Feed aggregator

A flaw in Xiaomi phones using MediaTek chips could allow forging transactions

Security Affairs - 4 hours 51 min ago
Flaws in Xiaomi Redmi Note 9T and Redmi Note 11 models could be exploited to disable the mobile payment mechanism and even forge transactions.

Check Point researchers discovered the flaws while analyzing the payment system built into Xiaomi smartphones powered by MediaTek chips.

Trusted execution environment (TEE) is an important component of mobile devices designed to process and store sensitive security information such as cryptographic keys and fingerprints.

TEE protection leverages hardware extensions (such as ARM TrustZone) to secure data in this enclave, even on rooted devices or systems compromised by malware.

The most popular TEE implementations are Qualcomm’s Secure Execution Environment (QSEE) and Trustonic’s Kinibi, but most devices in the wider Asian market are powered by MediaTek chips, which are less explored by security experts.

The experts explained that on Xiaomi devices, trusted apps are stored in the /vendor/thh/ta directory as unencrypted binary files with a specific structure.

Trusted apps of the Kinibi OS have the MCLF format, while Xiaomi uses its own format.

A trusted app can have multiple signatures following the magic fields, and the magic fields are the same across all trusted apps on the device.

The researchers noticed that the version control field is omitted from the trusted app file format. This means an attacker can transfer an old version of a trusted app to the device and overwrite the newer app file with it; the TEE will then load the app the attacker transferred.

“Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions. To prove the issue, we successfully overwrote the thhadmin trusted app on our test device running MIUI Global 12.5.6.0 OS with an old one extracted from another device running MIUI Global 10.4.1.0 OS,” reads the analysis published by Check Point researchers. “The old thhadmin app was successfully launched, even though its code is significantly different from the original.”

The experts also found multiple flaws in the “thhadmin” app that could be exploited to leak stored keys or to execute malicious code in the context of the app.

Check Point researchers also analyzed an embedded mobile payment framework, named Tencent Soter, used by Xiaomi devices. The framework provides an API that third-party Android applications use to integrate payment capabilities. Tencent Soter verifies payment packages transferred between a mobile application and a remote backend server, and it is supported by hundreds of millions of Android devices.

A heap overflow vulnerability in the soter trusted app could be exploited to trigger a denial of service from an Android app that has no permission to communicate with the TEE directly.

The researchers demonstrated that it is possible to extract the private keys used to sign payment packages by replacing the soter trusted app with an older version affected by an arbitrary read vulnerability. Xiaomi tracked the issue as CVE-2020-14125.

“This vulnerability [CVE-2020-14125] can be exploited to execute a custom code. Xiaomi trusted apps do not have ASLR. There are examples on the Internet of exploiting such a classic heap overflow vulnerability in Kinibi apps. In practice, our goal is to steal one of the soter private keys, not execute the code. The key leak completely compromises the Tencent soter platform, allowing an unauthorized user to sign fake payment packages,” concludes the report.

“To steal a key, we used another arbitrary read vulnerability that exists in the old version of the soter app (extracted from the MIUI Global 10.4.1.0). As noted, we can downgrade the app on Xiaomi devices.”

Xiaomi addressed the CVE-2020-14125 vulnerability on June 6, 2022.


Pierluigi Paganini

(SecurityAffairs – hacking, mobile)


Tornado Cash Developer Arrested After U.S. Sanctions the Cryptocurrency Mixer

The Hacker News - 15 hours 31 min ago
Dutch authorities on Friday announced the arrest of a software developer in Amsterdam who is alleged to be working for Tornado Cash, days after the U.S. sanctioned the decentralized crypto mixing service. The 29-year-old individual is "suspected of involvement in concealing criminal financial flows and facilitating money laundering" through the service, the Dutch Fiscal Information and

CISA, FBI shared a joint advisory to warn of Zeppelin ransomware attacks

Security Affairs - 15 hours 49 min ago
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are warning of Zeppelin ransomware attacks.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint advisory to warn of Zeppelin ransomware attacks.

The Zeppelin ransomware first appeared on the threat landscape in November 2019 when experts from BlackBerry Cylance found a new variant of the Vega RaaS, dubbed Zeppelin.

