Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Vulnerabilities. Show all posts
Vulnerabilities
Artificial Intelligence ChatGPT cybercriminals Cybersecurity Ransomware Vulnerabilities

Cybercriminals Exploit Psychological Vulnerabilities in Ransomware Campaigns

 


During the decade of 2025, the cybersecurity landscape has drastically changed, with ransomware from a once isolated incident to a full-sized global crisis. No longer confined to isolated incidents, these attacks are now posing a tremendous threat to economies, governments, and public services across the globe. There is a wide range of organizations across all sectors that find themselves exposed to increasingly sophisticated cyber threats, ranging from multinational corporations to hospitals to schools. It is reported in Cohesity’s Global Cyber Resilience Report that 69% of organizations have paid ransom demands to their suppliers in the past year, which indicates just how much pressure businesses have to deal with when such attacks happen. 

The staggering number of cybercrime cases highlights the need for stronger cybersecurity measures, proactive threat mitigation strategies and a heightened focus on digital resilience. With cybercriminals continuously improving their tactics, organizations need to develop innovative security frameworks, increase their threat intelligence capabilities, and foster a culture of cyber vigilance to be able to combat this growing threat. The cybersecurity landscape in 2025 has changed significantly, as ransomware has evolved into a global crisis of unprecedented proportions. 

The threat of these attacks is not just limited to isolated incidents but has become a significant threat to governments, industries, and essential public services. Across the board, companies of all sizes are increasingly vulnerable to cyber threats, from multinational corporations to hospitals and schools. In the last year, Cohesity released its Global Cyber Resilience Report, which revealed that 69% of organizations paid ransom demands, indicating the immense pressure that businesses face in the wake of such threats. 

This staggering figure underscores how urgent it is that we take more aggressive cybersecurity measures, develop proactive threat mitigation strategies, and increase our emphasis on digital resilience to prevent cyberattacks from taking place. Organizations must embrace new security frameworks, strengthen threat intelligence capabilities, and cultivate a culture of cyber vigilance to combat this growing threat as cybercriminals continue to refine their tactics. A persistent cybersecurity threat for decades, ransomware remains one of the biggest threats today. 

However, the first global ransom payment exceeded $1 billion in 2023, marking a milestone that hasn't been achieved in many years. Cyber extortion increased dramatically at this time, as cyber attackers constantly refined their tactics to maximize the financial gains that they could garner from their victims. The trend of cybercriminals developing increasingly sophisticated methods and exploiting vulnerabilities, as well as forcing organizations into compliance, has been on the rise for several years. However, recent data indicates a significant shift in this direction. It is believed that in 2024, ransomware payments will decrease by a substantial 35%, mainly due to successful law enforcement operations and the improvement of cyber hygiene globally.

As a result of enhanced security measures, increased awareness, and a stronger collective resistance, victims of ransom attacks have become increasingly confident they can refuse ransom demands. However, cybercriminals are quick to adapt, altering their strategies quickly to counteract these evolving defences to stay on top of the game. A response from them has been to increase their negotiation tactics, negotiating more quickly with victims, while simultaneously developing stealthier and more evasive ransomware strains to be more stealthy and evasive. 

Organizations are striving to strengthen their resilience, but the ongoing battle between cybersecurity professionals and cybercriminals continues to shape the future of digital security. There has been a new era in ransomware attacks, characterized by cybercriminals leveraging artificial intelligence in increasingly sophisticated manners to carry out these attacks. Using freely available AI-powered chatbots, malicious code is being generated, convincing phishing emails are being sent, and even deepfake videos are being created to entice individuals to divulge sensitive information or transfer funds by manipulating them into divulging sensitive information. 

By making the barriers to entry much lower for cyber-attacking, even the least experienced threat actors are more likely to be able to launch highly effective cyber-attacks. Nevertheless, artificial intelligence is not being used only by attackers to commit crimes. There have been several cases where victims have attempted to craft the perfect response to a ransom negotiation using artificial intelligence-driven tools like ChatGPT, according to Sygnia's ransomware negotiation teams. 

The limitations of AI become evident in high-stakes interactions with cybercriminals, even though they can be useful in many areas. According to Cristal, Sygnia’s CEO, artificial intelligence lacks the emotional intelligence and nuance needed to successfully navigate these sensitive conversations. It has been observed that sometimes artificial intelligence-generated responses may unintentionally escalate a dispute by violating critical negotiation principles, such as not using negative language or refusing to pay outright.

It is clear from this that human expertise is crucial when it comes to managing cyber extortion scenarios, where psychological insight and strategic communication play a vital role in reducing the potential for damage. Earlier this year, the United Kingdom proposed banning ransomware payments, a move aimed at deterring cybercriminals by making critical industries less appealing targets for cybercriminals. This proposed legislation would affect all public sector agencies, schools, local councils, and data centres, as well as critical national infrastructure. 

By reducing the financial incentive for attackers, officials hope to decrease both the frequency and severity of ransomware incidents across the country to curb the number of ransomware incidents. However, the problem extends beyond the UK. In addition to the sanctions issued by the Office of Foreign Assets Control, several ransomware groups that have links to Russia and North Korea have already been sanctioned. This has made it illegal for American businesses and individuals to pay ransoms to these organizations. 

Even though ransomware is restricted in this manner, experts warn that outright bans are not a simple or universal solution to the problem. As cybersecurity specialists Segal and Cristal point out, such bans remain uncertain in their effectiveness, since it has been shown that attacks fluctuate in response to policy changes, according to the experts. Even though some cybercriminals may be deterred by such policies, other cybercriminals may escalate their tactics, reverting to more aggressive threats or increasing their personal extortion tactics. 

The Sygnia negotiation team continues to support the notion that ransom payments should be banned within government sectors because some ransomware groups are driven by geopolitical agendas, and these goals will be unaffected by payment restrictions. Even so, the Sygnia negotiation team believes that government institutions should not be able to make ransom payments because they are better able to handle financial losses than private companies. 

Governments can afford a strong stance against paying ransoms, as Segal pointed out, however for businesses, especially small and micro-sized businesses, the consequences can be devastating if they fail to do so. It was noted in its policy proposal that the Home Office acknowledges this disparity, noting that smaller companies, often lacking ransomware insurance or access to recovery services, can have difficulty recovering from operational disruptions and reputational damage when they suffer from ransomware attacks. 

Some companies could find it more difficult to resolve ransomware demands if they experience a prolonged cyberattack. This might lead to them opting for alternative, less transparent methods of doing so. This can include covert payment of ransoms through third parties or cryptocurrencies, allowing hackers to receive money anonymously and avoid legal consequences. The risks associated with such actions, however, are considerable. If they are discovered, businesses can be subjected to government fines on top of the ransom, which can further worsen their financial situation. 

Additionally, full compliance with the ban requires reporting incidents to authorities, which can pose a significant administrative burden to small businesses, especially those that are less accustomed to dealing with technology. Businesses are facing many challenges in the wake of a ransomware ban, which is why experts believe a comprehensive approach is needed to support them in the aftermath of this ban.

Sygnia's Senior Vice President of Global Cyber Services, Amir Becker, stressed the importance of implementing strategic measures to mitigate the unintended consequences of any ransom payment ban. It has been suggested that exemptions for critical infrastructure and the healthcare industries should be granted, since refusing to pay a ransom may lead to dire consequences, such as loss of life. Further, the government should offer incentives for organizations to strengthen their cybersecurity frameworks and response strategies by creating incentives like these.

