Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Vulnerability and Exploits. Show all posts
Vulnerability and Exploits
Airport Security SQL Injection TSA Bug User Security Vulnerability and Exploits

Security Experts Detect SQL Injection to Bypass Airport TSA Security Checks

 

Security experts discovered a flaw in a critical air transport security system, allowing unauthorised personnel to possibly bypass airport security screenings and get access to aircraft cockpits.

Researchers Ian Carroll and Sam Curry uncovered the security vulnerability in FlyCASS, a third-party web-based service used by some airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). KCM is a Transportation Security Administration (TSA) project that lets pilots and flight attendants bypass security screening, whereas CASS allows authorised pilots to use jump seats in cockpits while flying. 

ARINC, a Collins Aerospace subsidiary, runs the KCM system, which uses an online platform to authenticate airline personnel' credentials. Access is granted without a security screening by scanning a KCM barcode or inputting an employee number, which is subsequently cross-checked with the airline's database. Likewise, when pilots need to commute or travel, the CASS system authenticates them for access to the cockpit jumpseat. 

The researchers observed that FlyCASS's login mechanism was vulnerable to SQL injection, which allows hackers to enter SQL commands into malicious database queries. By leveraging this flaw, they could log in as an administrator for a partnering airline, Air Transport International, and change personnel data in the system. 

The attackers also created a fictional employee named "Test TestOnly," and gave this account access to KCM and CASS, allowing them to "skip security screening and then access the cockpits of commercial airliners.” 

"Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners," Carroll stated. 

The researchers promptly contacted the Department of Homeland Security (DHS) on April 23, 2024, after recognising the gravity of the situation. The researchers chose not to contact the FlyCASS site directly since it appeared to be managed by a single individual, and they were concerned that the disclosure would alarm them. 

The DHS responded by acknowledging the severity of the vulnerability and confirming that FlyCASS was unplugged from the KCM/CASS system on May 7, 2024, as a preventative step. Soon after, FyCASS's vulnerability was addressed. However, efforts to organise a safe disclosure of the vulnerability were thwarted when the DHS stopped answering to their emails. 

The researchers also received a response from the TSA press office denying the gravity of the vulnerability and claiming that the system's vetting procedure would stop unauthorised access. The TSA also discreetly removed information that contradicted its claims from its website after being notified by the researchers.

"After we informed the TSA of this, they deleted the section of their website that mentions manually entering an employee ID, and did not respond to our correction. We have confirmed that the interface used by TSOs still allows manual input of employee IDs," Carroll added.
Read more »
Zero-day Flaw
Browser Chrome User Security Vulnerability and Exploits Zero-day Flaw

'0.0.0.0 Day' Vulnerability Puts Chrome, Firefox, Mozilla Browsers at Risk

 

A critical security bug known as "0.0.0.0 Day" has shook the cybersecurity world, leaving millions of users of popular browsers such as Chrome, Firefox, and Safari vulnerable to future assaults. This vulnerability allows malicious actors to possibly gain access to files, messages, credentials, and other sensitive data saved on a device within a private network, specifically "localhost.” 

What is 0.0.0.0 day flaw?

The term "0.0.0.0 Day" refers to a new vulnerability identified by Israeli cybersecurity startup Oligo that hackers can exploit before a fix is released. The zeroes indicate a lack of prior information or awareness of flaws. This makes it especially risky because users and developers are taken completely off guard. 

According to the research, the exploit consists of fraudulent websites luring browsers into allowing them to interface with APIs (Application Programming Interfaces) running on a user's local PC. These APIs are primarily intended for internal communication within applications and should not be available from other sources, such as websites. Attackers that exploit the 0.0.0.0 Day vulnerability could possibly get unauthorised access to sensitive information saved on a user's device, steal data, or even launch malware. 

Impact on key browsers 

The security ramifications of this issue are extensive. Here's a closer look at the possible impact on major browsers. 

Chrome zero-Day vulnerability: Google Chrome, the world's most popular browser, is an obvious target for attackers. A successful exploit of the 0.0.0.0 Day bug could allow criminals to get beyond Chrome's security measures and get access to a user's local network. This could expose sensitive information kept on a user's PC, compromise corporate networks if a user works remotely, or even aid in the installation of malware. 

