Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Zero Day Attack. Show all posts

SysAid Ransomware: Unveiling the Zero-Day Menace

A zero-day ransomware attack has recently been reported on, affecting SysAid, a well-known provider of IT service management and help desk services. The cybersecurity community has been shaken by the occurrence, which has prompted swift response and a careful examination of the scope and nature of the intrusion.

The attack, orchestrated by the infamous hacking group known as 'Lace Tempest,' leveraged a zero-day vulnerability in SysAid's on-premise software. This vulnerability allowed the attackers to exploit weaknesses in the system, gaining unauthorized access and compromising sensitive information. The severity of the situation has been highlighted by cybersecurity experts, as SysAid plays a crucial role in managing IT services for numerous organizations.

The zero-day ransomware attack was first brought to light by cybersecurity researchers who discovered the breach and reported it on various platforms, including Dark Reading. According to the information provided, the attackers targeted SysAid's software, exposing a vulnerability that was promptly exploited for unauthorized access and data compromise.

SysAid has acknowledged the security breach and has released a notification regarding the on-premise software security vulnerability on its official blog. The company is actively working to address the issue and has urged its users to take immediate action by applying patches and updates to mitigate the risk of exploitation. The urgency is further emphasized by the fact that the vulnerability has already been exploited by Lace Tempest, as reported by cybersecurity firm Profero.

The CVE-2023-47246 SysAid zero-day vulnerability is being keenly watched by security researchers, and Rapid7 has published a thorough blog post breaking down the details. The article highlights how crucial it is for businesses to continue being watchful and proactive in protecting their IT infrastructure while also shedding light on the technical underpinnings of the attack.

Organizations that depend on SysAid's services are urged to keep up with the latest developments during the investigation and to swiftly put recommended security measures into place. The SysAid security incident highlights the necessity of ongoing awareness and strong cybersecurity procedures in today's digital environment by serving as a sobering reminder of the sophisticated and ever-evolving nature of cyber threats.

Microsoft Fixes Two Zero-Day Vulnerabilities on December Patch Tuesday

 

Microsoft has patched 48 new flaws in its products, including one that attackers are currently employing as well as one that has been made public but is not currently being actively used by attackers. 

In its final monthly security update of the year, the business addressed six vulnerabilities, six of which are significant. 43 vulnerabilities received a significant severity rating, while three problems received a moderate severity grade. 

The update from Microsoft fixes 23 vulnerabilities in Google's Chromium browser technology, which Microsoft's Edge browser is built on, as well as out-of-band CVEs that it fixed over the past month. 

Exploiting a security vulnerability 

CVE-2022-44698, the vulnerability that attackers are actively attempting to exploit, is not one of the more serious issues for which Microsoft today issued updates. The vulnerability enables attackers to get around Windows SmartScreen, a security feature that guards users against dangerous files downloaded from the Internet. 

"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Microsoft explained. 

According to Kevin Breen, director of cyber-threat research at Immersive Labs, CVE-2022-44698 only poses minimal danger to enterprises. "It has to be used in partnership with an executable file or other malicious code like a document or script file. In these situations, this CVE bypasses some of Microsoft's built-in reputation scanning and detection — namely SmartScreen, which would normally pop up to tell a user the file may not be safe." 

At the same time, Breen advises users to rapidly repair the problem and not undervalue the threat. 

Another vulnerability, is an elevation of privilege problem in the DirectX Graphics kernel, as defined by Microsoft as a publicly known zero-day but not yet being actively exploited. The company rated the vulnerability (CVE-2022-44710) as having an "important" degree of severity and one that, if abused, would provide an attacker system-level privilege. The business did note that attackers are less likely to take advantage of the weakness. 

Current vulnerabilities to patch 

Three additional severe vulnerabilities were identified by Trend Micro's ZDI in the December Patch Tuesday security update: CVE-2022-44713, CVE-2022-41076, and CVE-2022-44699. 

A spoofing flaw in Microsoft Outlook for Mac is CVE-2022-44713. Due to the flaw, an attacker might impersonate a trusted user and trick a victim into believing that an email was sent by one of them. 