The ransomware was involved in attacks aimed at technology and healthcare organizations, defense contractors, educational institutions, manufacturers, and companies across Europe, the United States, and Canada. At the time of its discovery, Zeppelin was distributed through watering hole attacks in which the PowerShell payloads were hosted on the Pastebin website.

Before deploying the Zeppelin ransomware, threat actors spend a couple of weeks mapping or enumerating the victim network to determine where data of interest is stored. The ransomware can be deployed as a .dll or .exe file or contained within a PowerShell loader.

Zeppelin actors request ransom payments in Bitcoin, ranging from several thousand dollars to over a million dollars.

The group uses multiple attack vectors to gain access to victim networks, including RDP exploitation, SonicWall firewall vulnerabilities exploitation, and phishing attacks.

The threat actors also implement a double extortion model, threatening to leak stolen files in case the victims refuse to pay the ransom.

Zeppelin is typically deployed as a .dll or .exe file within a PowerShell loader. To each encrypted file, it appends a randomized nine-digit hexadecimal number as an extension. A ransom note is dropped on the compromised systems, usually on the desktop.

“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.” reads the joint advisory.

The US agencies recommend not paying the ransom, because there is no guarantee that the encrypted files will be recovered and paying the ransom encourages the illegal practice of extortion.

The alert also includes Indicators of Compromise (IOCs) along with MITRE ATT&CK techniques for this threat.

The FBI also encourages organizations to report any interactions with Zeppelin operators, including logs, Bitcoin wallet information, encrypted file samples, and decryptor files.

To mitigate the risk of ransomware attacks, organizations are recommended to:

  • define a recovery plan;
  • implement multi-factor authentication;
  • keep all operating systems, software, and firmware up to date;
  • enforce a strong password policy;
  • segment networks;
  • disable unused ports and services;
  • audit user accounts and domain controllers;
  • implement a least-privilege access policy;
  • review domain controllers, servers, workstations, and active directories;
  • maintain offline backups of data;
  • identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.

“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file” concludes the alert.


Pierluigi Paganini

(SecurityAffairs – hacking, Zeppelin ransomware)


Killnet claims to have breached Lockheed Martin

Security Affairs - Sat, 08/13/2022 - 12:51
Russian hacker group Killnet claims to have launched a DDoS attack on the aerospace and defense giant Lockheed Martin. 

The Moscow Times first reported that the Pro-Russia hacker group Killnet is claiming responsibility for a recent DDoS attack that hit the aerospace and defense giant Lockheed Martin.

The Killnet group also claims to have stolen data from a Lockheed Martin employee and threatened to share it.

The group has been active since March, launching DDoS attacks against governments that expressed support for Ukraine, including Italy, Romania, Moldova, the Czech Republic, Lithuania, Norway, and Latvia.

In a video shared by the group on Telegram, the group claimed to have stolen the personal information of the Lockheed Martin employees, including names, email addresses, phone numbers, and pictures.

The group also shared two spreadsheets containing a message in Russian:

“If you have nothing to do, you can email Lockheed Martin Terrorists – photos and videos of the consequences of their manufactured weapons! Let them realize what they create and what they contribute to.” (Translated with Google).

At this time it is impossible to determine the real source of this data. Lockheed Martin is aware of the Killnet claims, but it did not comment on them.


Pierluigi Paganini

(SecurityAffairs – hacking, Killnet)


Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux, macOS Users

The Hacker News - Sat, 08/13/2022 - 08:41
A pair of reports from cybersecurity firms SEKOIA and Trend Micro sheds light on a new campaign undertaken by a Chinese threat actor named Lucky Mouse that involves leveraging a trojanized version of a cross-platform messaging app to backdoor systems. Infection chains leverage a chat application called MiMi, with its installer files compromised to download and install HyperBro samples for the

Twilio employee accounts taken over in a “sophisticated” social engineering attack.

Sekurak.pl - Sat, 08/13/2022 - 06:24

Recently Cisco, now Twilio, which stated: (…) current and former employees recently reported receiving text messages purporting to come from our IT department. Typical message texts suggested that employees’ passwords had expired (…) and that they needed to log in at a URL controlled by the attacker. (…) current and former employees recently reported receiving text...