Firefox zero-day vulnerability: Although Firefox is not as extensively used as Chrome, it is a popular choice for many consumers. A successful exploit of the 0.0.0.0 Day vulnerability may have similar repercussions for Firefox users. Attackers could potentially obtain access to local networks, steal data, or carry out malware attacks. 

Safari Zero-Day vulnerability: The 0.0.0.0 Day vulnerability could also affect Apple's Safari browser, which is the default browser on all Apple devices. While Apple has a reputation for strong security, this vulnerability underlines the ongoing need for vigilance. A successful exploit can allow attackers access to a user's local network on a Mac or iOS device, possibly compromising private information or aiding new assaults. 

The disclosure of the 0.0.0.0 Day vulnerability underlines the ongoing challenge of ensuring browser security in an increasingly complicated threat ecosystem. Browser developers must continue to invest in R&D to remain ahead of thieves. Users must also be cautious and follow best practices to safeguard themselves from emerging risks.
Read more »
Zero Day
Browser Data Google Chrome Vulnerability and Exploits Zero Day

Google Issues Emergency Update for New Chrome Vulnerability

 



Google has announced an urgent security update for its Chrome browser to fix a newly discovered vulnerability that is actively being exploited. This recent flaw, identified as CVE-2024-5274, is the eighth zero-day vulnerability that Google has patched in Chrome this year.

Details of the Vulnerability

The CVE-2024-5274 vulnerability, classified as high severity, involves a 'type confusion' error in Chrome's V8 JavaScript engine. This type of error occurs when the software mistakenly treats a piece of data as a different type than it is, potentially leading to crashes, data corruption, or allowing attackers to execute arbitrary code. The vulnerability was discovered by Google security researcher Clément Lecigne.

Google has acknowledged that the flaw is being exploited in the wild, which means that malicious actors are already using it to target users. To protect against further attacks, Google has not yet disclosed detailed technical information about the flaw.

To address the issue, Google has released a fix that is being rolled out via the Chrome Stable channel. Users on Windows and Mac will receive the update in versions 125.0.6422.112/.113, while Linux users will get the update in version 125.0.6422.112. Chrome typically updates automatically, but users need to relaunch the browser for the updates to take effect. To ensure the update is installed, users can check their Chrome version in the About section of the Settings menu.

Ongoing Security Efforts

This marks the third actively exploited zero-day vulnerability in Chrome that Google has fixed in May alone. Earlier this year, Google adjusted its security update schedule, reducing it from twice weekly to once weekly. This change aims to close the patch gap and reduce the time attackers have to exploit known vulnerabilities before a fix is released.

Previous Zero-Day Vulnerabilities Fixed This Year

Google has been actively addressing several critical vulnerabilities in Chrome throughout 2024. Notable fixes include:

1. CVE-2024-0519: An out-of-bounds memory access issue in the V8 engine, which could lead to heap corruption and unauthorised data access.

2. CVE-2024-2887: A type confusion vulnerability in the WebAssembly standard, which could be exploited for remote code execution.

3. CVE-2024-2886: A use-after-free bug in the WebCodecs API, allowing arbitrary reads and writes, leading to remote code execution.

4. CVE-2024-3159: An out-of-bounds read in the V8 engine, enabling attackers to access sensitive information.

5. CVE-2024-4671: A use-after-free flaw in the Visuals component, affecting how content is rendered in the browser.

6. CVE-2024-4761: An out-of-bounds write issue in the V8 engine.

7. CVE-2024-4947: Another type confusion vulnerability in the V8 engine, risking arbitrary code execution.

Importance of Keeping Chrome Updated

The continuous discovery and exploitation of vulnerabilities surfaces that it's imperative to keep our softwares up to date. Chrome’s automatic update feature helps ensure users receive the latest security patches without delay. Users should regularly check for updates and restart their browsers to apply them promptly.

Overall, Google’s quick response to these vulnerabilities highlights the critical need for robust security measures and careful practices in maintaining up-to-date software to protect against potential cyber threats.


