
Critical Security Issue Hits Four-Faith Routers

According to VulnCheck, a critical vulnerability identified as CVE-2024-12856 has been discovered in Four-Faith industrial routers, specifically affecting the F3x24 and F3x36 models, as well as users’ machines. Evidence suggests active exploitation of this vulnerability in the wild, raising significant security concerns for industrial and enterprise users. The flaw resides in the router’s system time adjustment function, where a post-authentication vulnerability allows attackers to execute remote commands on compromised devices.

Technical Details of the Vulnerability

The routers, running firmware version 2.0, are susceptible to an authenticated remote command execution flaw via the HTTP endpoint apply.cgi. Attackers can manipulate the system time parameter using POST requests, enabling arbitrary command execution. Additionally, the firmware is configured with default credentials that, if left unchanged, can escalate the vulnerability to allow unauthenticated remote OS command injection.

Data provided by VulnCheck indicates that approximately 15,000 internet-facing routers may be affected by this issue. Exploitation campaigns have been observed since at least November 2024, with attackers altering system parameters remotely. The attacks appear to originate from multiple IP addresses and utilize Mirai-like payloads to compromise the devices. VulnCheck notes that some payloads share similarities with those used to exploit a prior vulnerability (CVE-2019-12168), although the underlying components differ.

Security researchers have identified attack patterns involving two primary IP addresses, including 178.215.238.91, as sources of active exploitation campaigns. User-Agent strings from these attacks match earlier campaigns documented in November 2024, with new payload variations targeting the identified flaw. While the attacks remain low-scale, they demonstrate a high level of persistence.

Censys data corroborates VulnCheck’s findings, suggesting that the vulnerability has been exploited consistently since its initial observation. Despite this, an official from Bains, speaking to The Hacker News, emphasized that the attacks are not widespread and appear to involve a small number of attackers using spamming techniques at a low frequency.

Mitigation Recommendations

As of now, there is no confirmation regarding the availability of security patches for the affected firmware. VulnCheck disclosed the vulnerability to Four-Faith on December 20, 2024, and awaits a response. In the interim, researchers strongly advise users to take the following measures to mitigate potential risks:

  • Immediately change default credentials on affected devices.
  • Restrict network exposure by placing routers behind firewalls or VPNs.
  • Monitor device activity for unusual or unauthorized behavior.
  • Implement detection rules, such as the Suricata rule provided by VulnCheck, to identify suspicious HTTP POST requests indicative of the attack.
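As an added example (not VulnCheck's Suricata rule and not code from the original post), the following Python scans simplified, constructed request records for POST bodies to apply.cgi whose decoded parameter values contain shell metacharacters, which is the shape of request the report describes. The parameter name `sys_time`, the source addresses and the bodies are all assumptions made up for the sample.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests as (src_ip, method, path, raw POST body).
# These are illustrative records only, not traffic from the VulnCheck report;
# "sys_time" is an assumed parameter name, since the report does not name it.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "POST", "/apply.cgi", "page=time&sys_time=2024-12-27+10%3A00%3A00"),
    ("203.0.113.7", "POST", "/apply.cgi", "page=time&sys_time=2024-12-27%3BPLACEHOLDER_CMD"),
    ("10.0.0.9", "GET", "/apply.cgi", ""),
    ("10.0.0.9", "POST", "/other.cgi", "x=1%3B2"),
]

WATCHED_PATH = "/apply.cgi"
# Characters with shell meaning that never belong in a date/time setting value.
SHELL_META = re.compile(r"[;|&`$<>\n]")


def flagged_params(body: str) -> dict:
    """Return {param: [values]} for every decoded POST value containing shell metacharacters."""
    hits = {}
    # parse_qs percent-decodes values, so an encoded %3B is still caught as ';'.
    for name, values in parse_qs(body, keep_blank_values=True).items():
        bad = [v for v in values if SHELL_META.search(v)]
        if bad:
            hits[name] = bad
    return hits


def scan(requests):
    """Return (src_ip, flagged params) for POSTs to apply.cgi whose body looks like injection."""
    alerts = []
    for src, method, path, body in requests:
        # Only the configuration endpoint named in the report is of interest here.
        if method != "POST" or path.split("?", 1)[0] != WATCHED_PATH:
            continue
        hits = flagged_params(body)
        if hits:
            alerts.append((src, hits))
    return alerts


if __name__ == "__main__":
    for src, hits in scan(SAMPLE_REQUESTS):
        print(f"ALERT {src} -> {WATCHED_PATH} {hits}")
```

The check is a heuristic: a benign time value such as `2024-12-27 10:00:00` passes, while any value carrying `;`, `|`, `&`, backticks or `$` is raised for review.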

Impact and Implications

By exploiting this vulnerability, attackers can gain full control over affected devices, including executing reverse shell commands to maintain persistent access while concealing their identities. Such control poses a severe threat to organizations reliant on Four-Faith routers for critical operations.

The absence of immediate patches has prompted security researchers to highlight the importance of adopting proactive measures. Organizations are advised to strengthen their defenses against suspicious activity while awaiting updates from Four-Faith. VulnCheck, adhering to responsible disclosure policies, has withheld additional technical details and information about patches until a response from the manufacturer is received.

This incident underscores the critical need for robust firmware security practices, including eliminating default credentials and ensuring timely patch management, to protect against emerging threats in industrial environments.

New Way to Exploit PaperCut Vulnerability Detected

Cybersecurity professionals have recently discovered a new way to exploit a critical vulnerability in PaperCut servers that gets past all current detections.

The flaw, tracked as CVE-2023-27350 (CVSS score 9.8), affects PaperCut MF and NG versions 8.0 or later. It is a critical-severity unauthenticated remote code execution bug that has been used in ransomware campaigns.

The flaw, discovered in March 2023, apparently enabled threat actors to execute code through PaperCut’s built-in scripting interface. While the flaw was later patched, an update to the advisory released in April warned that it was being actively exploited in attacks.

Since then, a variety of threat actors, including ransomware operators, have exploited the vulnerability, and post-exploitation activities have resulted in the execution of PowerShell instructions used to deliver extra payloads.

Researchers soon released PoC exploits for the RCE flaw, and Microsoft later confirmed that the Clop and LockBit ransomware gangs had used it to gain initial access. In response, several security firms published detection guidance and indicators of compromise for PaperCut attacks, covering Sysmon, log files, and network signatures.

However, a new attack technique, identified by VulnCheck researchers, can bypass current detections, enabling attackers to exploit CVE-2023-27350 without hindrance. "This report shows that detections that focus on one code execution method, or that focus on a small subset of techniques used by one threat actor, are doomed to be useless in the next round of attacks," explains VulnCheck.

Bypassing Detection 

According to VulnCheck, Sysmon-based detections that rely on process-creation analysis have already been defeated by existing PoCs that use different methods of spawning child processes.

Regarding log-file detection, VulnCheck notes that log files cannot be trusted as a reliable indicator of exploitation, since they only record normal admin-user logins. Moreover, there is a way to exploit CVE-2023-27350 without leaving entries in the log files at all.

Instead of the built-in scripting interface, the newly released PoC abuses the "User/Group Sync" feature in PaperCut NG, which lets an admin user define a custom program for user authentication.

VulnCheck's PoC uses "/usr/sbin/python3" on Linux and "C:\Windows\System32\ftp.exe" on Windows, and supplies the malicious input in the credentials so that code execution occurs during a login attempt.

Since this method neither creates direct child processes nor generates distinctive log entries, it bypasses both the Sysmon and the log-file detections. Network-signature detections can likewise be bypassed easily if the threat actor modifies the HTTP request, for example by adding a slash or making other small changes to it.

Although VulnCheck did not offer alternative detection techniques that are effective against all PoCs, it warned that attackers closely monitor the detection techniques used by defenders and modify their attacks to evade them.

Thus, the best way to counter this attack is to apply the recommended security patches: PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and later.