Posted 1/28/22 8:56am
Finland's Ministry for Foreign Affairs revealed that the devices of some Finnish diplomats were compromised with NSO Group's Pegasus spyware. The diplomats were targeted with the surveillance software as part of a cyber-espionage campaign.

"Finnish diplomats have been targets of cyber espionage by means of the Pegasus spyware, developed by NSO Group Technologies, which has received wide publicity. The highly sophisticated malware has infected users' Apple or Android telephones without their noticing and without any action from the user's part. Through the spyware, the perpetrators may have been able to harvest data from the device and exploit its features," reads a statement published by the Ministry.

According to the statement, threat actors stole data from the infected devices, which belonged to employees working in Finnish missions abroad. The attacks were spotted during an investigation that began in autumn 2021; according to government experts, the campaign is no longer active. The Ministry pointed out that the data transmitted or stored on the diplomats' devices is either public or classified at the lowest level of classified information (level 4), but warned that even information that is not directly classified may, together with its source, be subject to diplomatic confidentiality.

"The Ministry for Foreign Affairs is continually monitoring events and activities in its operating environment and assessing related risks. The Ministry for Foreign Affairs monitors its services and strives to prevent harmful activities. The preparation of and decisions on foreign and security policy, in particular, are matters that attract much interest, which may also manifest itself as unlawful intelligence," concludes the Ministry. "The Ministry responds to the risk by various means, but complete protection against unlawful intelligence is impossible."

In December, Apple warned that the mobile devices of at least nine US Department of State employees had been compromised with NSO Group's Pegasus spyware.

Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini (SecurityAffairs – hacking, Pegasus spyware)
The post Finnish diplomats' devices infected with Pegasus spyware appeared first on Security Affairs.

[Category: Breaking News, Cyber warfare, Hacking, Intelligence, Malware, Mobile, hacking news, information security news, IT Information Security, Pegasus Spyware, Pierluigi Paganini, Security Affairs, Security News, spyware]

Posted 1/28/22 8:14am
The zero-day exploit broker Zerodium has announced it will pay up to $400,000 for zero-day remote code execution (RCE) exploits in the Microsoft Outlook email client.

"We're currently paying up to $200,000 per exploit for Mozilla Thunderbird RCEs. We're also (temporarily) increasing our bounty for MS Outlook RCEs to $400,000 (from $250,000). More details at: https://t.co/VL04uBvgUj" — Zerodium (@Zerodium) January 27, 2022

The company pointed out that the increased payout is temporary, but it did not disclose a deadline for submissions.

"We are temporarily increasing our payout for Microsoft Outlook RCEs from $250,000 to $400,000. We are looking for zero-click exploits leading to remote code execution when receiving/downloading emails in Outlook, without requiring any user interaction such as reading the malicious email message or opening an attachment. Exploits relying on opening/reading an email may be acquired for a lower reward," reads the announcement of the temporary bounty.

The bounty for zero-click RCE exploits in Microsoft Outlook for Windows therefore jumped from $250,000 to $400,000. A zero-click exploit triggers the vulnerability without any user interaction: in the case of Microsoft Outlook for Windows, it is enough to send a message to the email client. Zerodium is also temporarily offering $250,000, instead of $200,000, for RCE exploits in Mozilla Thunderbird. "We are looking for zero-click exploits affecting Thunderbird and leading to remote code execution when receiving/downloading emails, without requiring any user interaction such as reading the malicious email message or opening an attachment. Exploits relying on opening/reading an email may be acquired for a lower reward," continues the company.

Zerodium's previous temporary bounty announcement dates to March 31, 2021, when it temporarily tripled the bounty for WordPress RCE exploits from $100,000 to $300,000; that offer is still active.

Pierluigi Paganini (SecurityAffairs – hacking, Zerodium)
The post Zerodium offers $400,000 for Microsoft Outlook RCE zero-day exploits appeared first on Security Affairs.

[Category: Uncategorized, Hacking, hacking news, information security news, IT Information Security, Microsoft Outlook, Pierluigi Paganini, RCE, Security Affairs, zero-Day, Zerodium]

Posted 1/28/22 4:56am
Taiwanese electronics manufacturer Delta Electronics, a contractor for tech giants such as Apple, Dell, HP and Tesla, was hit this week by the Conti ransomware. According to the company, the security breach did not affect its operations, and it has notified the local authorities.

"Delta detected that the server was attacked by foreign hackers at around 6:00 yesterday and immediately activated its information security response and defence mechanism, and carried out recovery operations," states the data breach notification published by the company (translated). "Delta stated that the main services affected are non-critical systems, which are gradually resuming operations. At present, the assessment is that there is no significant impact on the company's operations; it has notified government law enforcement and information security units to assist in the follow-up, and will continue to strengthen network and information infrastructure security controls to ensure data security."

The company is restoring its systems and is investigating the intrusion with the help of third-party cybersecurity experts. It did not reveal details about the attack or the malware family that infected its systems. According to CTWANT, which cited an undisclosed information security company, Delta Electronics was hit by Conti ransomware and asked to pay a $15 million ransom to restore the encrypted files and avoid their leak.

"On January 26, 2022, the malware intelligence team collected a sample of the Conti ransomware with a hash value of 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9," reported a statement from the security company cited by CTWANT. According to the report, the sample may have been used in the attack on Delta Electronics Inc. The hacker group claimed to have deployed the ransomware around January 21, 2022 and demanded a ransom of $15 million (approximately NT$412 million). Of the 65,000 computers in Delta's network, about 1,500 servers and about 12,000 computers were encrypted. According to The Record, the company has yet to restore most of its systems and its official websites remain offline.

Conti operators run a private Ransomware-as-a-Service (RaaS); the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of the Russia-based cybercrime group known as Wizard Spider. Since August 2020 the group has run a leak site to threaten victims with the release of stolen data, and its operators claim to have compromised at least 500 organisations worldwide. In December 2021, the Australian Cyber Security Centre (ACSC) warned of Conti ransomware attacks against multiple Australian organizations from various sectors since November, and published a ransomware profile for the Conti gang with information about the group's operations, including mitigations. In September, CISA, the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) also warned of an increased number of Conti attacks against US organizations.

Pierluigi Paganini (SecurityAffairs – hacking, Conti ransomware)
The post Delta Electronics, a tech giants' contractor, hit by Conti ransomware appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Malware, Conti ransomware, Cybersecurity, cybersecurity news, Delta Electronics, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News]

Posted 1/28/22 3:19am
Reegun Richard Jayapaul, SpiderLabs lead threat architect at Trustwave, has devised a technique to bypass a security feature of Microsoft Outlook and deliver a malicious link to the recipient. While investigating a malware campaign, the researcher noticed that multiple emails were slipping past a specific email security system, and traced the cause to improper hyperlink translation in Microsoft Outlook for Mac, which allows a complete bypass of email security systems and delivery of the malicious link to the victim. The issue is a variation of a known vulnerability, tracked as CVE-2020-0696, that Microsoft addressed in February 2020.

"A security feature bypass vulnerability exists in Microsoft Outlook software when it improperly handles the parsing of URI formats. The security feature bypass by itself does not allow arbitrary code execution. However, to successfully exploit the vulnerability, an attacker would have to use it in conjunction with another vulnerability, such as a remote code execution vulnerability, to take advantage of the security feature bypass vulnerability and run arbitrary code," reads the description of the CVE-2020-0696 flaw.

The report explains how the issue is abused: "An attacker on Outlook for Mac can create a legitimate link (http://trustwave.com) that is hyperlinked with file:///maliciouslink and send it to the target recipient. The email is delivered on the victim's Microsoft Outlook for Windows as file:///trustwave.com. Upon clicking on the link, file:///trustwave.com translates to http://maliciouslink. During this transmission from sender to receiver, the link file:///trustwave.com is not recognized by any email security systems and is delivered to the victim as a clickable link. The initial test was done on Microsoft M365 security feature Safelink protection. Later, I checked this action on multiple email security systems, confirmed the issue, and reported responsibly," reported the expert.

The attack was initially demonstrated against Outlook with the Safe Links feature enabled; subsequent tests confirmed that it also bypassed multiple other email security systems. Further investigation uncovered another vector: the legitimate link can be hyperlinked with "http:/://maliciouslink", because the ":/" is stripped by the email system before delivery, so the victim receives "http://maliciouslink". This variant works on both the Windows and macOS Outlook clients.

"With the new exploit vector http:/://maliciouslink, the patch will strip :/ from the link and be delivered to the user as http://maliciouslink, bypassing Microsoft ATP Safelink and other Email security products. Once the victim clicks, the link will be converted automatically to http://maliciouslink and open. This vulnerability can be exploited on both Windows and macOS Outlook clients," continues the report. "This secondary bypass method was fixed by Microsoft during the summer of 2021, and the new update makes the URL accessible or proxied through Safelinks."

Microsoft has addressed the vulnerabilities on the client side; security patches are installed in Outlook automatically by default.

Pierluigi Paganini (SecurityAffairs – hacking, Microsoft Outlook)
The post Experts devise a technique to bypass Microsoft Outlook Security feature appeared first on Security Affairs.
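Both vectors work for the same reason: a scanner that parses the href with a standards-conformant URL parser sees no host at all (file:///maliciouslink has none, and http:/://maliciouslink has an empty authority), while the mail client normalises the string into a perfectly good http URL. One way to catch that on the scanning side is to compare the two views. The script below is an added example and not Trustwave's or Microsoft's code; the rules in client_target() are assumptions modelled on the two vectors quoted above rather than Outlook's real parser, and the three message bodies are constructed.

```python
"""Compare a conformant URL parser's view of a mail hyperlink with an emulation
of the client-side translation described in the report, and flag disagreements.
Added example; the translation rules and the sample bodies are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed bodies: a control link, the file:/// vector and the http:/:// vector.
SAMPLES = {
    "benign": '<a href="http://trustwave.com">http://trustwave.com</a>',
    "file_uri": '<a href="file:///maliciouslink">http://trustwave.com</a>',
    "slash_colon": '<a href="http:/://maliciouslink">http://trustwave.com</a>',
}


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", "") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scanner_host(url):
    """Host as a conformant parser sees it: empty for both bypass vectors."""
    return (urlsplit(url).hostname or "").lower()


def client_target(href):
    """Assumed mail-client translation (not Outlook's real code): drop stray
    ':' and '/' after the scheme, and open file:///name as an http host."""
    m = re.match(r"^([a-z][a-z0-9+.-]*):(.*)$", href, re.I)
    if not m:
        return href
    scheme, rest = m.group(1).lower(), m.group(2).lstrip(":/")
    return ("http" if scheme == "file" else scheme) + "://" + rest


def audit(body):
    """Flag links whose scanner view and client view disagree, or whose
    visible text names a different host than the real target."""
    parser = _Anchors()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        seen, real = scanner_host(href), scanner_host(client_target(href))
        shown = scanner_host(text) if "://" in text else text.lower()
        if seen != real:
            findings.append(("parser-mismatch", href, real))
        elif shown and shown != real:
            findings.append(("display-mismatch", href, real))
    return findings


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, audit(body))
```

The useful output is the "parser-mismatch" class: any anchor for which the conformant parse and the client emulation disagree deserves to be rewritten or blocked, regardless of whether the client-side translation has since been patched, because the same gap reappears whenever a new client normalisation rule is introduced.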

[Category: Breaking News, Hacking, Security, hacking news, information security news, IT Information Security, Microsoft Outlook, Microsoft Outlook Security feature, Pierluigi Paganini, Security Affairs, Security News]

Posted 1/27/22 2:41pm
The Senate of Puerto Rico announced this week that it was hit by a major cyberattack that took down its internet provider, phone system and official website. Local and federal authorities are investigating the attack. According to Senate President José Luis Dalmau, there is no evidence that the threat actors accessed sensitive information belonging to employees, contractors or consultants.

This is not the first cyber attack to hit Puerto Rico in recent years. In March 2021, the Puerto Rico Electric Power Authority (PREPA) confirmed it had been hacked over a weekend. In June 2021, a large fire at the Monacillo electrical substation in San Juan, run by Puerto Rico's new electricity provider Luma Energy, caused major blackouts across the island; the same day, the company announced that a major DDoS attack had disrupted its online services, and it is still unclear whether the fire and the DDoS attack were connected. In October 2020, Puerto Rico's firefighting department disclosed a security breach in which hackers breached its database and demanded a $600,000 ransom.

Pierluigi Paganini (SecurityAffairs – hacking, cyberattack)
The post Puerto Rico was hit by a major cyberattack appeared first on Security Affairs.

[Category: Breaking News, Hacking, hacking news, information security news, Pierluigi Paganini, Puerto Rico, Security Affairs]

Posted 1/27/22 1:30pm
The North Korea-linked Lazarus APT group has started using the Windows Update client to execute its malicious payload and GitHub as a command and control (C2) server in recent attacks, Malwarebytes researchers reported.

The activity of the Lazarus APT group surged in 2014 and 2015, and its members mostly used custom-tailored malware in their attacks. The threat actor has been active since at least 2009, possibly as early as 2007, and has been involved in both cyber-espionage campaigns and sabotage operations aimed at destroying data and disrupting systems. The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

The spear-phishing messages analyzed by Malwarebytes carried two weaponized documents (Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc) that lure recipients with job opportunities at Lockheed Martin. Both documents were compiled on 2020-04-24, but the experts believe they were used in a campaign between late December 2021 and early 2022.

Once a document is opened and macros are enabled, the embedded code drops a WindowsUpdateConf.lnk file in the Startup folder and a DLL (wuaueng.dll) in a hidden Windows/System32 folder. In the next stage of the attack chain, the LNK file launches the Windows Update client (wuauclt.exe) with a command line that loads the malicious DLL.

"drops_lnk.dll – This DLL is loaded and executed inside the explorer.exe process; it mainly drops the lnk file (WindowsUpdateConf.lnk) into the startup folder and then it checks for the existence of wuaueng.dll in the malicious directory and manually loads and executes it from the disk if it exists. The lnk file (WindowsUpdateConf.lnk) executes "C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider C:\Wíndows\system32\wuaueng.dll /RunHandlerComServer. This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms," reads the analysis published by Malwarebytes. "With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious dll and /RunHandlerComServer argument after the dll."

The researchers also discovered that the malware uses GitHub as its C2, an uncommon choice for malware authors and the first time Lazarus has been seen leveraging it; the choice aims at evading detection. Attribution of the campaign to Lazarus rests on several pieces of evidence:
- the use of job opportunities as a lure template, a technique Lazarus has used in the past;
- the targets in the defense industry, and Lockheed Martin specifically, are known targets of North Korea-linked APTs;
- the documents' metadata links them to several other documents used by Lazarus in the past.

"Lazarus APT is one of the advanced APT groups that is known to target the defense industry. The group keeps updating its toolset to evade security mechanisms. Even though they have used their old job theme method, they employed several new techniques to bypass detections: Use of KernelCallbackTable to hijack the control flow and shellcode execution; Use of the Windows Update client for malicious code execution; Use of GitHub for C2 communication," concludes the report, which also includes IoCs.

Pierluigi Paganini (SecurityAffairs – hacking, Lazarus APT)
The post North Korea-linked Lazarus APT used Windows Update client and GitHub in recent attacks appeared first on Security Affairs.
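The quoted command line is a good hunting target because the signed binary is ordinary but its arguments are not: the DLL argument carries a full path rather than a bare module name, that path contains a non-ASCII character (the "í" in "Wíndows"), so it is not the real System32 directory, and the launch comes from a Startup shortcut via explorer.exe rather than from the update service. The rule below is an added example, not Malwarebytes' code. The events are constructed Sysmon-like records, and the baseline treated as normal (a path-less DLL name and an svchost.exe parent) is my assumption about routine Windows Update behaviour, not a documented invariant.

```python
"""Hunt for the wuauclt.exe /UpdateDeploymentProvider DLL-loading pattern in
process-creation telemetry. Added example; the events and the 'normal'
baseline (path-less DLL, svchost.exe parent) are assumptions."""
import re

SYSTEM32 = "c:\\windows\\system32\\"

# Constructed process-creation events.
EVENTS = [
    # assumed-normal Windows Update handler invocation (assumption, see above)
    {"image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer',
     "parent": r"C:\Windows\System32\svchost.exe"},
    # the command line from the report, launched from the Startup .lnk via explorer
    {"image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r'"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider C:\Wíndows\system32\wuaueng.dll /RunHandlerComServer',
     "parent": r"C:\Windows\explorer.exe"},
    # unrelated process
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

ARG = re.compile(r'/UpdateDeploymentProvider\s+("[^"]+"|\S+)', re.I)


def dll_argument(cmdline):
    """Path passed to /UpdateDeploymentProvider, or None if absent."""
    m = ARG.search(cmdline)
    return m.group(1).strip('"') if m else None


def suspicious_reasons(event):
    """Indicators for the wuauclt technique; an empty list means no match."""
    if not event["image"].lower().endswith("\\wuauclt.exe"):
        return []
    dll = dll_argument(event["cmdline"])
    if dll is None or "/runhandlercomserver" not in event["cmdline"].lower():
        return []
    reasons = []
    # Any non-ASCII character in the path means a lookalike directory,
    # not the real %SystemRoot%\System32.
    if any(ord(c) > 127 for c in dll):
        reasons.append("non-ASCII character in DLL path: lookalike directory")
    # A full path that does not resolve under the real System32.
    if "\\" in dll and not dll.lower().startswith(SYSTEM32):
        reasons.append("DLL loaded from outside the real System32")
    # Launched by something other than the update service host (assumption).
    if not event["parent"].lower().endswith("\\svchost.exe"):
        reasons.append("wuauclt.exe not started by svchost.exe")
    return reasons


def hunt(events):
    """Apply the rule over a batch; return (cmdline, reasons) for matches."""
    return [(e["cmdline"], r) for e in events if (r := suspicious_reasons(e))]


if __name__ == "__main__":
    for cmdline, reasons in hunt(EVENTS):
        print(cmdline, "->", reasons)
```

The non-ASCII check is the cheap one and generalises to other lookalike-directory tricks; the System32 prefix check catches the same technique when the attacker drops the DLL somewhere with a plain ASCII name, and the parent check is what separates a Startup-folder launch from the service's own use of the binary.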

[Category: APT, Breaking News, Cyber warfare, Hacking, Intelligence, hacking news, information security news, IT Information Security, Lazarus APT, malware, Pierluigi Paganini, Security Affairs, Security News]

Posted 1/27/22 11:54am
Personal data belonging to millions of customers of large businesses has been exposed because of a flaw in how the Onfido identity verification (IDV) service was integrated into their apps. Millions of customers have been left vulnerable to identity theft by a security flaw that exposes their personal data to illicit download. Among those affected are clients of Europcar, a vehicle rental service, and FxPro, a trading platform.

Original post at CyberNews: https://cybernews.com/security/popular-apps-left-biometric-data-ids-of-millions-of-users-in-danger/

Service providers using Onfido, an identity verification (IDV) service, let a major flaw in their security go unchecked: an exposed admin token that potentially left app users' biometric data accessible. Using this gap, threat actors could have downloaded personally identifiable information (PII), including copies of client-submitted IDs, passports, and driver's licenses. On December 19, security researcher Mikail Tunç discovered a front-end application programming interface (API) token in several mobile apps used by millions of customers worldwide.

Millions affected

Large businesses appear to be affected, including the FxPro Direct App, a trading platform with over five million installs on Google Play alone, and Europcar, a vehicle rental service with over one million installs on Google Play. Other affected businesses include Chip, a UK-based savings app boasting 400,000 users; Hoolah, a shopping app with over 100,000 installs; Mode, a cryptocurrency app with over 50,000 installs; and Greenwheels, a car-sharing service with over 50,000 installs. iOS users are affected as much as Android users, but the App Store does not publicly share download data.

The research uncovered more Onfido clients with admin tokens in the front end, but these were inactive. According to Tunç, that could mean a couple of things. "The token being included in the application is indicative that it was active and leaking data at some point in time; some could have been in this state for years," Tunç said. The other scenario is that the businesses were alerted to the issue by Onfido. Apps that had inactive front-end admin tokens include the Couchsurfing Travel App, with over five million installs, and the BigPay and Wirex apps, with over a million installs each. The research also identified Babylon Health, Wombat, and First Bank Romania, with over 100,000 installs each, as well as the Coconut and Currencies Direct apps, with over 10,000 installs each.

Verification process

Onfido, a London-based company, offers photo-based IDV services for businesses. Financial service providers, car rentals, and many other suppliers that need to confirm customer identities employ similar third-party services. First, the verification process requires customers to take a photo of their ID document. Next, the client is prompted to take a selfie or upload a video to confirm whether there is a match with the document's photo. "If the user is successful on both the document and facial verification checks, Onfido's client will likely consider the user to have proven their identity," the company's privacy policy states.

What's the problem?

API tokens authenticate requests to a service: the provider checks the token, not the person behind it, and the data reachable through a token is reachable by whoever holds it. Onfido provides its clients with an admin API token that grants access to all the verification data collected for that client. In essence, this admin token serves as a master key that opens every door.

What Tunç discovered is that, contrary to an explicit recommendation by Onfido, developers left the admin key in the front end of several apps used by millions of clients. In simple terms, an easily accessible admin token means that anyone can hold the master key and use it to download app users' data. The data includes PII such as first name, surname, home address, email address, and date of birth. Since the IDV process requires users to photograph an ID card, passport, or driver's license, threat actors who obtained the admin token could easily download copies of these documents. According to the investigation, threat actors could also have accessed biometric information: the liveness-check videos and/or selfies customers take to prove their identities. Though API tokens usually have an expiration date, those uncovered in the investigation did not, which makes the flaw much more dangerous.

Leaving admin tokens in the front end suggests that the app developers did not read the documentation provided by Onfido. "You must never use API tokens in the front end of your application, or malicious users could discover them in your source code. You should only use them on your server," Onfido cautions.

First contact

Tunç's investigation confirmed at least seven apps with a front-end admin token. The flaw potentially affects millions of users, as the combined installations on Android devices alone are close to 18 million. The first app identified as having an exposed admin API token belongs to Kroo, a London-based fintech with over 10,000 downloads on the Google Play store. Tunç informed Kroo about the flaw on December 20; two days later, the company fixed the issue. Interestingly, on the same day, a post on Kroo's Twitter account announced that the company was carrying out "essential maintenance on the systems which affects those applying for a Kroo account". Though the IDV process that uses the front-end token affects users during the application process, the tweet did not mention the security flaw.

Divergent reaction

Tunç and CyberNews researchers contacted every affected business mentioned in this article to inform them about the issue. The Onfido security team replied to us after we sent the responsible disclosure emails to the affected companies, but we have yet to receive answers to the questions sent to Onfido after exchanging technical details regarding the issue. In contrast, Europcar was quick to react: a representative told CyberNews that the company was working with Onfido to resolve the problem, and confirmed that the front-end tokens had been revoked, closing the breach. Representatives of Hoolah informed CyberNews that the issue was resolved within a few hours and that a preliminary investigation did not indicate any attempts to gain unauthorized access to its systems. Mode claims to have already mitigated the problem by switching to software development kit (SDK) tokens; according to its response, the front-end token was left in the Android version of the app by a former team member. "We're currently doing a full audit with the logs provided to us from Onfido. From our preliminary findings, we can find no evidence of malicious access by a third party. Our investigations are still ongoing," Mode told CyberNews. The other affected companies had not responded to our requests for comment at the time of publication.

Looming dangers

Having your personal data leaked poses many hazards. Threat actors can abuse PII to conduct phishing and social engineering attacks, and PII coupled with a copy of an ID card, passport, or driver's license can lead to identity theft. If malicious actors have access to a video used in the IDV process, they could set up accounts under stolen names. Determined attackers can combine information found in the leaked files with other data breaches to build detailed profiles of their potential victims; in other cases, threat actors can quickly sell valid identification documents on the dark web.

Next steps

If you suspect that threat actors might have scraped your data, we recommend that you:
- beware of suspicious messages and connection requests from strangers;
- consider using a password manager to create strong passwords and store them securely;
- enable two-factor authentication (2FA) on all your online accounts;
- watch out for potential phishing emails and text messages, and do not click on anything suspicious or respond to anyone you do not know.

For what engineers and vendors should do, see the original post published by CyberNews: https://cybernews.com/security/popular-apps-left-biometric-data-ids-of-millions-of-users-in-danger/

Pierluigi Paganini (SecurityAffairs – hacking, large businesses)
The post Popular apps left biometric data, IDs of millions of users in danger appeared first on Security Affairs.
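The mistake described above, a server-side API token compiled into the client, is something a mobile app review can catch mechanically once the package is decompiled, because a long random credential looks nothing like the surrounding resource strings. The scanner below is an added example, not Onfido's or CyberNews' tooling: it walks decompiled app files and reports lines that pair a secret-like keyword with a long, high-entropy token, while leaving a human-readable placeholder alone. The file contents and the token value are constructed, real vendors' token formats differ, and the keyword list and entropy threshold are my choices.

```python
"""Find server-side API tokens shipped inside a decompiled mobile app.
Added example; the files, the token value, the keyword list and the
entropy threshold are constructed/assumed, not any vendor's format."""
import math
import re

# Constructed stand-ins for files pulled out of an APK (apktool/jadx output).
FILES = {
    "res/values/strings.xml": (
        '<string name="app_name">DemoBank</string>\n'
        '<string name="idv_admin_token">T7hQ2xL9pWvE4rAs1uBc0dGfJkMnZy8KqLz3</string>\n'
        '<string name="api_token_hint">enter_your_api_token_here</string>\n'
    ),
    "com/example/Config.kt": (
        'const val SDK_TOKEN_ENDPOINT = "https://api.example.com/sdk-token"\n'
    ),
}

# Keywords that usually sit next to a credential, and the shape of a token.
KEYWORDS = re.compile(r"api[_-]?token|api[_-]?key|admin[_-]?token|secret", re.I)
CANDIDATE = re.compile(r"[A-Za-z0-9_.\-]{20,}")


def shannon_entropy(s):
    """Bits per character; random tokens score well above English-like strings."""
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan(files, min_entropy=4.0):
    """Return candidate hard-coded secrets: a secret-like keyword on the line
    plus a long, high-entropy token on the same line. Placeholders such as
    'enter_your_api_token_here' fall under the entropy threshold."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if not KEYWORDS.search(line):
                continue
            for tok in CANDIDATE.findall(line):
                ent = shannon_entropy(tok)
                if ent >= min_entropy:
                    hits.append({"path": path, "line": lineno,
                                 "token": tok, "entropy": round(ent, 2)})
    return hits


if __name__ == "__main__":
    for hit in scan(FILES):
        print(f'{hit["path"]}:{hit["line"]} entropy={hit["entropy"]} {hit["token"]}')
```

A hit from this scanner is only the starting point: the fix the article points at is the one Mode describes, keeping the long-lived API token on the server and handing the client a short-lived SDK token minted per session, after which the old token is revoked rather than merely removed from the next build.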

[Category: Breaking News, Data Breach, data leak, hacking news, information security news, IT Information Security, malware, Onfido, Pierluigi Paganini, Security News]

Posted 1/27/22 8:55am
Microsoft announced that its Azure DDoS Protection platform mitigated a record 3.47 Tbps distributed denial-of-service (DDoS) attack against one of its customers, with a packet rate of 340 million packets per second (pps). The attack was reported in the Azure DDoS Protection 2021 Q3 and Q4 DDoS attack trends report.

"In November, Microsoft mitigated a DDoS attack with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps), targeting an Azure customer in Asia. We believe this to be the largest attack ever reported in history," reads the report. "Attack vectors were UDP reflection on port 80 using Simple Service Discovery Protocol (SSDP), Connection-less Lightweight Directory Access Protocol (CLDAP), Domain Name System (DNS), and Network Time Protocol (NTP) comprising one single peak, and the overall attack lasted approximately 15 minutes."

The attack originated from approximately 10,000 sources in multiple countries, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan. It is the largest attack Microsoft has mitigated to date and likely the largest ever recorded. Microsoft also reported two other massive DDoS attacks against Asian Azure customers in December, which peaked at 3.25 Tbps and 2.55 Tbps respectively. As in the first half of 2021, the majority of DDoS attacks were short-lived, but Microsoft observed a rise in attacks lasting longer than an hour, whose share more than doubled from 13 percent to 27 percent. The researchers warn that multi-vector attacks remain prevalent.

In October, Microsoft announced that Azure had mitigated a 2.4 Tbps DDoS attack at the end of August, at the time the largest DDoS attack recorded; the November attack surpassed it. In the same period, the Russian internet giant Yandex was hit by a record-setting attack launched by a new DDoS botnet tracked as Mēris (the Latvian word for 'plague').

"The concentration of attacks in Asia can be largely explained by the huge gaming footprint, especially in China, Japan, South Korea, Hong Kong, and India, which will continue to grow as the increasing smartphone penetration drives the popularity of mobile gaming in Asia," concludes the report. "In India, another driving factor may be that the acceleration of digital transformation, for example, the 'Digital India' initiative, has increased the region's overall exposure to cyber risks."

Pierluigi Paganini (SecurityAffairs – hacking, Azure)
The post Microsoft mitigated a 3.47 Tbps DDoS attack, the largest one to date appeared first on Security Affairs.
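The four vectors named in the report share one signature in flow data: UDP packets arriving from a reflector's service port (1900 for SSDP, 389 for CLDAP, 53 for DNS, 123 for NTP) at a port on the victim that never sent a query, here the customer's UDP/80. The classifier below is an added example, not Microsoft's tooling. The flow records are constructed for a one-second window, and the rule that a legitimate reply lands on an ephemeral port (assumed to be 1024 or above) is mine.

```python
"""Classify UDP flow records into the reflection vectors the report names and
summarise packet rate, bit rate, source count, per-vector share and average
reply size. Added example; flows and the ephemeral-port rule are assumptions."""
from collections import Counter

# Reflector service ports: the amplifier answers from its service port to the
# spoofed victim address, here a web server on UDP/80.
REFLECTOR_PORTS = {1900: "SSDP", 389: "CLDAP", 53: "DNS", 123: "NTP"}

# Constructed NetFlow-like records for a one-second window:
# (proto, src_ip, src_port, dst_port, packets, bytes)
FLOWS = [
    ("udp", "203.0.113.7", 1900, 80, 120000, 40_000_000),
    ("udp", "198.51.100.9", 389, 80, 90000, 250_000_000),
    ("udp", "192.0.2.44", 53, 80, 60000, 30_000_000),
    ("udp", "203.0.113.88", 123, 80, 80000, 38_000_000),
    ("tcp", "198.51.100.2", 44321, 80, 500, 60_000),   # ordinary web client
    ("udp", "192.0.2.10", 53, 53, 300, 45_000),        # resolver-to-resolver DNS
]


def classify(flow):
    """Return the reflection vector name, or None for non-reflection traffic.
    A legitimate reply from a service port goes back to the ephemeral port the
    client queried from (assumed >= 1024); a reply landing on a low port the
    victim never used is reflected traffic."""
    proto, _, sport, dport, _, _ = flow
    if proto != "udp" or sport not in REFLECTOR_PORTS:
        return None
    if dport >= 1024 or dport == sport:
        return None
    return REFLECTOR_PORTS[sport]


def summarize(flows, window_seconds=1.0):
    """Aggregate reflected traffic: pps, bps, distinct sources, vector shares
    and average bytes per packet (a rough amplification indicator)."""
    pkts, octets, sources = Counter(), Counter(), set()
    for f in flows:
        vec = classify(f)
        if vec:
            pkts[vec] += f[4]
            octets[vec] += f[5]
            sources.add(f[1])
    total = sum(pkts.values())
    return {
        "total_pps": total / window_seconds,
        "total_bps": 8 * sum(octets.values()) / window_seconds,
        "sources": len(sources),
        "share": {v: round(pkts[v] / total, 3) for v in pkts} if total else {},
        "avg_bytes_per_packet": {v: octets[v] // pkts[v] for v in pkts},
    }


if __name__ == "__main__":
    print(summarize(FLOWS))
```

In the constructed sample CLDAP contributes a quarter of the packets but most of the bytes, which is the amplification tell that decides whether a given vector is best handled by packet-rate or bandwidth-oriented mitigation; on a real network the same summary would be computed per export window from sFlow or NetFlow records.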

[Category: Breaking News, Cyber Crime, Hacking, Azure, DDoS, information security news, IT Information Security, Pierluigi Paganini, Security Affairs]

[l] at 1/27/22 8:07am
A few hours ago the LockBit ransomware operators announced that they have stolen data from the Ministry of Justice of France.

The Ministry of Justice of France is a body of the French government which is responsible for: supervision of the judiciary, its maintenance and administration; participation as Vice President of the Judicial Council; supervision of the prosecutor's office; and the prison system.

A few hours ago the LockBit ransomware operators announced that they have stolen data from the Ministry of Justice of France and threatened to leak it. The countdown on the gang's Tor leak site reveals that the gang gave the French government 14 days to pay the ransom. The deadline for the payment has been set for 10 Feb 2022 11:20:00.

I have contacted the French Cyber Threat Intelligence Analyst Anis Haboubi for a comment. "I think we are in phase 3 leaks for failed negotiations. States will not pay by following the guidelines provided by Europol (nomoreransom.org)," states the expert.

"The general advice is not to pay the ransom. By sending your money to cybercriminals you'll only confirm that ransomware works, and there's no guarantee you'll get the decryption key you need in return," recommends Europol.

At this time the ransomware gang has yet to report the volume of data stolen from the Ministry of Justice of France or to publish any sample of the stolen documents. The French government has yet to publish any official comment about the alleged attack (presse-justice@justice.gouv.fr).

Local journalists confirmed the attack, citing a source inside the Ministry.

"The cyberattack on the Ministry of Justice has been confirmed to me by a source inside the ministry. No further information on its scale and consequences." https://t.co/gzsvCQuqYk — Emile Marzolf (@emile_marzolf) January 27, 2022

This morning the LockBit ransomware gang announced a number of European companies, from France, Germany, Italy, and the UK, on its victim list.
[ALERT] LockBit ransomware gang has announced a number of European companies, including France, Germany, Italy, and the UK, on the victim list. — DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) January 27, 2022

If the security breach is confirmed, it could have a significant impact on French authorities. Stay tuned.

Pierluigi Paganini (SecurityAffairs – hacking, Lockbit ransomware)
The post Lockbit ransomware gang claims to have hacked Ministry of Justice of France appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Malware, Cybersecurity, cybersecurity news, Hacking, hacking news, hackingà, information security news, LockBit Ransomware, Ministry of Justice of France, Pierluigi Paganini, Security Affairs, Security News]

[l] at 1/27/22 6:02am
Experts spotted a sophisticated malware campaign that has been delivering the AsyncRAT trojan since September 2021.

Researchers from Morphisec spotted a sophisticated phishing campaign that has been delivering the AsyncRAT trojan since September 2021. The phishing messages use an HTML attachment disguised as an order confirmation receipt (e.g., Receipt-<digits>.html). Experts pointed out that the malware employed has the lowest detection rates as shown on VirusTotal.

Upon opening the file, a webpage is displayed that asks the recipient to save a downloaded ISO file. The experts noticed that the ISO is not downloaded from a remote web server; instead, it is generated within the victim's browser by the JavaScript code embedded inside the HTML receipt file.

"When the victim decides to open the receipt, they see the following webpage that requests them to save a downloaded ISO file. They believe it's a regular file download that will go through all the channels of gateway and network security scanners. Surprisingly, that's not the case," reads the report published by Morphisec. "In fact, the ISO download is generated within the victim's browser by the JavaScript code that is embedded inside the HTML receipt file, and it is not downloaded from a remote server."

The ISO file is delivered as a base64 string; upon opening it, the image is automatically mounted as a DVD drive. The ISO image includes either a .BAT or a .VBS file; when the recipient opens one of them, it retrieves the next-stage component via a PowerShell command execution.
The PowerShell script that is executed allows the attacker to:
- Establish persistence through a scheduled task
- Execute the dropped .vbs file, usually at %ProgramData%
- Unpack a Base64-encoded and deflate-compressed .NET module
- Inject the .NET module payload in memory (dropper)

The .NET module acts as a dropper for three files:
- Net.vbs: obfuscated invocation of Net.bat
- Net.bat: invocation of Net.ps1
- Net.ps1: next-stage injection designed to deliver the final payload, the AsyncRAT malware, bypass antimalware software, and set up Windows Defender exclusions

"In most cases, attackers have delivered AsyncRAT as the final payload that was hiding within the legitimate .NET aspnet_compiler.exe process," concludes the report, which also includes IoCs.

Pierluigi Paganini (SecurityAffairs – hacking, phishing)
The post A new highly evasive technique used to deliver the AsyncRAT Malware appeared first on Security Affairs.
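As an added example (not code from Morphisec or from this article), here is a defender-side check for the delivery trick described above: a mail gateway or sandbox can scan an HTML attachment for a long base64 string that decodes to an ISO 9660 image (or a ZIP/PE), and for the browser-side download indicators such a page needs. The receipt page, the stand-in ISO image and the file name Receipt-482913.iso are constructed for the demo and carry no real payload.

```python
import base64
import binascii
import re

ISO_SIGNATURE_OFFSET = 0x8001  # "CD001" identifier of an ISO 9660 volume descriptor

# Signatures for a few container/executable formats worth flagging inside an HTML file.
MAGIC = {
    "iso9660": (ISO_SIGNATURE_OFFSET, b"CD001"),
    "zip": (0, b"PK\x03\x04"),
    "pe": (0, b"MZ"),
}
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{1024,}={0,2}")
# Tokens a page needs when it builds the download on the client side instead of fetching it.
SMUGGLING_HINTS = ("createObjectURL", "msSaveOrOpenBlob", "download=", ".iso", "atob(")


def build_sample_iso() -> bytes:
    """Constructed stand-in for an ISO 9660 image: empty system area, then a primary volume
    descriptor carrying the CD001 identifier. That is enough for signature matching."""
    img = bytearray(ISO_SIGNATURE_OFFSET + 0x100)
    img[0x8000] = 1  # volume descriptor type: primary
    img[ISO_SIGNATURE_OFFSET:ISO_SIGNATURE_OFFSET + 5] = b"CD001"
    return bytes(img)


def build_sample_html(payload: bytes) -> str:
    """Constructed 'receipt' page: the image sits in the script as a base64 string next to
    the indicators a browser-side download needs. The decode/download logic itself is
    deliberately left out; only the indicators matter for the detector."""
    b64 = base64.b64encode(payload).decode()
    return (
        "<html><body><h1>Order confirmation</h1>\n"
        '<a download="Receipt-482913.iso">Your receipt</a>\n'
        "<script>\n"
        f'var data = "{b64}";\n'
        "// URL.createObjectURL(...) would hand the decoded bytes to the browser here\n"
        "</script></body></html>"
    )


def identify_blob(data: bytes):
    """Return the format name whose signature matches, or None."""
    for name, (offset, signature) in MAGIC.items():
        if data[offset:offset + len(signature)] == signature:
            return name
    return None


def scan_html(html: str) -> dict:
    """Decode every long base64 run in the page and report embedded files plus download hints."""
    findings = {"embedded_files": [], "hints": []}
    for match in BASE64_RUN.finditer(html):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all (e.g. a long minified token)
        kind = identify_blob(blob)
        if kind:
            findings["embedded_files"].append({"type": kind, "size": len(blob)})
    findings["hints"] = [h for h in SMUGGLING_HINTS if h in html]
    # An embedded file image together with client-side download plumbing is the signal.
    findings["suspicious"] = bool(findings["embedded_files"]) and len(findings["hints"]) >= 2
    return findings


if __name__ == "__main__":
    print(scan_html(build_sample_html(build_sample_iso())))
```

The check is deliberately content-agnostic: it does not need to know which script or .BAT file the image carries, only that an HTML file is smuggling a mountable image past a gateway that inspects downloads but not attachments.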

[Category: Breaking News, Malware, Security, AsyncRAT, Cybersecurity, cybersecurity news, Hacking, hacking news, information security news, malware, phishing, Pierluigi Paganini, Security Affairs, Security News]

[l] at 1/27/22 2:48am
LockBit expands its operations by implementing a Linux version of the LockBit ransomware that targets VMware ESXi servers.

LockBit is the latest ransomware operation to add support for Linux systems: experts spotted a new version that targets VMware ESXi virtual machines. The move aims at expanding the audience of potential targets to include all the organizations that are migrating to virtualization environments.

The LockBit operators have been advertising a new Linux version that targets VMware ESXi virtual machines since October 2021. According to Trend Micro, an announcement for "LockBit Linux-ESXi Locker version 1.0" has been advertising the Linux version on the underground forum RAMP since October.

Trend Micro analyzed LockBit Linux-ESXi Locker version 1.0, which uses a combination of the Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption. The report includes an image listing the arguments supported by the version analyzed by the researchers. This version is able to gather the following information from the infected systems:
- Processor information
- Volumes in the system
- Virtual machines (VMs) for skipping
- Total files
- Total VMs
- Encrypted files
- Encrypted VMs
- Total encrypted size
- Time spent for encryption

Below is the list of commands supported by the LockBit encryptor analyzed by Trend Micro; they allow the malware to determine the type of virtual machines registered on the target system and to power them off so that their resources can be unlocked and encrypted.
Command                                                     Description
vm-support --listvms                                        Obtain a list of all registered and running VMs
esxcli vm process list                                      Get a list of running VMs
esxcli vm process kill --type force --world-id              Power off the VM from the list
esxcli storage filesystem list                              Check the status of data storage
/sbin/vmdumper %d suspend_v                                 Suspend VM
vim-cmd hostsvc/enable_ssh                                  Enable SSH
vim-cmd hostsvc/autostartmanager/enable_autostart false     Disable autostart
vim-cmd hostsvc/hostsummary | grep cpuModel                 Determine ESXi CPU model

The LockBit ransomware operation is the latest to add support for Linux encryptors; other gangs that already implemented it in the past are HelloKitty, BlackMatter, REvil, AvosLocker, and the Hive ransomware operations.

"The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers. An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies. This trend was spearheaded by ransomware families like REvil and DarkSide," reads the analysis published by Trend Micro.

Pierluigi Paganini (SecurityAffairs – hacking, Lockbit ransomware)
The post Experts analyze first LockBit ransomware for Linux and VMware ESXi appeared first on Security Affairs.
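The command table above maps directly onto what an ESXi host records in its shell history (/var/log/shell.log). Below is an added example, not Trend Micro's or the article's code, that scores such lines against those commands so a SIEM rule can raise the combination (VM enumeration, forced power-off, SSH enabled, autostart disabled) above routine administration. The log lines and the weights are constructed for the demo.

```python
import re

# Constructed ESXi shell-history lines in the layout of /var/log/shell.log
# (timestamp, shell[pid], [user], command). Sample data, not taken from the report.
SAMPLE_SHELL_LOG = [
    "2022-01-20T10:15:02Z shell[2100013]: [root]: vim-cmd hostsvc/hostsummary | grep cpuModel",
    "2022-01-20T10:15:10Z shell[2100013]: [root]: vim-cmd hostsvc/enable_ssh",
    "2022-01-20T10:15:21Z shell[2100013]: [root]: vim-cmd hostsvc/autostartmanager/enable_autostart false",
    "2022-01-20T10:15:40Z shell[2100013]: [root]: esxcli vm process list",
    "2022-01-20T10:15:55Z shell[2100013]: [root]: esxcli vm process kill --type force --world-id 2101234",
    "2022-01-20T10:16:03Z shell[2100013]: [root]: esxcli storage filesystem list",
]
BENIGN_SHELL_LOG = [
    "2022-01-20T09:00:00Z shell[2099000]: [root]: esxcli vm process list",
    "2022-01-20T09:00:12Z shell[2099000]: [root]: esxcli storage filesystem list",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")

# One indicator per row of the command table. Weights are this example's own judgement of
# how unusual each command is in day-to-day administration.
INDICATORS = [
    ("enumerate_vms",     1, re.compile(r"vm-support\s+--listvms|esxcli\s+vm\s+process\s+list")),
    ("force_kill_vm",     3, re.compile(r"esxcli\s+vm\s+process\s+kill\b.*--type[=\s]+force")),
    ("suspend_vm",        2, re.compile(r"/sbin/vmdumper\s+\d+\s+suspend_v")),
    ("enumerate_storage", 1, re.compile(r"esxcli\s+storage\s+filesystem\s+list")),
    ("enable_ssh",        2, re.compile(r"vim-cmd\s+hostsvc/enable_ssh")),
    ("disable_autostart", 2, re.compile(r"vim-cmd\s+hostsvc/autostartmanager/enable_autostart\s+false")),
    ("cpu_recon",         1, re.compile(r"vim-cmd\s+hostsvc/hostsummary\s*\|\s*grep\s+cpuModel")),
]


def parse_line(line: str):
    """Split one shell.log line into timestamp, user and command; None if it does not parse."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def classify(cmd: str):
    """Names of all indicators matched by one command string."""
    return [name for name, _weight, regex in INDICATORS if regex.search(cmd)]


def analyze_shell_log(lines) -> dict:
    """Count indicator hits, weight them, and derive a verdict for the host."""
    hits, users = {}, set()
    for line in lines:
        record = parse_line(line)
        if not record:
            continue
        for name in classify(record["cmd"]):
            hits[name] = hits.get(name, 0) + 1
            users.add(record["user"])
    weights = {name: weight for name, weight, _regex in INDICATORS}
    score = sum(weights[name] * count for name, count in hits.items())
    # Forced power-off plus a persistence/visibility change is the pre-encryption pattern.
    if "force_kill_vm" in hits and ("enable_ssh" in hits or "disable_autostart" in hits):
        verdict = "high"
    elif score >= 4:
        verdict = "medium"
    else:
        verdict = "low"
    return {"hits": hits, "score": score, "verdict": verdict, "users": sorted(users)}


if __name__ == "__main__":
    print(analyze_shell_log(SAMPLE_SHELL_LOG))
    print(analyze_shell_log(BENIGN_SHELL_LOG))
```

Listing VMs or checking datastores on their own stay "low"; the verdict only escalates when the forced power-off is combined with the host-configuration changes, which is what distinguishes the encryptor's preparation from an administrator's maintenance session.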

[Category: Breaking News, Cyber Crime, Malware, Cybercrime, hacking news, information security news, IT Information Security, LINUX, Linux VMware ESXi, LockBit Ransomware, Pierluigi Paganini, Security Affairs, Security News]

[l] at 1/26/22 3:25pm
Apple released security updates to fix two zero-day flaws, one of them actively exploited to hack iPhones and Macs.

Apple has released security updates to address two zero-day vulnerabilities, one of which is being actively exploited in the wild by threat actors to compromise iPhone and Mac devices.

One of the zero-day flaws addressed by the IT giant, tracked as CVE-2022-22587, is a memory corruption issue that resides in the IOMobileFrameBuffer and affects iOS, iPadOS, and macOS Monterey. Exploitation of this flaw leads to arbitrary code execution with kernel privileges on compromised devices.

"A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited," reads the security advisory published by Apple. The company addressed the flaw by improving input validation.

The vulnerability impacts iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Apple acknowledged an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition Mercedes-Benz Innovation Lab, and Siddharth Aeri (@b1n4r1b01) for having reported this flaw.

"actively exploited" Achievement Unlocked. Btw I already posted the poc for this one on 1st January pic.twitter.com/3nmEvgnyPZ — binaryboy (@b1n4r1b01) January 26, 2022

My first 2022 CVE is iOS kernel arbitrary code execution in IOMobileFrameBuffer. https://t.co/WnE7dQ9RyJ — Meysam Firouzi (@R00tkitSMM) January 26, 2022

The second zero-day vulnerability, tracked as CVE-2022-22594, is a Safari WebKit issue that impacts iOS and iPadOS. Due to this flaw, a website could track user browsing activity and identities in real time.

"A cross-origin issue in the IndexDB API was addressed with improved input validation. A website may be able to track sensitive user information," reads the advisory.

This vulnerability impacts iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). The bug was first reported to Apple by Martin Bajanik of FingerprintJS on November 28th, and Apple addressed it with the release of the iOS 15.3 and iPadOS 15.3 security updates.

Pierluigi Paganini (SecurityAffairs – hacking, zero-day)
The post Apple fixed the first two zero-day vulnerabilities of 2022 appeared first on Security Affairs.

[Category: Breaking News, Hacking, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security News, zero-Day]

[l] at 1/26/22 1:44pm
The BfV, Germany's domestic intelligence service, warns of ongoing attacks carried out by the China-linked APT27 cyberespionage group.

The Bundesamt für Verfassungsschutz (BfV), the federal domestic intelligence agency, warns of ongoing attacks coordinated by the China-linked APT27 group.

"The Federal Office for the Protection of the Constitution (BfV) has information about an ongoing cyber espionage campaign by the cyber attack group APT27 using the malware variant HYPERBRO against German commercial companies," reads the advisory published by the German intelligence agency.

The APT27 group (aka Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse) has been active since 2010; it has targeted organizations worldwide, including U.S. defense contractors, financial services firms, and a national data center in Central Asia. The group was involved in cyber espionage campaigns aimed at new-generation weapons and in surveillance activities against dissidents and other civilian groups.

APT27 has been exploiting vulnerabilities in Microsoft Exchange and in the Zoho ADSelfService Plus software since March 2021. The cyber espionage group leverages both readily available tools and custom malware in its operations; many of the tools have been available for years, but in recent attacks their code was updated.

German intelligence warns of Chinese nation-state actors targeting commercial organizations with the HyperBro remote access trojan (RAT). The attacks aim at stealing sensitive data from the victims and attempt to launch supply chain attacks targeting their customers. HyperBro is a custom in-memory backdoor used by the APT27 group to maintain persistence on the victims' networks. The report published by BfV details the HyperBro infection chain.

"It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack)," continues the advisory.

The German intelligence experts believe that the threat actors will continue to target the German economy; for this reason, they shared Indicators of Compromise and YARA rules to help defenders protect their networks from this threat.

Pierluigi Paganini (SecurityAffairs – hacking, APT27)
The post German intelligence agency warns of China-linked APT27 targeting commercial organizations appeared first on Security Affairs.

[Category: APT, Breaking News, Hacking, Intelligence, Malware, APT27, BfV, Cyberespionage, HYPERBRO backdoor, information security news, IT Information Security, malware, Pierluigi Paganini, Security Affairs, Security News]

[l] at 1/26/22 8:42am
New malware is targeting QNAP NAS devices: it is the DeadBolt ransomware, and its operators ask 50 BTC for the master key.

DeadBolt ransomware is targeting QNAP NAS devices worldwide; its operators claim the availability of a zero-day exploit that allows them to encrypt the content of the infected systems. Once the content of the device has been encrypted, the ransomware appends the .deadbolt extension to the names of the encrypted files and defaces the login page of the QNAP NAS to display the following message:

WARNING: Your files have been locked by DeadBolt

Source: DarkFeed Twitter

Deadbolt #Ransomware team targets QNAP devices with a new zero-day. No one's paid them yet #DEADBOLT pic.twitter.com/Y1YxE1X6Rs — DarkFeed (@ido_cohen2) January 26, 2022

The hijacked QNAP login screen displays a ransom note demanding the payment of a 0.03 BTC ransom (roughly $1,017) to receive a decryption key to recover the files. The operators claim a transparent process for the delivery of the decryption key directly on the Bitcoin blockchain: the decryption key is stored in the OP_RETURN field of a transaction made by the operators in response to the payment. Victims can retrieve the key by monitoring the address to which they made the ransom payment. After payment is made, the threat actors claim they will make a follow-up transaction to the same address that includes the decryption key (composed of 32 characters), which can be retrieved by following the instructions in the note. At this time there is no confirmation that paying the ransom will allow the victims to decrypt their files.

QNAP continues to be a privileged target for cybercriminals: recently a new wave of Qlocker ransomware was observed targeting QNAP NAS devices worldwide. In December 2021, another wave of ech0raix ransomware attacks started targeting QNAP network-attached storage (NAS) devices.

The ransom note also includes a link titled "important message for QNAP", which points to a page that offers technical details of the alleged zero-day vulnerability in QNAP NAS devices for 5 BTC (approximately $184,000).

#QNAP seem to have a new #Ransomware attack: #Deadbolt. What's the fix, QNAP? Each customer being asked to pay 0.03 #BTC pic.twitter.com/1XS1liTZn2 — Wireless-News (@news_wireless) January 25, 2022

They are also offering QNAP the master decryption key for 50 BTC, which could allow all the victims of this ransomware family to decrypt their files.

"Make a bitcoin payment of 50 BTC to bc1qnju697uc83w5u3ykw7luujzupfyf82t6trlnd8," reads the message, as reported by BleepingComputer. "You will receive a universal decryption master key (and instructions) that can be used to unlock all your clients their files. Additionally, we will also send you all details about the zero-day vulnerability to security@qnap.com."

Pierluigi Paganini (SecurityAffairs – hacking, REvil ransomware)
The post New DeadBolt ransomware targets QNAP NAS devices appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Malware, hacking news, information security news, malware, QNAP NAS, Security Affairs, Security News]

[l] at 1/26/22 6:20am
VMware released security patches to address critical Log4j security vulnerabilities in VMware Horizon servers targeted in ongoing attacks.

VMware urges customers to patch critical Log4j security vulnerabilities impacting Internet-exposed VMware Horizon servers targeted in ongoing attacks. Searching for Internet-exposed VMware Horizon servers with Shodan, we can find tens of thousands of installs potentially exposed to attacks.

This month, the Night Sky ransomware operation started exploiting the Log4Shell flaw (CVE-2021-44228) in the Log4j library to gain access to VMware Horizon systems. In early January, threat actors started targeting VMware Horizon systems exposed on the Internet. VMware has addressed Log4Shell in Horizon with the release of versions 2111, 7.13.1, and 7.10.3, but unfortunately many unpatched systems are still exposed online.

I suspect this got totally lost while I was away before Xmas, roughly the 23rd, attackers started dropping custom webshells on VMware Horizon boxes, by modifying legit VMware file absg-worker.js to add a shell. https://t.co/p3FagzulNq — Kevin Beaumont (@GossiTheDog) January 20, 2022

Recently, Microsoft posted a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet and deploy Night Sky ransomware.

We have observed a China-based ransomware operator that we're tracking as DEV-0401 exploiting the CVE-2021-44228 vulnerability in Log4j 2 (aka #log4shell) targeting internet-facing systems running VMWare Horizon. https://t.co/6GOdRwRTjk — Microsoft Security Intelligence (@MsftSecIntel) January 11, 2022

The security team at the UK National Health Service (NHS) also announced that it had spotted threat actors exploiting the Log4Shell vulnerability to hack VMware Horizon servers and install web shells.

"An unknown threat group has been observed targeting VMware Horizon servers running versions affected by Log4Shell vulnerabilities in order to establish persistence within affected networks," reads the security advisory published by the NHS. "The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure. Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service."

Once a web shell is installed, threat actors can use it to carry out a broad range of malicious activities, such as data exfiltration or the deployment of ransomware. Upon exploiting the Log4j flaws, threat actors deploy custom web shells into the VM Blast Secure Gateway service to gain access to the networks of target organizations.

In an email to Bleeping Computer today, VMware said it is strongly urging customers to patch their Horizon servers to defend against these active attacks. Multiple VMware products, including VMware Horizon products, are impacted by remote code execution vulnerabilities via Apache Log4j (CVE-2021-44228, CVE-2021-45046).

Recently the Dutch National Cybersecurity Centre (NCSC) warned organizations to remain vigilant about possible attacks exploiting the Log4j vulnerability. According to the Dutch agency, threat actors will continue to attempt to exploit the Log4Shell flaw in future attacks.

"Partly due to the rapid actions of many organizations, the extent of active abuse appears to be not too bad at the moment. But that doesn't mean it stops there. It is expected that malicious parties will continue to search for vulnerable systems and carry out targeted attacks in the coming period. It is therefore important to remain vigilant," states the Dutch NCSC agency. "The NCSC advises organizations to continue to monitor whether vulnerable systems are used and to apply updates or mitigating measures where necessary. In addition, the NCSC advises directors to stay alert by informing themselves about Log4j and the possible impact of abuse on business continuity."

The risk that cybercriminal groups and nation-state actors could exploit Log4j vulnerabilities in future attacks is still high. The virtualization giant urges customers to examine VMSA-2021-0028 and apply the guidance for Horizon. VMware published dedicated guidance to VMware Horizon customers regarding Log4j.

"In a zero-day situation such as the Apache Software Foundation Log4j vulnerability, cyber criminals are racing to exploit the vulnerabilities identified by CVE-2021-44228 and CVE-2021-45046 before organizations can address them. We continue to amplify the message in our security advisory, VMSA-2021-0028, urging customers to address the vulnerability immediately, including with VMware Horizon 8 and Horizon 7.x," reads the guidance. "While most customers have followed the guidance, those who have not done so remain at risk."

Pierluigi Paganini (SecurityAffairs – hacking, VMware Horizon)
The post VMware urges customers to patch VMware Horizon servers against Log4j attacks appeared first on Security Affairs.
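The tweet above describes the web shell being added to a legitimate Horizon file (absg-worker.js), which is exactly the kind of change a file-integrity baseline of the Blast Secure Gateway directory catches. What follows is an added example, not VMware's, the NHS's or the article's code: it hashes the JavaScript files under a root, stores the result as a manifest, and diffs a later manifest against it. The directory layout and file contents are constructed in a temporary folder, and the file names only mirror the one named in the tweet.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large bundles do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str, suffixes=(".js",)) -> dict:
    """Map every file under root with a matching suffix (relative, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files that appeared, vanished, or changed content since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def _write(path: str, text: str, mode: str = "w") -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as handle:
        handle.write(text)


def demo() -> dict:
    """Constructed end-to-end run: a temporary directory stands in for the gateway's install
    tree, a baseline is taken, then one file is appended to and one new file is dropped."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "absg-worker.js"), "// constructed original worker script\n")
        _write(os.path.join(root, "lib", "util.js"), "// constructed helper\n")
        baseline = build_manifest(root)
        # Simulated tampering: an extra line appended to the legitimate file, plus a new file.
        _write(os.path.join(root, "absg-worker.js"), "// constructed appended line\n", mode="a")
        _write(os.path.join(root, "lib", "helper.js"), "// constructed new file\n")
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after a clean install or patch and stored off the host, and the comparison runs on a schedule; a modified gateway script or an unexpected new file is the finding, independent of what the injected code does.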

[Category: Breaking News, Security, Hacking, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security Affairs, Security News, VMware, VMware Horizon]

[l] at 1/26/22 4:12am
A flaw in Polkit's pkexec component, tracked as CVE-2021-4034 (PwnKit), can be exploited to gain full root privileges on major Linux distros.

An attacker can exploit a vulnerability in Polkit's pkexec component, tracked as CVE-2021-4034, that affects all major Linux distributions to gain full root privileges on the system. The good news is that this issue is not remotely exploitable, but if an attacker can log in as any unprivileged user, the flaw allows them to gain root privileges. The flaw, dubbed PwnKit, was introduced more than 12 years ago (May 2009) with the initial commit of pkexec, which means that all versions are affected.

Polkit (formerly PolicyKit) is a component used to control system-wide privileges in Unix-like operating systems. It allows non-privileged processes to communicate with privileged processes. Polkit also allows executing commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).

Researchers from the Qualys Research Team have discovered a memory corruption vulnerability in the SUID-root program polkit. "The Qualys Research Team has discovered a memory corruption vulnerability in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution," reads the post published by Qualys. "Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable."

"This vulnerability is an attacker's dream come true," explained Qualys:
- pkexec is installed by default on all major Linux distributions (we exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are probably also exploitable);
- pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83, "Add a pkexec(1) command");
- any unprivileged local user can exploit this vulnerability to obtain full root privileges;
- although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way;
- and it is exploitable even if the polkit daemon itself is not running.

Experts pointed out that it is very easy to exploit the flaw; while Qualys doesn't plan to release a PoC for this issue, other experts are already working on releasing one. Bleeping Computer reported that a working exploit was publicly released less than three hours after Qualys published the technical details for PwnKit. "BleepingComputer has compiled and tested the available exploit, which proved to be reliable as it gave us root privileges on the system on all attempts," the outlet reported.

The exploit for CVE-2021-4034 is both simple and universal. What's not to love? https://t.co/rXzHjEwFm4 pic.twitter.com/ZRsbd0So53 — Will Dormann (@wdormann) January 25, 2022

Below is the vulnerability disclosure timeline:
- 2021-11-18: Advisory sent to secalert@redhat.
- 2022-01-11: Advisory and patch sent to distros@openwall.
- 2022-01-25: Coordinated Release Date (5:00 PM UTC).

Qualys provided instructions to its customers on how to detect PwnKit in their environment. If no patches are available for your operating system, experts recommend removing the SUID bit from pkexec as a temporary mitigation; for example:

# chmod 0755 /usr/bin/pkexec

Administrators should apply the patches that Polkit's authors have already released on their GitLab. Major Linux distros are expected to release updated pkexec packages as soon as possible; some of them have already done so at the time of this writing.

In order to check for evidence of exploitation, users have to inspect the logs searching for either "The value for the SHELL variable was not found the /etc/shells file" or "The value for environment variable [...] contains suspicious content" entries.

"Yes, this exploitation technique leaves traces in the logs (either 'The value for the SHELL variable was not found the /etc/shells file' or 'The value for environment variable [...] contains suspicious content'). However, please note that this vulnerability is also exploitable without leaving any traces in the logs," notes Qualys.

Pierluigi Paganini (SecurityAffairs – hacking, PwnKit)
The post PwnKit: Local Privilege Escalation bug affects major Linux distros appeared first on Security Affairs.
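The two defender-side points above (whether pkexec still carries the SUID bit that the temporary chmod mitigation removes, and the two log messages Qualys names) fit in one small host check. The following is an added example, not Qualys's or the article's code: the pkexec path is an assumption for typical installs, the auth-log lines are constructed, and EXAMPLE_VAR stands in for whatever variable name the real message carries. Note that a present SUID bit only says the interim mitigation was not applied; it does not tell you whether a patched package is installed, which remains the actual fix.

```python
import os
import re
import stat

# Typical install path of the SUID helper on major distributions (assumption for this check).
PKEXEC_PATH = "/usr/bin/pkexec"

# Log message fragments quoted in the Qualys advisory; the variable name varies per event.
PWNKIT_LOG_PATTERNS = (
    re.compile(r"The value for the SHELL variable was not found the /etc/shells file"),
    re.compile(r"The value for environment variable \S+ contains suspicious content"),
)

# Constructed auth-log lines: lines 1 and 2 mimic the two pkexec messages, line 3 is ordinary noise.
SAMPLE_AUTH_LOG = [
    "Jan 25 18:02:11 host1 pkexec[4121]: alice: The value for the SHELL variable was not found "
    "the /etc/shells file [USER=root] [TTY=/dev/pts/1] [CWD=/home/alice] [COMMAND=]",
    "Jan 25 18:02:11 host1 pkexec[4122]: alice: The value for environment variable EXAMPLE_VAR "
    "contains suspicious content [USER=root] [TTY=/dev/pts/1] [CWD=/home/alice] [COMMAND=]",
    "Jan 25 18:03:00 host1 sshd[4200]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
]


def is_suid_root(mode: int, uid: int) -> bool:
    """True when st_mode carries the set-user-ID bit and the file is owned by root (uid 0)."""
    return bool(mode & stat.S_ISUID) and uid == 0


def check_pkexec(path: str = PKEXEC_PATH):
    """Report the binary's mode and whether the interim mitigation (dropping SUID) is in place."""
    try:
        info = os.stat(path)
    except FileNotFoundError:
        return None  # pkexec not installed on this host
    suid = is_suid_root(info.st_mode, info.st_uid)
    return {
        "path": path,
        "mode": oct(stat.S_IMODE(info.st_mode)),
        "suid_root": suid,
        # The interim fix quoted in the article, only relevant until a patched package lands.
        "interim_mitigation": f"chmod 0755 {path}" if suid else None,
    }


def scan_log_lines(lines):
    """Return (line number, line) for every entry matching one of the known pkexec messages."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if any(pattern.search(line) for pattern in PWNKIT_LOG_PATTERNS):
            hits.append((number, line.strip()))
    return hits


if __name__ == "__main__":
    print(check_pkexec())
    for number, line in scan_log_lines(SAMPLE_AUTH_LOG):
        print(f"line {number}: {line}")
```

Run it against the real auth log (for example the lines from /var/log/auth.log or journalctl output) rather than the sample; and, as Qualys warns, an empty result does not prove the host was not exploited, since the flaw can be triggered without leaving these traces.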

[Category: Breaking News, Security, CVE-2021-4034, Hacking, hacking news, information security news, IT Information Security, LINUX, Pierluigi Paganini, privilege escalation, PwnKit, Security Affairs, Security News]

[l] at 1/26/22 12:46am
PrinterLogic has addressed nine vulnerabilities in Web Stack and Virtual Appliance, including three high-severity flaws.

PrinterLogic has released security updates to address nine vulnerabilities in Web Stack and Virtual Appliance; the most severe ones, tracked as CVE-2021-42631, CVE-2021-42635, and CVE-2021-42638, are rated as high-severity flaws (CVSS base score of 8.1). Below is the list of the vulnerabilities, as listed by the Paranoids:
- CVE-2021-42631: Object Injection leading to RCE
- CVE-2021-42635: Hardcoded APP_KEY leading to RCE
- CVE-2021-42638: Misc command injections leading to RCE
- CVE-2021-42633: SQLi may disclose audit logs
- CVE-2021-42637: Blind SSRF
- CVE-2021-42639: Misc reflected XSS
- CVE-2021-42640: Driver assignment IDOR
- CVE-2021-42641: Username/email info disclosure
- CVE-2021-42642: Printer console username/password info disclosure

An attacker can trigger the three high-severity vulnerabilities to remotely execute arbitrary code on vulnerable systems: CVE-2021-42631 is an object injection flaw, CVE-2021-42635 is a hardcoded APP_KEY issue, while CVE-2021-42638 covers miscellaneous command injections. PrinterLogic pointed out that most of the installs are not internet-facing. In order to exploit the PrinterLogic Web Stack server, attackers would need a privileged network position, such as access through a VPN or another vulnerability (i.e. SSRF) in an appliance on the edge. Experts did not disclose the component affected by the vulnerability in order to give customers some time to address the flaws.

The timeline for the flaws is:
- April 19th: Set up a testing environment
- May 4th: Decrypted the Web Stack server code, which allowed us to begin performing source auditing
- May 6th: Identified initial pre-auth object injection vulnerability (CVE-2021-42631)
- May 19th: Began work on developing a full exploitation toolkit around the vulnerability
- June 4th: Full exploit was completed and ready for operational use

The Paranoids researchers noted that the majority of PrinterLogic installations are not directly accessible from the Internet. The flaws impact all PrinterLogic Web Stack versions 19.1.1.13 SP9 and earlier, and Virtual Appliance version 20.0.1304 and earlier, when used with macOS or Linux endpoint client software. PrinterLogic addressed the issues with the release of Web Stack version 19.1.1.13-SP10; no client software updates are required for Virtual Appliance.

Pierluigi Paganini (SecurityAffairs – hacking, Printer Management Suite)
The post PrinterLogic fixes high severity flaws in Printer Management Suite appeared first on Security Affairs.

[Category: Breaking News, Security, Hacking, hacking news, information security news, IT Information Security, Pierluigi Paganini, Printer Management Suite, PrinterLogic, Security Affairs, Security News]

[l] at 1/25/22 3:24pm
Segway e-store suffered a Magecart attack that potentially allowed threat actors to steal credit cards and customer info.

The online store of Segway was compromised as a result of a Magecart attack: threat actors planted a malicious script to steal credit card data and customer information while visitors were making a purchase. Segway is known for the design of the two-wheeled, self-balancing personal transporter invented by Dean Kamen; the company also produces other human transportation devices.

Malwarebytes researchers spotted a web skimmer on Segway's online store (store.segway.com) and linked the attack to Magecart Group 12. Researchers noticed the Segway store was contacting a known skimmer domain (booctstrap[.]com), which has been active since November and was involved in previous Magecart attacks.

The store is running the Magento CMS; threat actors typically compromise such stores by exploiting vulnerabilities in outdated versions of the CMS itself or of one of its plugins. The analysis of urlscan.io data revealed that the site of Segway had been compromised since at least January 6th.

Attackers added JavaScript to Segway's online store that pretended to display the site's copyright notice, but that was actually used to load an external favicon containing the e-skimming code.

"The threat actors are embedding the skimmer inside a favicon.ico file. If you were to look at it, you'd not notice anything because the image is meant to be preserved. However, when you analyze the file with a hex editor, you will notice that it contains JavaScript starting with an eval function." reads the analysis published by Malwarebytes.

Magecart Group 12 has been active since at least 2019, when it carried out a large-scale operation against OpenCart online stores. Malwarebytes immediately shared its findings with the company. The compromise of the Segway store is a reminder that even well-known and trusted brands can be affected by Magecart attacks.

"While it usually is more difficult for threat actors to breach a large website, the payoff is well worth it." concludes the report.

Pierluigi Paganini (SecurityAffairs – hacking, Magecart). The post Segway e-store compromised in a Magecart attack to steal credit cards appeared first on Security Affairs.
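The favicon trick described in the Malwarebytes analysis can be checked for without opening a hex editor. The following Python script is an added example, not code from Malwarebytes or from the original post: it parses the ICO directory to compute where the declared image data ends, then reports any bytes trailing the images and any JavaScript markers (such as eval( or <script) found anywhere in the file. The two favicon samples it analyzes are constructed inline for illustration and are not the files from the Segway incident.

```python
import re
import struct

# JavaScript fragments that have no business inside an icon file.
JS_MARKERS = re.compile(
    rb"eval\s*\(|<script|document\.createElement|XMLHttpRequest|fetch\s*\("
)


def declared_size(ico: bytes) -> int:
    """Return the end offset of the image data as declared by the ICO directory.

    ICONDIR header: reserved (2 bytes, 0), type (2 bytes, 1 = icon), count (2 bytes).
    Each ICONDIRENTRY (16 bytes) ends with the image size and its offset in the file.
    """
    if len(ico) < 6:
        raise ValueError("too short to be an ICO file")
    reserved, img_type, count = struct.unpack_from("<HHH", ico, 0)
    if reserved != 0 or img_type != 1:
        raise ValueError("not an ICO header")
    end = 6 + 16 * count
    for i in range(count):
        entry = struct.unpack_from("<BBBBHHII", ico, 6 + 16 * i)
        size, offset = entry[6], entry[7]
        end = max(end, offset + size)
    return end


def analyze_favicon(ico: bytes) -> dict:
    """Flag an ICO that carries script tokens, and report data beyond its declared images."""
    end = declared_size(ico)
    trailing = ico[end:]
    markers = [m.group(0).decode("latin-1") for m in JS_MARKERS.finditer(ico)]
    return {
        "declared_size": end,
        "file_size": len(ico),
        "trailing_bytes": len(trailing),
        "js_markers": markers,
        # Script tokens anywhere are the strong signal; trailing data alone is worth a look.
        "suspicious": bool(markers),
    }


def _build_ico(image_bytes: bytes) -> bytes:
    """Build a minimal single-image ICO around an arbitrary image blob (constructed sample)."""
    header = struct.pack("<HHH", 0, 1, 1)          # reserved, type=icon, one image
    offset = 6 + 16                                # image data follows the directory
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image_bytes), offset)
    return header + entry + image_bytes


# Constructed samples: a clean icon, and the same icon with a script appended after the image.
CLEAN_FAVICON = _build_ico(bytes(48))
SKIMMER_FAVICON = CLEAN_FAVICON + (
    b"\n<script>eval(function(p,a,c,k,e,d){/* skimmer body omitted */})</script>"
)


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_FAVICON), ("skimmer", SKIMMER_FAVICON)):
        print(name, analyze_favicon(sample))
```

A site owner can run analyze_favicon over the favicon served by their store and over any icon file referenced from page scripts; a legitimate icon ends exactly where its directory entries say it does and contains no script tokens, so either finding is a reason to inspect the file and the script that loads it.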

[Category: Breaking News, Cyber Crime, Malware, Cybercrime, data breach, e-skimmer, Hacking, hacking news, information security news, IT Information Security, MageCart, malware, Pierluigi Paganini, Security Affairs, Security News, Segway]

[l] at 1/25/22 1:05pm
The UK NCSC cybersecurity agency is going to release a collection of NMAP scripts that can allow defenders to find unpatched vulnerabilities.

The United Kingdom's National Cyber Security Centre (NCSC) announced the release of NMAP Scripting Engine scripts that can help defenders scan their infrastructure to find and fix unpatched vulnerabilities affecting them. The scripts were developed by i100 (Industry 100), an initiative that promotes close collaborative working between the NCSC and 100 industry personnel. The scripts will be published on GitHub through a project named Scanning Made Easy (SME).

"Scanning Made Easy (SME) is a joint project between the i100 and the NCSC to build a collection of NMAP Scripting Engine scripts, designed to help system owners and administrators find systems with specific vulnerabilities." reads the description of the project. "When a software vulnerability is disclosed, it is often easier to find proof-of-concept code to exploit it, than it is to find tools that will help defend your network. To make matters worse, even when there is a scanning script available, it can be difficult to know if it is safe to run, let alone whether it returns valid scan results. Scanning Made Easy (SME) was born out of our frustration with this problem and our desire to help network defenders find vulnerable systems, so they can protect them. Should you be interested in developing a script for SME, more detail can be found below on how scripts should be produced, how the NCSC will approve, publication and through life management."

The NCSC will approve a script submitted by industry partners by checking that it meets the following mandatory requirements:

- written for NMAP using the NMAP Script Engine (.nse);
- relate to one of the high priority vulnerabilities impacting the UK;
- conform to the metadata template;
- run in isolation, i.e. no dependencies and does not connect to other servers;
- be as close to 100% reliable in detection of vulnerable instances as is practicable, i.e. low false-positive rate;
- be as unintrusive (i.e. not transmit excessive network traffic) and safe as possible in the detection mechanism;
- be hosted on a publicly available repository or website;
- be made freely available under a permissive open source license;
- not capture sensitive data, e.g., exposure of cyber security risk or personal;
- not send data off the system upon which the script is run; and
- be able to write the output from the script to a file.

Partners that have uploaded a script to a publicly available repository or website can contact the NCSC at https://www.ncsc.gov.uk/section/about-this-website/general-enquiries. The agency will check the script and, once it has been assessed, notify the community and link to it.

The NCSC has already released the first SME script, which allows the maintainers of the Exim email server software to find instances affected by a collection of 21 vulnerabilities, dubbed 21Nails, that can be exploited by attackers to take over servers and access the email traffic passing through them.

"We want SME to be as straightforward as possible to use, and also needs to be reliable. Providing a false sense of security, or false positives, doesn't help make your systems safer, as you won't be fixing the real security issues." states the announcement published by the NCSC. "This is why SME scripts are written using the NMAP Scripting Engine (NSE). NMAP is an industry standard network mapping tool that has been in active development for over 20 years."

Pierluigi Paganini (SecurityAffairs – hacking, NMAP). The post UK NCSC is going to release Nmap scripts to find unpatched vulnerabilities appeared first on Security Affairs.

[Category: Breaking News, Hacking, Security, hacking news, information security news, IT Information Security, NCSC, Pierluigi Paganini, Scanning Made Easy (SME), Security Affairs, Security News]

[l] at 1/25/22 9:01am
Experts found an undocumented macOS backdoor, dubbed DazzleSpy, that was employed in watering hole attacks aimed at politically active individuals in Hong Kong.

Researchers from ESET have spotted an undocumented macOS backdoor, dubbed DazzleSpy, that was employed in watering hole attacks aimed at politically active individuals in Hong Kong. The investigation started in November, after Google TAG published a blog post about watering-hole attacks targeting macOS users in Hong Kong. Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited an XNU privilege escalation vulnerability (CVE-2021-30869) that was unpatched in macOS Catalina.

The watering hole campaign targeted the websites of a media outlet and of an important pro-democracy labor and political group. The researchers discovered that the compromised sites hosted two iframes that were used to serve iOS and macOS exploits to visitors. The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group. ESET also attributed the attacks to an actor with strong technical capabilities.

According to Félix Aimé from SEKOIA.IO, one of the sites used by the threat actors in the attacks was a fake website targeting Hong Kong activists.

"One of the websites used to infect HK dissidents fightforhk[.]com seems to have been created from scratch for that unique purpose. Do not hesitate to check your logs/mails/SMS/private messages etc. against this domain. [1/2] pic.twitter.com/TfTSN5pqbf" — Félix Aimé (@felixaime) November 13, 2021

Researchers also found that the legitimate website of D100, a Hong Kong pro-democracy radio station, had been compromised to distribute the same exploit before the Google TAG report.

"The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely. It's interesting to note that some code, which suggests the vulnerability could also have been exploited on iOS and even on PAC-enabled (Pointer Authentication Code) devices such as the iPhone XS and newer, has been commented out." reads the analysis published by ESET.

Once the WebKit RCE was exploited, the threat actors executed a second-stage Mach-O binary that exploits the local kernel privilege escalation issue CVE-2021-30869 to run the next-stage malware as the root user. After gaining root, the downloaded payload is loaded and executed in the background on the victim's machine via launchctl. In the attacks reported by Google, the final payload was tracked as MACMA, while in the attacks documented by ESET the threat actors employed the DazzleSpy backdoor.

DazzleSpy supports a broad range of features that give attackers extensive control over a compromised computer and allow them to exfiltrate files from it. Below is a list of supported features:

- Harvesting system information
- Executing arbitrary shell commands
- Dumping iCloud Keychain using a CVE-2019-8526 exploit if the macOS version is lower than 10.14.4
- Starting or terminating a remote screen session
- Deleting itself from the machine

"The watering-hole operations this group has pursued show that its targets are likely to be politically active, pro-democracy individuals in Hong Kong. This campaign has similarities with one from 2020 where LightSpy iOS malware (described by TrendMicro and Kaspersky) was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit. We cannot confirm at this point whether both campaigns are from the same group, but ESET Research will continue to track and report on similar malicious activities." concludes the report.

Pierluigi Paganini (SecurityAffairs – hacking, macOS backdoor). The post Sophisticated attackers used DazzleSpy macOS backdoor in watering hole attacks appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Malware, backdoor, DazzleSpy, hacking news, information security news, IT Information Security, macOS backdoor, Pierluigi Paganini, Security Affairs, Security News, watering hole]

[l] at 1/25/22 4:33am
Threat actors are actively exploiting a critical flaw (CVE-2021-20038) in SonicWall's Secure Mobile Access (SMA) gateways addressed in December.

Threat actors are actively exploiting a critical flaw, tracked as CVE-2021-20038, in SonicWall's Secure Mobile Access (SMA) gateways that the vendor addressed in December. The vulnerability is an unauthenticated stack-based buffer overflow that was reported by Jacob Baines, lead security researcher at Rapid7. CVE-2021-20038 impacts SMA 100 series appliances (including SMA 200, 210, 400, 410, and 500v) even when the web application firewall (WAF) is enabled. A remote attacker can exploit the vulnerability to execute arbitrary code as the 'nobody' user on compromised SonicWall appliances.

In early December, SonicWall urged customers using SMA 100 series appliances to apply security patches that address multiple security vulnerabilities, some of which have been rated as critical.

"SonicWall has verified and patched vulnerabilities of critical and medium severity (CVSS 5.3-9.8) in SMA 100 series appliances, which include SMA 200, 210, 400, 410 and 500v products. SMA 100 series appliances with WAF enabled are also impacted by the majority of these vulnerabilities." reads the advisory published by the company. "SonicWall strongly urges that organizations follow the guidance below to patch SMA 100 series products, which include SMA 200, 210, 400, 410 and 500v appliances."

The most severe vulnerabilities addressed by SonicWall are two critical stack-based buffer overflow vulnerabilities, tracked as CVE-2021-20038 and CVE-2021-20045 respectively. A remote attacker can trigger the two vulnerabilities to potentially execute code as the 'nobody' user on compromised appliances.

"A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions." reads the advisory for the CVE-2021-20038 flaw.

The news of the exploitation of the issue in the wild was confirmed by the security firm NCC Group.

"Some attempts itw on CVE-2021-20038 (SonicWall SMA RCE). Also some password spraying of default passwords from the past few days. Remember to update AND change default passwords pic.twitter.com/WyDIXVKb4m" — Rich Warren (@buffaloverflow) January 24, 2022

Experts also warned of password spraying attacks attempting to compromise devices using default passwords. The attacks spotted by the researchers don't seem to be the result of a massive coordinated campaign; some threat actors are only making opportunistic attempts to trigger the flaw. None of the observed attacks were successful.

Pierluigi Paganini (SecurityAffairs – hacking, SonicWall Secure Mobile Access). The post Attackers are actively targeting critical RCE bug in SonicWall Secure Mobile Access appeared first on Security Affairs.

[Category: Breaking News, Hacking, Security, hacking news, information security news, IT Information Security, RCE, SonicWall, SonicWall Secure Mobile Access]

As of 1/28/22 2:45pm. Last new 1/28/22 8:56am.