Three flaws allow attackers to bypass UEFI Secure Boot feature

Security Affairs - Sat, 08/13/2022 - 05:39
Researchers discovered a flaw in three signed third-party UEFI boot loaders that allows bypassing the UEFI Secure Boot feature.

Researchers from hardware security firm Eclypsium have discovered a vulnerability in three signed third-party Unified Extensible Firmware Interface (UEFI) boot loaders that can be exploited to bypass the UEFI Secure Boot feature.

Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) specification 2.3.1 designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. “Detections are blocked from running before they can attack or infect the system.”

According to the experts, these three new bootloader vulnerabilities affect most of the devices released over the past 10 years, including x86-64 and ARM-based devices.

“These vulnerabilities could be used by an attacker to easily evade Secure Boot protections and compromise the integrity of the boot process;  enabling the attacker to modify the operating system as it loads, install backdoors, and disable operating system security controls.” reads the post published by the experts. “Much like our previous GRUB2 BootHole research, these new vulnerable bootloaders are signed by the Microsoft UEFI Third Party Certificate Authority. By default, this CA is trusted by virtually all traditional Windows and Linux-based systems such as laptops, desktops, servers, tablets, and all-in-one systems.”

Experts pointed out that these bootloaders are signed by the Microsoft UEFI Third Party Certificate Authority. The good news is that the IT giant has already addressed this flaw with the release of Patch Tuesday security updates for August 2020.

The flaws identified by the experts have been assigned the following identifiers:

  • CVE-2022-34301 – Eurosoft (UK) Ltd
  • CVE-2022-34302 – New Horizon Datasys Inc
  • CVE-2022-34303 – CryptoPro Secure Disk for BitLocker

CVE-2022-34301 and CVE-2022-34303 are similar in that both involve signed UEFI shells: for the first (Eurosoft) the signed shell is esdiags.efi, while for the third (CryptoPro Secure Disk) it is Shell_Full.efi.

Threat actors can abuse built-in capabilities of these shells, such as the ability to read and write memory, list handles, and map memory, to evade Secure Boot. The experts warn that exploitation could be easily automated using startup scripts, so it is likely that threat actors will attempt to exploit it in the wild.

“Exploiting these vulnerabilities requires an attacker to have elevated privileges (Administrator on Windows or root on Linux). However,  local privilege escalation is a common problem on both platforms. In particular, Microsoft does not consider UAC-bypass a defendable security boundary and often does not fix reported bypasses, so there are many mechanisms in Windows that can be used to elevate privileges from a non-privileged user to Administrator.” continues the post.

Exploitation of the New Horizon Datasys vulnerability (CVE-2022-34302) is more stealthy, and system owners cannot detect it. The bootloader contains a built-in bypass for Secure Boot that can be exploited to disable the Secure Boot checks while Secure Boot remains enabled.

“This bypass can further enable even more complex evasions such as disabling security handlers. In this case, an attacker would not need scripting commands, and could directly run arbitrary unsigned code. The simplicity of exploitation makes it highly likely that adversaries will attempt to exploit this particular vulnerability in the wild.” continues the post.

Experts highlighted that exploiting these vulnerabilities requires an attacker to have administrator privileges, which can be achieved in different ways.

“Much like BootHole, these vulnerabilities highlight the challenges of ensuring the boot integrity of devices that rely on a complex supply chain of vendors and code working together,” the post concludes. “these issues highlight how simple vulnerabilities in third-party code can undermine the entire process.”


Pierluigi Paganini

(SecurityAffairs – hacking, UEFI Secure Boot)


Hackers got into Cisco’s corporate network. Clever phishing and a 2FA bypass. Analysis from Talos

Sekurak.pl - Fri, 08/12/2022 - 16:30

Cisco learned of the breach on May 24. How did it start? During the investigation it was determined that a Cisco employee’s credentials were compromised after the attacker took control of a personal Google account to which the credentials saved in the victim’s browser were being synchronised. During the investigation, it was determined that a Cisco employee’s credentials...


