Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label zero Day vulnerability. Show all posts

Citrine Sleet APT Exploits Chrome Zero-Day Vulnerability for Rootkit Infiltration

 


It is believed that North Korean hackers have been able to use unpatched zero-day in Google Chrome (CVE-2024-7971) to install a rootkit called FudModule after gaining admin privileges by exploiting a kernel vulnerability in Microsoft Windows. An investigation by Microsoft has revealed that a North Korean threat actor exploited a zero-day vulnerability in the Chromium browser that has been tracked as CVE-2024-7971 to conduct a sophisticated cyber operation.  

According to the report, Citrine Sleet, the notorious group behind the attack that targets cryptography sectors in particular, is responsible for the attack. It has been reported that CVE-2024-7971 is a type of confusion vulnerability in the V8 JavaScript and WebAssembly engine that had been impacted in versions of Chrome before 128.0.6613.84. By exploiting this vulnerability, threat actors could gain remote code execution (RCE) access to the sandboxed Chromium renderer process and conduct a remote attack. 

There was a vulnerability that was fixed by Google on August 21, 2024, and users should ensure that they are running the most recent version of Chrome. It is clear from this development that the nation-state adversary is trying to increase its penetration of Windows zero-day exploits in recent months, indicating that they are persistent in their efforts to acquire and introduce oodles of zero-day exploits. 

A Microsoft security researcher found evidence that Citrine Sleet (formerly DEV-0139 and DEV-1222) was responsible for the activity. Citrine Sleet is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736, all of which are associated with Citrine Sleet. There is an assessment that this sub-cluster is part of the Lazarus Group (a.k.a. Diamond Sleet and Hidden Cobra) which is related to Lazarus. 

Several analysts have previously credited the use of AppleJeus malware to a Lazarus subgroup called BlueNoroff (also known as APT38, Nickel Gladstone, and Stardust Chollima), indicating the fact that the threat actors share both toolsets and infrastructure from one subgroup to another. Some cybersecurity vendors maintain track of this North Korean threat group under different names, such as AppleJeus, Labyrinth Chollima, and UNC4736, among others. 

Hidden Cobra is a term used by the U.S. government to describe malicious actors sponsored by the North Korean government collectively as being influenced by the state. It is mostly targeted at financial institutions, with a special focus on cryptocurrency organizations and individuals who are closely associated with the cryptocurrency industry. 

In the past, it has been linked to Bureau 121 of the Reconnaissance General Bureau of North Korea, where it practices intelligence gathering. Moreover, North Korean hackers are also known for using malicious websites that appear to be legitimate cryptocurrency trading platforms to infect prospective victims with fake job applications, weaponized cryptocurrency wallets, and cryptocurrency trading apps designed to steal sensitive information. 

This is the first time UNC4736 malware has been identified in a supply chain attack, for example in March 2023 it attacked the Electron-based desktop client of video conferencing software provider 3CX. Further, they were able to breach the website of Trading Technologies, an automation company for stock market trading, to sneakily push trojanized versions of the X_TRADER software into the system. In a March 2022 report, Google's Threat Analysis Group (TAG) also linked AppleJeus to the compromise of Trading Technologies' website, highlighting AppleJeus as being behind the attack. 

For years, the U.S. government has repeatedly issued warnings about state-sponsored cyberattacks targeting cryptocurrency-related businesses and individuals with AppleJeus malware that is backed by the North Korean government. As a result of the security vulnerability CVE-2024-7971 that was discovered last week, Google patched Chrome's version 8 JavaScript engine and reported it as a type confusion vulnerability. 

In a recent cybersecurity incident report, it was revealed that victims were directed to a domain controlled by the threat group Citrine Sleet, identified as voyagorclub[.]space. The exact method by which victims were lured to this domain remains undetermined, though it is suspected that social engineering tactics were employed. This is consistent with Citrine Sleet’s established modus operandi, which frequently involves manipulating individuals through social engineering to initiate attacks. 

Upon successful redirection to the malicious domain, attackers leveraged a zero-day remote code execution (RCE) vulnerability, identified as CVE-2024-7971. This vulnerability is linked to a type of confusion flaw in Chrome’s V8 JavaScript engine. Google addressed this security issue in a recent patch, highlighting that it allowed attackers to achieve RCE within the sandboxed Chromium renderer process of the victim's browser. Once inside this sandboxed environment, the attackers further escalated their access by exploiting a secondary vulnerability in the Windows kernel. 

The additional vulnerability, CVE-2024-38106, was exploited to escape the browser’s sandbox environment. This kernel vulnerability, which Microsoft had patched in their latest Patch Tuesday release, allowed attackers to gain SYSTEM-level privileges on the compromised system. Following this, the attackers downloaded and activated a highly sophisticated rootkit known as FudModule. This malware, when loaded into memory, enabled direct kernel object manipulation (DKOM), providing attackers with the capability to bypass critical kernel security measures.

The FudModule rootkit is particularly concerning, as it is designed to manipulate kernel-level processes, enabling attackers to establish persistent backdoor access to the compromised system. Through DKOM, the rootkit effectively tampers with core system functions, allowing attackers to evade detection, steal sensitive information, and potentially deploy additional malicious software. Interestingly, the FudModule rootkit has been linked to another North Korean state-sponsored group known as Diamond Sleet, which has utilized this malware since its discovery in October 2022. 

This suggests a potential collaboration between Citrine Sleet and Diamond Sleet or, at the very least, shared access to malicious tools and infrastructure. Furthermore, the rootkit bears similarities to tools used by another notorious hacking group, the Lazarus Group, indicating that FudModule may be part of a broader North Korean cyber-espionage toolkit. Citrine Sleet's attack demonstrates a highly coordinated and multi-faceted approach, beginning with social engineering techniques to lure victims to a compromised domain and culminating in the exploitation of critical vulnerabilities to gain deep control over target systems. 

By leveraging both CVE-2024-7971 and CVE-2024-38106, the attackers were able to bypass multiple layers of security, from browser sandboxing to Windows kernel defences. Microsoft has issued a series of recommendations to help organizations mitigate the risk of such attacks. They stress the importance of maintaining up-to-date software and operating systems, as timely patching is critical to closing vulnerabilities before they can be exploited. 