Read more »
Vulnerability and Exploits
Chinese Hackers Cyber Hackers CyberCrime Cybersecurity Exploitation VMware Vulnerability and Exploits

Undetected Threat: Chinese Hackers' Long-Term VMware Exploitation

 


CVE-2023-34048 is a pathogen that can be exploited remotely by an attacker who has network access to execute arbitrary code remotely due to an out-of-bounds write flaw found in VMware’s DCERPC implementation, which can be tracked as CVE-2023-34048 (CVSS 9.8). 

As a result of the severity of the problem and the lack of workaround, VMware released patches for this vulnerability in October, noting that the patch was also available for versions of its products that had reached the end-of-life period (EOL). 

There has been some reported exploitation of CVE-2023-34048 in the wild since last week, according to the virtualization technology company's advisory, but it does not provide any specific details on the attacks observed. 

A zero-day vulnerability in VMware and Fortinet devices has been exploited by Chinese state-sponsored hackers named UNC3886 for years, experts have revealed, indicating that they have long exploited this vulnerability. 

Earlier this week, Mandiant issued a report alleging that a group was exploiting the vulnerability to deploy malware, steal credentials, and ultimately exfiltrate sensitive information. The security patch was released in late October of 2023, and it carries a severity rating of 9.8/10 (critical). 

The flaw is described as an out-of-bounds write flaw that can allow attackers who have access to the VirtualCenter Server to execute code remotely. Cyberspies took advantage of this to gain access to their targets' vCenter servers and to use the compromised credentials to install maliciously crafted vSphere Installation Bundles (VIBs) on ESXi hosts with VirtualPita and VirtualPie backdoors via maliciously crafted backdoors. 

Next, the attackers exploited a VMware Tools authentication bypass flaw in CVE-2023-20867 to gain access to guest virtual machines, harvest files, and exfiltrate them. Although Mandiant was not yet certain how the attackers acquired privileged access to victims' VMware servers, a VMware service crash minutes before the backdoors were deployed made it evident that the link was established by a VMware service crash, which closely coincided with the exploit of CVE-2023-34048 in late 2023.

It has been revealed by Mandiant that the zero-day attacker targeting VMware has been exploiting CVE-2023-34048 as a zero-day weaponized by them, allowing them to gain privileged access to the vCenter system, enumerate all VMware ESXi hosts and their virtual machines which they are connected to, and gain access to the vCenter server. 

Next, the adversary will be able to connect directly to the hosts by retrieving the cleartext "vpxuser" credentials for the hosts and connecting to them directly to install the malware VIRTUALPITA and VIRTUALPIE, allowing them to interact with them directly. 

As Mandiant revealed in June 2023, this paves the way for exploiting another VMware flaw, (CVE-2023-20867, CVSS score: 3.9). As a consequence, arbitrary commands can be executed on guest VMs and files can be transferred between the guest virtual machines from a compromised ESXi host using this flaw. 

As Mandiant pointed out in their analysis, the same crashes were observed in several UNC3886 intrusions that began in late 2021, suggesting the attacker had access to the vulnerability for approximately one and a half years. As well as removing the 'vmdird' core dumps from the compromised environments, the cybersecurity firm observed that they had also preserved the log entries to cover their tracks. 

With the release of the 8.0U2 update from VMware, the vulnerability found in vCenter version 8.0U2 has been patched. The patches are available for vCenter Server versions 8.0U1, 7.0U3, 6.7U3, 6.5U3, VCF 3.x, as well as Async vCenter Server Versions 5.x and 4.x.
Read more »
Vulnerability and Exploits
Cyber Threats Cyberattacks Vulnerabilities and Exploits Vulnerability and Exploits

Ransomware Group DEV-0569 Exhibits Remarkable Innovation, Microsoft Issues a Warning

 


There are many types of ransomware and they generally start with spam and then move to infect the system with ransomware. 

As per a report published by the computing giant this week, the DEV-0569 cyberattack group, tracked by Microsoft Security Threat Intelligence, has been spotted enhancing its detection, detection evasion, and post-compromise payloads as it continues to advance its detection capabilities. 