ZDI's head of threat awareness Dustin Childs wrote in a blog post, "we don't often highlight spoofing bugs, but anytime you're dealing with a spoofing bug in an email client, you should take notice.” When coupled with the previously disclosed SmartScreen MoTW bypass issue that attackers are actively using, the vulnerability might prove particularly problematic. 

A PowerShell remote code execution (RCE) flaw known as CVE-2022-41076 enables an authenticated attacker to bypass the PowerShell Remoting Session Configuration and execute arbitrary commands on a vulnerable system, Microsoft added. 

Despite the fact that the attack complexity is considerable, the organization determined that the vulnerability is one that attackers are more likely to exploit. Organizations should be aware of the vulnerability, according to Childs, because it is the kind of issue that hackers frequently use to "live off the land" after getting initial access to a network. 

Uncertain bug count 

It's interesting to note that various manufacturers' opinions on the number of vulnerabilities that Microsoft patched this month varied. For example, ZDI estimated that Microsoft patched 52 vulnerabilities; Talos estimated 48; SANS estimated 74, and Action1 initially estimated 74 before reducing it to 52. 

The problem, according to Johannes Ullrich, dean of research at the SANS Technology Institute, has to do with the various methodologies used to count vulnerabilities. For instance, while some count Chromium vulnerabilities, others do not. 

Security advisories that occasionally accompany Microsoft upgrades are also listed by others, such as SANS, as vulnerabilities. Some researchers do not include the patches that Microsoft occasionally distributes throughout the month and included them in the next Patch Tuesday update. 

"The patch count can sometimes be confusing, as the Patch Tuesday cycle is technically November to December, so this will also include patches that were released out of band earlier in the month, and can also include updates from third-party vendors," Breen added. "The most notable of these are patches from Google from Chromium, which is the base for Microsoft's Edge browser." 

Since the last Patch Tuesday in November, 74 vulnerabilities, according to Breen, have been fixed. For the Edge browser, there are 51 from Microsoft and 23 from Google. "If we exclude both the out-of-band and Google Chromium [patches], 49 patches for vulnerabilities were released today," he concluded. 

A Microsoft spokesman says the number of new CVEs for which the company issued patches today was 48.

Malicious Actors Exploit Zero-Day RCE Bug in Sophos Firewall

 

Sophos, security software and hardware vendor published a patch update for its firewall product after it identified that hackers were exploiting a new critical zero-day vulnerability to target its users' network. 

The vulnerability tracked as CVE-2022-3236 was spotted in the User Portal and Webadmin of Sophos Firewall, its exploitation can lead to code execution (RCE). 

“A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability has been fixed,” the company stated. “Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.” 

The company says it has released hotfixes for Sophos Firewall versions affected by this security bug (v19.0 MR1 (19.0.1) and older) that will roll out automatically to all instances since automatic updates are enabled by default. 

The firm fixed the vulnerability with the released Firewall v19.0 MR1 (19.0.1) and older, and also offered a solution by advising customers not to expose User Portal, and Webadmin to WAN and to disable WAN access to the User Portal and Webadmin. The company also recommended employing VPN and/or Sophos Central (preferred) for remote access and management.

"Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central (preferred) for remote access and management," the company added. 

Earlier this year in March, Sophos fixed an identical critical vulnerability, tracked as CVE-2022-1040, identified in the User Portal and Webadmin areas of Sophos Firewall. The vulnerability received a CVSS score of 9.8 and affected Firewall versions 18.5 MR3 (18.5.3) and older. The security bug was reported to the security firm by an anonymous threat analyst via its bug bounty program. 

A remote hacker with access to the Firewall’s User Portal or Webadmin interface can exploit the vulnerability to circumvent authentication and execute arbitrary code to target multiple organizations.

Volexity researchers investigated the security vulnerability and disclosed that a Chinese APT group they track as DriftingCloud, exploited CVE-2022-1040 since early March, a little over three weeks before Sophos issued a patch. The hackers employed a zero-day exploit to drop a web shell backdoor and target the customer’s staff.