Additionally, Microsoft advocates for the deployment of security solutions that provide unified visibility across the entire cyberattack chain. Such tools can detect and block attacker tools and post-compromise malicious activity. Lastly, strengthening the configuration of the operating environment is recommended to minimize the likelihood of successful exploitation and post-compromise activity. This incident underscores the evolving nature of cyber threats and highlights the importance of proactive cybersecurity measures to detect, block, and mitigate advanced persistent threats (APTs).

Lazarus Group Exploits Microsoft Zero-Day in a Covert Rootkit Assault

 


The North Korean government-backed hackers were able to gain a major victory when Microsoft left a zero-day vulnerability unpatched for six months after learning it was actively exploited for six months. As a result of this, attackers were able to take advantage of existing vulnerabilities, thereby gaining access to sensitive information. Although Microsoft has since patched this vulnerability, the damage had already been done. 

Researchers from the Czech cybersecurity firm Avast discovered a zero-day vulnerability in AppLocker earlier this month, and Microsoft patched the flaw at the beginning of this month. AppLocker is a service that allows administrators to control which applications are allowed to run on their systems. 

APT38, the Lazarus group, is a state-run hacking team operated by the North Korean government. It's tasked with cyberespionage, sabotage, and sometimes even cybercrime to raise money for the regime. Although Lazarus has operated for many years, some researchers believe it is essentially a group of subgroups operating their campaigns and developing specific types of malware for specific targets that they use to accomplish their objectives. 

In addition to Lazarus's toolset tools, FudModule has been analyzed by other cybersecurity firms in the past in 2022 and is not new to Lazarus. Essentially, it is an in-user data-only rootkit that is active within the user space, utilizing kernel read/write privileges through the drivers to alter Windows security mechanisms and hinder the detection of other malicious components by security products. 

In August 2023, the security company Avast developed a proof-of-concept exploit for this vulnerability after observing the Lazarus attack and sending it to Microsoft. The vulnerability has been tracked as CVE-2024-21338 and was identified in the Lazarus attack last year. In an updated version of its FudModule rootkit, which ESET first documented in late 2022, Lazarus exploited CVE-2024-21338 to create a read/write kernel primitive, which Avast reports. 

As part of the rootkit, previously, BYOVD attacks were performed using a Dell driver. Avast reported that threat actors had previously established the administrative-to-kernel primitive through BYOVD (Bring Your Own Vulnerable Driver) techniques, which are noisy. However, there seems to be no doubt that this new zero-day exploit has made it easier for kernel-level read/write primitives to be established. 

The issue was discovered in further detail due to a thin line in Microsoft Windows Security that has been left for a very long time, which was the cause of this issue. Since "administrator-to-kernel vulnerabilities are not a security boundary", Microsoft still retains the right to patch them. Furthermore, it is also important to remember that threat actors with administrative privileges have access to the Windows kernel. 

Since this is an open space that attackers can play around with, they take advantage of any vulnerabilities they find to gain access to the kernel.  The threat actors will gain kernel-level access to the OS once they have managed to disrupt the software, conceal infection indicators, and disable kernel-mode telemetry, among other malicious activities once they have gained kernel-level access to the OS. 

In an announcement made by Avast, a cybersecurity vendor that discovered an admin-to-kernel exploit for the bug, the company noted that by weaponizing the kernel flaw, the Lazarus Group could manipulate kernel objects directly in an updated version of their data-only rootkit FudModule by performing direct kernel object manipulation.." 

A rootkit named FudModule has been detected by ESET and AhnLab since October 2022 as capable of disabling the monitoring of all security solutions on infected hosts. As a result of the Bring Your Own Vulnerable Driver (BYOVD) attack, in which an attacker implants a driver with known or unknown flaws to escalate privileges, the security solution is unable to monitor the network. 

There is something important about the latest attack because it goes "beyond BYOVD by exploiting a zero-day vulnerability in a driver that is already installed on the target machine, which is known to be a zero-day vulnerability." It is an appid.sys driver, which plays a crucial role in the functioning of an application control feature in Windows called AppLocker. 

In a study published earlier this week, researchers discovered that Lazarus was spreading malicious open-source software packages to a repository where Python software is hosted, aimed directly at software developers. The researchers report that the malicious packages have been downloaded hundreds of times, according to their findings. 

The South Korean judicial system was also targeted by Lazarus as part of his endeavours. There was a large hack at the Supreme Court of South Korea last year, which was allegedly carried out by the criminal Lazarus group of hackers. Police confiscated servers from the court in February. It is still being investigated whether or not the servers are compromised. 

North Korean hackers, including Lazarus, are said to have hacked more crypto platforms for the first time last year, according to a report by crypto analytics firm Chainalysis. The number of stolen assets reached $1 billion, more than any other year.

Clop Ransomware Adopts Torrents for Data Leaks in Effort to Evade Detection

 

The Clop ransomware group has once again adjusted its tactics for extortion, now employing torrents to disseminate stolen information obtained from MOVEit attacks. 

Beginning on May 27th, the Clop ransomware syndicate initiated a series of data theft assaults by exploiting a zero-day vulnerability within the MOVEit Transfer secure file transfer system. Exploiting this flaw enabled the hackers to pilfer data from nearly 600 global organizations, catching them off guard.

On June 14th, the ransomware group commenced their extortion endeavors by gradually unveiling victims' names on their Tor-based data leak site and eventually making the files public. 

Nevertheless, the use of a Tor site for data leakage had limitations due to sluggish download speeds, which curtailed the potential damage of the leak.

In a bid to overcome these issues, the Clop group established clearweb sites to release stolen data from some of the victims of the MOVEit data theft. However, this approach was susceptible to being dismantled by authorities and companies. In response, the group has turned to torrents as a new method for disseminating the stolen data from the MOVEit breach.

This novel approach was identified by cybersecurity researcher Dominic Alvieri. The Clop ransomware gang has developed torrents for twenty victims, including well-known entities like Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg. 

In the fresh extortion strategy, Clop has established a new Tor site that provides guidance on using torrent clients to download the leaked information. They have also included lists of magnet links for the twenty affected parties.

Torrents leverage peer-to-peer transfers among different users, resulting in faster transfer speeds compared to traditional Tor data leak sites. Testing by BleepingComputer demonstrated improved data transfer speeds, reaching 5.4 Mbps, even when seeded from a single IP address in Russia. 

Additionally, this distribution technique is decentralized, making it difficult for law enforcement to shut down. Even if the original seeder is taken offline, a new device can take over seeding duties.