Researchers Uncover UEFI Secure Boot Bypass in 3 Microsoft Signed Boot Loaders

The Hacker News - Fri, 08/12/2022 - 16:02
A security feature bypass vulnerability has been uncovered in three signed third-party Unified Extensible Firmware Interface (UEFI) boot loaders that allow bypass of the UEFI Secure Boot feature. "These vulnerabilities can be exploited by mounting the EFI System Partition and replacing the existing bootloader with the vulnerable one, or modifying a UEFI variable to load the vulnerable loader

Weekend Reading: episode 480 [2022-08-12]. Take and read

ZaufanaTrzeciaStrona.pl - Fri, 08/12/2022 - 14:34

Welcome to the new edition of Weekend Reading. Holidays or not, criminals are still at work. Below is another batch of news about the latest attacks, freshly discovered vulnerabilities and malware roaming the net. We wish you a pleasant read.

In today’s edition, in the narrative section, we particularly recommend the news about the phishing attacks on Twilio and Cloudflare (item 10) and the article about new markets on the Tor network linked to Mexican cartels (item 13).… Read more


The US offers a $10M reward for info on the Conti ransomware gang’s members

Security Affairs - Fri, 08/12/2022 - 13:58
The U.S. State Department announced a $10 million reward for information related to five individuals associated with the Conti ransomware gang.

The U.S. State Department announced a $10 million reward for information on five prominent members of the Conti ransomware gang. The government will also reward people who provide details about Conti and its affiliated groups TrickBot and Wizard Spider.

The reward is covered by the Rewards for Justice program operated by the U.S. Department of State, which offers rewards for information related to threats to homeland security.

According to Wired, which first reported the announcement, the State Department is looking for the members’ physical locations and vacation and travel plans.

This is the first time that the U.S. Government shows the face of a Conti associate, referred to as “Target.”

“Today marks the first time that the US government has publicly identified a Conti operative,” says a State Department official who asked not to be named and did not provide any more information about Target’s identity beyond the picture. “That photo is the first time the US government has ever identified a malicious actor associated with Conti.”

The other members of the Conti gang for which the US Government is offering a reward are referred to as “Tramp,” “Dandis,” “Professor,” and “Reshaev.”

The U.S. Government reveals the face of a Conti associate for the first time! We’re trying to put a name with the face!

To the guy in the photo: Imagine how many cool hats you could buy with $10 million dollars!

Write to us via our Tor-based tip line: https://t.co/WvkI416g4W pic.twitter.com/28BgYXYRy2

— Rewards for Justice (@RFJ_USA) August 11, 2022

In February, a Ukrainian researcher leaked 60,694 internal chat messages belonging to the Conti ransomware operation after the group announced its support for Russia.

The leaked files revealed that some high-level members of the gang have connections to Russian intelligence.

The Rewards for Justice program also offers rewards for information on other threat actors, including the REvil ransomware gang, the Darkside gang, Evil Corp, and North Korea-linked APT groups.


Pierluigi Paganini

(SecurityAffairs – hacking, Conti ransomware)


Xiaomi Phones with MediaTek Chips Found Vulnerable to Forged Payments

The Hacker News - Fri, 08/12/2022 - 08:20
Security flaws have been identified in Xiaomi Redmi Note 9T and Redmi Note 11 models, which could be exploited to disable the mobile payment mechanism and even forge transactions via a rogue Android app installed on the devices. Check Point said it found the flaws in devices powered by MediaTek chipsets during a security analysis of the Chinese handset maker's "Kinibi" Trusted Execution

U.S. Government Offers $10 Million Reward for Information on Conti Ransomware Gang

The Hacker News - Fri, 08/12/2022 - 06:41
The U.S. State Department on Thursday announced a $10 million reward for information related to five individuals associated with the Conti ransomware group. The reward offer, first reported by WIRED, is also notable for the fact that it marks the first time the face of a Conti associate, known as "Target," has been unmasked. The four other associates have been referred to as "Tramp," "Dandis," "

Facebook Testing Default End-to-End Encryption and Encrypted Backup in Messenger

The Hacker News - Fri, 08/12/2022 - 05:09
Social media company Meta said it will begin testing end-to-end encryption (E2EE) on its Messenger platform this week for select users as the default option, as the company continues to slowly add security layers to its various chat services. "If you're in the test group, some of your most frequent chats may be automatically end-to-end encrypted, which means you won't have to opt in to the

