
Ransomware Attackers Are Weaponizing PHP Flaw to Infect Web Servers


Security researchers revealed that ransomware attackers have swiftly turned a simple-to-exploit PHP programming language vulnerability—which allows malicious code to be executed on web servers—into a weapon. 

As of Thursday last week, Censys' Internet scans had found 1,000 servers infected with the TellYouThePass ransomware strain, down from 1,800 on Monday. The servers, which are largely based in China, no longer display their typical content; instead, many list the site's file directory, which shows that all files have a .locked extension, indicating that they have been encrypted. The accompanying ransom note demands around $6,500 in exchange for the decryption key.

The vulnerability, identified as CVE-2024-4577 and assigned a severity rating of 9.8 out of 10, results from flaws in PHP's conversion of Unicode characters to ASCII. Best Fit, a character-mapping feature built into Windows, lets attackers use argument injection to turn user-supplied data into characters that pass malicious command-line arguments to the main PHP application. The exploits let attackers circumvent the fix for CVE-2012-1823, a significant code execution vulnerability addressed in PHP in 2012.

CVE-2024-4577 only affects PHP when it is run in CGI mode, which involves a web server parsing HTTP requests and passing them to a PHP script for processing. Even if PHP is not configured to use CGI mode, the vulnerability may still be exploitable if PHP executables such as php.exe and php-cgi.exe are located in directories accessible to the web server. This setup is fairly uncommon, with the exception of the XAMPP platform, which includes it by default. An extra requirement appears to be that the Windows locale, which is used to personalise the OS to the user's local language, be set to Chinese or Japanese. 

The critical vulnerability was made public on June 6, along with a security fix. The attackers were exploiting it within 24 hours to install TellYouThePass, Imperva researchers disclosed last week. The exploits ran malware that exploited the Windows binary mshta.exe to launch an HTML application hosted on an attacker-controlled server. The use of the programme revealed a strategy known as living off the land, in which attackers employ native OS features and tools to blend in with routine, non-malicious behaviour.

In a post published Friday, Censys researchers stated that the TellYouThePass gang's exploitation began on June 7 and mirrored previous incidents in which the group opportunistically mass-scanned the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately targeted any accessible server. The vast majority of affected servers have IP addresses in China, Taiwan, Hong Kong, or Japan, most likely because the Chinese and Japanese locales are the only ones verified to be vulnerable, Censys researchers noted in an email.

“From our perspective, many of the compromised hosts appear to remain online, but the port running the PHP-CGI or XAMPP service stops responding—hence the drop in detected infections,” researchers added. “Another point to consider is that there are currently no observed ransom payments to the only Bitcoin address listed in the ransom notes (source). Based on these facts, our intuition is that this is likely the result of those services being decommissioned or going offline in some other manner.”
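Because the exploitation described above depends on requests reaching php-cgi.exe with non-ASCII bytes that Windows Best-Fit conversion rewrites into CGI arguments, those two traits make a usable log heuristic. The following detector is an added example, not code from the article or from Censys; the Apache combined-log format, the sample lines and the php-cgi path pattern are constructed assumptions.

```python
"""Heuristic scan of web server access logs for CVE-2024-4577-style probes:
direct requests to php-cgi.exe / php.exe whose query string decodes to
non-ASCII bytes (the input Best-Fit conversion acts on)."""
import re
from urllib.parse import unquote_to_bytes

# Apache combined-log format (assumed); fields after the status are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# PHP CGI binaries as exposed on an XAMPP-style layout (assumption; adjust
# to the server's own document root).
PHP_CGI_PATH = re.compile(r'/php(-cgi)?\.exe$', re.IGNORECASE)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def high_bytes(query):
    """Return the raw non-ASCII bytes found after percent-decoding."""
    return [b for b in unquote_to_bytes(query) if b >= 0x80]


def classify(entry):
    """Reason string if the request matches the probe pattern, else None."""
    path, _, query = entry["target"].partition("?")
    if not PHP_CGI_PATH.search(path):
        return None
    hb = high_bytes(query)
    if hb:
        return "php-cgi hit with non-ASCII query bytes " + ",".join(
            "0x%02x" % b for b in hb)
    # Direct access to the CGI binary is itself worth reviewing.
    return "direct php-cgi access"


def scan(lines):
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reason = classify(e)
        if reason:
            hits.append((e["ip"], e["target"], reason))
    return hits


# Constructed sample log lines: one normal PHP page view, one probe carrying
# a non-ASCII byte to php-cgi.exe, one bare hit on the binary, and a
# non-ASCII path that is *not* a php-cgi request.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jun/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '198.51.100.9 - - [07/Jun/2024:10:03:44 +0000] "POST /php-cgi/php-cgi.exe?%ADx HTTP/1.1" 200 0',
    '198.51.100.9 - - [07/Jun/2024:10:03:50 +0000] "GET /php-cgi/php-cgi.exe HTTP/1.1" 403 0',
    '192.0.2.77 - - [07/Jun/2024:10:05:00 +0000] "GET /caf%C3%A9.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, target, reason in scan(SAMPLE_LOG):
        print(ip, target, reason)
```

On a real deployment the stronger fix is to not expose the CGI binaries at all; the scan only tells you whether someone has already been knocking.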

Insomniac Games Cybersecurity Breach

A cyberattack has compromised the prestigious game company Insomniac Games, exposing private data without authorization. Concerns over data security in the gaming business have been raised by this hack, which has spread throughout the community.

Targeting Insomniac Games, the company behind the well-known Spider-Man series, the cyberattack was purportedly executed by a gang going by the name Rhysida. Fans and the gaming industry were left in a state of anticipation and fear as the hackers obtained access to a treasure trove of data, including secret footage of new projects like Wolverine.

The leaked information not only included sneak peeks into future game developments but also internal data that could compromise the studio's operations. The gravity of the situation prompted a rallying of support for Insomniac Games from both the gaming community and industry professionals.

Amid the chaos, cybersecurity experts have been quick to emphasize the importance of robust security measures in an era where digital attacks are becoming increasingly sophisticated. This incident serves as a stark reminder that even major players in the gaming industry are vulnerable to cyber threats.

Insomniac Games responded promptly to the breach, acknowledging the incident and assuring fans that they are taking necessary steps to address the issue. The studio urged users to remain vigilant and promptly report any suspicious activities related to their accounts.

The gaming community, known for its passionate fanbase, has shown solidarity with Insomniac Games in the wake of the cyberattack. Messages of support have flooded social media platforms, emphasizing the need for collective efforts to combat cyber threats and protect the integrity of the gaming industry.

As the situation unfolds, industry leaders and policymakers are likely to scrutinize the incident to enhance cybersecurity protocols across the gaming landscape. The hack serves as a wake-up call for developers and publishers to invest in cutting-edge security measures to safeguard intellectual property and user data.

Leaders in the industry and legislators will probably be closely examining the incident as it develops to improve cybersecurity practices in the gaming sector. Developers and publishers should take note of this hack and invest in state-of-the-art security solutions to protect user data and intellectual property.

The recent hack on Insomniac Games serves as a reminder that even the biggest names in the gaming business are susceptible to online attacks. The aftermath of this disaster calls for the gaming community as a whole to prioritize cybersecurity in addition to data security. One thing is certain as the gaming industry struggles with the fallout from this breach: protecting digital assets is critical to the business's long-term viability and public confidence.

HavanaCrypt Ransomware Deployed Via Fake Google Updates


Trend Micro researchers have unearthed a new ransomware family dubbed ‘HavanaCrypt’ being deployed as a fake Google Software Update application. 

The ransomware launches multiple anti-virtualization checks and employs a Microsoft web hosting service IP address for its command and control (C&C) server, which allows it to bypass detection. HavanaCrypt also leverages a namespace method function in its execution process, a report from Trend Micro explained. 

“It disguises itself as a Google software update application and uses a Microsoft web hosting service IP address as its command-and-control server to circumvent detection,” Trend Micro said in a blog. 

The ransomware is the latest in a series of malware that poses as a legitimate application. This year alone has seen ransomware masquerading as Windows 10, Google Chrome, and Microsoft Exchange updates. 

HavanaCrypt modus operandi 

HavanaCrypt is a .NET-compiled application that employs an open-source tool called Obfuscar to obfuscate its code. Once installed on a system, HavanaCrypt examines the AutoRun registry key to see whether a "GoogleUpdate" entry is already present. If not, it continues with its routine.

The malware then undertakes a four-stage assessment of whether the compromised device is running in a virtualized environment. 

First, it checks for services used by common virtualization applications such as VMware Tools and vmmouse. Then it scans for files related to virtualization applications, followed by a check for specific file names employed in virtual environments. Finally, it compares the machine's MAC address with the unique identifier prefixes usually assigned to virtual machines. If any of the checks show the infected machine to be in a virtual environment, the malware terminates itself.

Additionally, the malware creates a text file that logs all the directories containing the encrypted files. The file is named foo.txt and the ransomware encrypts it as well. No ransom note is dropped.

"It is highly possible that the ransomware's author is planning to communicate via the Tor browser because Tor is among the directories that it avoids encrypting files in. It should be noted that HavanaCrypt also encrypts the text file foo.txt and does not drop a ransom note. This might be an indication that HavanaCrypt is still in its development phase," said Bharat Mistry, technical director at Trend Micro.

Will VPN Providers and the Indian Government Clash Over New Rules on User Data Collection?


The Ministry of Electronics and Information Technology, which administers CERT-In, has mandated that all VPN providers and cryptocurrency exchanges retain user records for five years. Some of the most well-known VPN providers, such as NordVPN and ExpressVPN, claim to collect only the most basic information about their customers and to provide ways for them to stay relatively anonymous, for instance by accepting Bitcoin payments.

VPNs reroute users' internet connections through a separate network; this can be done for a variety of reasons, such as connecting to a workplace network that is not available from the general internet or accessing prohibited websites by using servers in other nations. 

Another characteristic of VPNs that several providers, Nord among them, promote as a selling point is privacy. They frequently claim to keep no logs; Nord's no-logs policy has been audited by PricewaterhouseCoopers regularly. However, the IT Ministry's ruling would force the company to deviate from that policy for servers in India.

What sort of data does the government expect firms to preserve?
  • Validated names of subscribers/customers hiring the services.
  • Hire period, including dates.
  • IP addresses assigned to/used by members.
  • Email address, IP address and time stamp used at registration/onboarding.
  • Purpose for hiring the services.
  • Validated contact information and addresses.
  • Subscriber/customer ownership patterns when hiring services.

Official orders from CERT-In, the government agency in charge of investigating and archiving national cybersecurity incidents, have generated controversy. It was announced in a press release that all "Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers" would be bound to maintain a variety of user data for at least five years after the service was cancelled or discontinued.

The VPN industry's comment on user data

ExpressVPN stated that its apps and VPN servers have been meticulously designed to completely erase sensitive data. As a result, ExpressVPN could never be forced to hand over client data that does not exist.

"Our team is currently analyzing the latest Indian government decree to determine the best course of action. Because the law will not take effect for at least two months, we are continuing to work as usual. We are committed to protecting our clients' privacy, thus if no other options exist, we may withdraw our servers from India," Patricija Cerniauskaite, a spokesman for NordVPN stated.

If NordVPN leaves India, would you still be able to use it?

Users will most likely be able to connect to NordVPN's servers in other countries even if the company decides to leave India. According to reports, NordVPN has 28 servers in India which users in India and other countries can connect to. Surprisingly, NordVPN's Indian servers provide access to websites that are normally restricted in India.

India enters an unfortunate list of other large countries where Nord and other VPN providers have either pulled servers or never had a presence: Russia, where Nord and other VPN providers pulled servers just after the country ordered VPN firms to provide backdoor access to government on demand in 2019; and China, where VPN providers are subject to stringent controls. 

The Internet Freedom Foundation, a New Delhi-based digital rights advocacy group, said in a comprehensive statement released Thursday afternoon that the requirements were "extreme" and would impair VPN users' "individual liberty and privacy."

New Hybrid Enemybot Malware Targets Routers, Web Servers


A recently discovered DDoS botnet is enslaving multiple router models and various types of web servers by abusing known vulnerabilities, researchers at Fortinet Labs warned. 

Dubbed Enemybot, the botnet has been linked to the cybercrime group named Keksec, which specializes in DDoS attacks and cryptocurrency mining and has been linked to multiple botnets such as Simps, Ryuk, and Samel.

The malware is the result of combining and modifying the source code of the Gafgyt (Bashlite) botnet, which leaked in 2015, and the infamous Mirai botnet, with the latest version using the scanner module and a bot killer module.

Enemybot employs multiple obfuscation methodologies meant not only to prevent analysis but also to keep it concealed from other botnets, and it connects to a remote server hosted in the Tor anonymity network to fetch attack commands.

The new botnet also attempts to exploit a wide range of devices and architectures by using known combinations of usernames and passwords, running shell commands on Android devices with a compromised Android Debug Bridge port (5555), and targeting roughly 20 known router vulnerabilities.

The most recent of the targeted security loopholes is CVE-2022-27226, a remote code execution issue that impacts iRZ mobile routers, and which was made public on March 19, 2022. Enemybot, Fortinet points out, is the first botnet to target devices from this vendor. 

Enemybot also targets the now infamous Apache Log4j remote code execution vulnerabilities disclosed last year (CVE-2021-44228 and CVE-2021-45046), as well as a couple of path traversal issues in the Apache HTTP server (CVE-2021-41773 and CVE-2021-42013). 

The botnet also attempts to abuse security loopholes in TOTOLINK routers and Seowon routers, as well as older vulnerabilities in ThinkPHP, D-Link routers, NETGEAR products, Zhone routers, and ZyXEL devices. 

Once a flaw has been successfully abused, the malware runs a shell command to download a shell script from a URL that is dynamically updated by the C&C. The script is responsible for downloading the actual Enemybot binary compiled for the target device’s architecture.

After successful exploitation, the malware links to its C&C server and waits for further instructions. Based on received commands, it can perform DNS amplification attacks and various types of DDoS assaults, sniff traffic, and spread to other devices via brute force attacks. 

“This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for crypto mining is a big possibility,” Fortinet notes.

F5 Patches NGINX LDAP Zero-Day Bug


The maintainers of NGINX, F5 Networks, disclosed a zero-day bug in the NGINX Lightweight Directory Access Protocol (LDAP) reference implementation at the end of the first week of April. Now, they have released security updates to address the security loophole in the LDAP reference implementation.

According to security analysts at F5, NGINX Open Source and NGINX Plus are not affected by the bug by themselves. So, there is no action required if the reference implementation is not employed.

“NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation,” Liam Crilly and Timo Stark of F5 Networks said in an advisory. However, if the LDAP reference implementation is used, systems are vulnerable when any of the following conditions applies:

• Command-line parameters are used to configure the Python-based reference implementation daemon
• Unused, optional configuration parameters are present
• Specific group membership is required to carry out LDAP authentication

If any of these conditions are met, a threat actor could override the configuration parameters by sending specially crafted HTTP request headers and even bypass LDAP authentication, so that a user who should fail the group check is nonetheless authenticated.

“The Python daemon does not sanitize its inputs. Consequently, an attacker can use a specially crafted request header to bypass the group membership (memberOf) check and so force LDAP authentication to succeed even if the user being authenticated does not belong to the required groups,” F5 researchers said.

“To mitigate against this, ensure that the backend daemon that presents the login form strips any special characters from the username field. In particular, it must remove the opening and closing parenthesis characters – () – and the equal sign (=), which all have special meanings for LDAP servers,” the advisory states. “The backend daemon in the LDAP reference implementation will be updated in this way in due course.”

NGINX project developers advised users to strip special characters from the username field during authentication, and to update the configuration parameters with an empty value. The LDAP reference implementation mainly demonstrates how the integration operates and the components necessary to verify it; it is not a production-grade LDAP solution.
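The advisory's mitigation is to strip `(`, `)` and `=` from the username before it is spliced into the LDAP search filter. The example below is added here and is not F5's reference daemon; it contrasts an unsanitized filter build with the advisory's stripping and with RFC 4515 filter escaping (a stricter generalization), and it adds a structural check that catches a username that has altered the filter. The filter template, the group DN and the test username are assumptions.

```python
"""Building an LDAP search filter from a login username: unsafe, stripped
(as the F5 advisory recommends) and escaped (RFC 4515)."""

# Characters the advisory says must be removed from the username field.
STRIP_CHARS = "()="

# RFC 4515 escaping table for filter values (superset of the advisory's list;
# '=' needs no escaping inside a value, it only matters for structure).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

REQUIRED_GROUP = "cn=admins,ou=groups,dc=example,dc=com"   # assumed group DN
TEMPLATE = "(&(uid={user})(memberOf={group}))"              # assumed template


def build_filter_unsafe(username):
    """Vulnerable pattern: the username goes straight into the filter."""
    return TEMPLATE.format(user=username, group=REQUIRED_GROUP)


def strip_username(username):
    """Advisory's mitigation: drop '(', ')' and '=' before they reach LDAP."""
    return "".join(c for c in username if c not in STRIP_CHARS)


def escape_ldap(value):
    """RFC 4515 escaping: the value can no longer change filter structure."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def build_filter_stripped(username):
    return TEMPLATE.format(user=strip_username(username), group=REQUIRED_GROUP)


def build_filter_escaped(username):
    return TEMPLATE.format(user=escape_ldap(username), group=REQUIRED_GROUP)


def filter_is_well_formed(flt):
    """Cheap structural guard: balanced parentheses and exactly one memberOf
    assertion, i.e. the shape TEMPLATE is supposed to produce."""
    depth = 0
    for c in flt:
        depth += (c == "(") - (c == ")")
        if depth < 0:
            return False
    return depth == 0 and flt.count("(memberOf=") == 1


# Constructed test input: a username carrying filter metacharacters.
CRAFTED = "alice)(memberOf=*"

if __name__ == "__main__":
    for name, fn in (("unsafe", build_filter_unsafe),
                     ("stripped", build_filter_stripped),
                     ("escaped", build_filter_escaped)):
        flt = fn(CRAFTED)
        print(f"{name:9} {filter_is_well_formed(flt)!s:5} {flt}")
```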

NSA: Risks Linked with Wildcard TLS Certificates and ALPACA Techniques


The National Security Agency issued a technical alert cautioning businesses about the risks of wildcard TLS certificates and about the new ALPACA TLS attack.

The NSA advised companies to follow the technical recommendations in its alert and safeguard servers against situations in which attackers may obtain access and decrypt encrypted online traffic. 

While several situations and techniques might aid attackers in decrypting TLS-encrypted data, the NSA singled out the use of wildcard TLS certificates, which many researchers have also warned against in the past.

A wildcard certificate is a digital TLS certificate obtained by a company from a certificate authority that allows the owner to apply it to a domain and all of its subdomains simultaneously (*.example.com). Companies have used wildcard certificates for years because they are less expensive and easier to administer, so administrators apply the same certificate to all servers instead of having to manage several certificates. 

The NSA stated, “A malicious cyber actor who gains control of the private key associated with a wildcard certificate will provide them the ability to impersonate any of the sites represented, and gain access to valid user credentials and protected information.” 

The agency is now advising administrators of both public and private networks to evaluate the necessity for a wildcard certificate inside their networks and prepare to install individual certificates to isolate and restrict potential breaches. 
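To make the "evaluate the necessity" step concrete, the following inventory check, an added example that is not part of the NSA alert, computes how many hosts each certificate is valid for, so that a wildcard certificate shared across several servers (the impersonation blast radius the alert warns about) stands out. Name matching follows RFC 6125 (the `*` matches exactly one leftmost label). The hostnames and SAN lists are constructed.

```python
"""Which hosts does each certificate cover? Wildcard certificates whose
coverage spans several hosts are the candidates for splitting into
individual certificates."""


def wildcard_covers(pattern, host):
    """True if certificate name `pattern` is valid for `host` (RFC 6125)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                  # ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[:-len(suffix)]            # the part the "*" has to match
    # Exactly one non-empty label: "*.example.com" matches www.example.com
    # but neither example.com nor a.b.example.com.
    return left != "" and "." not in left


def cert_covers(sans, host):
    return any(wildcard_covers(p, host) for p in sans)


def blast_radius(certs, hosts):
    """Map each certificate to the inventory hosts it is valid for."""
    report = {}
    for name, sans in certs.items():
        covered = sorted(h for h in hosts if cert_covers(sans, h))
        report[name] = {
            "hosts": covered,
            "wildcard": any(p.startswith("*.") for p in sans),
            "shared": len(covered) > 1,
        }
    return report


def risky_certs(certs, hosts):
    """Wildcard certificates that cover more than one host."""
    r = blast_radius(certs, hosts)
    return sorted(n for n, v in r.items() if v["wildcard"] and v["shared"])


# Constructed inventory: hostnames and the SAN entries of each certificate.
HOSTS = ["www.example.com", "mail.example.com", "vpn.example.com",
         "example.com", "dev.internal.example.com", "shop.example.net"]
CERTS = {
    "wildcard-example": ["*.example.com", "example.com"],
    "shop-only": ["shop.example.net"],
    "dev-only": ["dev.internal.example.com"],
}

if __name__ == "__main__":
    for name, info in blast_radius(CERTS, HOSTS).items():
        print(name, info)
    print("split these:", risky_certs(CERTS, HOSTS))
```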

About ALPACA attack 

Furthermore, the NSA's alert cautions about the new Application Layer Protocol Content Confusion Attack (ALPACA), which was revealed earlier this summer and which is likewise made easier by the use of wildcard certificates.

The problem was not taken seriously when it was revealed in June because carrying out an ALPACA attack needed threat actors to be able to intercept web traffic, which is challenging in some circumstances. 

However, the research team that identified the assault stated that over 119,000 web servers were exposed to ALPACA attacks, which is a significant amount. Four months later, the NSA is encouraging companies to take the matter seriously, determine whether their servers are susceptible, and reduce the risk, particularly if the organizations deal with sensitive information or are connected to the US government network. 

On October 7, the NSA stated, “NSA recommends NSS, DoD, and DIB administrators ensure their organization’s wildcard certificate usage does not create unmitigated risks, making their web servers vulnerable to ALPACA techniques.”