Should this approach prove effective for Clop, it's likely they will continue to utilize it due to its ease of setup, lack of need for a complex website, and the potential for wider distribution of stolen data, which could place more pressure on victims. 

Coveware has estimated that the Clop gang could amass between $75 million and $100 million in extortion payments. This projection is not solely due to numerous victims paying, but rather a small number of companies being persuaded to pay substantial ransom amounts. Whether the use of torrents will contribute to more payments remains uncertain; however, given the substantial earnings, the outcome may be inconsequential.

Apple Issues Security Updates for Actively Exploited Vulnerabilities in iOS

 

Apple announced a series of patches this week for several of iOS zero-day flaws that have already been used by malicious parties to sneakily install malware and steal user data. Therefore, it is important that you update your phone as soon as you can. 

iOS 16.5.1, which is now available for download if you have an iPhone 8 or newer, fixes a critical security vulnerability that allows hackers to access all of your personal data saved on your iPhone.

This particular vulnerability was discovered in Russia, where thousands of Russian government officials' iPhones were allegedly infected with malware. It's a kernel flaw that allows bad actors to execute arbitrary code with kernel privileges, which means hackers can run whatever code they want on a targeted device. 

According to The Washington Post, the attackers have been sending iMessages with malicious attachments that corrupt and provide access to their targets' iPhones. The latest iOS patch from Apple also addresses a vulnerability in WebKit, the foundation that allows developers to display webpages on Apple devices. Again, it allowed hackers to obtain personal data from users by executing arbitrary code on their target's phone. 

The tech giant stated on the support page for the upgrade that the attacks have only been observed on devices running iOS 15.7 or earlier. Even while this indicates that the company is not aware of any vulnerabilities on iOS devices running newer versions, those systems may still be exposed. Because of this, Apple urges all users to download iOS 16.5.1 even if their iPhone is already shielded from the aforementioned vulnerabilities. 

This security concern is being taken seriously even by American authorities. Federal agencies were asked to download the most recent version by July 13 after the Cybersecurity and Infrastructure Security Agency added the two exploits to its list of known exploited vulnerabilities.

Even if you don't think you're a target for malware, now is a good time to upgrade your device if you have one of the best iPhones. To install iOS 16.5.1 on your device right now, go to Settings, General, and then Software Update.

Progress Software Advises MOVEit Customers to Patch Third Severe Vulnerability

 

Customers of MOVEit are being urged by Progress Software to update their software in less than a month to address a third severe vulnerability. 

According to the most recent vulnerability, identified as CVE-2023-35708, an unauthenticated attacker may be able acquire escalated privileges and gain entry to the MOVEit Transfer database through a SQL injection bug.

In a warning, Progress states that, “an attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

Versions of MOVEit Transfer prior to 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3) are affected by the vulnerability.

On June 15, proof-of-concept (PoC) code aimed at exploiting the flaw was made available. Progress quickly responded, noting that the flaw was made public "in a way that did not follow normal industry standards." 

After a zero-day vulnerability was discovered on May 31 and a second severe bug was patched a week later, Progress has now fixed three critical SQL injection flaws in its MOVEit products in around three weeks. CVE-2023-35708 is the most recent of these. 

Security experts discovered evidence indicating that exploitation may have begun two years prior to the initial flaw, CVE-2023-34362, which only began to be widely exploited in late May.

Attacks on the MOVEit zero-day have affected more than 100 organisations. The Cl0p ransomware gang is responsible for the most recent campaign, and it has begun naming some of the victims in public.

The British Broadcasting Corporation, British Airways, Aer Lingus, the Nova Scotia government, the U.S. Department of Energy, the Louisiana Office of Motor Vehicles, the Oregon Department of Transportation, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE) are just a few of the organisations that have been identified as victims to date. 

Austria, France, Germany, Luxembourg, the Netherlands, Switzerland, the United Kingdom, and the United States all have victims. Malwarebytes adds that the majority of the victims are in the US. 

On June 9, CVE-2023-35036, the second vulnerability, was made public; however, it does not seem to have been used in the wild. Even though Progress claims to be unaware of any exploits for CVE-2023-35708, it advises users to install the most recent updates as soon as feasible.

“All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer,” the company added. 

Customers should stop HTTP and HTTPS traffic, limiting access to localhost only, apply the updates that are available (the June 15th patch also fixes the prior vulnerabilities), and then re-enable HTTP and HTTPS traffic to prevent unauthorised access to the MOVEit Transfer environment. 

To fix the issues, Progress has published both DLL drop-in fixes and entire MOVEit Transfer installers. The company's advisory provides more details on how to apply the updates.

Ransomware Attacks Surge in March 2023

According to recent reports, March 2023 saw a record-breaking number of ransomware attacks globally, with a staggering 459 incidents reported. This highlights the increasing prevalence and sophistication of cyber-attacks and the need for robust cybersecurity measures.

Ransomware attacks involve hackers encrypting a victim's data and demanding a ransom payment in exchange for the decryption key. Cybercriminals typically gain access to systems through phishing emails or exploiting vulnerabilities in software.

One such attack in March involved a zero-day vulnerability in the GoAnywhere MFT software used for secure file transfer. Cybersecurity firm Fortra completed an investigation into the incident and confirmed that the vulnerability had been exploited by attackers.

The incident emphasizes the importance of promptly identifying and patching vulnerabilities to prevent cyber attacks. With the increasing use of software and internet-connected devices, cybercriminals have more opportunities to exploit weaknesses.

Cybersecurity experts recommend implementing best practices such as regular security assessments, employee training, and security controls to minimize the risk of cyber attacks. In addition, having an incident response plan in place can help organizations quickly respond to and contain any attacks.

The prevalence of ransomware attacks underscores the importance of investing in robust cybersecurity measures to protect sensitive data and prevent business disruption. Cybersecurity threats are constantly evolving, and organizations must remain vigilant and proactive in their approach to cybersecurity to stay ahead of cybercriminals.

A recent surge in ransomware attacks and the GoAnywhere MFT incident serve as reminders of the vulnerabilities that exist in software and the need for proactive cybersecurity measures. Organizations must prioritize cybersecurity to protect themselves against these evolving threats and prevent potentially catastrophic consequences.

A spyware Rival Intellexa Challenges NSO Group

The Pegasus creator NSO Group is now facing competition from a little-known spyware company called Intellexa, which is charging $8 million for its services to hack into Android and iOS devices. 