A specific characteristic of DEV-0569 is that it uses malvertising and phishing links in spam emails and fake forum pages to convince the recipient to download a malware downloader masquerading as a software installer or update, the Microsoft researchers added. 

As a result of the group's innovations in just a few months, the Microsoft team was able to observe the group's actions. These included hiding malicious links in contact forms and burying fake installers on legitimate download sites. They also used Google ads to mask the group's malicious activity through their advertising campaigns. 

The Microsoft team explained that the malware payloads for DEV-0569 are encrypted and delivered as signed binaries, according to their report. In recent campaigns, the group has also been seen to use the open-source tool NSUDO in an attempt to disable antivirus solutions, as the group is well-known for relying heavily on defense evasion techniques to get around defenses. 

DEV-0569 has proven successful, and Microsoft Security described the group as a platform where other ransomware operations can use DEV-0569 as an access broker. 

Cyberattacks: How Ingenuity Can Counter Them 

Apart from the new tricks, Mike Parkin, senior technical engineer at Vulcan Cyber, notes that the threat group effectively adjusts its campaign tactics along the edges. Despite this, they depend on users making mistakes during the process. The key to ensuring a successful defense program is to educate the user, according to Mike Parkin. 

Dark Reading reports that the phishing and malvertising attacks reported here entirely depend on the user interacting with the lure to make the attacks successful. As a consequence, when the user does not interact with the system, there is no security threat. 

According to Mike, Security teams need to keep an eye on the latest exploits and malware being deployed in the wild to stay ahead of the game, alongside a certain level of user awareness and education is necessary for the user community to become a solid line of defense instead of being the main attack surface. 

Controls in IAM are important 

IAM controls are an important part of RSA's identity and access management (IAM) team recommendations, according to Robert Hughes, RSA CISO. 

Despite the inability to prevent malware at the human and endpoint level, strong identity and access governance can assist in controlling the spread of malware. This can limit its impact. For instance, Hughes says that it is possible to stop authorized individuals from clicking a link or installing software that they are authorized to install. This is done by preventing them from clicking on a link. Having your data and identities protected from ransomware attacks will help to mitigate the damage that could be caused by such attacks in the future - and it will also make it easier to re-image your endpoints when it comes to resolving the issue. 

As Phil Neray of CardinalOps confirms, we are on the right track. According to him, security teams must also focus on minimizing the fallout after a hacker successfully downloads and executes a ransomware attack. This means that techniques like malicious Google Ads are tough to defend against.

"For instance, if this is the case, Neray recommends making sure the SoC is capable of detecting suspicious or unauthorized behavior, such as privilege escalation and the use of remote management and admin tools like PowerShell that live off the land," Neray says.
Read more »
Vulnerability and Exploits
Chinese Actors Confluence servers Crypto Currency mining Honeypot Linux SSH Vulnerability and Exploits

Chinese Group Botnet Illegally Mine Crypto

 

Linux and cloud app vulnerabilities have been used by the 8220 Group crypto mining gang to expand their botnet to over 30,000 affected systems.

Over the course of just the previous month, SentinelOne researchers reported detecting this notable rise in the number of infected hosts. The malicious botnet, according to analysts, was only active on 2,000 servers worldwide by the middle of 2021.

The 8220 group has been operating at least since 2017. The hackers are China-based and the organization's name is derived from the port 8220 that the miner uses to connect to the C2 servers. 

Operation tactics

According to reports, the growth was spurred by the adoption of Linux, widespread vulnerabilities in cloud applications, and inadequately secured setups for services like Docker, Apache WebLogic, and Redis.

This group has used a publically available exploit in the past to breach confluence systems. Once inside, the attackers employ SSH brute force to spread out and commandeer the available computing power to operate crypto miners that point to untraceable pools.

Another improvement is the script's usage of block lists to prevent infections on particular hosts, usually, honeypots set up by security researchers.

Lastly, 8220 Gang has updated PwnRig, their proprietary crypto miner based on XMRig, an open-source Monero miner.