A comprehensive financial and technical assistance program would be required to assist affected businesses in recovering without resorting to ransom payments. To address the growing ransomware threat effectively without disproportionately damaging small businesses and the broader economy, governments must adopt a balanced approach that entails enforcing stricter regulations while at the same time providing businesses with the resources they need to withstand cyberattacks.
Read more »
Vulnerability
CISA Critical Exploits cyberattacks trending news News Vulnerabilities Vulnerability

CISA Warns of Critical Exploits in ProjectSend, Zyxel, and Proself Systems


Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has discovered and added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities, impacting North Grid Proself, ProjectSend, and Zyxel firewalls, are being actively exploited, posing serious risks of data breaches and operational disruptions to unpatched systems. At the time of publishing, Zyxel acknowledged the issue and advised users to update their firmware promptly and strengthen admin credentials.

Vulnerabilities Identified in North Grid Proself, ProjectSend, and Zyxel Firewalls

North Grid Proself Vulnerability (CVE-2023-45727): A severe XML processing vulnerability in North Grid Proself has been identified, allowing attackers to bypass restrictions and access sensitive server data. Systems running versions older than 5.62, 1.65, and 1.08 are vulnerable to exploitation through maliciously crafted XML requests, which can extract sensitive account information.

ProjectSend Vulnerability (CVE-2024-11680): A critical authentication flaw in ProjectSend, an open-source file-sharing platform, has been flagged with a CVSS severity score of 9.8. Versions prior to r1720 are susceptible to attacks where malicious actors manipulate the options.php file using crafted HTTP requests. This enables them to create unauthorized accounts, upload webshells, and inject harmful JavaScript code. Security researchers from VulnCheck report that attackers are leveraging automated tools such as Nuclei and Metasploit to exploit this vulnerability.

Notably, exploitation attempts are marked by altered server configurations, including random strings in landing page titles—a trend observed since September 2024. Despite a patch being released in May 2023, over 4,000 exposed instances remain vulnerable.

Zyxel Firewall Vulnerability (CVE-2024-11667): Zyxel firewalls running firmware versions between V5.00 and V5.38 are vulnerable to a directory traversal attack. This flaw allows attackers to upload or download files via manipulated URLs within the web management interface, potentially compromising system integrity.

Exploitation Attempts and Mitigation Strategies

ProjectSend instances have been the primary focus of attackers. Public-facing systems have seen unauthorized user registrations—a setting not enabled by default—facilitating access for malicious actors. Webshells uploaded during these attacks are often stored in predictable directories, with filenames tied to timestamps and user data. Organizations are urged to review server logs to identify and address suspicious activities.

Under Binding Operational Directive (BOD) 22-01, federal agencies must prioritize these vulnerabilities, while CISA has recommended that private organizations take immediate action to mitigate the risks. Updating software, reviewing server configurations, and enhancing log analysis are critical steps to safeguard systems from exploitation.

Read more »
Vulnerabilities
CyberCrime Cybersecurity CyberThreat HM Surf macOS Microsoft Privacy Safari Vulnerabilities

HM Surf Bug in macOS Raises Data Privacy Concerns

 


Several vulnerabilities in the Safari web browser for macOS may have left users open to being spied on, having their data stolen, and acquiring other types of malware thanks to this security weakness. Specifically, the vulnerability arises from the special permissions Apple gives to its proprietary apps, and here, it is the browser, as well as the ease with which an attacker can obtain the important configuration files of an app. 

Ultimately, what it allows a user to do is to circumvent the Transparency, Consent, and Control (TCC) security layer on MacBooks that is designed to safeguard sensitive data from an attacker. CVE-2024-44133 has been rated as a "medium" severity vulnerability by the Common Vulnerability Scoring System (CVSS), meaning that it has a 5.5 severity score as per the CVSS. According to the CVE-2024-44133 vulnerability report, attackers can bypass the user data protection methods implemented by the operating system by bypassing Transparency, Consent, and Control (TCC). 

During the September 16 update for Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later), the vulnerability, also referred to as CVE-2024-44133, had been fixed. Please take note that this vulnerability will only impact devices that are managed by Mobile Device Management (MDM), not any other device. Typically, MDM managed devices are subject to policies and procedures set by the IT department of an organization, which is responsible for centrally managing and maintaining the devices.


According to Microsoft, the flaw has been named "HM Surf." By exploiting this vulnerability an attacker would be able to bypass macOS' Transparency, Consent, and Control (TCC) features and gain unauthorized access to a user's protected data, which they would have no control over. There is a possibility users may discover Safari's TCC in action while browsing a website that requires access to the camera or microphone when browsing through the website. It was noted by Apple in mid-September that a bug in macOS Sequoia 15 has been fixed by removing the vulnerable code. However, the bug does not seem to affect MDM-managed devices. As stated in the blog post, Microsoft’s Sequoia 15 release only protects Apple’s Safari web browser when it is installed. 

It was also pointed out that browsers like Google Chrome and Mozilla Firefox don't have the same private entitlements as Apple applications, so they cannot bypass TCC checks like Apple applications can. Therefore, once TCC checks are approved, it is up to the app to maintain access to the privacy database as long as people have approved the checks. This vulnerability can be exploited by removing the TCC protection for the Safari browser directory and editing a configuration file in that directory. It is stated in Microsoft's response that it involves gaining access to the user's data, such as browsed pages, the camera, microphone, and location of the device, without the user's knowledge.

Users of macOS are strongly encouraged to apply these security updates as soon as possible so that their system will be protected. Using its behavior monitoring capabilities, Microsoft Defender for Endpoint has detected activities associated with Adload, one of the most prevalent macOS threat families, which may be exploiting this vulnerability in some way. In addition to detecting and blocking CVE-2024-44133 exploitation, Windows Defender for Endpoint also detects and blocks anomalous modifications of the Preferences file through HM Surf or other mechanisms that potentially exploit the vulnerability.

According to Microsoft, it was TCC technology that first enabled them to learn how to bypass the technology when they discovered powerdir's vulnerability. Please remember that TCC, as its name implies, is a technology that prevents apps from accessing users' personal information when they are installed and that this includes services such as location services, camera and microphone devices, download directories, and others, without the user's knowledge or consent. 

In the world of mobile applications, the only legal way for them to gain access to these services is by approving a popup through their user interface, or if they approve per-app access via the settings in their operating system. This vulnerability, known as HM-Surf, may allow attackers to bypass key security features on macOS systems, which gives them a chance to gain access to sensitive data through the use of malicious code. It is possible that users who are not authorized to exploit the flaw could exploit macOS' own security functions, such as the sandboxing mechanisms and restrictions on file access. 

HM-Surf exploit is a vulnerability that allows attackers to gain enhanced privileges, which allows them to access sensitive data and files that would otherwise require a login and password. Initial warnings were raised about this vulnerability because it played a role in adware campaigns, where malicious actors used this loophole to install unwanted software on users' devices in order to profit from the vulnerability. There are, however, a lot more dangers than just adware; though, it is only the beginning. If the same vulnerability were weaponized, then it might even be used for more serious attacks, such as data exfiltration, surveillance, or even as a gateway to further malware infiltration in the near future. There is probably no doubt that HM-Surf's unique ability to bypass Apple's robust security architecture is one of the most troubling aspects of this malware. 