Vx-underground, a distributor of malware source code, discovered documents that represented a proposal from Intellexa, a company that provides services like Android and iOS device exploits. On Wednesday, it shared several screenshots of documents that appeared to be part of an Intellexa business proposal on Twitter.

Europe is the base of Intellexa, which has six locations and R&D facilities there. According to a statement on the company's website, "We help law enforcement and intelligence organizations across the world reduce the digital gap with many and diverse solutions, all integrated with our unique and best-in-class Nebula platform."

A Greek politician was the target of Intellexa, a Cytrox iPhone predator spyware program, according to a Citizen Lab study from last year.

The Intellexa Alliance, which Citizen Lab defined as "a marketing term for a range of mercenary surveillance companies that emerged in 2019," included Cytrox, according to Citizen Lab.

Spyware threat 

The product specifically focuses on remote, one-click browser-based exploits that let users inject a payload into iOS or Android mobile devices. According to the brief explanation, in order for the exploit to be used, the victim must click on a link.

The docs, "classified as proprietary and confidential," according to Security Week, confirmed that the exploits should function on iOS 15.4.1 and the most recent Android 12 upgrade." The fact that Apple released iOS 15.4.1 in March indicates that the offer is current.

The deal gives a "magazine of 100 active infections" in addition to 10 concurrent infections for iOS and Android devices. A sample list of Android devices that an attack would allegedly be effective against is also displayed in the stolen documents.

Last year, Apple sued NSO Group to prevent the business from using its products and services. It implies that the offer is relatively new. Since then, three security patches for the mobile operating system have been released.

This indicates that Apple might have addressed one or more of the zero-day vulnerabilities utilized by the Intellexa iOS attack, but it's also feasible that the exploits provided by these kinds of businesses could stay unpatched for a considerable amount of time.

The buyer would actually receive considerably more for the $8 million, despite the fact that some have claimed that this is the cost of an iOS hack. The offer is for a whole platform with a 12-month guarantee and the ability to evaluate the data obtained by the exploits.

The documents are undated, but according to vx-underground, the screenshots were published on the hacker forum XSS in Russian on July 14. While there is a wealth of technical knowledge available about the exploits provided by spyware companies, nothing is known regarding the prices they charge clients.

According to a 2019 estimate from India's Economic Times, a Pegasus license costs about $7-8 million each year. Additionally, it is well-known that brokers of exploits are willing to pay up to $2 million for fully automated iOS and Android flaws.



Twitter 5.4 Million Users Data is Up For Sale For $30,000

 

A Vulnerability in Twitter’s databases that allowed hackers group access to the personal data of 5.4 million Twitter users, has been patched. The report analysis said that the stolen data is up for sale at a $30,000 price. 

On Friday Twitter reported that a team of researchers has found that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform. 

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability,” Twitter reported.

In January 2020, various cyber security news platforms published a story on Twitter’s vulnerability that allowed hackers and other malicious actors to access sensitive data including phone numbers and email addresses of millions of users, leaving it susceptible to being accessed by anyone. 

What's even more threatening is that the data details could be accessed even if a user had enabled privacy settings to hide these details publicly. 

"As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," the company said in an advisory. 

When vulnerabilities in the system are not discovered by the software or hardware manufacturer remain, they remain a potentially hazardous threat. In most incidents, zero-day vulnerabilities are noticed by security experts like white-hat hackers, and security analysts inside tech companies. The essential thing to be noted about a zero-day is that there is no patch or update yet created for it, so long as it remains zero-day. 

Twitter said that the company has started notifying users affected by the attack and urging its users to turn on two-factor authentication to protect data against unauthorized logins. 

Solana Funds Breached via Unknown Bug

After customers complained about their funds being stolen, Solana, a blockchain that is growing in popularity for its quick transactions, became the subject of the most recent breach in the cryptocurrency world.

The platform has launched an inquiry and is currently attempting to ascertain how the hackers were able to steal the money. 

What is SOL?

The value of Solana's stake, dropped by 7% to $38.4 in the past day, marking its lowest level in a week.

Solana is an open-source project that relies on the permissionlessness of blockchain technology to offer decentralized financial (DeFi) solutions. According to CoinGecko, end-user applications in the Solana ecosystem include non-fungible tokens (NFT), marketplaces, gaming, e-commerce, and decentralized finance (DeFi).

According to CoinGecko, Solana is one of the top 10 cryptocurrency assets in terms of market value, although its value has fallen significantly from its all-time high of $259.96 reached in November 2021.

The primary reason for the breach

The security problem appears to have affected more than 8,000 wallets, depleting them of their SOL tokens and USDC stablecoins, according to Changpeng  Zhao, CEO of cryptocurrency exchange Binance.

A blockchain consulting firm called Elliptic stated that the attack started on August 2 and has already resulted in the data theft of $5.8 million for its clients. The Solana cryptocurrency, and non-fungible tokens, as per the report, were among the stolen goods.

Elliptic noted that the issue didn't seem to be with the blockchain core, the digital ledger of transactions that serves as the foundation of cryptocurrency assets, but rather with software utilized by such wallets.

Phantom, Slope, and TrustWallet are among the other wallets that have been compromised by the hack.

Several blockchain security experts believe that a supply chain attack, a browser zero-day vulnerability, or a flawed random number generator used during the key generation process might have been leveraged to access such a huge number of private keys.


New DeadBolt Ransomware Attacks Have Been Reported by QNAP

 

QNAP, Taiwanese network-attached storage (NAS) device vendor, has issued a warning to its clients about a fresh wave of Deadbolt ransomware assaults. "According to the QNAP Product Security Incident Response Team (QNAP PSIRT) investigation, the attack targeted NAS systems running QTS 4.3.6 and QTS 4.4.1, with the most affected models being the TS-x51 and TS-x53 series," the NAS manufacturer claimed. 

This is the third time since the beginning of the year that QNAP machines have been infected with the DeadBolt ransomware. "QNAP strongly advises all NAS customers to check and update QTS to the most recent version as soon as possible, and to avoid exposing its NAS to the internet," the company said in its advisory. 

As many as 4,988 DeadBolt-infected QNAP devices were discovered in late January, requiring the business to issue a forced firmware update. In mid-March, there was a second spike in new infections. Asustor, a storage solutions provider, issued a warning to its clients in February about a wave of Deadbolt ransomware assaults aimed at its NAS devices. QNAP devices were attacked in a new wave of DeadBolt ransomware attacks, according to Censys, an Internet search engine. 

