Showing posts with label Web Server security.

PROPHET SPIDER is Abusing Citrix ShareFile Remote Code Execution Bug to Deploy Webshell

 

Security researchers at CrowdStrike Intelligence have examined an incident in which PROPHET SPIDER abused a remote code execution (RCE) bug in the Citrix ShareFile Storage Zones Controller to compromise a Microsoft Internet Information Services (IIS) web server. The threat actor exploited the flaw to install a web shell, which was then used to download additional tooling.
 
In September of last year, Citrix disclosed a relative path-traversal bug in the ShareFile Storage Zones Controller, tracked as CVE-2021-22941. The vulnerability allows an attacker to overwrite an existing file on the target server via the uploadid parameter passed in an HTTP GET request.
 
On Jan. 10, 2022, CrowdStrike observed PROPHET SPIDER sending HTTP POST requests to a Falcon® platform customer. The exploitation attempt consisted of three web requests:

● Targeting upload.aspx
● Containing encoded strings for ../ and ConfigService\Views\Shared\Error.cshtml in the URL parameters
● Containing &bp=123&accountid=123 if the attacker has not customized the payload
 
The URI endpoint /upload.aspx is used for ShareFile uploads and usually comes with parameters to define upload object specifications, such as uploadid, cid or batched.   
 
Once the web shell is in place, it can be reached by sending an HTTP request to /configservice/Home/Error with one or two URL parameters. ASP.NET routes these requests to Error.cshtml, which normally contains only a simple HTML header reading "Sorry, an error occurred while processing your request." After the exploit, that content has been replaced with a C# code block that calls Process.Start(cmd, arg) with the URL parameter(s) passed in the GET request, so every hit on the error page executes an attacker-chosen command on the IIS host.
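The two request patterns described above (the traversal write to Error.cshtml through /upload.aspx, and subsequent hits on /configservice/Home/Error carrying parameters) are easy to pick out of IIS logs. The following is an added detection example written for this post, not code from CrowdStrike or Citrix. It runs over a handful of constructed IIS W3C-style log lines embedded in the script; the client IPs, timestamps and the web shell's parameter names (cmd, arg) are hypothetical, since the post only says the shell takes one or two URL parameters. It percent-decodes the query string twice so double-encoded traversal is normalised as well.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines for illustration (not real telemetry).
# Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
# Lines 1-3 model the intrusion described above; lines 4-5 are ordinary traffic.
# The query names on line 3 (cmd, arg) are hypothetical.
SAMPLE_LOG = """\
2022-01-10 08:12:01 10.0.0.5 POST /upload.aspx uploadid=..%2F..%2F..%2FConfigService%5CViews%5CShared%5CError.cshtml&bp=123&accountid=123 443 203.0.113.7 200
2022-01-10 08:12:02 10.0.0.5 POST /upload.aspx uploadid=%252e%252e%255c%252e%252e%255cConfigService%255cViews%255cShared%255cError.cshtml&bp=123&accountid=123 443 203.0.113.7 200
2022-01-10 08:12:40 10.0.0.5 GET /configservice/Home/Error cmd=cmd.exe&arg=%2Fc+whoami 443 203.0.113.7 200
2022-01-10 08:13:10 10.0.0.5 POST /upload.aspx uploadid=a1b2c3&cid=acct42&batched=0 443 198.51.100.9 200
2022-01-10 08:13:11 10.0.0.5 GET /configservice/Home/Error - 443 198.51.100.9 500
"""

TRAVERSAL = re.compile(r"\.\./|\.\.\\")                      # ../ or ..\ after decoding
ERROR_VIEW = re.compile(r"ConfigService[\\/]Views[\\/]Shared[\\/]Error\.cshtml", re.I)
DEFAULT_POC_PARAMS = re.compile(r"(^|&)bp=123&accountid=123(&|$)")


def decode_percent(s, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded traversal
    (%252e%252e%252f) is normalised like the single-encoded form."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line):
    """Return a finding dict for a suspicious request, or None for benign lines."""
    parts = line.split(" ")
    if len(parts) < 9:
        return None
    _date, _time, _sip, method, stem, query, _port, client, status = parts[:9]
    decoded = decode_percent(query)
    reasons = []
    if stem.lower() == "/upload.aspx":
        if TRAVERSAL.search(decoded) and ERROR_VIEW.search(decoded):
            reasons.append("CVE-2021-22941 traversal writing Error.cshtml")
        if DEFAULT_POC_PARAMS.search(decoded):
            reasons.append("uncustomised exploit parameters (bp=123&accountid=123)")
    elif stem.lower() == "/configservice/home/error" and query != "-":
        # The error view never needs query parameters; a request carrying them
        # matches the web shell invocation pattern described in the post.
        reasons.append("Error view requested with URL parameters (possible web shell use)")
    if not reasons:
        return None
    return {"client": client, "method": method, "stem": stem,
            "status": status, "reasons": reasons}


def scan(log_text):
    """Run classify() over every non-comment line; returns [(line_no, finding), ...]."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        finding = classify(line)
        if finding:
            hits.append((no, finding))
    return hits


if __name__ == "__main__":
    for no, f in scan(SAMPLE_LOG):
        print("line %d: %s %s -> %s from %s: %s" % (
            no, f["method"], f["stem"], f["status"], f["client"], "; ".join(f["reasons"])))
```

On the constructed input the scanner flags lines 1 to 3 and leaves the legitimate upload and the parameterless error-page hit alone. A successful write will typically show a 200 on the upload request; the status is kept in the finding so a hunt query can prioritise those.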
 
According to the researchers, PROPHET SPIDER has been active since at least May 2017 and primarily gains access by exploiting vulnerable web servers, typically through a variety of publicly disclosed vulnerabilities. The CVE-2021-22941 exploitation shows PROPHET SPIDER expanding and refining its tradecraft while continuing to target known web-server vulnerabilities.

Last month, BlackBerry's Research & Intelligence and Incident Response teams found evidence linking Prophet Spider, an initial access broker (IAB), to exploitation of the Log4j bug in VMware Horizon. The researchers also observed mass deployment of cryptocurrency mining software and Cobalt Strike beacons, and identified "an instance of exploitation containing tactics, techniques, and procedures relating to the Prophet Spider IAB."
 
"When an access broker group takes interest in a vulnerability whose scope is so unknown, it's a good indication that attackers see significant value in its exploitation," Tony Lee, vice president of global services technical operations at BlackBerry explained. "It's likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability, so it's an attack vector against which defenders need to exercise constant vigilance."

For 9 Months, Hackers Went Unnoticed on a Queensland Water Supplier's Server

 

Hackers hid on a server holding customer information for a Queensland water company for nine months, underlining the need for robust cyber defenses at critical infrastructure operators. SunWater is a government-owned water company in Australia that manages 19 large dams, 80 pumping stations and 1,600 miles of pipelines. According to the Queensland Audit Office's annual financial audit report, SunWater's server was compromised for nine months, with the intruders going unnoticed the entire time.

Although the entity is not named in the report, ABC Australia questioned the authority and established that it was SunWater. Between August 2020 and May 2021 the actors had access to a web server the water company used to store customer information. They did not appear to be interested in stealing sensitive data; instead they used specialized malware to drive traffic to an online video platform.

There is no evidence that the threat actors stole any customer or financial information, according to the audit report, and the vulnerability they exploited has since been addressed. The report says the actors only compromised the older, more vulnerable version of the system, leaving the modern, far more secure web servers untouched.

The audit covered six water authorities, Seqwater, SunWater, Urban Utilities, Unitywater, Gladstone Area Water Board and Mount Isa Water Board, and warned of information system vulnerabilities. Internal control flaws, including some involving money transfer payment information, were also found. The 36-page report recommended that "ongoing security weaknesses in information systems" be addressed immediately.

In the case of the breach, steps were taken to address the problem, including software updates, the use of stronger passwords, and monitoring of incoming and outgoing network traffic. Despite the audit office's recommendation last year that institutions tighten the security of their information systems, not all had taken action, according to the report. As of June 30, three of the six organizations still exhibited "control weaknesses". The report also identified 24 internal control flaws across the sector; one authority had three deficiencies in managing user access across its financial, invoicing and payroll systems.

"We continue to identify several control deficiencies relating to information systems. Cyber-attacks continue to be a significant risk, with ongoing changes in entities' working environments due to COVID-19," reads the auditors' report.

Apple pushes out silent update for Mac users to remove Zoom web server

Earlier this week, US-based security researcher Jonathan Leitschuh publicly disclosed a serious vulnerability in the Zoom video-conferencing client for Apple's Mac computers: any website could force a visitor's Mac to join a video-enabled call, with the webcam switched on, without the user's consent. Now, according to a report by TechCrunch, Apple has silently pushed a macOS update that removes the Zoom web server.

As per the report, Apple has confirmed that the update has been released, is installed automatically and requires no interaction from the user. Its sole purpose is to remove the local web server installed by the Zoom app. Apple said it pushed the update to protect users from the risks posed by the exposed web server.

According to Leitschuh's disclosure earlier this week, even if Mac users uninstall the Zoom app, the web server persists on the system and can reinstall Zoom without the user's permission.

In a statement to The Verge and ZDNet, Zoom said it built the local web server to spare Mac users extra clicks after Apple changed Safari so that users must confirm they want to launch Zoom every single time. Zoom also said it would change the app so that it saves the user's and administrator's preference for whether video is on when first joining a call.

Apple, however, took it upon itself to protect its users from the vulnerability. The silent update was all the more necessary because the local web server Zoom installed could reinstall the app even after the user had uninstalled it.
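Because the update is silent, a Mac administrator has no prompt confirming it landed. The script below is an added example for this post, not code from Apple, Zoom or the researcher, that checks the two traces the local web server left behind. Both locations are taken from public reporting on the disclosure rather than from this page and should be treated as assumptions: the helper daemon lived in a hidden ~/.zoomus directory and listened on localhost TCP port 19421. The checks are parameterised so they can be exercised against a scratch directory and a throwaway listener.

```python
import os
import socket

# Assumptions from public reporting on the Zoom disclosure, not from this page:
# the helper daemon lived in ~/.zoomus and listened on 127.0.0.1:19421.
ZOOM_HIDDEN_DIR = ".zoomus"
ZOOM_LOCAL_PORT = 19421


def zoom_dir_present(home=None):
    """True if the hidden Zoom helper directory still exists under `home`
    (defaults to the current user's home directory)."""
    base = home if home is not None else os.path.expanduser("~")
    return os.path.isdir(os.path.join(base, ZOOM_HIDDEN_DIR))


def port_is_listening(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            return s.connect_ex((host, port)) == 0
        except OSError:
            return False


def check_zoom_web_server(home=None, port=ZOOM_LOCAL_PORT):
    """Return a list of findings; an empty list means neither check found a
    trace of the local web server."""
    findings = []
    if zoom_dir_present(home):
        findings.append("hidden %s directory still present" % ZOOM_HIDDEN_DIR)
    if port_is_listening(port):
        findings.append("something is listening on 127.0.0.1:%d" % port)
    return findings


if __name__ == "__main__":
    hits = check_zoom_web_server()
    if hits:
        for h in hits:
            print("FOUND:", h)
    else:
        print("no trace of the Zoom local web server")
```

A listener on the port is the stronger signal, since a leftover directory may be nothing more than stale files; if both checks come back clean the silent update, or a manual clean-up, has done its job.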

Mailsploit: Email that permits sender spoofing

Pretending to be somebody you are not in an email has never been especially hard, as phishing, that endless scourge of web security, shows. Now one researcher has uncovered a collection of bugs in email clients that strip away even the existing, imperfect protections against email impersonation, letting anybody spoof a message with no visible hint to the recipient.

On Tuesday, Sabri Haddouche, a developer and bug hunter, revealed a notable new email-spoofing technique. Named Mailsploit, it uses bugs in email clients to launch undetectable email-spoofing attacks, and it affects well-known clients including Microsoft Outlook 2016, Apple Mail, Yahoo! Mail and many more.

Mailsploit passes through email servers and bypasses established spoofing protections such as DMARC and spam filters. A server configured to check DMARC or DomainKeys Identified Mail (DKIM) will treat a Mailsploit message as genuine when it ought to be binned as spam. A demo that Haddouche has made available on his site lets anybody send messages that appear to come from whichever address they like: thinkblue@whitehouse.gov, redpigeon.9898@gmail.com or any other made-up address that might trick someone into giving up private information. With Mailsploit, no amount of scrutiny in the email client will uncover the fakery.

Where is DMARC?

Domain-based Message Authentication, Reporting and Conformance (DMARC) blocks spoofed email by checking that the domain in a message's From header aligns with the domain authenticated by SPF or DKIM, so a message claiming to come from one domain but sent by a server authorised only for another is rejected or quarantined. The scheme has been progressively adopted by administrators over the years.

Mailsploit's tricks defeat DMARC by exploiting how email servers handle header text differently from desktop and mobile operating systems. By crafting email headers that abuse flawed implementations of RFC 1342, a 25-year-old scheme for encoding non-ASCII characters in email headers, together with quirks in how Windows, Android, iOS and macOS handle text, Haddouche showed that he can get email servers to interpret a header one way while email clients read it in an entirely different way.
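The split between what the server authenticates and what the client displays is easiest to see in code. The block below is an added example written for this post, not Haddouche's proof of concept or any client's parser. It builds a From header in the Mailsploit style, where the local part is an RFC 1342/2047 encoded-word that decodes to the address the victim should see followed by a NUL byte, and the real, attacker-controlled domain sits after the '@'. The domain attacker.example is hypothetical; thinkblue@whitehouse.gov is the address the post itself uses. Three small functions model the three parties: the MTA aligning DMARC on the raw domain, a vulnerable client that decodes the encoded-word and stops at the NUL, and a hardened decoder that rejects control characters or '@' inside an encoded-word.

```python
import base64
import re

# RFC 2047 (successor of RFC 1342) encoded-word: =?charset?B|Q?text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def build_spoofed_from(shown_address, real_domain):
    """Build a Mailsploit-style From header: the local part is an encoded-word whose
    decoded text is the address the victim should see plus a NUL byte; the real
    domain (attacker-controlled, with SPF/DKIM set up) follows the '@'."""
    payload = shown_address.encode("utf-8") + b"\x00"
    return "=?utf-8?b?%s?=@%s" % (base64.b64encode(payload).decode("ascii"), real_domain)


def server_from_domain(header):
    """What a DMARC-checking MTA aligns against: it does not decode encoded-words
    in the address, it simply takes the domain after the last '@'."""
    return header.rsplit("@", 1)[1].strip().rstrip(">").lower()


def decode_word(charset, encoding, text):
    """Decode one encoded-word to text, keeping any control characters it contains."""
    if encoding.lower() == "b":
        raw = base64.b64decode(text)
    else:  # Q encoding: '_' is a space, =XX is one byte
        q = re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)),
                   text.replace("_", " "))
        raw = q.encode("latin-1")
    try:
        return raw.decode(charset, "replace")
    except LookupError:
        return raw.decode("latin-1")


def client_render(header):
    """Mimic a vulnerable client: decode the encoded-words, then treat the result as
    a C string, so the NUL and everything after it (the real '@domain') vanish."""
    decoded = ENCODED_WORD.sub(lambda m: decode_word(*m.groups()), header)
    return decoded.split("\x00", 1)[0]


def strict_render(header):
    """Hardened decoding: return None (reject the header) if any encoded-word decodes
    to text containing control characters or '@'; otherwise the decoded header."""
    rejected = []

    def sub(m):
        text = decode_word(*m.groups())
        if re.search(r"[\x00-\x1f\x7f@]", text):
            rejected.append(text)
        return text

    decoded = ENCODED_WORD.sub(sub, header)
    return None if rejected else decoded


if __name__ == "__main__":
    hdr = build_spoofed_from("thinkblue@whitehouse.gov", "attacker.example")
    print("raw header      :", hdr)
    print("server aligns on:", server_from_domain(hdr))   # attacker.example -> DMARC passes
    print("client displays :", client_render(hdr))        # thinkblue@whitehouse.gov
    print("strict decoder  :", strict_render(hdr))        # None: header rejected
```

Real clients truncate at different characters (NUL, newlines) and some also mishandle multiple encoded-words, which is why the affected list varies by platform; the NUL case is the simplest. The fix belongs in the client or at the gateway, as the post notes: an encoded-word in an address header should never decode to something containing a control character or a second '@'.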

The patchwork of fixes

Haddouche says he contacted most of the affected vendors months before disclosure to warn them about the vulnerabilities he found. Yahoo! Mail, Protonmail and Hushmail have already fixed their bugs, while Apple and Microsoft are still working on theirs. Mozilla and Opera, however, told him they do not plan to fix their Mailsploit bugs, as they consider them server-side issues.

Haddouche adds that email providers and firewalls can also be configured to filter the attack even where email clients remain vulnerable. Beyond the specific bugs Mailsploit exposes, his research points to a more fundamental problem with email authentication: add-ons like DMARC were designed to stop spam rather than targeted spoofing.

Nevertheless, Haddouche recommends that users watch for security updates to their email clients that fix the Mailsploit bugs. In the meantime, it is always wise to treat email with caution.

CVE-2013-2028 : Buffer Overflow vulnerability fixed in nginx 1.5.0, 1.4.1


Security researcher Greg MacManus of iSIGHT Partners Labs discovered a critical security flaw in several recent versions of nginx, the open source web server.

"A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution"

The flaw, now assigned CVE-2013-2028, affects nginx versions 1.3.9 through 1.4.0. The nginx developers have released a patch for it.

The problem is fixed in nginx 1.5.0 and 1.4.1. The patch can be found here: http://nginx.org/download/patch.2013.chunked.txt
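The patch linked above touches the chunked transfer-encoding parser, and the public fix amounts to a few lines that reject a negative chunk size. The block below is an added example for this post, not nginx code: it models in Python how a chunk-size line is accumulated digit by digit into a signed 64-bit integer (the assumption here is a 64-bit off_t), shows that an overlong hex value wraps negative in the unpatched form, then shows the 1.4.1-style check and a stricter variant that also caps the chunk size. The root-cause summary (a wrapped, negative size later used as a length) is my reading of the fix, not something the post states.

```python
import re

# Emulate C signed 64-bit arithmetic (off_t on 64-bit builds; assumption).
INT64_MAX = (1 << 63) - 1


def wrap_int64(value):
    """Reduce an unbounded Python int to what a C int64 holds after overflow."""
    value &= (1 << 64) - 1
    return value - (1 << 64) if value > INT64_MAX else value


def _hex_digits(line):
    """Hex digits of a chunk-size line, ignoring chunk extensions (';...') and the
    trailing CRLF; None if the line does not start with a hex digit."""
    size_part = line.strip().split(";", 1)[0].strip()
    m = re.match(r"[0-9a-fA-F]+", size_part)
    return m.group(0) if m else None


def parse_chunk_size_1_4_0(line):
    """Pre-fix behaviour: size = size*16 + digit in a signed integer, so an overlong
    hex value silently wraps and can come back negative."""
    digits = _hex_digits(line)
    if digits is None:
        return None
    size = 0
    for d in digits:
        size = wrap_int64(size * 16 + int(d, 16))
    return size


def parse_chunk_size_1_4_1(line):
    """With the patch: same accumulation, but a negative result is rejected (None)."""
    size = parse_chunk_size_1_4_0(line)
    return None if size is None or size < 0 else size


def parse_chunk_size_strict(line, max_size=INT64_MAX):
    """Never let the accumulator exceed max_size (e.g. the configured
    client_max_body_size). Python ints do not overflow, so comparing after each
    step is safe; the C equivalent checks size > max/16 before multiplying."""
    digits = _hex_digits(line)
    if digits is None:
        return None
    size = 0
    for d in digits:
        size = size * 16 + int(d, 16)
        if size > max_size:
            return None
    return size


if __name__ == "__main__":
    crafted = "fffffffffffffff0\r\n"   # 2^64 - 16: wraps to -16 in int64
    print("1.4.0 :", parse_chunk_size_1_4_0(crafted))   # -16
    print("1.4.1 :", parse_chunk_size_1_4_1(crafted))   # None (rejected)
    print("strict:", parse_chunk_size_strict(crafted))  # None (rejected)
    print("normal:", parse_chunk_size_1_4_1("1a\r\n"))  # 26
```

The strict form is the one to prefer in any parser of attacker-supplied lengths: bound the value before it is ever used, rather than detecting the overflow after the fact.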