Safeguarding Android Users From Zero-Day Attacks

 

The term "zero-day" refers to newly found security flaws that hackers can exploit to attack systems. It refers to the fact that the vendor or developer only recently discovered the fault, leaving them with "zero days" to repair it. A zero-day attack is when a zero-day exploit is used to harm or steal data from a system that has been exposed to a vulnerability.

Google's Threat Analysis Group (TAG) is always on the lookout for zero-day exploits. In 2021, it revealed nine zero-day exploits impacting Chrome, Android, Apple, and Microsoft, resulting in updates to safeguard consumers. Google believes that these attacks were bundled by a single commercial monitoring firm called Cytrox.

Cytrox is a North Macedonian firm with offices in Israel and Hungary that was exposed in late 2021 as the creator and maintainer of the spyware "Predator". 

According to new Google research, Cytrox offers new exploits to government-backed actors, who subsequently deploy them in three separate attack campaigns. Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are among the actors who purchased Cytrox services. 

The hackers take advantage of the time differential between when some significant problems were patched but not identified as security issues and when these fixes were fully propagated across the Android ecosystem, using 0-day exploits alongside n-day exploits. 

These findings highlight the extent to which commercial surveillance vendors have proliferated capabilities that were previously solely available to governments with the technical know-how to build and deploy exploits. TAG is actively tracking more than 30 vendors providing exploits or surveillance capabilities to government-backed entities, with different levels of sophistication and public exposure.

The three initiatives were all emailed to targeted Android users with one-time URLs that looked like URL shortener services. The campaign was small - researchers estimate that the number of users targeted in each case was in the tens of thousands. When the link was clicked, the target was sent to an attacker-controlled domain that provided the bugs before redirecting the browser to a legitimate website. The user was forwarded to a valid website if the link was not active. These ads are believed to be transmitted by ALIEN, a simple Android malware capable of loading PREDATOR, an Android implant first reported by CitizenLab in December 2021. 

  • Campaign 1 – Chrome redirection to SBrowser (CVE-2021-38000): In August 2021, the first campaign was discovered using Chrome on a Samsung Galaxy S21, and the webserver immediately responded with an HTTP redirect (302) pointing to the following intended URL. This URL took use of a logic issue in Chrome to force the Samsung Browser to load another URL without user intervention or warnings. 
  • Campaign 2 – Chrome sandbox escape: TAG discovered a campaign in September 2021, in which the exploit chain was sent to a fully updated Samsung Galaxy S10 running Chrome. The exploit that was utilized to get out of the Chrome Sandbox was retrieved, but not the original RCE exploit. The libchrome-embedded sandbox escape was loaded directly as an ELF binary. Libmojo bridge is also custom. The exploit was found to have two separate vulnerabilities in Chrome that are given below: 
  1. CVE-2021-37973: In the handling of Portals API and Fenced subframes, there is a use-after-free vulnerability. 
  2. CVE-2021-37976: A memory instrumentation. mojom. Coordinator information leak allows privileged programs to obtain Global Memory Dumps. These dumps contain sensitive data (addresses) that can be utilized to circumvent ASLR. After escaping the sandbox, the vulnerability downloaded another exploit to raise privileges and install the implant in /data/data/com.android.chrome/p.so. 
  • Campaign 3 – Android 0-day exploit chain in its entirety (CVE-2021-38003, CVE-2021-1048): A full chain exploits on an up-to-date Samsung phone running the newest version of Chrome in October 2021. Two zero-day exploits were included in the chain: CVE-2021-38003, a JSON renderer 0-day vulnerability. The whole value is leaked, allowing the attacker to totally exploit the renderer. The sandbox escape relied on a Linux kernel fault in the epoll() system call. The attacker can use this system call to escape the BPF sandbox and compromise the system by injecting code into privileged processes. 
Google hasn't been able to locate a copy of the exploit and will continue to keep the community informed as they learn more about these campaigns. To combat these issues, a robust, comprehensive approach will be required, involving collaboration between threat intelligence teams, network defenders, university researchers, and technology platforms.