QNAP patched several vulnerabilities in early May, including a major security flaw known as CVE-2022-27588 (CVSS 9.8) that might let a remote attacker execute arbitrary instructions on susceptible QVR devices. 

QNAP QVR is a video surveillance solution from a Taiwanese company that runs on its NAS devices without the need for additional software. DeadBolt assaults are also noteworthy for reportedly exploiting zero-day vulnerabilities in software to obtain remote access and encrypt systems.

According to a new report published by Group-IB, exploiting security vulnerabilities in public-facing applications has emerged as the third most common vector for gaining initial access, accounting for 21% of all ransomware attacks examined by the firm in 2021. However, QNAP owners infected with the DeadBolt ransomware will have to pay the ransom to receive a valid decryption key.

Apple Launched a Safety Fix for a Zero-day Flaw

 

Apple released an emergency patch for iPhone, Mac, and iPad early last month that addressed two zero-day vulnerabilities in the various operating systems. Now, just days after the launch of iOS 15.5, Apple is asking Mac and Apple Watch owners to upgrade. 

Zero-day vulnerabilities are defects in software that the vendor is ignorant of and has not yet patched. Before a fix is released, this type of vulnerability may have publicly available proof-of-concept hacks or be actively exploited in the wild. Apple stated in security warnings released on Monday that they are aware of reports this security flaw "may have been actively exploited."

CVE-2022-22675 is a bug in AppleAVD, an audio and video extension that allows programs to run arbitrary code with kernel privileges. Apple patched the flaw in macOS Big Sur 11.6., watchOS 8.6, and tvOS 15.5 with enhanced bounds checking after unknown researchers reported it. Apple Watch Series 3 or later, Macs running macOS Big Sur, Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD are all among the affected. 
  • In 2022, Apple had five zero-day vulnerabilities. Apple patched two more zero-day vulnerabilities in January, allowing hackers to execute arbitrary code with kernel privileges (CVE-2022-22587) and track online surfing habits and user identities in real-time (CVE-2022-22594). 
  • Apple also issued security upgrades to address a new zero-day vulnerability (CVE-2022-22620) that was used to compromise iPhones, iPads, and Macs.
  •  Two more actively exploited zero-days in the Intel Graphics Driver (CVE-2022-22674) and the AppleAVD media decoder were discovered in March (CVE-2022-22675). The latter is also backported in older macOS versions, including watchOS 8.6 and tvOS 15.5. 

Apple did not previously disclose specifics about the flaw to prevent hackers from using the knowledge. While, throughout last year, Apple fixed a slew of zero-day vulnerabilities that had been discovered in the wild and targeted iOS, iPadOS, and macOS devices. 

How do I upgrade my Mac? 
  • In the corner of the screen, select the Apple menu, and 'System Preferences' will appear. 
  • Click 'Software Update' in the following menu. 
  • Then select 'Update Now' or 'Upgrade Now' from the menu. 
If you're still using an older version of the operating system, such as Big Sur, click 'Upgrade Now' to upgrade to the most recent version. Monterey is approximately 12GB in size. 

How to manually update your Apple Watch: 
  • Open the Apple Watch app on your iPhone, then tap the 'My Watch' tab. 
  • Select 'Software Update' from the General menu. 
  • Install the update. If your iPhone or Apple Watch passcode is requested, enter it. 
  • On your Apple Watch, wait for the progress wheel to display. The update could take anything from a few minutes to an hour to finish.

Last Year, Brute-Forcing Passwords and ProxyLogon Exploits were Among the Most Common Attack Vectors

 

Last year, brute-forcing passwords and exploiting ProxyLogon vulnerabilities against Microsoft Exchange Server were among the most prominent attack methods. According to ESET's Q3 Threat Report, which covers September to December 2021, while supply chain attacks increased over 2020, the year 2021 was marked by the continuous discovery of zero-day vulnerabilities potent enough to wreak havoc on enterprise systems. The discovery of zero-day flaws in Exchange Server, as well as Microsoft's emergency patches to address on-premise issues, haunted IT admins well into the year.

The end of the year was similarly tumultuous in terms of RDP attacks, which grew in severity throughout 2020 and 2021. Despite the fact that 2021 was no longer distinguished by the chaos of freshly imposed lockdowns and fast migrations to remote work, the data from the final weeks of T3 2021 eclipsed all prior records, amounting to a remarkable yearly surge of 897% in total attack attempts thwarted. The only positive news from the RDP attack front is that the number of targets has been gradually decreasing, albeit the rampage does not appear to be coming to a stop anytime soon. 

Ransomware, previously described as "more aggressive than ever" in the Q4 2020 Threat Report, outperformed the worst predictions in 2021, with attacks on critical infrastructure, outrageous ransom demands, and over US$5 billion in bitcoin transactions tied to potential ransomware payments identified in the first half of 2021 alone. 

However, the pressure from the opposing side has been increasing as well, as evidenced by increased law enforcement efforts against ransomware and other cybercriminal endeavors. While the intensive crackdown prompted numerous gangs to quit the scene – even providing decryption keys – it appears that other attackers are becoming even more daring: T3 saw the biggest ransom demand yet, US$240 million, tripling the prior report's figure. 

The repercussions of a critical vulnerability in Log4j were also discovered in the last four months of 2021. The remote code execution (RCE) flaw in Log4j, tracked as CVE-2021-44228, received a CVSS severity level of 10.0, sending organizations scrambling to repair the problem. Threat actors immediately began attempting to exploit the flaw.

Despite the fact that the vulnerability was only made public in the last three weeks of 2021, ESET has classified CVE-2021-44228 as one of the top five attack vectors of the year. 

According to the study, there has been a significant increase in Android banking malware, with a 428% increase in 2021 compared to 2020. According to ESET, infection rates connected with Android banking Trojans including SharkBot, Anatsa, Vultur, and BRATA have now surpassed adware levels.

Zero-Day Vulnerability Exploited in Zimbra Email Platform to Spy on Users

 

As part of spear-phishing campaigns that began in December 2021, a threat actor, most likely of Chinese origin, is proactively trying to attack a zero-day vulnerability in the Zimbra open-source email infrastructure. 