Security macOS is widely regarded as a secure platform, but the recent discovery of the HM-Surf vulnerability shows that even advanced systems are not immune to evolving cyber threats. This finding serves as a crucial reminder for users and organizations to prioritize cybersecurity and adopt proactive measures to protect their digital environments. Microsoft's cybersecurity team uncovered HM-Surf, an exploit posing a serious risk to macOS. Their investigation revealed a program altering Google Chrome settings to grant unauthorized microphone and camera access while collecting user and device data. 

These actions suggested preparations for a second-stage payload that could further compromise the device. The culprit was identified as the well-known macOS adware "AdLoad." This malware hijacks browser traffic, inundates users with ads, harvests data, and transforms infected devices into botnet nodes for further malicious activity. Although Microsoft's findings aligned with HM-Surf techniques, the researchers could not conclusively link AdLoad to actively exploiting the vulnerability. 

Nevertheless, they warned that "attackers using a similar method to deploy a prevalent threat" underscored the need for enhanced protection. The HM-Surf vulnerability illustrates the risks associated with macOS, highlighting that no operating system is invulnerable to sophisticated attacks. Exploiting such weaknesses could lead to severe consequences, including financial losses, reputational damage, and the exposure of sensitive data. The evolving nature of these threats suggests that attackers are continuously refining their methods to bypass security measures.

To address these challenges, organizations must adopt a multi-layered approach to cybersecurity. This includes regular system updates, comprehensive monitoring, and user education on safe practices. Deploying advanced threat detection and real-time monitoring can help detect and mitigate attacks before they cause significant harm. Regular security assessments can also identify and address potential vulnerabilities. In summary, the emergence of the HM-Surf vulnerability is a stark reminder of the dynamic landscape of cybersecurity threats. For macOS users and businesses, this discovery emphasizes the need to act swiftly in strengthening defenses and protecting digital assets against evolving risks.
Read more »
Vulnerabilities
CPS critical Cyber Security Cyberattack Cybersecurity Digital Infrastructure National Security public safety Supply Chain Vulnerabilities

Cyberattacks on Critical Infrastructure: A Growing Threat to Global Security

 

During World War II, the U.S. Army Air Forces launched two attacks on ball bearing factories in Schweinfurt, aiming to disrupt Germany’s ability to produce machinery for war. The belief was that halting production would significantly affect Germany’s capacity to manufacture various war machines.

This approach has a modern parallel in the cybersecurity world. A cyberattack on a single industry can ripple across multiple sectors. For instance, the Colonial Pipeline attack affected American Airlines operations at Charlotte Douglas Airport. Similarly, the Russian NotPetya attack against Ukraine spilled onto the internet, impacting supply chains globally.

At the 2023 S4 Conference, Josh Corman discussed the potential for cascading failures due to cyberattacks. The creation of the Cybersecurity and Infrastructure Security Agency’s National Critical Functions was driven by the need to coordinate cybersecurity efforts across various critical sectors. Corman highlighted how the healthcare sector depends on several infrastructure sectors, such as water, energy, and transportation, to provide patient care.

The question arises: what if a cyber incident affected multiple segments of the economy at once? The consequences could be devastating.

What makes this more concerning is that it's not a new issue. The SQL Slammer virus, which appeared over two decades ago, compromised an estimated one in every 1,000 computers globally. Unlike the recent CrowdStrike bug, Slammer was an intentional exploit that remained unpatched for over six months. Despite differences between the events, both show that software vulnerabilities can be exploited, regardless of intent.

Digital technology now underpins everything from cars to medical devices. However, as technology becomes more integrated into daily life, it brings new risks. Research from Claroty’s Team82 reveals that insecure code and misconfigurations exist in software that controls physical systems, posing potential threats to national security, public safety, and economic stability.

Although the CrowdStrike incident was disruptive, businesses and governments must reflect on the event to prevent larger, more severe cyber incidents in the future.

Cyber-Physical Systems: A Shifting Threat Landscape

Nearly every facility, from water treatment plants to hospitals, relies on digital systems known as cyber-physical systems (CPS) to function. These systems manage critical tasks, but they also introduce vulnerabilities. Today, billions of tiny computers are embedded in systems across all industries, offering great benefits but also exposing the soft underbelly of society to cyber threats.

The Stuxnet malware attack in 2014, which disrupted Iran's nuclear program, was the first major cyber assault on CPS. Since then, there have been several incidents, including the 2016 Russian Industroyer malware attack that disrupted part of Ukraine’s power grid, and the 2020 Iranian attempt to attack Israeli water utilities. Most recently, Chinese hackers have targeted U.S. critical infrastructure.

These incidents highlight how cybercriminals and nation states exploit vulnerabilities in critical infrastructure to understand weaknesses and the potential impact on security. China, for example, has expanded its objectives from espionage to compromising U.S. infrastructure to weaken its defense capabilities in case of a conflict.

The CrowdStrike Bug and Broader Implications

The CrowdStrike bug wasn’t a malicious attack but rather a mistake tied to a gap in quality assurance. Still, the incident serves as a reminder that our dependence on digital systems has grown significantly. Failures in cyber-physical systems—whether in oil pipelines, manufacturing plants, or hospitals—can have dangerous physical consequences.

Although attacks on CPS are relatively rare, many of these systems still rely on outdated technology, including Windows operating systems, which account for over 25% of vulnerabilities in the CISA Known Exploited Vulnerabilities Catalog. Coupled with long periods of technological obsolescence, these vulnerabilities pose significant risks.

What would happen if a nation-state deliberately targeted CPS in critical infrastructure? The potential consequences could be far worse than the CrowdStrike bug.

Addressing the vulnerabilities in CPS will take time, but there are several steps that can be taken immediately:

  • Operationalize compensating controls: Organizations must inventory assets and implement network segmentation and secure access to protect vulnerable systems.
  • Expand secure-by-design principles: CISA has emphasized the need to focus on secure-by-design in CPS, particularly for medical devices and automation systems.
  • Adopt secure-by-demand programs: Organizations should ask the right questions of software vendors during procurement to ensure higher security standards.
Although CPS drive innovation, they also introduce new risks. A failure in one link of the global supply chain could cascade across industries, disrupting critical services. The CrowdStrike bug wasn’t a malicious attack, but it underscores the fragility of modern infrastructure and the need for vigilance to prevent future incidents
Read more »
Vulnerabilities
Baxer CISA Cyber Bugs Cyber Security Cyberattacks CyberCrime Cyberhackers Cyberthreats Mitsubishi Products Vulnerabilities

CISA Identifies Industrial Cybersecurity Bugs in Baxter and Mitsubishi Products

 


A report published recently by the Cybersecurity and Infrastructure Security Agency (CISA) warned about two new ICS vulnerabilities found in products widely used in healthcare, critical manufacturing, and other sectors susceptible to cybercrime activity. Among the affected products are Baxter's Connex Health Portal, as well as Mitsubishi Electric's MELSEC line of programmable controllers for the home and office. 

In response to the vulnerabilities found in the respective technologies, both vendors have released updates to plug the vulnerabilities and recommended mitigations for customers who wish to mitigate risk further. According to CISA's advisory, two vulnerabilities were identified in Baxter's Connex Health Portal (formerly Hillrom and Welch Allyn) that could be remotely exploited and have low attack complexity, which made them suitable for remote attacks. 

