
This Vulnerability in E-Learning Platform Moodle Could Even Modify Exam Results

 

A critical security flaw in the popular e-learning platform Moodle could give an attacker access to student data and test papers, and could even be used to modify exam results. Moodle is an open-source e-learning platform used by 1,90,000 organizations across the world, most of them educational institutions such as colleges and universities. The bug is a PHP object injection vulnerability in Moodle's Shibboleth authentication module; it can allow remote code execution (RCE), which can lead to a complete takeover of the server.

If this happens, the attacker can access anything on the server, such as student data, passwords, messages and exam grades. Penetration testers Robin Peraglie and Johannes Moritz found the flaw; they were hunting for bugs in Moodle following the earlier discovery of 2 RCE vulnerabilities in the software.

According to them, the vulnerability exists only on Moodle LMS servers that have Shibboleth sign-in authentication enabled. It is disabled by default, which is a relief to the educational institutions that use the module. If it is enabled, however, unauthorized attackers can remotely execute arbitrary system commands, which can lead to a complete compromise of the server, including leakage of user data. Students could also use it to tamper with exams before they take place.

According to experts, the vulnerability is very easy to exploit. "After reporting the issue to Bugcrowd and, following a lengthy disclosure process, the flaw has now been patched. It took four months for the vulnerability to be triaged, revealed Moritz, who said he had the impression it was not treated as a priority. When asked why they didn’t report it directly to Moodle, which has its own vulnerability disclosure program, the researcher said they are “quite inflexible with providing patches because of their two-month release cycle”. Moritz did, however, reveal that the team also found a second critical Moodle pre-authentication bug – details of which will be released following a separate, ongoing coordinated disclosure process," reports the Daily Swig.

Katana: New Variant of Mirai Botnet Posing Serious Threat?




A new variant of the Mirai botnet, Katana, was recently identified by the Avira Protection Lab. The botnet is still under development, but it already has several advanced capabilities, such as fast replication, secure C&C, layer 7 DDoS, and different encryption keys for each source. Katana has actively exploited security flaws in GPON, Linksys routers, and DLink to infect hundreds of devices.

The IoT botnet Mirai has continually evolved since its source code was made publicly available in 2017. A threat report published by Avira Protection Labs depicts this continuous evolution, highlighting how newer versions of Mirai are easily available: they can be sold, bought, or sourced through YouTube channels, enabling amateur threat actors to develop malicious botnets. This has increased the number of attacks. Furthermore, Katana is equipped with several classic features of its parent botnet, Mirai, including running a single instance and using a random process name. It can also edit and manipulate the watchdog to stop the system from restarting.
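A defender-side check for the watchdog behaviour described above, as an added example that is not taken from the Avira report or from this post: it walks a Linux `/proc` tree and reports every process holding a watchdog device open. The device paths are the standard Linux watchdog nodes; the `EXPECTED_OWNERS` allowlist, the deleted-executable heuristic and the field names are assumptions to adapt per device.

```python
import os
from pathlib import Path

# Linux watchdog device nodes; a process must hold one open to control the timer.
WATCHDOG_NODES = ("/dev/watchdog", "/dev/misc/watchdog")
# Assumption: daemons expected to own the watchdog on this device; adjust per firmware.
EXPECTED_OWNERS = {"watchdog", "systemd", "procd"}


def _try(fn, path):
    """Call fn(path); return "" if the process vanished or access is denied."""
    try:
        return fn(path)
    except OSError:
        return ""


def find_watchdog_holders(proc_root="/proc", expected=EXPECTED_OWNERS):
    """Return one finding per process that has a watchdog node open."""
    findings = []
    for entry in sorted(Path(proc_root).iterdir()):
        if not entry.name.isdigit():
            continue
        fds = _try(os.listdir, entry / "fd") or []
        targets = {_try(os.readlink, entry / "fd" / fd) for fd in fds}
        held = sorted(t for t in targets if t.startswith(WATCHDOG_NODES))
        if not held:
            continue
        comm = _try(Path.read_text, entry / "comm").strip()
        deleted = _try(os.readlink, entry / "exe").endswith(" (deleted)")
        findings.append({
            "pid": int(entry.name),
            "comm": comm,
            "node": held[0],
            "exe_deleted": deleted,
            # An unexpected name or an unlinked binary holding the timer needs review.
            "suspicious": comm not in expected or deleted,
        })
    return findings


if __name__ == "__main__":
    for finding in find_watchdog_holders():
        print(finding)
```

Reading other processes' `fd` and `exe` links requires root on the device being inspected.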
 

What is Mirai and how does it work? 

 
Mirai is a malicious program that replicates itself and is therefore also known as a 'self-propagating' worm. It does so by searching for and infecting vulnerable IoT devices. Mirai is built from two modules: a replication module and an attack module. Because the infected devices are managed and directed by a central set of command and control (C&C) servers, it is also regarded as a botnet.
 
In one recent campaign, attackers were seen downloading Sora, a variant of Mirai, from their server in attacks against the vBulletin pre-auth RCE vulnerability. In another incident, a hacker was observed adapting the Mirai source code to launch his own variants of the malware, named Scarface and Demon, which were later used to target a YARN exploit and a DVR exploit.
 
While giving insights on the matter, Alexander Vukcevic, Director of Avira Protection Labs, said, "Katana contains several features of Mirai. These include running a single instance, a random process name, editing the watchdog to prevent the device from restarting, and DDoS commands." He added, "The problem with new Mirai variants like Katana is that they are offered on the DarkNet or via regular sites like YouTube, allowing inexperienced cybercriminals to create their botnets."