In a technical report published last week, cybersecurity firm Volexity described the espionage operation, codenamed "EmailThief," stating that successful exploitation of the cross-site scripting (XSS) vulnerability could lead to the execution of arbitrary JavaScript code in the context of the user's Zimbra session. 

The incursions, which commenced on December 14, 2021, were linked to a previously unknown hacker gang that Volexity is investigating under the moniker TEMP HERETIC, with the attacks focused on European government and media organizations. The zero-day vulnerability affects Zimbra's most recent open-source edition, version 8.8.15. 

The assaults are said to have been carried out in two stages, with the first stage targeted at reconnaissance and the distribution of emails to see if a target had received and opened the messages. Multiple waves of email messages were sent out after that to lure users into clicking on a fraudulent link. The attacker used 74 different Outlook.com email identities to send the messages out over two weeks, with the initial recon emails having generic subject lines ranging from invitations to charity auctions and refunds for airline tickets. 

Steven Adair and Thomas Lancaster noted, "For the attack to be successful, the target would have to visit the attacker's link while logged into the Zimbra webmail client from a web browser. The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook." 

If exploited, the unpatched vulnerability might be used to exfiltrate cookies, providing constant access to a mailbox, sending phishing messages from the hijacked email account to spread the infection, and even facilitating the installation of new malware. 

The researchers stated, "None of the infrastructure identified […] exactly matches infrastructure used by previously classified threat groups."  

"However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor." 

Further the company recommended, "Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15."  

The Log4j Incident Demonstrated Again That Publicly Disclosing 0-day Vulnerabilities Only Aids Intruders

 

On December 9, 2021, a (now-deleted) tweet pointing to a 0-day proof of concept (PoC) exploit for the Log4Shell vulnerability on GitHub set the internet ablaze, sending businesses rushing to mitigate, patch, and patch again as other PoCs surfaced. 

Public vulnerability disclosure – that is, revealing to the world the existence of a bug in a piece of software, a library, an extension, or another piece of software, and releasing a proof-of-concept (PoC) that exploits it – occurs frequently for vulnerabilities in a wide range of software, from the most esoteric to the most mundane (and widely used). 

Threat actors are the only ones who benefit from the public disclosure of 0-day PoCs, as per research and experience, because it puts enterprises in the awkward position of needing to remediate the issue without having anything solid to mitigate it with (i.e., a vendor's patch). 

There are several different types of responsible vulnerability disclosure systems available today. Some companies have an official vulnerability disclosure programme while others arrange and operate it through crowdsourced platforms. Companies typically offer money for information concerning flaws in their products (also known as "bug bounties"). 

Those disclosures usually follow a set of steps, and vendor patches have clearly stated release dates so that users have plenty of time to install them (90 days is the accepted standard for this). 

When the Log4Shell vulnerability was announced publicly, the disclosure procedure was already underway (as evidenced by the pull request on GitHub that appeared on November 30). The following is the timeline of the disclosure, according to information provided by the Apache Software Foundation:
  • November 24: The Log4j maintainers were informed 
  • November 25: The maintainers accepted the report, reserved the CV, and began researching a fix November 26: The maintainers communicated with the vulnerability reporter 
  • November 29: The maintainers communicated with the vulnerability reporter December 4: Changes were committed 
  • December 5: Changes were committed 
  • December 7: First release candidate created 
  • December 8: The maintainers communicated with the vulnerability reporter, made additional fixes, created a second release candidate 
  • December 9: Patch released 
While user comments on the Apache Log4j GitHub project page expressed dissatisfaction with the timeliness of the update, this is to be expected when it comes to patching vulnerabilities - as everyone keeps pointing out, after all, the patch was developed by volunteers. 

Probable reasons for releasing PoC 

There could be valid and logical reasons for releasing a 0-day proof-of-concept. The most prevalent of these is the breakdown of the vulnerability disclosure process: the vendor may not be or cease to be responsive, may judge the vulnerability to be minor enough to warrant a repair, or may take too long to fix it – or any combination of the above. 

In situations like these, security researchers frequently decide to make the PoC public for the "common good," i.e. to force vendors to release a patch quickly. Other factors could include publicity (especially if the researcher is associated with a security vendor) – nothing attracts more press attention than zero-day proof-of-concept exploits for a widely used piece of software, especially if no patch is available. 

However, it should be noted that the evidence against publishing proof-of-concept exploits is now substantial and overwhelming. According to a study conducted by Kenna Security, sharing proof-of-concept attacks mostly assists attackers. A presentation at Black Hat several years ago walked through the lifecycle of zero-days and how they were released and exploited, demonstrating that if proof-of-concept exploits aren't publicly disclosed, the vulnerabilities in question aren't discovered for an average of 7 years by anyone else (threat actors included).

Unfortunately, during the log4j scramble, this was discovered a little too late. Although the initial tweets and disclosures were quickly withdrawn, the harm had already been done. Even the most recent revelation, which resulted in the release of patch 2.17.1, generated so much criticism from the security community that the researcher apologized publicly for the publication's bad timing. 

It's encouraging to see that public disclosure of PoC exploits is becoming more common. Researchers who choose to jump the gun need to be criticized, but all must all work together to ensure that more rigorous disclosure mechanisms are in place for everyone so that the public PoC scenario is avoided the next time a vulnerability like Log4Shell is uncovered.

Hackers Exploit macOS Zero-Day Vulnerability: Google Warns

 

Google's Threat Analysis Group (TAG) determined that cybercriminals targeting visitors to Hong Kong websites potentially have been exploiting a previously unreported zero-day issue in macOS to record keystrokes and screen captures. Apple patched the problem, known as CVE-2021-30869, in September, around a month after Google researchers identified it. Apple indicated that it was made aware of claims that a bug vulnerability was in the wild and that a malicious program might utilize it to run arbitrary code with kernel privileges. 

Google has also disclosed further details, stating that this was a "watering hole" assault, in which attackers choose websites to hack based on the characteristics of usual users. The cyberattacks were aimed at Mac and iPhone users. 

"A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild," Apple said, crediting Google TAG researchers with reporting of the flaw. 

The watering hole exploited an unpatched XNU privilege escalation vulnerability in macOS Catalina at the time, resulting in the installation of a backdoor. 

"The websites leveraged for the attacks contained two iframes which served exploits from an attacker-controlled server -- one for iOS and the other for macOS," said Erye Hernandez of Google TAG. 

