATOK input method editor (IME). In Japan, only Microsoft Word is more widely used as a word processor.

The researchers identified four flaws that might give an attacker access to the target machine and the ability to run arbitrary code. In the event that the target opens a malicious file prepared by the attacker, TALOS-2022-1673 (CVE-2022-43664) might allow the attacker to reuse freed memory, which could result in further memory corruption and even arbitrary code execution.

Similar effects can also be seen as a result of TALOS-2023-1722 (CVE-2023-22660), except this time the cause is a buffer overflow. 

The two other memory corruption flaws, TALOS-2022-1687 (CVE-2023-22291) and TALOS-2022-1684 (CVE-2022-45115), which can also result in code execution if the target opens a specially prepared, malicious document, are similarly exploitable. 

In accordance with Cisco's vulnerability disclosure policy, Cisco Talos collaborated with JustSystems to ensure that these vulnerabilities were patched and that an update was accessible to customers who were affected. 

Users are advised to update the impacted product, Ichitaro 2022 version 1.0.1.57600, as soon as they can; according to Talos' testing, this version of the word processor is affected by these flaws.

61011, 61012, 61091, 61092, 61163, 61164, 61393 and 61394 are the Snort rules that will catch attempts to exploit this issue. In the absence of new vulnerability information, further rules may be provided in the future, and existing rules may change. Please consult your Cisco Secure Firewall Management Center or Snort.org for the latest up-to-date rule information.

Winter Vivern Hackers Exploit Zimbra Flaw to Siphon NATO Emails


Since February 2023, a Russian hacking group known as TA473, also identified as "Winter Vivern," has been actively stealing the emails of NATO leaders, governments, soldiers, and diplomats by taking advantage of flaws in unpatched Zimbra endpoints.

Sentinel Labs published a report on 'Winter Vivern's' recent operation two weeks ago, detailing how the group propagated malware that poses as a virus scanner by imitating websites run by European organisations that fight online crime. 

The threat actor used Zimbra Collaboration servers to exploit CVE-2022-27926, according to a new report released by Proofpoint today. This vulnerability allowed the threat actor to access the communications of individuals and organisations that are NATO allies.

Taking aim at Zimbra 

Before launching an attack, Winter Vivern first uses the Acunetix vulnerability scanner to look for unpatched webmail platforms.

From there, the hackers send a phishing email from a compromised account, spoofed to look as if it comes from a person the target knows or who is somehow connected to their business. A link in the email exploits the CVE-2022-27926 vulnerability in the target's compromised Zimbra infrastructure to inject additional JavaScript payloads into the webpage.

These payloads are then used to steal usernames, passwords, and tokens when cookies are received from the hacked Zimbra endpoint. These details give the threat actors unrestricted access to the targets' email accounts.

"These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance," the Proofpoint report reads. "Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that indicate the username, password, and CSRF token of targets. In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well."

This particular aspect illustrates the diligence of the threat actors in pre-attack reconnaissance, ascertaining which portal their target utilises before constructing the phishing emails and establishing the landing page function. 

In addition to three layers of base64 encoding used to obfuscate the malicious JavaScript and complicate analysis, Winter Vivern also incorporated pieces of the legitimate JavaScript that runs on the native webmail interface, blending in with regular activity and lowering the risk of detection.
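To inspect a payload obfuscated the way the report describes, an analyst first peels the nested base64 layers before looking for what the script touches. The script below is an added example, not Proofpoint's tooling; the indicator list and the triple-wrapped sample script are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed, illustrative indicator list for triage once the payload is
# readable; a real deployment would use the team's own detection content.
SUSPICIOUS_PATTERNS = [
    r"document\.cookie",  # session/auth token access
    r"csrf",              # CSRF token handling, which the report says is targeted
    r"password",          # credential fields
]

# Only base64 alphabet characters with optional trailing padding; anything
# else means we have reached readable script rather than another layer.
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def unwrap_base64_layers(blob: str, max_layers: int = 8) -> tuple[str, int]:
    """Peel nested base64 layers and return (innermost_text, layers_removed).

    Decoding stops when the content is no longer base64 or does not decode
    to UTF-8 text, so plain JavaScript is returned unchanged with 0 layers.
    The check is heuristic: a short all-alphanumeric script could be over-peeled.
    """
    current = blob
    layers = 0
    while layers < max_layers:
        candidate = re.sub(r"\s+", "", current)
        if not candidate or not _B64_RE.fullmatch(candidate):
            break
        try:
            text = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        current = text
        layers += 1
    return current, layers


def find_indicators(script: str) -> list[str]:
    """Return the patterns from SUSPICIOUS_PATTERNS present in the decoded script."""
    return [p for p in SUSPICIOUS_PATTERNS if re.search(p, script, re.IGNORECASE)]


def triage(blob: str) -> dict:
    """Decode a captured script and report obfuscation depth plus indicators."""
    script, layers = unwrap_base64_layers(blob)
    return {"layers": layers, "script": script, "indicators": find_indicators(script)}


def wrap_base64_layers(text: str, layers: int) -> str:
    """Fixture helper: encode text in the given number of base64 layers."""
    data = text
    for _ in range(layers):
        data = base64.b64encode(data.encode("utf-8")).decode("ascii")
    return data


# Constructed sample: a harmless marker script wrapped three times, mirroring
# the three layers of base64 described in the report. It sends nothing anywhere.
SAMPLE_SCRIPT = "var t = document.cookie; /* constructed sample, no exfiltration */"
SAMPLE_BLOB = wrap_base64_layers(SAMPLE_SCRIPT, 3)

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```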

Ultimately, the threat actors gain access to confidential data in the compromised webmail accounts, or can maintain their foothold to monitor communications over time. In addition, the hackers can use the compromised accounts to conduct lateral phishing attacks and further their penetration of the target organisations.

Researchers say that "Winter Vivern" is not very sophisticated, but it nonetheless employs a successful operating strategy that is effective even against well-known targets who are slow to deploy software updates. In this instance, Zimbra Collaboration 9.0.0 P24, released in April 2022, corrected CVE-2022-27926.

The delay in implementing the security update is estimated to have been at least ten months long given that the earliest assaults were discovered earlier this year in February.