Cisco Patches High-Severity Vulnerability Affecting ASA and Firepower Solutions

The Hacker News - Fri, 08/12/2022 - 04:48
Cisco on Wednesday released patches to contain multiple flaws in its software that could be abused to leak sensitive information on susceptible appliances. The issue, assigned the identifier CVE-2022-20866 (CVSS score: 7.4), has been described as a "logic error" when handling RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)

Fast and Secure VPN on a Budget? Private Internet Access VPN Has You Covered

The Hacker News - Fri, 08/12/2022 - 04:36
Back when the internet consisted of a handful of computers networked together across a few research institutions, nobody could have imagined that it would one day form the backbone of a new digital way of life. And that probably explains why none of the researchers who thought up its core technologies — things like packet switching and TCP/IP — gave much consideration to the need to secure the

Experts warn of mass exploitation of an RCE flaw in Zimbra Collaboration Suite

Security Affairs - Fri, 08/12/2022 - 04:00
Threat actors are exploiting an authentication bypass Zimbra flaw, tracked as CVE-2022-27925, to hack Zimbra Collaboration Suite email servers worldwide.

An authentication bypass affecting Zimbra Collaboration Suite, tracked as CVE-2022-27925, is actively exploited to hack ZCS email servers worldwide.

Zimbra is an email and collaboration platform used by more than 200,000 businesses from over 140 countries.

Yesterday, August 11, CISA added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The two issues are:

  • CVE-2022-27925 (CVSS score: 7.2) – Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability: Zimbra Collaboration (ZCS) contains a flaw in the mboximport functionality that allows an authenticated attacker to upload arbitrary files and achieve remote code execution. This vulnerability was chained with CVE-2022-37042, which allows for unauthenticated remote code execution.
  • CVE-2022-37042 – Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability: Zimbra Collaboration (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925 which allows for unauthenticated remote code execution.

CISA orders federal agencies to fix both issues by August 25, 2022.

The vendor has already released security updates to address both vulnerabilities.

Cybersecurity firm Volexity confirmed that the flaw is actively exploited in attacks in the wild.

In July and early August 2022, the company worked on multiple incidents where the organizations had their Zimbra Collaboration Suite (ZCS) email servers compromised. Volexity discovered that threat actors have exploited the CVE-2022-27925 remote-code-execution (RCE) vulnerability in these attacks.

The flaw was patched in March 2022; given the time since the release of the security fixes, it is reasonable to assume that threat actors reverse-engineered them and developed exploit code.

“As each investigation progressed, Volexity found signs of remote exploitation but no evidence the attackers had the prerequisite authenticated administrative sessions needed to exploit it. Further, in most cases, Volexity believed it extremely unlikely the remote attackers would have been able to obtain administrative credentials on the victims’ ZCS email servers.” reads the advisory published by Volexity.

“As a result of the above findings, Volexity initiated more research into determining a means to exploit CVE-2022-27925, and if it was possible to do so without an authenticated administrative session. Subsequent testing by Volexity determined it was possible to bypass authentication when accessing the same endpoint (mboximport) used by CVE-2022-27925. This meant that CVE-2022-27925 could be exploited without valid administrative credentials, thus making the vulnerability significantly more critical in severity.” reads the post published by Volexity.

Volexity researchers scanned the Internet for compromised Zimbra instances belonging to non-Volexity customers. The security firm identified over 1,000 ZCS instances around the world that were backdoored and compromised. The compromised ZCS installs belong to a variety of global organizations, including government departments and ministries, military branches, billion-dollar businesses, and a significant number of small businesses.

The countries with the most compromised instances include the U.S., Italy, Germany, France, India, Russia, Indonesia, Switzerland, Spain, and Poland.

“CVE-2022-27925 was originally listed as an RCE exploit requiring authentication. When combined with a separate bug, however, it became an unauthenticated RCE exploit that made remote exploitation trivial. Some organizations may prioritize patching based on the severity of security issues. In this case, the vulnerability was listed as medium—not high or critical—which may have led some organizations to postpone patching.” concludes the post.

A few days ago, CISA added a recently disclosed flaw in the Zimbra email suite, tracked as CVE-2022-27924, to its Known Exploited Vulnerabilities Catalog.

In mid-June, researchers from Sonarsource discovered a high-severity vulnerability impacting the Zimbra email suite, tracked as CVE-2022-27924 (CVSS score: 7.5). It can be exploited by an unauthenticated attacker to steal users’ login credentials without user interaction.