"We believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code," he added. 

The criminals used the earlier revealed XNU flaw, CVE-2020-27932, and an associated exploit to build an escalation of privilege problem that granted them root privileges on a targeted Mac. And once attackers got root privileges, they downloaded a payload that operated silently in the backdrop on affected Macs. According to Google TAG, the malware's architecture signals a well-resourced attacker. 

"The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2. It also has several components, some of which appear to be configured as modules," notes Hernandez. 

The backdoor had the typical suspicious characteristics of malware designed to spy on a victim, such as device fingerprinting, screengrabs, the capacity to upload and download data, and the ability to implement terminal instructions. In addition, the spyware can record audio and track keystrokes. Google did not reveal the websites that were targeted but did mention that they included a "media outlet and a prominent pro-democracy labor and political group" relating to Hong Kong news.

A New LPE Zero-day Vulnerability Affected All Windows Versions

 

A security researcher has revealed technical specifics about a zero-day privilege elevation vulnerability in Windows, as well as a public proof-of-concept (PoC) attack that grants SYSTEM rights under specific settings. 

The good news is that because the exploit needs a threat actor to know another user's user name and password in order to trigger the vulnerability, it is unlikely to be extensively employed in attacks. The bad news is that it affects all versions of Windows, including Windows 10, Windows 11, and Windows Server 2022. 

In August, Microsoft announced a security patch for a "Windows User Profile Service Elevation of Privilege Vulnerability" identified as CVE-2021-34484 by security researcher Abdelhamid Naceri. After investigating the fix, Naceri discovered that it was insufficient and he was able to circumvent it with a new exploit that he disclosed on GitHub. 

Naceria explained in a technical writeup about the vulnerability and the new bypass, "Technically, in the previous report CVE-2021-34484. I described a bug where you can abuse the user profile service to create a second junction. But as I see from the ZDI advisory and Microsoft patch, the bug was metered as an arbitrary directory deletion bug. Microsoft didn’t patch what was provided in the report but the impact of the PoC. Since the PoC I wrote before was horrible, it could only reproduce a directory deletion bug." 

According to Naceri, since they just rectified the symptom of his bug report and not the root cause, he could rewrite his exploit to establish a junction somewhere and still accomplish privilege elevation. This exploit will open an elevated command prompt with SYSTEM privileges while the User Account Control (UAC) prompt is shown. 

Will Dormann, a CERT/CC vulnerability analyst, examined the vulnerability and discovered that, while it functioned, it was temperamental and did not always establish the elevated command prompt. 

Dormann told BleepingComputer, "Definitely still a problem. And there may be scenarios where it can be abused. But the 2 account requirement probably puts it in the boat of NOT being something that will have widespread use in the wild." 

However, Naceri told BleepingComputer that a threat actor essentially requires another domain account to exploit the vulnerability, thus it is still a cause for concern. 

A Microsoft spokesperson stated, “We are aware of the report and will take appropriate action to keep customers protected.”

Port of Houston Attacked Employing Zoho Zero-Day Vulnerability

 

CISA officers on 23rd of September reported about a potential government-backed hacker organization that has tried to break the Port of Houston networks, one of the major port agencies in the United States, employing zero-day vulnerabilities in a Zoho user authentication device. 

Authorities at the Port claimed they fought the attack effectively, adding that the attempted breach was not influenced by operational data or systems. 

The attack investigation was launched that led to the formation of a combined advisory on 16 September by the CISA, the FBI, and the Coast Guard alerting American organizations of cyberattacks by a nation-state hacking group utilizing the Zoho zero-day. 

The zero-day was employed mostly in late August cyberattacks according to Matt Dahl, Principal Intelligence Analyst at the CrowdStrike security firm. Nevertheless, on 8 September Zoho fixed the vulnerability (CVE-2021-40539), whereupon CISA additionally sent the first warning on the ongoing attacks. 

CISA officials have claimed that they have still not given a specific hacking organization or foreign government the credit for the attack on the Port of Houston. 

The Port Houston is the nation's largest port with a waterborne tonnage and a vital economic powerhouse for the Houston area, the State of Texas, and the United States, which has held and managed public wharves and terminals along with Houston Ship Chanel for over 100 years. More than 200 private terminals and eight public terminals along with the federal waterway aid nearly 1.35 million jobs in Texas and a national 3.2 million jobs, while $339 billion in economic activity in Texas—20.6% of Texas' total gross domestic product (GDP), with economic impacts totaling $801.9billion across the country. 

“[A]ttribution can always be complicated in terms of being able to dispositively say who that threat actor is,” CISA Director Jen Easterly told senators in a meeting of the Senate Homeland Security and Governmental Affairs Committee. 

“But we are working very closely with our interagency partners and the intelligence community to better understand this threat actor so that we can ensure that we are not only able to protect systems, but ultimately to be able to hold these actors accountable,” the CISA Director added, who categorized the attackers as a “nation-state actor” in an answer to a subsequent question. 

However, The officers of Port of Houston did not respond to the response request to gather further facts regarding the attack.

Links Detected Between MSHTML Zero-Day Attacks and Ransomware Operations

 

The exploitation of a recently fixed Windows zero-day vulnerability was attributed to known ransomware operators, according to Microsoft and threat intelligence firm RiskIQ.

The existence of the zero-day, called CVE-2021-40444, was revealed on September 7, when Microsoft released countermeasures and cautioned that the vulnerability had been exploited in targeted attacks using specially designed Office documents. 

The vulnerability connected to Office's MSHTML browser engine can and has been misused for remote code execution. As part of its Patch Tuesday updates, Microsoft delivered upgrades on September 14th. 

Microsoft announced the acquisition of RiskIQ in July and posted separate blog posts detailing the attacks exploiting CVE-2021-40444. 

The first exploitation efforts were discovered in mid-August. But Microsoft observed a massive spike in exploitation attempts when the proof-of-concept (PoC) code and other details were made public after the initial announcement. 

As per the company, several threat actors, including ransomware-as-a-service affiliates, have used the public PoC code, but some of the exploitation attempts are part of testing rather than criminal operations. 

The company initially saw less than ten exploitation attempts and leveraged CVE-2021-40444 to deliver custom Cobalt Strike Beacon loaders. Microsoft has identified the attackers as DEV-0413 — DEV is allotted to emerging threat groups or unusual activity. To deliver the malware, they apparently used emails referencing contracts and legal agreements to get the targets to open documents formatted to abuse the MSHTML vulnerability.