The CVE-2024-6795 vulnerability is one of the highest severity (CVSS score of 10.0) SQL injection vulnerabilities that an unauthenticated attacker could exploit to run arbitrary SQL queries on affected systems through one of the vulnerabilities, assignment CVE-2024-6795. It was described by CISA that this vulnerability would allow attackers to view, manipulate, and delete sensitive data, in addition to taking other administrator-level actions, including shutting down the database in some cases. As part of the U.S. 

Cybersecurity and Infrastructure Security Agency (CISA) various advisory letters regarding industrial control systems (ICS) have been released, including one specifically for medical devices as well as two updates. As part of the project, we are developing advisories that serve to provide ICS owners with timely information about security threats, vulnerabilities, and exploits. It had previously been announced that the cybersecurity agency was deploying advisories across critical infrastructure sectors to warn users and technical administrators about ICS vulnerabilities and offer mitigation strategies. 

Hughes Network Systems has identified hardware vulnerabilities in its WL3000 Fusion software equipment that are caused by bugs in the hardware. This report contains updated information on vulnerabilities in Mitsubishi Electric's MELSEC iQ-R, Q, and L Series, as well as the MELSEC iQ-R, iQ-L Series, and the MELIPC Series, which are all produced by Mitsubishi Electric. During the CISA study, the vulnerability in the hardware architecture of the Baxter Connex Health Portal was also identified. 

CISA warned it in an advisory that Hughes' WL3000 Fusion Software deployed across critical infrastructure sectors appears to have several vulnerabilities that are not sufficiently protected such as credentials that are insufficiently protected and sensitive data that are not encrypted. The report states that if these vulnerabilities are exploited successfully, an attacker could gain access read-only to information associated with network configurations and terminal configurations, and otherwise gain access to confidential data. 

It is important to note that credentials for gaining access to device configuration information are stored in flash memory unencrypted. It is also possible with these credentials, to gain read-only access to information about the network configuration and terminal configuration. It has been assigned the designation CVE-2024-39278 as the vulnerability that needs to be addressed. The CVSS v3.1 base score was determined to be 4.2 out of a possible five points, and the CVSS v4 base score was calculated to be 5.1. 

A report by CISA also revealed that credentials for accessing device configurations were being transmitted using an unencrypted protocol that was not secure. These credentials would allow the administrator to access only the data associated with the configuration of the network and the terminals. The vulnerability has been identified as CVE-2024-42495 and it has been assigned a severity of critical. The CVSS v3.1 base score has been determined to be 6.5, and the CVSS v4 base score has also been calculated to be 7.1, based on the CVSS v3.1 and CVSS v4 scores. 

During publishing this advisory, Hughes Networks pointed out that the vulnerabilities had been corrected, which did not require any user action.  There is a risk of remote attackers, unauthenticated and remotely situated, running arbitrary SQL queries anywhere, at any time, including accessing, changing, and deleting sensitive data, as well as performing administrative operations on the database such as halting it. 

Two vulnerabilities in this system are associated with one CVE-2024-6795, and a CVSS v3.1 base score of 10.0 has been calculated for this vulnerability. A CISA report also indicated that the system was not appropriately protecting against an improper access control vulnerability in the application. As a result, an unauthorized user could have access to clinical and sensitive information about patients, as well as be able to change or delete information about the clinic. 

There has been a vulnerability identified as CVE-2024-6796 and it has been assigned a CVSS v3.1 base score of 8.2, which makes it a high vulnerability. As revealed by the advisory, Baxter is unaware of any exploits of these vulnerabilities or any compromises of personally identifiable information or health information related to this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has identified and flagged vulnerabilities in industrial control systems (ICS) used in products from Baxter and Mitsubishi. 

These vulnerabilities, which posed potential cybersecurity risks, were promptly addressed by both companies. Following their discovery, Baxter implemented the necessary patches to rectify the issues. As a result, no further action is required from users at this time. In addition to these remedial actions, CISA has issued general recommendations to mitigate future risks. One of the key suggestions is to minimize network exposure for all control system devices and systems, ensuring that they are not directly accessible from the internet. 

CISA further advises that control system networks and remote devices should be placed behind firewalls and segregated from business networks to enhance security. For instances where remote access is necessary, organizations are encouraged to adopt more secure solutions such as Virtual Private Networks (VPNs). However, CISA stresses the importance of maintaining up-to-date versions of VPN software, as vulnerabilities may exist in older versions. 

It is also emphasized that the overall security of the VPN is dependent on the security of the devices it connects to, underscoring the need for comprehensive security measures across all connected devices. By following these defensive measures, organizations can reduce the likelihood of exploitation and enhance the security of their industrial control systems against potential cyber threats.
Read more »
WordPress
Cache Plugin Cyber Attacks CyberCrime Cyberhackers Cybersecurity CyberThreat LitesSpeed Patchstack Vulnerabilities WordPress

Critical LiteSpeed Cache Plugin Flaw CVE-2024-28000 Sparks a Surge in Cyberattacks

 


According to cyber security researchers, there is a critical security flaw in the LiteSpeed Cache plugin for WordPress that users can exploit without authentication to gain administrative privileges on the site. It is an all-in-one site acceleration plugin that features an exclusive server-level cache along with a suite of optimization features designed to make the websites more efficient with LiteSpeed Cache for WordPress. As a WordPress Multisite plugin, LowSide supports a wide range of plugins, including WooCommerce, bbPress, and Yoast SEO, for the best possible experience. 

There is no compatibility issue with ClassicPress when using LiteSpeed Cache for WordPress. In LiteSpeed Cache, which comes bundled with WordPress, there is a critical vulnerability that can allow attackers to take full control of millions of sites once a rogue admin account is created. This is an open-source and almost universally popular WordPress site acceleration plugin with over 5 million active installations, and it also supports WooCommerce, bbPress, ClassicPress, and Yoast SEO. It is available as a free download. 

In LiteSpeed Cache versions 6.3.0.1 and earlier, the plugin's user simulation feature has an unauthenticated privilege escalation vulnerability (CVE-2024-28000). As a result of this vulnerability, the highest bounty has been awarded in the history of bug bounty hunting for WordPress. This researcher has been rewarded USD 14,400 in cash through the Patchstack Zero Day program as part of this award. It would be great if anyone else interested in joining the community as well would be able to benefit from the program. 

This vulnerability has been automatically protected for all Patchstack users who have enabled protection, so they are no longer at risk. For only $5 per site per month, Patchstack offers a free Community account, where users can scan for vulnerabilities and apply protection for only $5 / site per month by creating a PatchStack account. It is the plugin's user simulation feature that is vulnerable to the vulnerability, as it uses a weak security hash as part of its security process. 

It must be said that the hash value is generated by using an insecure random number generator and the value is stored without being salted or related to a particular request made by the user.  The Patchstack security research tool warns that the hash is relatively easy to guess due to the limited number of possible values, which allows attackers to iterate through all possible hashes to discover the appropriate one and to simulate a user who is an administrator. 

This vulnerability affects all versions of the LiteSpeed Cache plugin for WordPress, from version 6.3.0.1 onwards. In addition, the plugin is susceptible to privilege escalation attacks. Certainly! Here is the rewritten information in a formal, expanded, and third-person tone: --- The security vulnerability identified as CVE-2024-28000 in the LiteSpeed Cache plugin has been linked to a critical issue concerning the improper restriction of role simulation functionality. This flaw allows a user with access to a valid hash—discoverable through debug logs or susceptible to brute-force attacks—to alter their current user ID to that of an administrator. 