Cisco's Routers. Switches and IP Equipment Suffer Zero-Day Attacks! Major Vulnerabilities Discovered!


The extremely well-known Cisco’s products, including IP Phones, Routers, cameras, and switches, were determined to have several severe “zero-day” vulnerabilities by researchers in the “Cisco Discovery Protocol (CDP)”, per sources.

CDP is a proprietary “Layer 2” network protocol that is put into effect in all the Cisco devices to be privy to the mechanisms of the devices.

Reports mention that a total of five vulnerabilities were ascertained out of which, four were “Remote Code Execution” (RCE) that let hackers or any other cyber-con to manipulate every single operation of the devices without any sort of consent of the user.

According to sources, one of the vulnerabilities led to a “Denial of Service” in the Cisco FXOS, NX-OS and IOS XR software that ended up damaging the victims’ networks

By exploiting the vulnerabilities effectively, numerous organizations’ and companies’ networks were smashed, costing all the affected parties heavily.

Per legitimate sources, following is the list of all the vulnerable devices in the represented categories:

Switches
• Nexus 1000 Virtual Edge
• Nexus 1000V Switch
• Nexus 3000 Series Switches
• Network Convergence System (NCS) 1000 Series
• Network Convergence System (NCS) 5000 Series
• Network Convergence System (NCS) 540 Routers
• Network Convergence System (NCS) 5500 Series
• Network Convergence System (NCS) 560 Routers
• MDS 9000 Series Multilayer Switches
• Nexus 5500 Series Switches
• Nexus 5600 Series Switches
• Nexus 6000 Series Switches
• Nexus 7000 Series Switches
• Nexus 9000 Series Fabric Switches
• Network Convergence System (NCS) 6000 Series
• UCS 6200 Series Fabric Interconnects
• UCS 6300 Series Fabric Interconnects
• UCS 6400 Series Fabric Interconnects

IP Phones
• Unified IP Conference Phone 8831
• Wireless IP Phone 8821-EX
• Wireless IP Phone 8821
• IP Conference Phone 7832
• IP Conference Phone 8832
• IP Phone 6800 Series
• IP Phone 7800 Series
• IP Phone 8800 Series
• IP Phone 8851 Series

IP Cameras
• Video Surveillance 8000 Series IP Cameras

Routers
• IOS XRv 9000 Router
• Carrier Routing System (CRS)
• ASR 9000 Series Aggregation Services Routers
• Firepower 1000 Series
• Firepower 2100 Series
• Firepower 4100 Series
• Firepower 9300 Security Appliances
• White box routers running Cisco IOS XR

The exploitation of the other four Remote Execution vulnerabilities could be in a way that a “maliciously” fabricated “CDP Packet” could be sent on the targeted Cisco devices and have their mechanisms altered.

There’s a vulnerability that could be hunted down or traced by (CVE-2020-3119). It helps the attackers to completely override the default switch and network infrastructure settings.

One of the vulnerabilities which could be traced as (CVE-2020- 3118), could help attackers gain control of the target’s router via remote code execution and use it in any harmful way they find acceptable.

Cisco’s 800 series IP cameras were vulnerable to attackers’ remote code execution. The vulnerability could be located as (CVE-2020-3110)

According to sources, in the other Cisco “Voice over IP Phone” vulnerability, an overflow in the parsing function could be exploited to access “code execution”. This vulnerability could be traced to (CVE-2020-311).

The troubles this vulnerability could cause an organization are manifold.
Acquiring access to other devices via “man-in-the-middle” attacks.
Damaging the network’s structure
“Data Exfiltration”, ranging from network traffic to sensitive information and personal phone calls, by the help of manipulated routers and switches.

Per reports, Cisco has come up with patches and the users are directed to employ them without any further delay.
[CVE-2020-3111
CVE-2020-3118
CVE-2020-3120
CVE-2020-3110
CVE-2020-3119]