Surprisingly, the Cobalt Strike infrastructure utilised in the assaults has earlier been linked to cybercrime organisations known for targeting big corporations with ransomware like Conti and Ryuk. These threat actors are tracked as Wizard Spider (CrowdStrike), UNC1878 (FireEye), DEV-0193, and DEV-0365 (Microsoft).

RiskIQ stated in its blog post, “Despite the historical connections, we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible. If the threat actors were part of these groups, it means they almost surely purchased the zero-day exploit from a third party because they have not previously shown the ability to develop exploit chains of this complexity.” 

The company added, “Instead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact, be traditional espionage. This goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.” 

RiskIQ states that the cyberspies could have gained access to the ransomware infrastructure, or they may have been allowed by the ransomware operators to utilise their infrastructure. Only one group might be involved in espionage and cybercrime, or the two groups use the same bulletproof hosting provider. 

According to Microsoft, the initial malicious document in attacks abusing CVE-2021-40444 emerges from the internet, and it should be labelled as the "mark of the web." 

Microsoft Office should open the document in Protected Mode unless the user specifically allows modification, limiting the misuse. However, if the attackers figure out a means to keep the document from being a “mark of the web,” they may utilise the vulnerability to execute the payload on the page without requiring user input.

Razer Device Plug-In grants Admin Rights on Windows 10 OS

 

A zero-day vulnerability in Razer external device installation software – be it a razer mouse, a keyboard, or any other equipment using the synapse program – offers complete admin privileges to the admin using Windows 10 by plugging and installing a relevant peripheral system. 

Razer is indeed a prominent developer of gameplay mouses and keyboards and is known for providing the best computer accessories. Razer Inc. is a multinational corporation in Singapore that creates, manufactures, and sells electronics, financial services, and games consoles for consumer products. 

However, talking about windows 11, there isn’t any proof yet if it allows the same privileges to the user or not while pugging Razer peripherals. Whereas the vulnerability has nothing with it that won't allow a user to gain access but since the testing on windows 11 hasn’t been done yet, speculations cannot be made. 

In this case, the OS immediately downloads and starts the system installation of the Razer Synapse software whenever users plug a Razer hardware into Windows 10 computer system. Razer Synapse is software that enables users to set up hardware, macros, or map buttons for their hardware devices. 

Security researcher Jonhat (@j0nh4t) disclosed the flaw and tweeted about it on Twitter on Saturday 21st August, after not receiving any response from Razer initially. The tweet had been receiving attention from Razer as of Sunday 22nd August and the maker has told Jonhat that their cybersecurity team is working on a patch for this issue, to fix it at the earliest. Perhaps they gave Jonhat a bug bounty reward as well.  

In the words of the researcher, as well as Bleeping Computer too has proved in the testing itself, that Windows automatically selects an installer containing driver software and a synapse utility when a user plugs into a Razer device (or dongle if this is a wireless device). The activation of Razer Synapse Plug-and-play enables users to obtain SYSTEM permissions on the lickety-split Windows device because it displays an Explorer window as part of the set-up process, which tells users where and how to set up the driver. 

The topmost user permission level in Windows is SYSTEM Privileges: A SYSTEM account enables someone to acquire full control over the system, permitting them to see, alter or delete data; to establish new accounts having full privileges of users, and to install anything – malware included. 

The installation method for Synapse, in other terms, works with Windows 10 with the maximum privileges. The installation application Razer was given the very same administrator rights as the RazerInstaller.exe executable with SYSTEM privileges, which has been launched via a Windows process. 

Jonhat has established that a "Choose a Folder" popup will be displayed if a user decides to modify the default installation folder location. One may right-click the installation window and click the Shift key which launches a certain PowerShell terminal with the same privileges. 

Similar problems are probably identified in other products installed through Windows plug-and-play processes, as indicated by Will Dormann, a CERT/CC vulnerability analyst.

Cisco: Firewall Manager RCE Flaw is a Zero-day, Patch Arriving Soon

 

In a Thursday security advisory update, Cisco disclosed that a remote code execution (RCE) vulnerability discovered last month in the Adaptive Security Device Manager (ADSM) Launcher is a zero-day flaw that is yet to be patched. 

Cisco ADSM is a firewall appliance manager that controls Cisco Adaptive Security Appliance (ASA) firewalls and AnyConnect Secure Mobility clients via a web interface. 

As per the updated advisory, "At the time of publication, Cisco planned to fix this vulnerability in Cisco ASDM. Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability." 

The business also modified the list of compromised ADSM software versions from '9.16.1 and earlier'—as mentioned in the first advisory—to '7.16(1.150) and earlier' in a recent update. 

Incorrect signature verification for code shared between the ASDM and the Launcher caused the zero-day flaw, which is tracked as CVE-2021-1585. 

With the rights granted to the ASDM Launcher, successful exploitation could permit an unauthenticated attacker to remotely launch arbitrary code on a target's operating system. 

As Cisco explained in the updated advisory, "An attacker could exploit this vulnerability by leveraging a man-in-the-middle position on the network to intercept the traffic between the Launcher and the ASDM and then inject arbitrary code." 

"A successful exploit may require the attacker to perform a social engineering attack to persuade the user to initiate communication from the Launcher to the ASDM." 

Furthermore, according to the firm, its Product Security Incident Response Team (PSIRT) is not informed of any proof-of-concept attacks for zero-day or threat actors utilizing it in the open. 

Cisco patched a six-month-old zero-day vulnerability (CVE-2020-3556) in the Cisco AnyConnect Secure Mobility Client VPN software three months ago, using publicly accessible proof-of-concept exploit code. 

While proof-of-concept exploit code was publicly accessible when the problem was discovered, Cisco PSIRT also said that there was no indication of in the wild exploitation. 

Cisco reported the zero-day vulnerability in November 2020, without issuing any security patches to fix the fundamental flaw, although it did offer mitigation techniques to reduce the attack surface. No active exploitation was reported before CVE-2020-3556 was fixed in May, most likely because default VPN setups were prone to attacks and the vulnerability could only be exploited by authenticated local attackers. 

However, after Positive Technologies' Offensive Team revealed a proof-of-concept vulnerability last month, attackers pounced on a Cisco ASA flaw (partially fixed in October 2020 and fully resolved in April 2021).