This, in turn, enables unauthenticated attackers to impersonate an administrator and utilize the `/wp-json/wp/v2/users` REST API endpoint to create a new user account with administrative privileges. The vulnerability is present in all versions of the LiteSpeed Cache plugin up to and including version 6.3.0.1. The vulnerability was addressed in LiteSpeed Cache version 6.4, released on August 13, 2024. Website administrators utilizing the plugin are strongly advised to update to this latest version to prevent exploitation. 

The urgency of this update is underscored by a report from Wordfence, a leading WordPress security provider, which disclosed that over 30,000 attacks targeting CVE-2024-28000 were blocked within a single day. This surge in attacks illustrates the swift adoption of this exploit by cybercriminals, who are leveraging the vulnerability to compromise WordPress installations. Currently, the attacks are predominantly directed at non-Windows-based WordPress sites. This is because the vulnerability exploits a PHP method called `sys_getloadavg()`, which is not available on Windows systems. 

Consequently, while Windows-based WordPress installations are not vulnerable to this specific exploit, other systems remain at significant risk. The flaw was reported to Patchstack's bug bounty program by security researcher John Blackbourn on August 1, 2024. The LiteSpeed development team promptly created and released a patch with LiteSpeed Cache version 6.4 on August 13. Successful exploitation of this vulnerability can grant unauthenticated visitors administrator-level access, potentially allowing them to fully control compromised websites. 

This control includes installing malicious plugins, altering critical settings, redirecting traffic to harmful sites, distributing malware to visitors, or stealing user data. Additionally, in June 2024, the Wordfence Threat Intelligence team reported that a threat actor had compromised at least five plugins on WordPress.org, adding malicious PHP scripts to enable the creation of administrator accounts on affected websites. 

To protect against this vulnerability, Wordfence Premium, Wordfence Care, and Wordfence Response users were provided with a firewall rule effective from August 20, 2024. Users of the free version of Wordfence will receive similar protection starting on September 19, 2024.
Read more »
Vulnerabilities
Cyber Security Digital Communication email security Malware Detection Vulnerabilities

Email Security Vulnerabilities: Shocking Gaps in Malware Detection

Email Security Vulnerabilities: Shocking Gaps in Malware Detection

In an era where digital communication dominates, email remains a fundamental tool for personal and professional correspondence. However, recent research by web browser security startup SquareX has exposed alarming vulnerabilities in email security. 

The study, titled “Security Bite: iCloud Mail, Gmail, Others Shockingly Bad at detecting malware, Study Finds,” highlights the shortcomings of popular email service providers in safeguarding users from malicious attachments.

The State of Email Security

1. The Persistent Threat of Malicious Attachments

  • Despite advancements in cybersecurity, email attachments continue to be a prime vector for malware distribution.
  • Malicious attachments can carry viruses, trojans, ransomware, and other harmful payloads.
  • Users often unknowingly open attachments, leading to compromised devices and data breaches.

2. The SquareX Study

Researchers collected 100 malicious document samples, categorized into four groups:

  • Original Malicious Documents from Malware Bazaar
  • Slightly Altered Malicious Documents from Malware Bazaar (with changes in metadata and file formats)
  • Malicious Documents modified using attack tools
  • Basic Macro-enabled Documents that execute programs on user devices

These samples were sent via Proton Mail to addresses on iCloud Mail, Gmail, Outlook, Yahoo! Mail, and AOL.

3. Shockingly Bad Detection Rates

The study’s findings were alarming:

  • iCloud Mail and Gmail failed to deliver any of the malicious samples. Their malware detection mechanisms worked effectively.
  • Outlook, Yahoo! Mail, and AOL delivered the samples, leaving users potentially exposed to threats.

Implications and Recommendations

1. User Awareness and Caution

  • Users must exercise caution when opening email attachments, even from seemingly legitimate sources.
  • Educate users about the risks associated with opening attachments, especially those from unknown senders.

2. Email Providers Must Step Up

  • Email service providers need to prioritize malware detection.
  • Regularly update and enhance their security protocols to prevent malicious attachments from reaching users’ inboxes.
  • Collaborate with cybersecurity experts to stay ahead of evolving threats.

3. Multi-Layered Defense

Implement multi-layered security measures:

  • Attachment Scanning: Providers should scan attachments for malware before delivery.
  • Behavioral Analysis: Monitor user behavior to detect suspicious patterns.
  • User Training: Educate users about phishing and safe email practices.

4. Transparency and Reporting

  • Email providers should transparently report their detection rates and improvements.
  • Users deserve to know how well their chosen service protects them.

What next?

Always think before you click. The SquareX study serves as a wake-up call for email service providers. As the digital landscape evolves, robust email security is non-negotiable. Let’s bridge the gaps, protect users, and ensure that our inboxes remain safe havens rather than gateways for malware.
Read more »
Vulnerabilities
AI workload scaling Anyscale CVE Cyber Security Cybersecurity hacking campaign python Ray Framework ShadowRay Vulnerabilities

Hackers Exploit Flaw in Ray Framework to Breach Servers

 

The Ray framework, a tool for scaling AI and Python workloads in open source, has been found vulnerable to multiple flaws that enable hackers to take control of devices and pilfer sensitive data. Cybersecurity researchers from Oligo disclosed their discoveries about a new hacking campaign named “ShadowRay”.

Operating since early September 2023, ShadowRay targeted various sectors including education, cryptocurrency, and biopharma by exploiting five distinct vulnerabilities in Ray. Four of these vulnerabilities, identified as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023, were patched by Anyscale, the developer of Ray. However, the fifth vulnerability, labelled as a critical remote code execution (RCE) flaw and tracked as CVE-2023-48022, remained unaddressed.

Anyscale defended the unpatched vulnerability, stating that it was a deliberate decision rather than a bug, as Ray lacks built-in authentication. They indicated their intention to introduce authentication in a future release as part of a defense-in-depth strategy. Anyscale argued that exploitation of this RCE flaw would only be feasible in deployments deviating from their recommended network environment controls.

In contrast, Oligo criticized Anyscale's stance, highlighting that disputing the CVE left many developers unaware of potential security risks. They termed the unresolved CVE as a "shadow vulnerability", explaining that it could lead to breaches despite not being detected in static scans. 

Oligo observed numerous instances of the CVE-2023-48022 actively exploited in the wild, resulting in compromised Ray servers and the theft of sensitive data, including AI models and production database credentials, along with instances of cryptominer installations.


Read more »
wireless chargers
Academic attacks Cyber Security electromagnetic interference Researchers Security VoltSchemer Vulnerabilities wireless chargers

Researchers Develop 'VoltSchemer' Assaults Aimed at Wireless Charging Systems

 

A team of researchers from the University of Florida, collaborating with CertiK, a Web3 smart contract auditor, have uncovered potential security threats in wireless charging systems. Their research introduces new attack methods, named VoltSchemer, which exploit vulnerabilities in these systems by manipulating power supply voltages.

The VoltSchemer attacks, outlined in a research paper, target weaknesses in wireless charging setups, allowing attackers to disrupt charging devices, tamper with voice assistants, and override safety mechanisms outlined in the Qi standard. Notably, these attacks utilize voltage fluctuations from the power source, requiring no direct modifications to the chargers themselves.

