
Italian Firm Trains Pakistani Navy Officers in Cybersecurity, Raising Concerns

Recently, it has come to light that individuals responsible for state-sponsored cyberattacks, reportedly backed by Pakistan, underwent advanced training by an Italian security firm. Documents shared with The Sunday Guardian indicate that Pakistani Navy officers, including those with high ranks like colonel, lieutenant colonel, and major, participated in a 13-week training course on Malware Development for various operating systems in Rome, Italy. 

The Italian firm CY4Gate, part of the Elettronica group, confirmed the training program in response to a request from Commander Muhammad Nadeem Ilyas of the Pakistan Directorate of Naval Intelligence. The syllabus covered advanced technical cyber topics, with dedicated areas in CY4Gate's specialised laboratories for theoretical and practical sessions.

Notably, a surge in state-sponsored cyberattacks against India has been reported, with a 278% increase between 2021 and September 2023. Government agencies experienced a 460% rise in targeted cyberattacks, while startups and SMEs saw an alarming increase of 508%. These findings raise concerns about the potential impact on national security and the need for heightened cybersecurity measures. 

Newly obtained internal documents provide insight into the cybersecurity training that the Italian firms Elettronica and CY4Gate provided to Pakistani Navy officers. The syllabus includes instruction on bypassing popular antivirus software such as Kaspersky, Avast, Bitdefender, Quick Heal, Windows Defender and ESET NOD32, along with techniques to inject disruptive payloads into protected systems.

Training Details

- Duration: 13 weeks (January to March 2023)
- Location: CY4GATE training laboratory, Via Coponia, Rome 
- Participants: One colonel, two lieutenant colonels, and seven majors 
- Accommodation: Hotel Adagio, Via Damiano Chiesa, Rome 

Concerns for India

Elettronica and CY4Gate, implicated in training the Pakistani officers, have also operated in India since 2008. A Memorandum of Understanding (MoU) signed with Bharat Electronics Limited (BEL) in 2019 raises concerns about potential security implications.

Global Impact

The rise in Pakistan's investment in disruptive cyber methods signifies a growing trend in military hacking, similar to tactics employed by North Korea. Potential targets include institutions in India, Israel, the United States, the Netherlands, and Sweden, with financial gains as a motive. These skills may also be used against political parties and individuals deemed anti-establishment in Pakistan. 

G20 Summit Cyberattacks

Highlighting the severity, during the G20 Summit, the government's official website faced relentless cyberattacks, averaging 16 lakh attacks per minute or 26,000 attacks per second. 

Response from Elettronica

Efforts to obtain clarity from Elettronica regarding these developments have proven futile, as the company remains unresponsive to inquiries. This lack of response adds to the uncertainty surrounding the situation.


Laptops with Windows Hello Fingerprint Authentication Vulnerable

Microsoft's Windows Hello, which offers a passwordless method of logging into Windows-powered machines, may not be as secure as users think. An evaluation of the fingerprint sensors embedded in laptops that support Windows Hello fingerprint authentication uncovered multiple vulnerabilities that would allow a threat actor to bypass Windows Hello authentication completely.

As Blackwing Intelligence reported in a blog post, Microsoft's Offensive Research and Security Engineering (MORSE) team had asked the firm to assess the security of the three top fingerprint sensors embedded in laptops.

The research covered three laptops: the Dell Inspiron 15, the Lenovo ThinkPad T14, and the Microsoft Surface Pro Type Cover with Fingerprint ID. The researchers found several vulnerabilities in the Windows Hello fingerprint authentication system that could be exploited.

The report also reveals that the fingerprint sensors used in the Lenovo ThinkPad T14, Dell Inspiron 15, and Surface Pro 8 and X tablets, made by Goodix, Synaptics, and ELAN, were vulnerable to man-in-the-middle attacks due to their underlying technology.

Fingerprint authentication through Windows Hello is not as secure as manufacturers would like. Several security flaws have been discovered in fingerprint sensors used in many laptops compatible with the Windows Hello authentication feature, due to the use of outdated firmware.

The flaws were discovered by researchers at Blackwing Intelligence, a company that researches the security, offensive capabilities, and vulnerabilities of hardware and software products. The researchers found weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN embedded in the devices.

Exploiting a fingerprint reader requires that fingerprint authentication already be set up on the targeted laptop. All three sensors belong to a class known as "match on chip" (MoC), in which all biometric management functions are carried out in the sensor's own integrated circuit.

Concept of Vulnerability: Match on Chip

As reported by Cyber Security News, the vulnerability stems from a flaw in the concept of "match on chip" sensors. Microsoft removed the option of storing fingerprint templates on the host machine and replaced it with a "match on chip" sensor. The fingerprint templates are now stored on the chip, which reduces the concern that fingerprints could be exfiltrated from a compromised host and so protects the privacy of the user's biometric data.

This method has a downside, however: it does not prevent a malicious sensor from spoofing the communication between the sensor and the host, so the host can be fooled into accepting a spoofed authentication of an authorized user.
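The weakness described above comes down to the host trusting an unauthenticated verdict from the sensor. The added example below is not code from Blackwing Intelligence, Microsoft or any sensor vendor; the names, the pairing key and the message format are all assumptions. It models a host that accepts any "matched" report that echoes its challenge, beside a host that requires the report to carry a MAC, bound to a fresh challenge, which only the genuine paired sensor can compute.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed pairing key shared between host and sensor (hypothetical; how such a
# key would be provisioned is outside the scope of this example).
PAIRING_KEY = hashlib.sha256(b"example-pairing-secret").digest()


@dataclass
class MatchReport:
    """What the sensor sends back for one authentication attempt."""
    nonce: bytes      # echo of the host's fresh challenge
    user_id: str      # template identifier the chip claims to have matched
    matched: bool     # the verdict the host is asked to trust
    tag: bytes        # MAC over the fields above; empty on an unauthenticated link


def _payload(nonce: bytes, user_id: str, matched: bool) -> bytes:
    return nonce + user_id.encode("utf-8") + bytes([int(matched)])


def sensor_report(nonce: bytes, user_id: str, matched: bool, key: Optional[bytes]) -> MatchReport:
    """Sensor side. key=None models a plain match-on-chip link: the verdict travels
    unauthenticated, so any device on the bus can produce an identical message."""
    tag = hmac.new(key, _payload(nonce, user_id, matched), hashlib.sha256).digest() if key else b""
    return MatchReport(nonce, user_id, matched, tag)


def host_accepts_unauthenticated(challenge: bytes, report: MatchReport) -> bool:
    """Weak host: believes any 'matched' report that echoes its challenge."""
    return report.nonce == challenge and report.matched


def host_accepts_authenticated(challenge: bytes, report: MatchReport, key: bytes) -> bool:
    """Hardened host: the verdict must be bound to this challenge by a MAC that only
    the genuine, paired sensor can compute."""
    if report.nonce != challenge:
        return False  # stale or replayed verdict
    expected = hmac.new(key, _payload(report.nonce, report.user_id, report.matched),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, report.tag) and report.matched


def genuine_login(authenticated_link: bool) -> bool:
    """The real paired sensor reports a true match for the host's challenge."""
    challenge = os.urandom(16)
    report = sensor_report(challenge, "alice", True, PAIRING_KEY if authenticated_link else None)
    if authenticated_link:
        return host_accepts_authenticated(challenge, report, PAIRING_KEY)
    return host_accepts_unauthenticated(challenge, report)


def spoofed_login(authenticated_link: bool) -> bool:
    """A rogue device that observed the challenge but holds no pairing key forges a match."""
    challenge = os.urandom(16)
    forged = sensor_report(challenge, "alice", True, key=None)
    if authenticated_link:
        return host_accepts_authenticated(challenge, forged, PAIRING_KEY)
    return host_accepts_unauthenticated(challenge, forged)


if __name__ == "__main__":
    print("unauthenticated link, genuine sensor:", genuine_login(False))  # True
    print("unauthenticated link, rogue device:  ", spoofed_login(False))  # True: host is fooled
    print("authenticated link, genuine sensor:  ", genuine_login(True))   # True
    print("authenticated link, rogue device:    ", spoofed_login(True))   # False
```

The point of the fresh nonce is that a MAC alone is not enough: without it, a rogue device could replay a genuine "matched" report captured earlier. Storing templates on the chip says nothing about either property; only the link between chip and host does.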

This is not the first time Windows Hello biometric authentication has been defeated. Microsoft released two patches for CVE-2021-34466 (CVSS score: 6.1), a security flaw rated medium severity in July 2021 that could allow an adversary to hijack the login process by spoofing the target's face.

It is still unclear whether Microsoft will be able to find a fix for the flaws; in any case, Windows Hello, as a biometric-based system, has been attacked before. A 2021 proof of concept showed that an infrared photo of a victim could be used to bypass the Windows Hello facial recognition feature. Microsoft subsequently fixed the issue to prevent it from recurring.

Log4j Attacks Target SolarWinds and ZyXEL

According to reports published by Microsoft and Akamai, cybercriminals are targeting SolarWinds devices alongside the Log4Shell vulnerability, while ZyXEL is known to use the Log4j library in its software.

Attacks involving the Log4j library have been reported against SolarWinds and ZyXEL devices, according to the Microsoft and Akamai reports. The SolarWinds flaw, assigned CVE-2021-35247, was a zero-day in the SolarWinds Serv-U file-sharing service that was paired with the Log4j attacks.

According to Microsoft's Threat Intelligence Center (MSTIC), the SolarWinds vulnerability, tracked as CVE-2021-35247, is an input validation flaw that could allow attackers to build a query from unsanitized data and send it across the network.

Jonathan Bar-Or, a Microsoft security researcher, is credited with identifying the flaw, which affects Serv-U versions 15.2.5 and earlier; SolarWinds patched it in Serv-U version 15.3. "A closer look helped discover the feed Serv-U data and it generates an LDAP query using the user's unsanitized input!" he wrote. The flaw could be used not only in Log4j attacks but also for LDAP injection.

SolarWinds stated in its advisory that the Serv-U web login screen for LDAP authentication was permitting characters that were not appropriately sanitized, and that it had modified the input mechanism "to do further validation and sanitization." According to a SolarWinds official, the attacker cannot log in to Serv-U, and the Microsoft researcher is referring to failed attempts, because Serv-U does not use Log4j code.

The unauthenticated remote code execution (RCE) vulnerability in Log4j, identified as CVE-2021-44228, has also been repurposed to infect Zyxel networking equipment and help spread malware used by the Mirai botnet, according to Akamai researchers. By the time the researchers tried to retrieve the Java payload class, the LDAP server hosting the exploit was no longer active. It is thought that Zyxel was singled out because it had published an article stating that it had been hit by the Log4j flaw.

The Log4Shell situation has remained unchanged since last month: threat actors looking to gain access to corporate networks continue to target and exploit the vulnerability. Ransomware gangs, nation-state cyber-espionage groups, crypto-mining gangs, initial access brokers, and DDoS botnets have all been reported exploiting it. Although the Apache Software Foundation has issued patches for the Log4j library, threats against applications that use it are likely to persist because not all of those applications have shipped security updates, leaving many systems vulnerable and creating a breeding ground for exploitation that will last for years.

Log4j 2.17.1 Is Out, and Fixes Yet Another Code Execution Flaw

Apache has published Log4j version 2.17.1, which fixes CVE-2021-44832, a newly found code execution flaw. Until then, the most recent version, 2.17.0, was considered the safest release to update to; that advice has since changed, and the Log4j vulnerability resource center now reflects download trends and statistics for 2.17.1.

Checkmarx researchers have revealed details about the vulnerability in Log4j version 2.17.0, which had only just been released. Apache released that version a few days after two other patches addressing the major Log4Shell attack and related problems. By altering the Log4j logging configuration file, attackers might execute remote code on a variety of servers or applications. Log4Shell is one of the most well-known security weaknesses on the internet, affecting enterprise and government customers who use Log4j versions 2.0 through 2.14.1 in their environments.

Last month, a security researcher discovered yet another zero-day vulnerability in the Apache Log4j Java-based logging library, which threat actors may use to execute malicious code on affected systems. This week, Apache released another version (Log4j 2.17.1) that aims to fix the remote code execution (RCE) flaw in v2.17.0.

Log4j is a well-known open-source Java library built by the Apache Software Foundation. Developers use it to log error messages in large commercial systems and cloud services such as Minecraft, Steam, and Apple iCloud.

Apache acknowledged the issue in an advisory, describing the moderate-severity flaw (CVSS 6.6) as follows: "An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code, in Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4)."

The new Log4j CVE "only applies if an attacker can already edit the Log4j config file," according to security researcher Kevin Beaumont. "An attacker already owns your web app or host if they can edit your Log4j config file."
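As a defender-side check for the condition the advisory describes, the added example below (not Apache's code; the sample configuration, appender names and JNDI names are constructed for this example) parses a log4j2.xml and reports every JDBC appender whose DataSource is resolved through a jndiName, distinguishing local java: names from remote lookups. Given Beaumont's point, its output is mostly useful for deciding whose write access to the configuration file needs tightening.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample log4j2.xml, not taken from the page or any real deployment:
# a harmless console appender, a JDBC appender with a local JNDI data source, and
# a JDBC appender (in the alternative <Appender type=...> syntax) whose data source
# is a remote lookup. The host name is a deliberate placeholder.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <JDBC name="auditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <Appender type="JDBC" name="legacyDb" tableName="legacy_log">
      <DataSource jndiName="ldap://placeholder.example/o=Example"/>
      <Column name="message" pattern="%m"/>
    </Appender>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="stdout"/>
      <AppenderRef ref="auditDb"/>
      <AppenderRef ref="legacyDb"/>
    </Root>
  </Loggers>
</Configuration>
"""


def _is_jdbc_appender(el: ET.Element) -> bool:
    # Log4j2 XML accepts both <JDBC ...> and <Appender type="JDBC" ...>.
    return el.tag == "JDBC" or (el.tag == "Appender" and el.get("type") == "JDBC")


def find_jndi_datasources(config_xml: str) -> List[Tuple[str, str, str]]:
    """Return (appender name, jndiName, severity) for every JDBC appender whose
    DataSource is resolved through JNDI, in document order."""
    root = ET.fromstring(config_xml)
    findings = []
    for el in root.iter():
        if not _is_jdbc_appender(el):
            continue
        for ds in el.iter("DataSource"):
            jndi = ds.get("jndiName")
            if not jndi:
                continue
            # A 'java:' name stays inside the local JNDI tree; anything else is a
            # remote lookup, which is what makes an editable config file dangerous.
            severity = "review" if jndi.lower().startswith("java:") else "high"
            findings.append((el.get("name", "<unnamed>"), jndi, severity))
    return findings


def has_remote_jndi_datasource(config_xml: str) -> bool:
    """Single yes/no answer suitable for a CI or configuration-audit gate."""
    return any(sev == "high" for _, _, sev in find_jndi_datasources(config_xml))


if __name__ == "__main__":
    for name, jndi, severity in find_jndi_datasources(SAMPLE_CONFIG):
        print(f"{severity:6} appender={name} jndiName={jndi}")
    # review appender=auditDb jndiName=java:comp/env/jdbc/AuditDS
    # high   appender=legacyDb jndiName=ldap://placeholder.example/o=Example
```

This reads the XML form only; properties, YAML and JSON configurations would need their own loaders, and the check says nothing about whether the file itself is writable by the application user, which is the other half of the question.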

One of the most important lessons learned from the events surrounding Log4j is that it is humanly impossible for open source project maintainers to cover every possible attack vector while also correcting known vulnerabilities. This is why community-led vulnerability research and reporting is a benefit to open source. However, if not done properly, it can rapidly become a nuisance. 

"Irresponsible disclosures jeopardize the work of open source projects and their maintainers, and if not handled, this problem will only get worse." 

Another point worth noting is that, unlike the four previous Log4j CVEs, no one was credited with identifying CVE-2021-44832 in Apache's official advisory.

Magnitude Exploit Kit Adds Rare Chrome Attack Chain to Target Chrome Users

The handlers of the Magnitude exploit kit (EK) have added two new exploits to their arsenal, capable of targeting Chromium-based browsers running on Windows systems. It is a very rare sight, since the few exploit kits still active have focused mainly on Microsoft's Internet Explorer over the past few years.

Security experts with Avast uncovered a new chain of exploits for attacks on users of the Chrome browser. The two new exploits CVE-2021-21224 and CVE-2021-31956 affect the Google Chrome browser and Microsoft Windows platform, respectively.

The first exploit in the chain, CVE-2021-21224, which Google patched in April 2021, is a type confusion vulnerability in the V8 engine that allows remote attackers to execute arbitrary code inside a sandbox via a crafted HTML page.

The second exploit, CVE-2021-31956, is a privilege escalation vulnerability in Windows that allows attackers to break out of Chrome's sandbox and gain system privileges; it was addressed in June 2021. The two flaws were previously chained in malicious activity that Kaspersky named PuzzleMaker, which could not be linked to any known adversary.

“The attacks we have seen so far are targeting only Windows builds 18362, 18363, 19041, and 19042 (19H1–20H2). Build 19043 (21H1) is not targeted. The exploit for CVE-2021-31956 contains hardcoded syscall numbers relevant just for these builds. For the time being, the activity doesn’t appear to involve the use of a malicious payload, although it does lead to the victim’s Windows build number being exfiltrated,” Avast said. 

“Since Magnitude typically tests newly implemented exploits in this manner, it’s likely that malicious attacks will follow soon, likely deploying the Magniber ransomware,” Avast added. First discovered in 2017, Magniber was attributed right from the start with Magnitude, and was believed to be developed by the EK’s handlers. 

Avast's discovery is important because an exploit kit going after Chrome and Chromium-based browsers is a rare sighting, but questions remain, such as how the "half-dead" EK group got its hands on such a high-grade exploit chain and how effective the chain is in the first place. Fortunately, the Windows exploit is not universal and will only work against a small number of Windows 10 versions.

PoC Exploit Code Published for macOS Gatekeeper Bypass Vulnerability

Cybersecurity researcher Rasmus Sten of F-Secure has published proof-of-concept (PoC) exploit code for a macOS Gatekeeper bypass vulnerability that Apple fixed in April of this year.

The PoC targets CVE-2021-1810, a flaw that can bypass all three protections Apple has implemented against downloading malicious files in macOS: file quarantine, Gatekeeper, and notarization.

The vulnerability was found in the Archive Utility component of macOS Big Sur and Catalina and can be abused via a specially crafted ZIP file. To exploit it, an attacker must trick a user into downloading and opening an archive containing malicious code.

By exploiting the flaw, an attacker can execute unsigned binaries on macOS devices even when Gatekeeper enforces code signing or would otherwise warn the user about the code being run. According to Sten, the flaw relates to the way Archive Utility handles file paths: for paths longer than 886 characters, the com.apple.quarantine extended attribute was no longer applied, resulting in a Gatekeeper bypass for those files.

While researching edge cases with long path names, the researcher noticed that some macOS components behaved unexpectedly when the total path length reached a certain limit. Sten eventually found it was feasible to design an archive with a hierarchical structure whose path length was long enough that Archive Utility, when invoked by Safari to unpack it, would not apply the com.apple.quarantine attribute, yet short enough to be browsable in Finder and for macOS to execute the code within.

“In order to make it more appealing to the user, the archive folder structure could be hidden (prefixed with a full stop) with a symbolic link in the root which was almost indistinguishable from a single app bundle in the archive root,” the researcher explained in his blog post. 

The researcher also published a video demo of the exploit, which creates an archive with the path length needed to trigger CVE-2021-1810, along with a symbolic link to make the ZIP file look normal. The flaw was addressed with the release of macOS Big Sur 11.3 and Security Update 2021-002 for Catalina.
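As a detection heuristic for archives shaped like the one described in this post, the added example below (not Sten's or F-Secure's code) builds a harmless ZIP with the described layout in memory and inspects it for over-long member paths, root-level symbolic links and hidden root folders. The fixture archive is constructed for the example; the only value taken from the text is the 886-character limit.

```python
import io
import stat
import zipfile
from typing import Dict, List

# Path length the post reports as the threshold beyond which Archive Utility
# stopped applying com.apple.quarantine (fixed in macOS 11.3).
QUARANTINE_PATH_LIMIT = 886


def build_sample_archive() -> bytes:
    """Constructed fixture, not a real sample: a hidden, deeply nested folder holding a
    harmless text file, plus a root-level symlink into it, the layout described above."""
    # ".hidden/" plus 90 nested "level_NNN" directories is just over 900 characters.
    deep_dir = ".hidden/" + "/".join("level_%03d" % i for i in range(90))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(deep_dir + "/Example.app/Contents/MacOS/readme.txt",
                    "constructed harmless content\n")
        link = zipfile.ZipInfo("Example.app")
        link.create_system = 3  # Unix, so the mode bits below are meaningful
        link.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(link, deep_dir + "/Example.app")  # symlink target is stored as the data
    return buf.getvalue()


def inspect_archive(data: bytes) -> Dict[str, List[str]]:
    """Flag member paths over the limit, root-level symlinks and hidden root entries."""
    findings: Dict[str, List[str]] = {"long_paths": [], "root_symlinks": [], "hidden_root_entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            name = zi.filename
            if len(name) > QUARANTINE_PATH_LIMIT:
                findings["long_paths"].append(name)
            mode = (zi.external_attr >> 16) & 0xFFFF  # Unix mode bits, if recorded
            if stat.S_ISLNK(mode) and "/" not in name:
                findings["root_symlinks"].append(name)
            top = name.split("/", 1)[0]
            if top.startswith(".") and top not in findings["hidden_root_entries"]:
                findings["hidden_root_entries"].append(top)
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """The combination the write-up describes: an over-long path that would have
    escaped quarantine, presented to the user through a root-level symlink."""
    return bool(findings["long_paths"]) and bool(findings["root_symlinks"])


if __name__ == "__main__":
    result = inspect_archive(build_sample_archive())
    print("long paths:        ", len(result["long_paths"]))        # 1
    print("root symlinks:     ", result["root_symlinks"])          # ['Example.app']
    print("hidden root entries:", result["hidden_root_entries"])   # ['.hidden']
    print("suspicious:        ", is_suspicious(result))            # True
```

The inspection relies on the ZIP central directory alone, so it can run on a mail gateway or download proxy without extracting anything; a patched macOS still applies the quarantine attribute, so on the endpoint the complementary check is simply that extracted files carry com.apple.quarantine.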