Pierluigi Paganini

(SecurityAffairs – hacking, RCE)


BazarCall attacks have revolutionized ransomware operations

Security Affairs - Fri, 08/12/2022 - 02:25
The Conti ransomware gang is using BazarCall phishing attacks as an initial attack vector to access targeted networks.

The BazarCall attack, aka callback phishing, is an attack vector that uses a targeted phishing methodology and was first used by the Ryuk ransomware gang in 2020/2021.

The BazarCall attack chain is composed of the following stages:

  • Stage One. Attackers send a mail to the victims that notify them that they have subscribed to a service for which payment is automatic. The email includes a phone number to call to cancel the subscription.
  • Stage Two. The victim is tricked into contacting a special call center. When operators receive a call, they use a variety of social engineering tactics to convince victims to grant remote desktop control, ostensibly to help them cancel the subscription.
  • Stage Three. Once they have accessed the victim’s desktop, the attackers silently extend a foothold in the user’s network, weaponizing legitimate tools known to be in Conti’s arsenal. The initial operator remains on the line with the victim, pretending to assist with the remote desktop session while continuing to use social engineering tactics.
  • Stage Four. The initiated malware session yields the adversary access as an initial point of entry into the victim’s network.

Researchers at cybersecurity firm AdvIntel state that currently at least three autonomous threat groups are adopting and independently developing their own targeted phishing tactics derived from the callback phishing methodology. The three groups are tracked as Silent Ransom, Quantum, and Roy/Zeon; they emerged after the Conti gang opted to shut down its operation in May 2022.

In March 2022, former members of Conti who were experts in callback phishing attacks formed “Silent Ransom” as an autonomous group.

Silent Ransom’s previous bosses, tracked as Conti Team Two, who were the main Conti subdivision, rebranded as Quantum and launched their own version of callback phishing campaigns. On June 13, 2022, AdvIntel researchers uncovered a massive operation called “Jörmungandr”.

The third iteration of the BazarCall group was observed in late June 20 and goes by the name of Roy/Zeon. The group is composed of old-guard members of Conti’s “Team One,” which created the Ryuk operation. This group has the most advanced social engineering capabilities of the three.

The Jörmungandr operation involved large investments in hiring spammers, OSINT specialists, designers, and call center operators, and in expanding the number of network intruders. As a highly skilled (and most likely government-affiliated) group, Quantum was able to purchase exclusive email datasets and manually parse them to identify relevant employees at high-profile companies.

The adoption of callback phishing campaigns has changed the strategy of ransomware gangs: experts observed targeted attacks aimed at the finance, technology, legal, and insurance industries. These industries are considered privileged targets in almost all of the internal manuals shared between ex-Conti members.

“Since its resurgence in March earlier this year, call back phishing has entirely revolutionized the current threat landscape and forced its threat actors to reevaluate and update their methodologies of attack in order to stay on top of the new ransomware food chain.” concludes the report published by Advintel. “Although the first to begin using this TTP as its primary initial attack vector, Silent Ransom is no longer the only threat group utilizing the highly specified phishing operations that they pioneered. Other threat groups, seeing the success, efficiency, and targeting capabilities of the tactic have begun using reversed phishing campaign as a base and developing the attack vector into their own.”


Pierluigi Paganini

(SecurityAffairs – hacking, Conti)


Researchers Warn of Ongoing Mass Exploitation of Zimbra RCE Vulnerability

The Hacker News - Fri, 08/12/2022 - 02:14
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two flaws to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The two high-severity issues relate to weaknesses in Zimbra Collaboration, both of which could be chained to achieve unauthenticated remote code execution on affected email servers - CVE-2022-27925 (CVSS score: 7.2)

Hack Polish and foreign systems of well-known organizations with us. A great job for an experienced pentester!

Sekurak.pl - Thu, 08/11/2022 - 16:32

What sets us apart? * Securitum is a pentesting company with the largest number of projects in Central Europe (700+ separate projects in 2022 alone, over 1000 systems and apps).* the greatest real diversity of projects, representing enormous potential for interesting work for a pentester who wants to grow.* project manager support on every project – i.e. you don’t deal with...