While wireless chargers are generally considered more secure than wired alternatives due to their reliance on near-field magnetic coupling, the researchers argue that they are still susceptible to manipulation. By tampering with power signals, attackers could potentially compromise communication between the charger and the device being charged, leading to malicious actions.

The underlying issue lies in the susceptibility of wireless chargers to electromagnetic interference (EMI) caused by voltage fluctuations. This interference can modulate the power signals transmitted by the charger, enabling attackers to manipulate the magnetic field produced and issue unauthorized commands to connected devices.

In their experiments, the researchers tested the VoltSchemer attacks on nine commercially available wireless chargers, all of which were found to be vulnerable. By inserting a disguised voltage manipulation device, such as a modified power port, between the power adapter and the charger, the researchers successfully executed the attacks.

The consequences of these attacks were significant, with charging smartphones experiencing overheating and devices such as key fobs, USB drives, SSD drives, and NFC cards being permanently damaged or destroyed. The researchers emphasize that the root cause of these vulnerabilities lies in the lack of effective noise suppression in certain frequency bands within wireless charging systems.

Overall, the findings highlight the potential risks associated with wireless charging technologies and underscore the need for improved security measures, especially in high-power systems like electric vehicle (EV) wireless charging.
Read more »
Vulnerabilities and Exploits
cyber attack Cyberattacks Ivanti system hacked USA VPN Vulnerabilities Vulnerabilities and Exploits

Ivanti US Faces Security Crisis, Threatening Worldwide Systems


In a recent development, a critical server-side request forgery (SSRF) vulnerability has been discovered in Ivanti Connect Secure and Ivanti Policy Secure servers, marked as CVE-2024-21893. Security experts have confirmed that this vulnerability is being actively exploited by multiple attackers, raising concerns over the security of affected systems worldwide. 

Let's Understand SSRF and Its Impact 

SSRF vulnerabilities allow attackers to send crafted requests from the vulnerable server, potentially leading to unauthorized access to internal resources, sensitive data exposure, or even full system compromise. Imagine you have a key to open doors in a building. Now, imagine someone tricks you into using that key to open doors you are not supposed to. That is what happens in an SSRF attack. 

Normally, a website can only talk to the outside world through your web browser. But in an SSRF attack, the bad guys make the website talk to other places it is not supposed to, like secret internal parts of a company's network or even random outside websites. This can lead to big problems. 

For example, if the website connects to a secret part of a company's network, the bad guys might steal important information. Or if it connects to a random website, it might give away sensitive data, like your passwords or credit card numbers. 

Ivanti and the Vulnerabilities 

Ivanti raised the alarm about a critical flaw in the gateway's SAML components on January 31, 2024. This vulnerability, identified as CVE-2024-21893, was immediately classified as a zero-day exploit, indicating that hackers were already taking advantage of it. Initially, the impact seemed limited, affecting only a small number of customers. 

However, the exploitation of CVE-2024-21893 opened the door for attackers to sidestep authentication measures and gain unauthorized access to restricted resources on vulnerable devices, specifically those operating on versions 9.x and 22.x. 

Now, according to the threat monitoring service Shadowserver, the situation has escalated. They have detected numerous attackers capitalizing on the SSRF bug, with a staggering 170 unique IP addresses attempting to exploit the vulnerability. This widespread exploitation poses a significant threat to the security of affected systems and the data they hold. 

The disclosure of CVE-2024-21893 revealed a series of critical vulnerabilities affecting Ivanti Connect Secure and Policy Secure VPN appliances. Alongside CVE-2024-21893, two other zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, were also identified on January 10, 2024, prompting Ivanti to release temporary mitigations. 

These vulnerabilities were exploited by the Chinese espionage threat group UTA0178/UNC5221, resulting in the installation of webshells and backdoors on compromised devices. Despite initial mitigations, attackers managed to bypass defenses, compromising even device configuration files. 

What Measures Company is Taking? 

Ivanti postponed firmware patches scheduled for January 22 due to the sophisticated nature of the threat. Given the active exploitation of multiple critical zero-days, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has mandated federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances. 

Only devices that have been factory reset and updated to the latest firmware should be reconnected. However, older versions without a patch remain vulnerable. While this directive is not compulsory for private organizations, they are strongly advised to assess the security status of their Ivanti deployments and overall environment, considering the potential risks posed by these vulnerabilities. 

About the Company 

Ivanti is a company based in Utah, USA, that makes different kinds of computer software for things like keeping your computer safe, managing IT services, tracking IT assets, managing all your devices from one place, controlling who has access to what, and managing the supply chain. It was created in 2017 when two companies, LANDESK and HEAT Software, joined together. Later, they also bought another company called Cherwell Software. Ivanti became more famous because of some big problems with the security of the VPN hardware they sell.
Read more »
Vulnerabilities
connected gadgets Cyber Security Cyber Threats Data Privacy IoT Network Security Remote Work Risks Smart Devices Vulnerabilities

Unveiling the Unseen Cybersecurity Threats Posed by Smart Devices

 

The number of smart devices worldwide has surpassed the global population, with a continuous upward trend, particularly amidst remote and hybrid work settings. Ranjit Atwal, Gartner's senior research director, attributes this surge to the increase in remote work. As work mobility grows, the demand for connected devices like 4G/5G laptops rises, crucial for employees to work from anywhere.

Smart devices encompass gadgets connecting to the internet, like smart bulbs, speakers (e.g., Amazon's Alexa), and wearables such as the Apple Watch. They collect data, enhancing user experience but also pose security risks exploited by cybercriminals. Surprisingly, consumers often overlook security when purchasing smart devices, as shown by Blackberry's research.

In response, the European Union proposed the "Cyber Resilience Act" to enforce cybersecurity standards for all connected devices. Failure to comply may result in hefty fines. Margrethe Vestager from the European Commission emphasizes the need for market products to meet robust cybersecurity measures, likening it to trusting CE-marked toys or fridges.

Security vulnerabilities in smart devices pose threats, as seen in TP-Link's smart lightbulb. Exploiting these vulnerabilities could grant hackers access to networks, risking data and enabling potential malware deployment. Even smart homes face numerous entry points for hackers, as illustrated by investigations conducted by Which?, showcasing thousands of hacking attempts in a week.

Mirai botnet targets smart devices, using brute-force attacks to gain access via weak passwords. In a concerning case, a Google Home speaker was turned into a wiretap due to vulnerabilities, highlighting the potential risks associated with unsecured devices.

Securing home networks becomes paramount. Strategies include:

1. Purposeful Device Selection: Opt for devices that suit your needs, avoiding unnecessary interconnected gadgets.
2. Router Security: Update router settings, change default passwords, and enable automatic firmware updates.
3. Password Management:Use password managers to create strong and unique passwords for each account.
4. Multi-Factor Authentication (MFA): Employ MFA to add layers of verification during logins.
5. Wi-Fi Network Segmentation: Create separate networks for different devices to isolate potential threats.
6. Virtual Private Networks (VPNs):Invest in VPNs to encrypt online activities and protect against cyber threats on unsecured networks.

Implementing these measures strengthens overall cybersecurity, safeguarding personal data and devices from potential breaches and threats.
Read more »
Vulnerabilities
Cryptojacking Cryptojacking Campaign Imperva Imperva Threat Research malware Oracle Weblogic Server Threat research TTPs Vulnerabilities

Imperva Report Previously Undocumented 8220 Gang Activities


Imperva Threat Research team has recently discovered a previously unreported activity from the 8220 gang, which is well-known for mass-deploying a range of constantly evolving TTPs to distribute malware in large quantities. The threat actor has a history of using cryptojacking malware to target Linux and Windows web servers.