Microsoft researchers claim that the gang has actively upgraded its payloads and tactics over the past year. In a recent campaign, the organization targeted Linux systems running on i686 and x86 64 architectures and gained early access using RCE exploits for CVE-2022-26134 (Atlassian Confluence) CVE-2019-2725 (WebLogic) vulnerabilities.

In addition to underscoring a more intense "fight" to seize control of victim systems from rival cryptojacking-focused groups, the operations' expansion is seen as an effort to counteract the declining value of cryptocurrencies.



Read more »
Vulnerability and Exploits
Node.js patch fixes Security Patch Vulnerabilities and Exploits Vulnerability and Exploits

Node.js Patches Various Flaws that may Lead to Attacks

About vulnerabilities

Node.js maintainers released multiple patches for flaws in the JavaScript runtime environment that can cause HTTP request smuggling and arbitrary code execution, among some other attacks. An advisory mentions the information about the seven patched bugs, it includes three seperate HTTP Request Smuggling vulnerabilities. 

The three flaws- a flawed parsing of transfer-encoding bug, tracked as CVE-2022-32213, an errored delimiting of header fields issue, tracked as CVE-2022-32214, and an improper parsing of multi-line transfer encoding exploit, tracked as CVE-2022-32215, can all in the end lead towards HTTP request smuggling. 

The Daily Swig says "the moderate-severity implementation bug (CVE-2022-2097) could cause encryption to fail in some circumstances. AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation will not encrypt the entirety of the data, which could reveal sixteen bytes of data that was pre-existing in the memory that wasn’t written." 

How Severe are these bugs?

The three bugs were rated as "medium" severity, they affect all three variants of the 18.x, 16.x, and 14.x releases lines. llhttp v6.0.7 and llhttp v2.1.5 includes the patches that were updated inside Node.js. 

Other problems 

The advisory also includes information about a DNS rebinding flaw in --inspect through improper IP addresses. Categorised as "high" severity, the bug (CVE-2022-32212) can permit arbitrary code execution, warns the advisory. 

“The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not.When an invalid IPv4 address is provided browsers will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MitM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884,” says the advisory. 

The flaw affects all variants of the 18.x, 16.x, and 14.x releases lines.

Read more »
Vulnerability and Exploits
data security Device Security HPE Vulnerability and Exploits

How vulnerability in Brocade Might Affect Major Companies


Broadcom disclosed that few softwares made by Brocade, its storage network subsidiary, is hit by various vulnerabilities, and the exploits can affect the products of various big companies. A similar incident happened with HPE earlier this year.

How does the vulnerability impact?

The Brocade SAN (storage area network) management app is impacted by 9 flaws, the patches are available for these security holes. 

Six vulnerabilities affect third-party products like Open SSL, Oracle Java, and NGINX, these are rated "medium severity" and "low severity."

A hacker can exploit these vulnerabilities (unauthorised attacker) and modify data, decode data, and make a Denial of Service (DoS) situation. 

The other three vulnerabilities are limited to Brocade SANnav, these are given "high" severity risk and impact ratings. 

The vulnerabilities let a hacker access switch and server passwords from log files, and hack potential sensitive info via static key ciphers.

About the vulnerability

The security flaws (CVE-2022-28167, CVE-2022-28168 and CVE-2022-28166) were discovered internally and currently no use of the exploit in the wild has been found. 

But the storage solutions of several companies that collaborate with Brocade can be impacted by these flaws. 

HPE in its advisory told the customers that the company's B series SANNav Management Portal is impacted by the exploits and suggested the customers to install the latest updates. 

The flaws can be exploited locally and remotely to leak sensitive info, attempt unauthorised access and modify data cause partial Denial of Service.

Other info related to Brocade vulnerability 

Another Brocade partner NetApp released individual advisories for the Brocade specific SANNav vulnerabilities. The NetApp products have not been affected. Brocade also partners with other big tech companies for storage solutions that include Huawei, Dell, Lenovo, IBM and Fujitsu. 

Security Week says "one of the other Brocade OEM partners appear to have published advisories for the SANnav vulnerabilities so it’s unclear if their products are also impacted. In the past, at least some of them did publish advisories to notify their customers about SANnav flaws."









Read more »
Subscribe to: Posts (Atom)