Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Zero-Day Bug. Show all posts

Ransomware Group Leveraged Mitel Zero-Day Bug To Target VOIP Appliances

 

CrowdStrike researchers have identified ransomware groups targeting a zero-day flaw impacting the Linux-based Mitel VoIP appliance. 

The vulnerability tracked as CVE-2022-29499 was patched earlier this year in April by Mitel after CrowdStrike researcher Patrick Bennett unearthed the bug during a ransomware investigation. 

In a blog post published last week, Bennett explained that after taking the Mitel VoIP appliance offline, he unearthed a “novel remote code execution exploit used by the threat actor to gain initial access to the environment.” 

“After tracing threat actor activity to an IP address assigned to the Mitel MiVoice Connect VoIP appliance, CrowdStrike received a disk image of the Linux system and began analysis. CrowdStrike’s analysis identified anti-forensic techniques that were performed by the threat actor on the Mitel appliance in an attempt to hide their activity,” Bennett said. 

Although the hacker erased all files from the VoIP device’s filesystem, Bennett was able to retrieve forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the attacker. 

The zero-day bug impacts the Mitel Service Appliance component of MiVoice Connect. The company rated the bug critical and said it could be abused in MiVoice Connect Service Appliances, SA 100, SA 400, and/or Virtual SA, Mitel explained in its security advisory. 

"A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance," the company stated.

The exploit entailed two HTTP GET requests — which are used to retrieve a specific resource from a server — to trigger remote code execution by fetching rogue commands from the attacker-controlled infrastructure. 

The hacker leveraged the exploit to design a reverse shell, utilizing it to launch a web shell ("pdf_import.php") on the VoIP appliance and download the open-source Chisel proxy tool.

Subsequently, the binary was implemented, but only after renaming it to "memdump" in an attempt to fly under the radar and use the utility as a "reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device." 

But detection of the activity halted their operation and restricted them from moving laterally across the network. The announcement of a zero-day bug arrives less than two weeks after German penetration testing firm SySS disclosed two vulnerabilities in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could have allowed threat actors to secure root privileges on the devices.

F5 Patches NGINX LDAP Zero-Day Bug

 

The maintainers of NGINX, F5 Networks, have disclosed a zero-day bug on NGINX Lightweight Directory Access Protocol Reference (LDAP) implementation at the end of the first week of April. Now, they have released security updates to address security loophole in LDAP.

According to security analysts at F5, NGINX Open Source and NGINX Plus are not affected by the bug by themselves. So, there is no action required if the reference implementation is not employed.

“NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation,” Liam Crilly and Timo Stark of F5 Networks said in an advisory. However, if LDAP reference implementation is used, any of the following conditions will cause vulnerability in the systems: 

• Command-line parameters to configure the Python-based reference implementation daemon 
• Unused, optional configuration parameters and 
• Specific group membership to carry out LDAP authentication

If any of these conditions are fulfilled, a threat actor could override the configuration parameters by sending specially designed HTTP request headers and even bypass LDAP authentication. This would allow LDAP authentication failure to occur even if the user is falsely authenticated. 

“The Python daemon does not sanitize its inputs. Consequently, an attacker can use a specially crafted request header to bypass the group membership (member Of) check and so force LDAP authentication to succeed even if the user being authenticated does not belong to the required groups,” F5 researchers told.

“To mitigate against this, ensure that the backend daemon that presents the login form strips any special characters from the username field. In particular, it must remove the opening and closing parenthesis characters – () – and the equal sign (=), which all have special meanings for LDAP servers. advisory. The backend daemon in the LDAP reference implementation will be updated in this way in due course.” 

NGINX project developers advised users to strip special characters so as they are removed from the username field during authentication, and to update configuration parameters using an empty value. The LDAP-reference implementation mainly explains how the integration operates, and all the components necessary to verify it and how it is not a production grade LDAP solution.

Signal Patches Zero-Day Bug in its Android App

 

Signal has patched a critical flaw in its Android app that, in some circumstances, sent random unintended images to contacts without an obvious explanation. 

The flaw was first reported in December 2020 by Rob Connolly on the app's GitHub page. Despite being known for months, Signal has fixed the bug only recently. While the team faced a backlash over this delay, Greyson Parrelli, Signal’s Android developer confirmed fixing the bug recently. As per his response on the same GitHub thread, Signal has patched the flaw with the release of the Signal Android app version 5.17. 

When a user sends an image via the Signal Android app to one of his contacts, the contact would occasionally receive not just the selected image, but additionally a few random, unintended images, that the sender had never sent out, Connolly explained. 

“Standard conversation between two users (let’s call them party A and party B). Party A shares a gif (from built-in gif search). Party B receives the gif, but also some other images, which appear to be from another user (party A has searched their phone and does not remember the images in question). Best case the images are from another contact of B and messages got crossed, worst case they are from an unknown party, who's [sic] data has now been leaked,” Connolly told while describing the flaw. 

At this time, the flaw seems to have only impacted the Android version of the app. Signal Android app users should update to the latest version of the app, available on the Google Play store, researchers advised.

Last year in May 2020, cybersecurity researchers at Tenable discovered a flaw in the secure messaging app Signal which allowed threat actors to track user’s locations. Threat actors can track user’s movements just by calling their Signal number — whether or not the user had his contact information. This could be a big problem for victims of stalking, or for activists and journalists who are trying to avoid government or law enforcement detection to leak information or act in a whistleblower capacity, researcher David Wells wrote.

“That feature is not well advertised, and it’s interesting that someone could disclose your location if they’re your contact. Let’s say I have a burner phone and I just ring your phone, and I do it so quickly that all you see is a missed call from some number. Usually, it’ll be somewhat near you. So, I can force that DNS server [near you] to talk to me. By getting that information, I know what DNS server you’re using and I can determine your general location,” Wells explained.