The researchers reported the issue in a blog, discussing the group’s attack tactics, recent activities, and indicators of compromise (IoCs) from the threat actor’s most recent campaign. Customers of Imperva are shielded from the known actions of this group. All firms are required to keep their security and patching up-to-date. 

History of the Threat Actor

The 8220 gang, which is believed to be a China-based group, was initially discovered in 2017 by Cisco Talos. The targets include Apache Struts2, Hadoop YARN, and Drupal systems, where the threat actors transmitted cryptojacking malware. Since then, a number of additional researchers have offered updates on the group's growing tactics, methods, and procedures (TTPs), which include making use of vulnerabilities in Log4j and Confluence. The group's use of the Oracle WebLogic vulnerability CVE-2017-3506 to infect specific systems was most recently shown by Trend Micro.

Evolving TTPs

The Imperva Threat Research disclosed the use of malware identified as CVE-2021-44228 and CVE-2017-3506. Also, the researchers revealed that the threat group exploited CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to spread malware.

This vulnerability, frequently linked with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or using compromised, stolen, or leaked credentials, permits remote authenticated attackers to execute code via a gadget chain. The documented exploitation of these vulnerabilities is extensive. This way, it is easier to modify for the distribution of malware. 

The 8220 gang employs two distinct gadget chains: one allows an XML file to be loaded, and this file contains a call to another gadget chain that allows commands to be executed on the operating system.

The report further notes that Imperva Cloud WAF and on-prem WAF have addressed the issues already by mitigating flaws that were used by the 8220 gang for conducting their malicious activities. Some of these vulnerabilities have been listed below:

  • CVE-2017-3506 – Oracle WebLogic Server RCE 
  • CVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization 
  • CVE-2020-14883 – Oracle WebLogic Server Authenticated RCE 
  • CVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE 
  • CVE-2021-44228 – Apache Log4j JNDI RCE 
  • CVE-2022-26134 – Atlassian Confluence Server RCE  

Read more »
Vulnerabilities
Crypto Currency cryptocurrency Cyberattacks Cybersecurity Data Breach database Gokumarket Vulnerabilities

Massive Data Breach at Gokumarket: Over a Million Users' Information Exposed

 


Several days before the leak, the GokuMarket team found an unprotected MongoDB instance, which was storing information about its users, namely those who bought and sold crypto on the exchange. In GokuMarket's case, it is the details of more than a million customers and admin users of the company that are stored in MongoDB in the form of large chunks of document-oriented information. 

Several users of GokuMarket, the centralized crypto exchange owned by ByteX and operated by its staff, have had their records revealed thanks to an open instance, according to a Cybernews investigation. 

With offices in Canada, the European Economic Area, and India, ByteX is a licensed and regulated CeDeFi platform that offers its services in those countries. It is ByteX's goal to bridge the best of both worlds by providing a KYC-verified platform with a compliant DeFi architecture, thus enabling a smooth transition from traditional to crypto credit infrastructure by reinventing it with transparency. 

The Gokumarket cryptocurrency exchange, one of the world's leading crypto exchanges, recently suffered a massive data breach, resulting in the disclosure of sensitive information belonging to over a million users. This is quite a significant and alarming development. 

In light of this breach, significant concerns are raised regarding the security infrastructure of the platform and the potential implications of the breach on the affected users. As a result of GokuMarket's decision, which had around a million users, denying users the option to withdraw their funds in mid-2022, which was a disastrous year for the crypto markets at the time, the company almost went bankrupt. 

GokuMarket faced the harsh reality of insolvency and financial bankruptcy as a result of the crypto market crash that occurred in early 2018. To assist users in safeguarding and protecting their interests, ByteX provided alternative solutions that were in comparison to what ByteX had originally offered. 

There has been considerable turbulence in the market in the aftermath of the recent collapse of several giants, which has also affected the stability of GokuMarket. In acquiring the platform's custodial users, we are making a conscious decision to safeguard and protect both its assets and its users from further challenges. 

It has been discovered that GokuMarket has a database that has been exposed on the web for a considerable period, which is why it was only detected in October 2023 and secured the next day after researchers sent a responsible disclosure note. However, the database could have been accessed by anyone for a considerable amount of time. 

An extensive user base, encompassing an estimated one million people, has been able to access a substantial repository of sensitive data, previously kept in a secure environment. In addition to IP addresses and geographical locations, the information compiled includes information about the users' dates of birth, their first and last names, as well as their mobile phone numbers. 

The encrypted passwords, the crypto wallet addresses, as well as their cryptocurrency wallet addresses, are all compiled in this study. Concern over the security and privacy of the affected individuals is significant in light of this breach of data. 

A persistent attacker could easily use this information to develop a spear-phishing campaign, which would likely involve draining the user's crypto funds, as the researchers believe that there is more than enough information to do so. There was also a revelation that the database, which had full-admin access, held 35 accounts that contained all sorts of sensitive information, including private Telegram channel IDs, secret exchange tokens, passwords and other highly sensitive information. 

A far more dangerous can of worms arises when attackers exploit admin access details to scam users of other platforms, with the ability to steal en-masse and transfer money to their accounts that would otherwise not be there. This is all possible through credential stuffing attacks, which can take advantage of individual user data to target exposed users. 

Using official Telegram channels for malicious purposes, attackers can manipulate the market if a leak of this nature arises. Although the official GokuMarket Telegram channel has not been active since September 2022, scammers are still attempting to impersonate brands within the crypto community to gain their attention.
Read more »
Vulnerabilities
Breach Threat Cyberattacks CyberCrime Cybersecurity Data Breach Opensource OwnCloud Vulnerabilities

Data Breach Threat: OwnCloud Users Urged to Patch Vulnerabilities Now

 


The maintainers of ownCloud, a popular open-source file-sharing software, have recently issued an alert regarding three critical security flaws that could have severe consequences. The flaws have become known through a recent announcement by ownCloud's maintainers. 

Several vulnerabilities in ownCloud pose a significant risk to the security and privacy of users, as they could allow sensitive information to be exposed and files to be modified unauthorized, compromising the security and privacy of users in ownCloud. 

A CVSS score of 10.0 has been assigned to the first vulnerability, which affects containerized deployments. This vulnerability requires the disclosure of sensitive credentials and configurations in order to exploit it. An important flaw in graphapi versions ranging for 0.2.0 to 0.3.0 has been exploited against graphapi. 

If an attacker is able to access a particular URL, crucial details about a PHP environment, including variables used to control a web server, could be revealed. The environment variables of containerized deployments may contain sensitive data such as the administrator password for the OwnCloud system, the credentials for the email server, and the license key for the software. 

Among the three critical security vulnerabilities that have been discovered in the open source file sharing software ownCloud is a vulnerability that could expose passwords for administrators and credentials for the mail server. 

The OpenSource OwnCloud system is a solution that allows users to sync and share files individually or as a team based on a self-hosted platform that allows users to access and manage files from anywhere. In addition to businesses, educational institutions, government agencies, and individuals who prefer to maintain control over their data, a cloud storage program is also used by businesses and enterprises, educational institutions, government agencies, and individuals who are conscious of their privacy.

