
Apple Patches Zero-Day Flaws Exploited to Deliver Pegasus Spyware on iPhones

On Thursday, Apple issued emergency security updates for iOS, iPadOS, macOS, and watchOS to fix two previously unknown vulnerabilities that were being exploited in the wild to deliver NSO Group's Pegasus mercenary spyware.

Here are the described issues: 

CVE-2023-41061: A validation issue in Wallet that could lead to arbitrary code execution when a maliciously crafted attachment is processed.

CVE-2023-41064: A buffer overflow in the Image I/O (ImageIO) framework that could lead to arbitrary code execution when a maliciously crafted image is processed.

CVE-2023-41064 was discovered by the Citizen Lab at the University of Toronto's Munk School, while CVE-2023-41061 was found internally by Apple, with Citizen Lab credited for "assistance".

The updates are available for the following devices and operating systems:

iOS 16.6.1 and iPadOS 16.6.1: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

macOS Ventura 13.5.2: Macs running macOS Ventura.

watchOS 9.6.2: Apple Watch Series 4 and later.
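The practical follow-up to a list like this is working out which devices in your fleet are still below the fixed builds. The check below is an added example, not code from the original post or from Apple: the inventory records are constructed stand-ins for an MDM export, and the fixed versions are the ones named in the post. It compares versions as integer tuples rather than strings, because a plain string comparison of "16.6" against "16.6.1" gives the wrong answer.

```python
"""Flag devices whose OS build is below the release that fixes the two CVEs.

Added example (not from the post or from Apple). The INVENTORY records are
constructed; in practice they would come from an MDM export or device API.
"""

# Fixed releases as named in the post, keyed by platform.
FIXED = {
    "iOS": (16, 6, 1),
    "iPadOS": (16, 6, 1),
    "macOS": (13, 5, 2),
    "watchOS": (9, 6, 2),
}

# Constructed sample inventory (device names and versions are invented).
INVENTORY = [
    {"name": "cfo-iphone", "platform": "iOS", "version": "16.6"},
    {"name": "legal-ipad", "platform": "iPadOS", "version": "16.6.1"},
    {"name": "dev-mbp", "platform": "macOS", "version": "13.5.1"},
    {"name": "ops-watch", "platform": "watchOS", "version": "9.6.2"},
    {"name": "kiosk-ipad", "platform": "iPadOS", "version": "15.7.8"},
]


def parse_version(text):
    """'16.6' -> (16, 6, 0). Padding to three components makes 16.6 < 16.6.1,
    which a string comparison would get wrong ('16.6' > '16.6.1')."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def needs_update(platform, version):
    """True if the device is below the fixed release, False if at or above it,
    None if the platform is not covered by the advisory the post describes.

    A device on an older major version (e.g. 15.x) is also flagged: it is below
    the fixed build, and whether a separate fix exists for that track is a
    question for the vendor's advisory, not for this check."""
    fixed = FIXED.get(platform)
    if fixed is None:
        return None
    return parse_version(version) < fixed


def unpatched(inventory=INVENTORY):
    """Names of devices that still need the update, sorted for stable output."""
    return sorted(d["name"] for d in inventory if needs_update(d["platform"], d["version"]))


if __name__ == "__main__":
    for name in unpatched():
        print("needs update:", name)
```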

In a separate advisory, Citizen Lab disclosed that the two vulnerabilities were chained in a zero-click iMessage exploit it calls BLASTPASS, capable of deploying Pegasus on iPhones running the then-current iOS 16.6 without any interaction from the victim. Because exploitation is ongoing, technical details of the vulnerabilities have not been released.

The exploit is nonetheless reported to bypass Apple's BlastDoor sandbox, which was introduced specifically to blunt zero-click iMessage attacks. Separately, Kaspersky has warned of an ongoing campaign that it says relies on a zero-click, zero-day iMessage exploit chain.

The disclosure also coincides with reports that the Chinese government has ordered central and state government officials not to use iPhones or other foreign-branded devices for official work, a move seen as part of an effort to reduce reliance on foreign technology amid an intensifying trade dispute between China and the United States.

Global Ransomware Attack Targets VMware ESXi Servers



Cybersecurity firms around the world have warned of a rise in attacks on corporate banking customers and on internet-exposed servers. The Italian National Cybersecurity Agency (ACN) reported a global ransomware campaign targeting VMware ESXi servers and urged organisations to patch and protect their systems.

Separately, Cleafy researchers Federico Valentini and Alessandro Strino reported an ongoing financial fraud campaign, active since at least 2019, that uses a new web-inject toolkit called drIBAN. The goal of drIBAN operations is to infect Windows workstations inside corporate environments and alter legitimate bank transfers initiated by the victims so that the money is redirected to an account the attackers control.

These accounts are controlled either by the threat actors themselves or by affiliates tasked with laundering the stolen funds. The fraudulent transactions are typically carried out with an Automated Transfer System (ATS): the injected code initiates unauthorised wire transfers from within the victim's own, already authenticated banking session, so the transfer originates from a trusted device and bypasses the bank's anti-fraud controls.

The drIBAN operators have grown more adept at evading detection and at social engineering, and at maintaining a foothold in corporate bank networks for long periods. There are also indications that the activity cluster overlaps with a 2018 campaign by an actor Proofpoint tracks as TA554, which targeted users in Canada, Italy, and the U.K.

Organisations need to be aware of these threats and act now to protect their systems. The ACN reports that dozens of Italian organisations have likely been hit by the global ransomware campaign, and many more have been warned to act before they are locked out of their systems.


Hackers Design Malware for Recently Patched Fortinet Zero-Day Vulnerability


Researchers investigating the recently patched zero-day vulnerability in Fortinet's FortiOS SSL-VPN have identified a new backdoor built specifically to run on Fortinet's FortiGate firewalls.

Initial evidence collected by Google-owned Mandiant suggests exploitation began as early as October 2022, nearly two months before Fortinet patched the vulnerability. Targets included a European government entity and a managed services provider in Africa.

According to Mandiant's report, the malware was likely created by a China-based threat actor that conducts cyber-espionage against individuals and organisations associated with governments.

It is the latest instance of China-based actors targeting the firewalls, IPS, IDS, and other internet-facing appliances that organisations rely on to secure their networks.

BoldMove Backdoor 

The attacks used a backdoor tracked as BOLDMOVE, with a Linux variant built specifically to run on Fortinet's FortiGate firewalls.

The intrusion vector was exploitation of CVE-2022-42475, a heap-based buffer overflow in FortiOS SSL-VPN that allows unauthenticated remote code execution via specially crafted requests.

Earlier this month, Fortinet disclosed that unidentified attackers had exploited the flaw against governments and other large organisations, deploying a generic Linux implant capable of fetching additional payloads and executing commands received from a remote server.

Mandiant's findings also indicate that the attackers used the zero-day to gain access to target networks for espionage. "With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant added.

BOLDMOVE is written in C and exists in both Windows and Linux variants; the Linux variant can read data from a Fortinet-proprietary file format.

An extended Linux sample also includes functionality to disable and manipulate FortiOS logging in order to evade detection. Although the Windows variants have not been observed in the wild, metadata analysis indicates they were compiled as early as 2021.

"The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices," Mandiant noted. 

Schooled in FortiOS 

Fortinet itself described the malware as a variant of a "generic" Linux backdoor customised by the threat actors for FortiOS. According to the company's analysis, on affected systems the malicious file was disguised as a component of Fortinet's IPS engine.

According to Fortinet, one of the malware's more advanced features is manipulating FortiOS logging to avoid detection. The malware can locate FortiOS event logs, decompress them in memory, delete every entry containing a specific string, and then reconstruct the compressed logs without those entries. It can also kill the logging processes outright.
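The defensive consequence of this is that the appliance's own logs cannot be trusted after compromise, but copies already forwarded to a remote collector can. The script below is an added example, not code from the original post or from Fortinet or Mandiant: it diffs an on-box event log against the copy a syslog collector received earlier, reporting entries that have vanished locally, breaks in the device's own sequence numbers (which work even without a remote copy), and a logging stall that could indicate the logging processes were killed. The log lines and their key=value layout are constructed for the example; real FortiOS records use different field names.

```python
"""Detect on-box log tampering by comparing a device log against the copy
forwarded to a remote collector before any tampering took place.

Added example (not from the post, Fortinet, or Mandiant). The log format,
field names and every line below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed: what the remote syslog collector received from the device.
REMOTE_LOG = """\
seq=1001 date=2022-10-12 time=09:00:01 subtype=system level=notice msg="System started"
seq=1002 date=2022-10-12 time=09:02:14 subtype=vpn level=notice msg="SSL VPN login attempt"
seq=1003 date=2022-10-12 time=09:02:15 subtype=system level=critical msg="Application crashed"
seq=1004 date=2022-10-12 time=09:02:31 subtype=system level=notice msg="New process started"
seq=1005 date=2022-10-12 time=09:03:00 subtype=vpn level=notice msg="SSL VPN login attempt"
"""

# Constructed: the same log read back from the device after an implant removed
# every entry matching a string it wanted hidden. Sequence numbers are untouched,
# which is exactly what gives the deletion away.
LOCAL_LOG = """\
seq=1001 date=2022-10-12 time=09:00:01 subtype=system level=notice msg="System started"
seq=1002 date=2022-10-12 time=09:02:14 subtype=vpn level=notice msg="SSL VPN login attempt"
seq=1005 date=2022-10-12 time=09:03:00 subtype=vpn level=notice msg="SSL VPN login attempt"
"""

LINE_RE = re.compile(r'^seq=(\d+) date=(\S+) time=(\S+) .*?msg="([^"]*)"')


def parse(log_text):
    """Return {seq: (timestamp, msg)}; unparsable lines are skipped, not fatal."""
    entries = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seq, date, time_, msg = m.groups()
        entries[int(seq)] = (datetime.fromisoformat(f"{date}T{time_}"), msg)
    return entries


def find_deleted(remote_text, local_text):
    """Entries the collector holds that no longer exist on the device."""
    remote, local = parse(remote_text), parse(local_text)
    return [(seq, remote[seq][1]) for seq in sorted(remote) if seq not in local]


def find_gaps(local_text):
    """Missing sequence ranges in the device's own log, as (first, last) tuples.
    Needs no remote copy, so it is a cheap first check."""
    seqs = sorted(parse(local_text))
    return [(a + 1, b - 1) for a, b in zip(seqs, seqs[1:]) if b - a > 1]


def logging_stalled(local_text, now_iso, max_idle_minutes):
    """True if the newest local entry is older than the allowed idle window,
    a sign that logging was disabled rather than that nothing happened."""
    entries = parse(local_text)
    if not entries:
        return True
    newest = max(ts for ts, _ in entries.values())
    return datetime.fromisoformat(now_iso) - newest > timedelta(minutes=max_idle_minutes)


if __name__ == "__main__":
    for seq, msg in find_deleted(REMOTE_LOG, LOCAL_LOG):
        print(f"deleted locally: seq={seq} msg={msg!r}")
    print("sequence gaps:", find_gaps(LOCAL_LOG))
    print("stalled:", logging_stalled(LOCAL_LOG, "2022-10-12T10:00:00", 30))
```

The idle-window check is deliberately separate: the implant's second capability, killing the logging processes, produces no gap and no deleted line, only silence, so the collector has to alarm on absence of expected records as well as on mismatches.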

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," says Fortinet. 

Fortinet adds that building the malware would have required a "deep understanding" of FortiOS and its underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.

ProxyNotShell Exchange Zero-Day Exploit Fixed by Microsoft


 

Microsoft has published updates to address two severe zero-day vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell, that have already been exploited in the wild and are likely to remain a target.

There is evidence that attackers have been chaining the two flaws since at least September to deploy China Chopper web shells on compromised servers, giving them persistence, the ability to steal data, and a foothold for lateral movement within victims' networks.

The software giant confirmed on September 30 that it was "aware of limited targeted attacks using these vulnerabilities to enter users' systems."

"Our team of security experts is monitoring these already deployed detection tools for malicious activity and will take action in order to protect customers in the future. We are working on a timeline that will allow us to release a fix in a short period of time," the company explained. 

Microsoft later published mitigations intended to block incoming ProxyNotShell attacks, but had to revise the guidance twice after researchers demonstrated that the original mitigation could be bypassed.
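The bypasses are instructive because they are a generic weakness of request-pattern blocklists. Microsoft's mitigation was an IIS URL Rewrite rule that blocks requests whose URI matches a regular expression; the post does not reproduce the rule, so the two patterns below are modelled on the first published pattern and on the later revision, and the request URIs are constructed. This is an added example, not code from the original post or from Microsoft: it runs each request through a simulation of both rules, reproducing the two classes of bypass (a literal the attacker does not actually need, and URL-encoding of the token being matched) and showing why the revision decodes the URI and matches the tokens independently.

```python
"""Simulate the initial and revised ProxyNotShell URL Rewrite patterns.

Added example (not from the post or from Microsoft). INITIAL_PATTERN and
REVISED_PATTERN are modelled on the published rule iterations; REQUESTS are
constructed URIs in the shape the exploit chain used (autodiscover front end
proxying to the PowerShell back end). IIS URL Rewrite conditions ignore case
by default, so both patterns are compiled case-insensitively here.
"""
import re
from urllib.parse import unquote

# First iteration: requires a literal "@" and the literal token "Powershell",
# evaluated against the raw request URI, i.e. still URL-encoded.
INITIAL_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Revised approach: require both tokens, in any order, with no incidental
# literals, and evaluate against the URL-decoded request URI.
REVISED_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Constructed request URIs (hosts and parameters are invented).
REQUESTS = {
    "textbook":    "/autodiscover/autodiscover.json?a@example.com/Powershell?X=Y",
    "no_at_sign":  "/autodiscover/autodiscover.json?a/Powershell",
    "url_encoded": "/autodiscover/autodiscover.json?a%40example.com/%50owershell",
    "benign":      "/autodiscover/autodiscover.json?a@example.com",
}


def blocked_by_initial_rule(request_uri):
    """Raw URI against the first pattern, as the first rule did."""
    return INITIAL_PATTERN.search(request_uri) is not None


def blocked_by_revised_rule(request_uri):
    """Decode once (the {UrlDecode:...} step) and match the tokens independently."""
    return REVISED_PATTERN.search(unquote(request_uri)) is not None


def evaluate(requests=REQUESTS):
    """{name: (blocked_by_initial, blocked_by_revised)} for every request."""
    return {
        name: (blocked_by_initial_rule(uri), blocked_by_revised_rule(uri))
        for name, uri in requests.items()
    }


def bypasses(requests=REQUESTS):
    """Requests that slip past the initial rule but are caught by the revision."""
    return sorted(
        name for name, (initial, revised) in evaluate(requests).items()
        if revised and not initial
    )


if __name__ == "__main__":
    for name, (initial, revised) in evaluate().items():
        print(f"{name:12s} initial={initial!s:5s} revised={revised!s:5s}")
    print("bypasses of the initial rule:", bypasses())
```

Two caveats carry over to any rule of this kind: the decoder must run the same number of times as the component that ultimately interprets the request, and a pattern rule only narrows the attack surface for a specific exploit shape, which is why the fix in the security updates, not the rule, is what closes the vulnerability.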

Updates have been issued to administrators 

Microsoft released the security updates that fix the two vulnerabilities as part of its November 2022 Patch Tuesday.

Because it is aware of active exploitation (limited targeted attacks), Microsoft recommends that "all users comply with the guidelines and install these updates immediately to be protected from these attacks."

"Exchange Server is affected by the vulnerabilities addressed in these SUs and Exchange Online customers are already protected from these vulnerabilities. They will not need to take any further action than just updating the Exchange servers within their environment." 

The two flaws, tracked as CVE-2022-41040 and CVE-2022-41082, affect Microsoft Exchange Server 2013, 2016, and 2019.

CVE-2022-41040 is a server-side request forgery that Microsoft rates as an elevation of privilege, and CVE-2022-41082 allows remote code execution when PowerShell is reachable by the attacker. Chained, they let an attacker run PowerShell in the context of the system and take control of the server.

In its advisory for CVE-2022-41082, Microsoft warns that an attacker could exploit the vulnerability to execute arbitrary commands through the server's accounts.

By using the server's account as a proxy to trigger malicious code, "the attacker will be able to gain access to the account of the server as an authenticated user."

Both ProxyNotShell flaws require the attacker to be authenticated, but the attacks are low in complexity and need no user interaction, so any compromised or weak set of Exchange credentials is enough to start the chain.

Hackers Used Internet Explorer Zero-Day Vulnerability To Target Security Researchers

 

An Internet Explorer zero-day vulnerability has been discovered in the recent North Korean campaign targeting security and vulnerability researchers. A zero-day is a software vulnerability unknown to the vendor and to the defenders who would need to mitigate it, so attackers can use it to compromise systems, files, and networks before a patch exists.

Google reported last month that Lazarus, a North Korean state-sponsored hacking group, had been targeting security researchers through social engineering on social networks and infecting them with a custom backdoor. Lazarus is a North Korea-based advanced persistent threat (APT) group that has gained prominence in recent years as numerous cyberattacks have been attributed to it.

The threat actors built elaborate fake "security researcher" personas and used social media to approach well-known researchers, offering to collaborate on vulnerability research and exploit development.

In this campaign, the attackers sent researchers malicious Visual Studio projects and links to a website hosting exploit kits in order to install backdoors on their computers. Microsoft also reported tracking the campaign and observed Lazarus sharing MHTML files containing malicious JavaScript with the researchers. The command-and-control server was down at the time of Microsoft's investigation, so no further payloads could be retrieved for analysis.

As part of this social-engineering campaign, South Korean cybersecurity company ENKI reported that Lazarus had targeted its team with MHTML files. Although the attack failed, ENKI analysed the payloads downloaded by the MHT files and found that they contained an exploit for an Internet Explorer vulnerability.

MHT/MHTML (MIME HTML) is a file format that Internet Explorer uses to store a web page and its resources in a single file. The MHT file sent to ENKI's researchers purported to be a Chrome 85 RCE exploit and was named "Chrome_85_RCE_Full_Exploit_Code.mht."

When the MHT file is opened, Internet Explorer launches automatically to render its contents. ENKI said that if the embedded JavaScript is allowed to run, it downloads two payloads, one of which contains the Internet Explorer zero-day exploit. ENKI reported the bug to Microsoft and was subsequently contacted by a Microsoft employee.
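Because an MHT file is just a multipart/related MIME message, it can be triaged offline with a standard MIME parser before anyone opens it in a browser. The script below is an added example, not code from the original post or from ENKI or Microsoft: it enumerates the parts of an MHT file, decodes their transfer encodings, and flags parts that carry or reference active content. The sample document is constructed for the example and is not the file sent to ENKI; it only mimics the layout of a saved page with an attached script.

```python
"""Triage an MHT/MHTML file: list its MIME parts and flag active content.

Added example (not from the post, ENKI, or Microsoft). The sample MHT and
the loader script are constructed; the format (multipart/related parts with
Content-Location headers) is the one Internet Explorer reads.
"""
import base64
import re
from email import policy
from email.parser import BytesParser

# Constructed stand-in for a second-stage script; the real payloads are not on the page.
LOADER_JS = b'var sh = new ActiveXObject("WScript.Shell"); sh.Run("calc.exe");'

SAMPLE_HEAD = b"""\
From: <Saved by Blink>
Subject: Chrome 85 RCE PoC
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: file:///C:/poc/index.html

<html><body><h1>Chrome 85 PoC</h1>
<script src=3D"loader.js"></script>
</body></html>
------=_NextPart_000
Content-Type: application/javascript
Content-Transfer-Encoding: base64
Content-Location: file:///C:/poc/loader.js

"""
SAMPLE_TAIL = b"""
------=_NextPart_000--
"""

SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}
# Markers of active or externally-hosted content worth a human look.
ACTIVE_MARKERS = re.compile(r"<script\b|<object\b|<embed\b|ActiveXObject|javascript:", re.IGNORECASE)


def build_sample():
    """Assemble the constructed MHT at runtime so the base64 part is always valid."""
    return SAMPLE_HEAD + base64.b64encode(LOADER_JS) + SAMPLE_TAIL


def parse_mht(data):
    """Return one dict per leaf part with its location, content type and decoded text."""
    msg = BytesParser(policy=policy.default).parsebytes(data)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # the multipart/related container itself carries no content
        raw = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        charset = part.get_content_charset() or "utf-8"
        parts.append({
            "location": str(part.get("Content-Location", "(none)")),
            "content_type": part.get_content_type(),
            "body": raw.decode(charset, errors="replace"),
        })
    return parts


def triage(data):
    """{content_location: sorted reasons} for every part that deserves review."""
    findings = {}
    for p in parse_mht(data):
        reasons = {m.group(0) for m in ACTIVE_MARKERS.finditer(p["body"])}
        if p["content_type"] in SCRIPT_TYPES:
            reasons.add("script part")
        if reasons:
            findings[p["location"]] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for location, reasons in triage(build_sample()).items():
        print(f"{location}: {', '.join(reasons)}")
```

The decoding step matters: content inside an MHT is usually quoted-printable or base64, so a grep over the raw file for `<script` would miss it, and so will any tool that does not unwrap the transfer encoding first.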

Microsoft said it is investigating the report and will provide an update: "Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible."