
TellYouThePass Ransomware Exploits Recent PHP RCE Vulnerability to Compromise Servers


The TellYouThePass ransomware gang has been exploiting the recently patched CVE-2024-4577 remote code execution vulnerability in PHP to deliver webshells and execute their ransomware payload on target systems.

The attacks began on June 8, less than 48 hours after PHP maintainers released security updates, utilizing publicly available exploit code. TellYouThePass is notorious for quickly adopting public exploits for widespread vulnerabilities. In November, they exploited an Apache ActiveMQ RCE, and in December 2021, they used the Log4j exploit to breach companies.

In the latest attacks observed by researchers at cybersecurity company Imperva, TellYouThePass leveraged the critical-severity CVE-2024-4577 bug to execute arbitrary PHP code. They used the Windows mshta.exe binary to run a malicious HTML application (HTA) file. This file contained VBScript with a base64-encoded string that decoded into a binary, loading a .NET variant of the ransomware into the host's memory.

Ransomware Impact and Tactics

Upon execution, the malware sends an HTTP request to a command-and-control (C2) server disguised as a CSS resource request and encrypts files on the infected machine. It then leaves a ransom note, "READ_ME10.html," with instructions for the victim on how to restore their files. User posts on the BleepingComputer forum indicate that TellYouThePass attacks have claimed victims since June 8, demanding 0.1 BTC (around $6,700) for the decryption key. One user reported that the ransomware campaign affected multiple websites hosted on their server.
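The chain described above (a PHP CGI process spawning mshta.exe to run an HTA) is a behaviour defenders can alert on from process-creation telemetry. The following is an added example, not Imperva's or the campaign's code; it assumes events with parent image, child image and command line, and the CSV lines are constructed for illustration.

```python
import csv
import io

# Constructed process-creation events (parent image, child image, command line).
# These are made-up lines for the example, not real telemetry.
SAMPLE_EVENTS = """parent,image,cmdline
C:\\php\\php-cgi.exe,C:\\Windows\\System32\\mshta.exe,mshta.exe C:\\inetpub\\wwwroot\\x.hta
C:\\Windows\\explorer.exe,C:\\Windows\\System32\\mshta.exe,mshta.exe C:\\Users\\dev\\app.hta
C:\\php\\php-cgi.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c whoami
C:\\Windows\\System32\\services.exe,C:\\Windows\\System32\\svchost.exe,svchost.exe -k netsvcs
"""

# Processes that serve PHP and have no business launching script hosts or shells.
WEB_PARENTS = {"php-cgi.exe", "php.exe", "httpd.exe", "nginx.exe", "w3wp.exe"}
# Living-off-the-land binaries used as a second stage (mshta.exe is the one in this campaign).
SUSPICIOUS_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_web_to_lolbin(csv_text):
    """Return (parent, child, cmdline) for every event where a web/PHP process spawned a script host or shell."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parent, child = basename(row["parent"]), basename(row["image"])
        if parent in WEB_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append((parent, child, row["cmdline"]))
    return hits

if __name__ == "__main__":
    for hit in detect_web_to_lolbin(SAMPLE_EVENTS):
        print("ALERT: web process spawned script host:", hit)
```

The explorer.exe to mshta.exe event is deliberately left unflagged: the signal is the parent, not mshta.exe on its own.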

Vulnerability Details and Response

CVE-2024-4577 is a critical RCE vulnerability that affects all PHP versions since 5.x. It originates from unsafe character encoding conversions on Windows when used in CGI mode. The vulnerability was discovered on May 7 by Devcore's Orange Tsai, who reported it to the PHP team. A fix was released on June 6 with PHP versions 8.3.8, 8.2.20, and 8.1.29.

The following day, WatchTowr Labs released a proof-of-concept (PoC) exploit code for CVE-2024-4577. The Shadowserver Foundation observed exploitation attempts on their honeypots the same day. According to a report from Censys, over 450,000 exposed PHP servers could be vulnerable to the CVE-2024-4577 RCE vulnerability, with most located in the United States and Germany. Wiz, a cloud security startup, estimated that around 34% of these instances might be vulnerable.

Fortra's GoAnywhere MFT Software Faces Exploitation, No Evidence of Active Exploitation Detected


Reports on the exploitation of Fortra's GoAnywhere MFT file transfer software raised concerns due to the potential development of exploit code from a publicly released Proof of Concept (PoC). As of Thursday afternoon, there was no evidence of active exploitation.

Researchers from Shadowserver, in a post dated January 25, noted over 120 exploitation attempts based on the publicly released PoC code. However, they suggested that widespread success for attackers is unlikely, because few admin portals are exposed (only 50) and the majority of those are patched.

The vulnerability, identified as CVE-2024-0204 with a CVSSv3 score of 9.8, enables hackers to remotely create a new admin user through the software’s administration portal. This issue emerged a year after the Clop ransomware gang exploited a GoAnywhere MFT zero-day vulnerability, compromising over 130 organizations. Fortra responded by releasing a patch on January 22, urging immediate action from security teams. The company had notified customers on December 4 and released the patch on December 7.

Ashley Leonard, CEO at Syxsense, emphasized the critical nature of the CVE, stating that the vulnerability allows unauthorized users to bypass authentication and create a new admin account remotely.

In line with the lack of evidence of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has not included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. CISA defines "active exploitation" based on real-time success demonstrated by threat actors in the wild.

Ransomware groups have historically utilized file transfer software in their tactics, with examples like REvil using GoAnywhere MFT for deploying malware and exfiltrating sensitive data. Though REvil is no longer active, similar tactics persist, and groups like LockBit are known to exploit new vulnerabilities swiftly. Security experts advise organizations leveraging the software to patch immediately, considering the potential threat.

Callie Guenther, senior manager of cyber threat research at Critical Start, highlighted the relative ease of exploiting the Fortra GoAnywhere MFT vulnerability, described as a "1998 style" path traversal flaw. With the PoC available and the simplicity of exploitation, there are concerns that threat actors might start scanning for vulnerable instances of GoAnywhere MFT to exploit the flaw. While it's uncertain if CISA will include this flaw in the KEV catalog, they have previously issued advisories for similar vulnerabilities and added a remote code injection issue in Fortra's GoAnywhere MFT (CVE-2023-0669) to the catalog.

Ethical Hackers Uncover 38TB Microsoft Data Breach via Azure Storage


The recent Microsoft data leak, stemming from the inadvertent sharing of open-source training data on GitHub by AI researchers, has been successfully addressed. Microsoft swiftly responded to a vulnerability that exposed a significant 38TB of private data from its AI research division.

The breach was uncovered by ethical hackers from cloud security firm Wiz, who on June 22, 2023 identified a shareable link built on an Azure Shared Access Signature (SAS) token. They promptly reported their findings to the Microsoft Security Response Center, and the SAS token was invalidated by June 24. Subsequently, on July 7, the token on the original GitHub page was replaced.

The exploit revolved around Shared Access Signature (SAS) tokens, a feature of Azure for file-sharing. Such tokens, when mishandled, can leave systems vulnerable. Wiz's initial detection of this vulnerability occurred during their search for improperly configured storage containers online, a known entry point for cloud-hosted data breaches. 

Their investigation led them to 'robust-models-transfer', a repository housing open-source code and AI models used for image recognition within Microsoft's AI research division.

The root of the problem traced back to a Shared Access Signature token associated with an internal storage account. A Microsoft employee, while engaged in the development of open-source AI learning models, inadvertently shared a URL for a Blob store (a form of object storage in Azure) containing an AI dataset on a public GitHub repository. Leveraging this misconfigured URL, the Wiz team gained unauthorized access to the entire storage account.

Upon following the link, the hackers gained access to a repository containing disk backups of two former employees’ workstation profiles, along with internal Microsoft Teams messages. This repository housed a staggering 38TB of sensitive information, including secrets, private keys, passwords, and the open-source AI training data.

Notably, SAS tokens lack expiration dates, making them ill-suited for sharing critical data externally. In a security advisory on September 7, Microsoft underscored that "Attackers may create a high-privileged SAS token with long expiry to preserve valid credentials for a long period."
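The two risk factors named here, a high-privilege token and a long expiry, are both visible in the query string of a SAS URL before it is ever shared. The following is an added example, not Microsoft's or Wiz's code: a small pre-share audit of a SAS URL that reads the standard query parameters (sp permissions, ss services, se expiry, spr protocol). The URLs and signatures are constructed placeholders, and the review date is fixed so the result is reproducible.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed account-level SAS URL; the signature is a placeholder, not a real token.
SAMPLE_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/?sv=2021-06-08&ss=bfqt&srt=sco"
    "&sp=rwdlacup&se=2051-10-06T00:00:00Z&spr=https&sig=PLACEHOLDER_SIGNATURE"
)
# Constructed container-scoped, read-only, short-lived SAS URL for comparison.
SAMPLE_SCOPED_URL = (
    "https://examplestorage.blob.core.windows.net/dataset?sv=2021-06-08&sr=c"
    "&sp=rl&se=2023-09-20T00:00:00Z&spr=https&sig=PLACEHOLDER_SIGNATURE"
)
# Fixed clock so the example is reproducible (assumed review date).
EXAMPLE_NOW = datetime(2023, 9, 18, tzinfo=timezone.utc)

def audit_sas_url(url, now=EXAMPLE_NOW, max_days=7):
    """Return a list of findings for a SAS URL; an empty list means nothing obviously risky."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params or "sp" not in params:
        return ["not a SAS URL (missing sig or sp)"]
    findings = []
    # sp: permission letters; anything beyond r (read) and l (list) can change data.
    extra = set(params["sp"]) - {"r", "l"}
    if extra:
        findings.append(f"grants non-read permissions: {''.join(sorted(extra))}")
    # ss: present only on an account SAS, which spans whole services rather than one container.
    if "ss" in params:
        findings.append(f"account-level SAS over services '{params['ss']}', not scoped to one container")
    # se: expiry; a far-future or missing expiry keeps a leaked token valid for years.
    se = params.get("se")
    if se is None:
        findings.append("no expiry (se) set")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry - now > timedelta(days=max_days):
            findings.append(f"expiry {se} is more than {max_days} days away")
    # spr: allowed protocols; when absent, Azure permits both http and https.
    if params.get("spr") != "https":
        findings.append("token is not restricted to HTTPS (spr)")
    return findings

if __name__ == "__main__":
    for url in (SAMPLE_SAS_URL, SAMPLE_SCOPED_URL):
        print(url.split("?")[0], audit_sas_url(url) or ["ok"])
```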

It's worth emphasizing that no customer data was compromised, and there was no threat to other Microsoft services stemming from the AI dataset exposure. This incident isn't unique to Microsoft's AI endeavors; any large-scale open-source dataset could potentially face similar risks. Wiz, in its blog post, highlighted that "Researchers collect and share massive amounts of external and internal data to construct the required training information for their AI models. This poses inherent security risks tied to high-scale data sharing."

To prevent similar incidents, organizations are advised to caution employees against oversharing data. In this instance, the Microsoft researchers could have safeguarded the public AI dataset by relocating it to a dedicated storage account. Additionally, vigilance against supply chain attacks is crucial. These attacks may occur if malicious code is injected into files that are accessible to the public due to improper permissions.

"As we see wider adoption of AI models within companies, it’s important to raise awareness of relevant security risks at every step of the AI development process, and make sure the security team works closely with the data science and research teams to ensure proper guardrails are defined," the Wiz team wrote in their blog post.

Ami Luttwak, CTO and cofounder of Wiz, released the following statement to TechRepublic: “As AI adoption increases, so does data sharing. AI is built on collecting and sharing lots of large models and quantities of data, and so what happens is you get high volumes of information flowing between teams. This incident reveals the importance of sharing data in a secure manner. Wiz also recommends security teams gain more visibility into the process of AI research, and work closely with their development counterparts to address risks early and set guardrails.”

Zenbleed: Security Flaw Steals Data from AMD Zen 2 CPUs


After initially disclosing the flaw to AMD on May 15, Google security researcher Tavis Ormandy published an overview of it on his blog. AMD's entire Zen 2 product line is reported to be affected by the Zenbleed vulnerability.

The flaw apparently enables attackers to obtain private information held in AMD Zen 2 class CPUs, which include the PS5, Xbox, and desktop and data center computers, such as encryption keys and logins. Remote attackers can use website JavaScript to exploit Zenbleed, according to cloud infrastructure provider Cloudflare.

AMD Zen 2 CPU

AMD’s Zen 2 CPU, launched in 2019, is the third generation of the company’s Ryzen processors. The processors include Ryzen 4000U/H desktop chips, Ryzen 5000U for mobile applications, Threadripper 3000 for high-performance workstations, and Ryzen 4000G Accelerated Processing Unit (APU) system-on-a-chip.

Moreover, the processors also power Sony's PlayStation 5, Microsoft's Xbox Series S and Series X, and Steam's Steam Deck. Zen 2 CPUs are also used across a number of standalone computers and data center servers.

These CPUs, as mentioned earlier, are now affected by Zenbleed, labeled CVE-2023-20593, which relies on an error in how the CPUs perform a process known as speculative execution.

CPU Misprediction 

Modern CPUs increase processing speed by predicting what they will need to do next and preparing several alternatives in advance, so that the CPU does not have to wait for them to load after finishing the current instruction. This technique is known as speculative execution.

Predictions that turn out to be of no use are discarded using an instruction called vzeroupper, which rolls back the guess by "zeroing out" the memory space, known as a YMM register, that had been prepared for them.

However, Tavis Ormandy discovered that the chip does not always delete the data stored in the YMM registers (which are also used by regular CPU instructions that move and copy data) when a Zen 2 CPU predicts that the next instruction will be vzeroupper and that prediction turns out to be wrong.

He further notes that this memory space may contain sensitive data such as passwords, credit-card details and encryption keys, and that a well-executed exploit can trick the CPU into recovering from the misprediction in a way that lets threat actors read data from affected systems at about 30KB per core per second.

Since the flaw relates to the normal operation of the CPU, it works regardless of the operating system, programs, virtual machines or security tools installed on the system.

Patching the Underlying Vulnerability

Ormandy has published proof-of-concept (PoC) exploit code in his post. The flaw is said to be simpler to exploit than other recent CPU bugs such as Spectre and Meltdown.

Moreover, AMD has released a temporary patch that is applied to the affected systems' chips as a microcode update, and it plans to deliver a full update to equipment manufacturers by October.

Cloudflare announced that it is "patching [its] entire fleet of potentially impacted servers with AMD's microcode." 

Citrix has provided a patch, and the developers of the Linux operating systems Debian and Red Hat have also responded. Red Hat has categorized the vulnerability as having "moderate impact" and has cautioned that an appropriate solution is not currently available.

Security experts have further advised companies to assess their exposure to the bug by reviewing which of their systems are based on Zen 2 CPUs. They also advise businesses to be mindful of other, related hardware bugs such as RAMBleed that allow data to be read directly from CPU and memory hardware.
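The first step in that review is finding the Zen 2 hosts in an estate. The following is an added example, not AMD's or Ormandy's code: it parses /proc/cpuinfo output and reports each logical CPU whose vendor, family and model fall in Zen 2. The cpuinfo text is constructed, and the Zen 2 model ranges within AMD family 0x17 are an assumption drawn from the Linux kernel's erratum table as the author recalls it; verify them against AMD's advisory before relying on the result.

```python
# Constructed /proc/cpuinfo excerpt: two logical CPUs from different machines, for illustration.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7502 32-Core Processor
microcode\t: 0x830104d

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 1
model name\t: AMD EPYC 7763 64-Core Processor
microcode\t: 0xa001173
"""

# Assumed Zen 2 model ranges inside AMD family 0x17 (from the Linux kernel's erratum table
# as recalled by the author; check against AMD's advisory). Family 0x19 and later are not Zen 2.
ZEN2_MODEL_RANGES = [(0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF)]

def parse_cpuinfo(text):
    """Yield one dict of field -> value per 'processor' block of /proc/cpuinfo."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        yield entry

def is_zen2(entry):
    """True when the block describes an AMD family 0x17 CPU in one of the Zen 2 model ranges."""
    if entry.get("vendor_id") != "AuthenticAMD" or int(entry.get("cpu family", 0)) != 0x17:
        return False
    model = int(entry.get("model", 0))
    return any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)

def zen2_cpus(text):
    """Return (processor, model name, microcode) for each logical CPU that is Zen 2."""
    return [(e["processor"], e["model name"], e["microcode"]) for e in parse_cpuinfo(text) if is_zen2(e)]

if __name__ == "__main__":
    for proc, name, ucode in zen2_cpus(SAMPLE_CPUINFO):
        print(f"cpu {proc}: {name} is Zen 2; running microcode {ucode}, compare with AMD's fixed revision")
```

On a real host, pass the contents of /proc/cpuinfo to zen2_cpus and compare the reported microcode revision with the fixed revision AMD publishes for that part.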