In addition to its ownCloud site reporting that 200 million users are using OwnCloud, it also reports 600 enterprise customers. There have been three security bulletins issued by the development team behind OwnCloud this past week stating that the project could be severely compromised due to three different vulnerabilities in the project's components. 

CVE-2023-49103 is the first flaw identified, which has a CVSS v3 score of 10. This flaw allows for the theft of credentials and configuration information in containerized deployments, and it impacts all of the server's environment variables as well. 

OwnCloud recommends that immediate action be taken in order to mitigate this issue, such as deleting a particular file and disabling the PHPinfo function. It is also advised that users should change the password for the ownCloud admin account, their mail server and database credentials, as well as their access codes for Object-Store and Amazon S3. 

In order to resolve this issue, it is recommended that the  ownCloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file be deleted, Docker containers should be disabled from executing the phpinfo function, and that secrets such as the ownCloud admin password, mail server, database credentials, and Object-Store/S3 access keys be changed. 

A second vulnerability, rated 9.8, can be used by malicious actors to bypass WebDAV API authentication using pre-signed URLs, which has a CVSS score of 9.8. As a result of this vulnerability, users have the ability to access, modify, or delete files without their consent when their username is known and their signing key is not configured, but it impacts core versions from 10.6.0 to 10.13.0. 

Lastly, ownCloud has made a warning about a security vulnerability discovered in oauth2 before version 0.6.1 that can bypass the validation process for subdomains. By bypassing the validation code, this vulnerability enables an attacker to redirect callbacks to a top-level domain (TLD) controlled by them, which has a CVSS score of 9.0. 

OwnCloud suggests that as a temporary solution to this issue, you disable the "Allow Subdomains" option and harden the validation code in the OAUTH2 application. In the event that the user's username is known and the sign-key has not been configured (the default setting), attackers can access, edit, or delete any file without authentication. 

It has been published that the pre-signed URLs cannot be used unless a signing key has been set up for the file owner. This can be fixed by denying the use of pre-signed URLs. There is also a third flaw (CVSS v3 score: 9) that affects all versions of the oauth2 library below version 0.6.1, which is a subdomain validation bypass vulnerability. 

The attacker can inject a specially crafted redirect URL into the Oauth2 app that bypasses the validation code, allowing the attacker's callbacks to be redirected to his own domain. As a temporary workaround, a temporary workaround is provided in the bulletin of the Oauth2 application. It is recommended that the validation code be hardened in the Oauth2 application. 

Three security flaws described in the bulletins significantly damage the security and integrity of ownCloud, potentially exposing sensitive information to phishing attacks, stealthy data theft, and other possible malicious activities. Various ransomware groups have been using vulnerabilities in file-sharing platforms to steal data from thousands of companies around the world, and are using them as part of their attacks on companies that use file-sharing platforms. 

As a result of this disclosure, a proof-of-concept (PoC) exploit for a critical remote code execution vulnerability (CVE-2023-43177) has been released for the CrushFTP solution. If exploited by an unauthenticated attacker, the attacker could gain access to files, run arbitrary programs on the host, and obtain plain-text passwords through the application. Converge security researcher Ryan Emmons discovered and reported the issue, and the issue has been resolved since CrushFTP 10.5.2, the version that was released on August 10, 2023, addressed this issue.
Read more »
Vulnerabilities
AutoZone Faces Cyber Attacks CyberCrime Data Breach MOVEit Ransomware Vulnerabilities

AutoZone Faces Data Breach Headache as MOVEit System Compromised

 


Almost 185,000 individuals have been informed that their personal information has been compromised due to the recent data breach at the American car parts company AutoZone. MOVEit Transfer managed file transfer application was exploited by cybercriminals to steal sensitive information including the social security number of its users as well as other private information. 

There have been no reports so far that the exposed information has been used for fraudulent activity as a result of this alarming breach, yet AutoZone has assured its customers that there has been no evidence that such information has been misused. A credit monitoring service and identity protection services are complimentary as a preventative measure for customers who are affected by this issue. 

It has been reported that AutoZone did suffer a data breach due to an attack on the file transfer service Clop MOVEit where they lost data for tens of thousands of its customers. With over 7 140 locations in the U.S., and also in Brazil, Mexico, and Puerto Rico, AutoZone is the country's number one retailer and distributor of automotive spare parts and accessories. 

There are approximately 17.5 billion dollars in revenue generated each year by the company, 119,000 jobs are created by the company, and 35 million monthly users visit the company's online shop, as reported by similarweb.com statistics. It has come to AutoZone's attention that an unauthorized third party exploited a vulnerability associated with MOVEit and exfiltrated certain information from an AutoZone system supported by the MOVEit application, the company said in a notice published last week. 

The AutoZone company was found on or about August 15, 2023, to be responsible for the exfiltration of certain data as a result of the exploiting of a vulnerability in the MOVEit application." Despite not specifying what type of data has been stolen, the filing with the Maine Attorney General states "full names" and "social security numbers." This information is sufficient for identity theft or even wire fraud to occur.  

An archive of 1.1 gigabytes contains employee names, emails, details about parts supplies, tax information, payroll documents, Oracle databases, and much more, and many other data. The archive seems to have spared customers from this issue. AutoZone has been operating for over 7,000 years and employs close to 120,000 people across the US, making it a major retailer of spare car parts. 

Since late May, a staggering number of organizations have been affected by the MOVEit software vulnerability, which has been tracked as CVE-2023-34362. According to data collected from Huntress with industry collaborators, there have not been any notable exploits of the identified vulnerability since the discovery in late May 2023, as MoveIt found the patch for vulnerability by 31st May 2023.

It is conceivable that a malicious actor equipped with an effective exploit for a service characterized by high availability, making it resistant to swift patching, and commonly accessible from external sources, would persist in capitalizing on this opportunity. However, contrary to this expectation, the broader security community has noted an initial surge in activity, followed by a marked decrease or absence of actions as the calendar transitioned into June. 

In an update issued by cybersecurity firm Emsisoft on November 21, it was reported that over 2,620 organizations, either directly or indirectly, had been impacted by this breach, with an overall count of over 77 million individuals having been affected as a result. 

Many US schools and the state of Maine are among the victims in this extensive list, along with Siemens Energy, Schneider Electric, and Shell, among other big-name energy companies. In the wake of the MOVEit hack, organizations have suffered significant disruptions and financial losses in a variety of industries and sectors as a result.

Keeping vigilance in the face of ever-evolving threats and robust cybersecurity measures is essential for the protection of all data, including AutoZone's, as a stark reminder of the importance of robust cybersecurity measures. 

For businesses that are more reliant on digital tools and technologies, it becomes even more crucial for them to prioritize secure data management, regularly update software, and implement multilayered security protocols to avoid potential breaches of data security. 

As AutoZone has taken immediate action to address this breach, businesses of all sizes should take the opportunity to learn from this incident and strengthen their cybersecurity defences to protect their customers' personal information and prevent future breaches from occurring. To do so, one needs to invest in advanced threat detection systems, conduct regular security audits, and train employees in cybersecurity best practices to prevent future breaches. 

To maintain the trust and confidence of their stakeholders, organizations have to remain vigilant in protecting sensitive data and prioritizing the security of their digital infrastructure to ensure that cyber threats do not increase their level of sophistication.
Read more »
Subscribe to: Posts (Atom)