Security Affairs

Read, think, share … Security is everyone's responsibility

Threat actors stole at least $1.7M worth of NFTs from tens of OpenSea users

Sun, 02/20/2022 - 09:11
Threat actors have stolen and flipped high-value NFTs belonging to users of the world’s largest NFT exchange, OpenSea.

The world’s largest NFT exchange, OpenSea, on Sunday confirmed that tens of its users had been hit by a phishing attack and had lost valuable NFTs worth $1.7 million.

The phishing attack was confirmed by OpenSea Co-Founder and CEO Devin Finzer, who added that 32 users have lost NFTs.

Another update: over the last few hours we’ve talked to dozens of people, teams, and projects across the NFT space. https://t.co/fB5r3cMA1r

— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022

The analysis of the attacker’s wallet revealed that it contained $1.7 million worth of ETH (Ethereum) obtained by selling some of the stolen NFTs. Finzer pointed out that the company doesn’t believe the hack is connected to the OpenSea website.

“Blockchain records show that the attacker was able to transfer numerous NFTs from different users to their address for free. Stolen NFTs included examples from the Bored Ape Yacht Club, Mutant Ape Yacht Club, and several other popular collections. The attacker has already sold some of the NFTs, for example, this NFT from the Azuki collection for 13.4 ETH ($36,380). The attacker’s wallet currently contains more than 600 ETH worth nearly $2 million.” reported Motherboard.

According to the blockchain security firm PeckShield, the threat actors behind the OpenSea hack used TornadoCash, a fully decentralized protocol for private transactions on Ethereum, to launder 1,100 ETH (approximately $2.7 million).

The @opensea scammer just made use of @TornadoCash to wash 1,100 ETH…https://t.co/eQCopgqx43 pic.twitter.com/8KB6QxBC8P

— PeckShield Inc. (@peckshield) February 20, 2022

According to PeckShield, the threat actors may have launched a phishing campaign using the migration process as bait.

OpenSea is investigating rumors of an exploit involving OpenSea-related smart contracts that attackers may have abused.

We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB.

— OpenSea (@opensea) February 20, 2022

The attack was linked to the marketplace’s announcement of a new smart contract upgrade, with a one-week deadline, aimed at delisting inactive NFTs on the platform.

The new contract is live! Start migrating your listings now: https://t.co/W1w9ciCK2D

— OpenSea (@opensea) February 18, 2022

In order to complete the smart contract upgrade, users have to migrate their NFTs listed on the Ethereum blockchain to the new smart contract. However, impacted users started reporting suspicious activity within hours of the upgrade announcement.

Finzer asked impacted users to get in contact with him via Twitter DM.

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, NFT)

The post Threat actors stole at least $1.7M worth of NFTs from tens of OpenSea users appeared first on Security Affairs.

Categories: Cyber Security News

Security Affairs newsletter Round 354

Sun, 02/20/2022 - 04:59
A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs, free in your inbox.

If you also want to receive, for free, the newsletter covering the international press, subscribe here.

  • CISA compiled a list of free cybersecurity tools and services
  • White House and UK Gov attribute DDoS attacks on Ukraine to Russia’s GRU
  • UpdraftPlus WordPress plugin update forced for million sites
  • Google Privacy Sandbox promises to protect user privacy online
  • Iran-linked TunnelVision APT is actively exploiting the Log4j vulnerability
  • CVE-2021-44731 Linux privilege escalation bug affects Canonical’s Snap Package Manager
  • Researchers created a PoC exploit for recently disclosed critical Magento CVE-2022-24086 bug
  • Threat actors leverage Microsoft Teams to spread malware
  • Specially crafted emails could crash Cisco ESA devices
  • European Data Protection Supervisor call for bans on surveillance spyware like Pegasus
  • New Kraken botnet is allowing operators to earn USD 3,000 every month
  • Nation-state actors hacked Red Cross exploiting a Zoho bug
  • Russia-linked threat actors breached US cleared defense contractors (CDCs)
  • Trickbot targets customers of 60 High-Profile companies
  • Experts disclose details of Apache Cassandra DB RCE
  • CISA added 9 new flaws to the Known Exploited Vulnerabilities Catalog, including Magento e Chrome bugs
  • VMware fixes flaws demonstrated at Chinese Tianfu Cup hacking contest
  • Ukraine: Military defense agencies and banks hit by cyberattacks
  • QNAP extends security Updates for some EOL devices
  • BlackCat gang claimed responsibility for Swissport ransomware attack
  • Google fixes a Chrome zero-day flaw actively exploited in attacks
  • Remote sex toys might spice up your love life – but crooks could also get a kick out of them
  • SSU: Russia-linked actors are targeting Ukraine with ‘massive wave of hybrid warfare’
  • BlackByte ransomware breached at least 3 US critical infrastructure organizations
  • European Central Bank tells banks to step up defences against nation-state attacks
  • Critical Magento zero-day flaw CVE-2022-24086 actively exploited
  • Alleged ransomware attack disrupted operations at Slovenia’s Pop TV station
  • Organizations paid at least $602 million to ransomware gangs in 2021
  • San Francisco 49ers NFL team discloses BlackByte ransomware attack
  • Analyzing Phishing attacks that use malicious PDFs


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 354 appeared first on Security Affairs.

Categories: Cyber Security News

Trickbot operation is now controlled by Conti ransomware

Sun, 02/20/2022 - 04:52
The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware.

The TrickBot operation has reached the end of its journey: according to AdvIntel, some of its top members have moved under the Conti ransomware gang, which is planning to replace the popular banking Trojan with the stealthier BazarBackdoor.

TrickBot is a popular Windows banking Trojan that has been around since October 2016; its authors have continuously upgraded it with new features, including powerful password-stealing capabilities.

TrickBot initially partnered with the Ryuk ransomware, which used it to gain initial access to the networks compromised by the botnet. Ryuk was later replaced by the Conti ransomware gang, which has been using TrickBot for the same purpose.

“The group’s elite division, called Overdose, managed the TrickBot campaigns that resulted in the creation of Conti and Ryuk ransomware.” states the analysis published by AdvIntel. “The group has made at least $200 million USD with one extreme case extorting ~$34 million USD from a single victim and has perpetrated a spate of attacks on numerous healthcare organizations, including Universal Health Services (UHS) via BazarBackdoor to Ryuk ransomware (the attack was estimated for an account for $67 Million USD in damages).”

In 2021, the Conti gang used TrickBot exclusively to gain initial access to the networks of organizations worldwide.

The goal of the Conti gang is to aggregate highly skilled members of the ransomware ecosystem into a structure that gives them a little autonomy, in order to monopolize the market.

TrickBot’s core team of developers had already created a stealthier piece of malware, dubbed BazarBackdoor, used to gain remote access to corporate networks and deploy the ransomware.

As TrickBot grew in popularity, it became easy for antimalware solutions to detect it; for this reason, the gang began employing BazarBackdoor for initial access to networks.

By the end of 2021, the Conti gang had taken on the core developers and managers of the TrickBot botnet.

“At the same time, Conti turned into the sole end-user of TrickBot’s botnet product. By the end of 2021, Conti had essentially acquired TrickBot, with multiple elite developers and managers joining the ransomware cosa nostra.” concludes the post.

“However, the people who have led TrickBot throughout its long run will not simply disappear. After being “acquired” by Conti, they are now rich in prospects with the secure ground beneath them, and Conti will always find a way to make use of the available talent.”


Pierluigi Paganini

(SecurityAffairs – hacking, Conti ransomware)

The post Trickbot operation is now controlled by Conti ransomware appeared first on Security Affairs.

Categories: Cyber Security News

CISA compiled a list of free cybersecurity tools and services

Sat, 02/19/2022 - 11:22
The U.S. CISA has created a list of free cybersecurity tools and services that can help organizations increase their resilience.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced this week that it has compiled a list of free cybersecurity tools and services that can help organizations reduce cybersecurity risk and increase resilience.

The list is part of an ongoing project and will be continuously updated by CISA, which also plans to allow third parties to propose resources for inclusion.

The list includes open source tools and free resources provided by government organizations and private cybersecurity firms.

The tools cover a broad range of activities normally conducted by defenders, from incident response to threat detection.

“As part of our continuing mission to reduce cybersecurity risk across U.S. critical infrastructure partners and state, local, tribal, and territorial governments, CISA has compiled a list of free cybersecurity tools and services to help organizations further advance their security capabilities. This living repository includes cybersecurity services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. CISA will implement a process for organizations to submit additional free tools and services for inclusion on this list in the future.” reads the announcement published by CISA. “The list is not comprehensive and is subject to change pending future additions.”

The US agency proposed the following categorization according to the four goals outlined in CISA Insights: Implement Cybersecurity Measures Now to Protect Against Critical Threats:

  1. Reducing the likelihood of a damaging cyber incident;
  2. Detecting malicious activity quickly;
  3. Responding effectively to confirmed incidents; and
  4. Maximizing resilience.

The list already includes cybersecurity tools and services from major IT and cybersecurity firms, including ones provided by CISA, AT&T Cybersecurity, Cloudflare, Cisco, Center for Internet Security, CrowdStrike, Google, IBM, Microsoft, Mandiant, Splunk, SANS, Secureworks, Tenable, and Palo Alto Networks. The list also includes tens of open source tools.

CISA pointed out that it does not endorse any commercial product or service.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

The post CISA compiled a list of free cybersecurity tools and services appeared first on Security Affairs.

Categories: Cyber Security News

White House and UK Gov attribute DDoS attacks on Ukraine to Russia’s GRU

Sat, 02/19/2022 - 05:58
The White House has linked the recent DDoS attacks against Ukraine’s banks and defense agencies to Russia’s GRU.

The White House has linked the recent DDoS attacks that took offline the sites of banks and defense agencies of Ukraine to Russia’s Main Directorate of the General Staff of the Armed Forces (aka GRU).

This week, the Ministry of Defense and the Armed Forces of Ukraine and state-owned banks, Privatbank (Ukraine’s largest bank) and Oschadbank were hit by Distributed Denial-of-Service (DDoS) attacks. The website of the Ukrainian Ministry of Defense has been taken down by the wave of DDoS attacks.

NEWS: "We believe that the Russian government is responsible for widespread cyberattacks on Ukrainian banks this week," says Deputy National Security Advisor for Cyber Anne Neuberger, citing technical information linking Russia's GRU to the attacks

— Sara Cook (@saraecook) February 18, 2022

“The US government believes that Russian cyber actors likely have targeted the Ukrainian government, including military and critical infrastructure networks, to collect intelligence and preposition to conduct disruptive cyber activities,” said Anne Neuberger, the Biden administration’s deputy national security adviser for cyber and emerging technologies.

“We have technical information that links the Russian main intelligence directorate, or GRU, as known GRU infrastructure was seen transmitting high volumes of communication to Ukraine-based IP addresses and domains.”

Neuberger pointed out that the attacks are part of a broad strategy that aims at assisting destructive attacks in preparation for a military attack and consequent invasion.

“Russia likes to move in the shadows and counts on a long process of attribution. In light of that, we’re moving quickly to attribute the DDoS attacks,” Neuberger added.

“We do expect that should Russia decide to proceed with a further invasion of Ukraine, we may see further destabilizing or destructive cyber activity, and we’ve been working closely with allies and partners to ensure we’re prepared to call out that behavior and respond,” said Neuberger. “The global community must be prepared to shine a light on malicious cyber activity and hold actors accountable for any and all disruptive or destructive cyber activity.”

“And, as the President said earlier this week, if Russia attacks the United States or allies through asymmetric activities like disruptive cyberattacks against our companies or critical infrastructure, we are prepared to respond,” Neuberger continued.

The UK government also linked the DDoS attacks to Russia’s GRU.

“The UK Government judges that the Russian Main Intelligence Directorate (GRU) were involved in this week’s distributed denial of service attacks against the financial sector in Ukraine,” a Foreign, Commonwealth & Development Office spokesperson said. “The attack showed a continued disregard for Ukrainian sovereignty. This activity is yet another example of Russia’s aggressive acts against Ukraine.”

Ukraine’s SBU intelligence agency also attributed the DDoS attacks to Russia, while Moscow denied the accusations.

The Security Service of Ukraine (SSU) today revealed that the country is the target of an ongoing “wave of hybrid warfare” conducted by Russia-linked malicious actors. The threat actors aim at destabilizing the social context in the country and instilling fear and distrust in the country’s government.

The SSU said the campaign is linked to Russian intelligence agencies that are spreading disinformation through social networks and other media.


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

The post White House and UK Gov attribute DDoS attacks on Ukraine to Russia’s GRU appeared first on Security Affairs.

Categories: Cyber Security News

UpdraftPlus WordPress plugin update forced for million sites

Sat, 02/19/2022 - 04:55
WordPress has forced the update of the UpdraftPlus plugin on 3 million sites to fix a high-severity vulnerability.

WordPress has forced the update of the UpdraftPlus plugin on around three million sites to address a high-severity vulnerability, tracked as CVE-2022-0633 (CVSS v3.1 score of 8.5), that can allow website subscribers to download the latest database backups, which could potentially contain sensitive data.

“The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.” reads the advisory for this issue.

The flaw was discovered by Marc Montpas during an internal audit of the plugin.

“The plugin uses custom “nonces” and timestamps to securely identify backups. Given the knowledge of said nonce and timestamp can give someone access to quite a few of the plugin’s features, making sure this info is only accessible to those who legitimately need it is crucial.” reported the analysis. “Unfortunately, as we’ll demonstrate, it wasn’t the case.”

The issue impacts versions 1.16.7 to 1.22.2 of the plugin; the development team addressed it with the release of version 1.22.3 (Free) and 2.22.3 for the paid Premium version.

The plugin allows users to easily perform manual or scheduled backups and to restore them directly from the WordPress control panel. The issue is an improper user validation bug that can allow low-privileged authenticated users to craft a valid link that lets them download the backup files.

The attack chain starts with a heartbeat request containing a data parameter that returns information about the site’s most recent backup.

“An attacker could thus craft a malicious request targeting this heartbeat callback to get access to information about the site’s latest backup to date, which will among other things contain a backup’s nonce.” continues the report.

This information could then allow attackers to obtain the backup by manipulating the request that serves backups via email.

“Unfortunately, the UpdraftPlus_Admin::maybe_download_backup_from_email method, which is hooked to admin_init didn’t directly validate users’ roles either.” continues the analysis. “While it did apply some checks indirectly, such as checking the $pagenow global variable, past research has shown that this variable can contain arbitrary user input. Bad actors could use this endpoint to download file & database backups based on the information they leaked from the aforementioned heartbeat bug.”
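As an added illustration of the bug class the report describes (not UpdraftPlus’s code, nor the researchers’), the constructed WordPress plugin fragment below contrasts a backup download handler gated only on $pagenow and knowledge of a backup identifier with one that checks the caller’s capability first, and applies the same rule to the heartbeat callback; the manage_options capability, the example_ function names and the query parameter names are assumptions.

```php
<?php
// Constructed example for this article; not code from UpdraftPlus or the advisory.
// Assumed: backups are addressed by a nonce-like identifier, and only users with
// the manage_options capability should ever be able to fetch or enumerate them.

// WEAK: the only gates are $pagenow and possession of the backup identifier.
// $pagenow is derived from the request path, so it is not an authorization
// decision, and a subscriber who obtained the identifier from an unprotected
// heartbeat response passes this check.
function example_weak_download_handler() {
    global $pagenow;
    if ( 'admin.php' !== $pagenow || empty( $_GET['backup_id'] ) ) {
        return;
    }
    example_stream_backup( sanitize_text_field( wp_unslash( $_GET['backup_id'] ) ) );
}

// HARDENED: the privilege check comes first and does not depend on any
// request-derived global. The action nonce proves intent (anti-CSRF), not
// privilege, so it is checked in addition to, never instead of, the capability.
function example_hardened_download_handler() {
    if ( empty( $_GET['backup_id'] ) ) {
        return; // not a download request at all
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to download backups.', 'example' ), 403 );
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_download_backup' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'example' ), 403 );
    }
    example_stream_backup( sanitize_text_field( wp_unslash( $_GET['backup_id'] ) ) );
}
add_action( 'admin_init', 'example_hardened_download_handler' );

// The same rule applies to the heartbeat callback that leaked the identifier:
// backup metadata goes only to a caller who is allowed to download the backup.
function example_heartbeat_received( $response, $data, $screen_id ) {
    if ( empty( $data['example_backup_status'] ) ) {
        return $response; // our key was not requested
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return $response; // low-privileged users get nothing, not even the id
    }
    $response['example_backup_status'] = example_latest_backup_summary();
    return $response;
}
add_filter( 'heartbeat_received', 'example_heartbeat_received', 10, 3 );

// Placeholder helpers so the fragment is self-contained; a real plugin would
// read its own backup history and stream the archive.
function example_latest_backup_summary() {
    return array( 'backup_id' => 'example-backup-id-placeholder', 'timestamp' => time() );
}
function example_stream_backup( $backup_id ) {
    // Validate $backup_id against the stored backup list, then send the file.
}
```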

Below is the timeline for this flaw:

2022-02-14 – Initial contact with UpdraftPlus
2022-02-15 – We send them details about this vulnerability
2022-02-16 – UpdraftPlus 1.22.3 is released, forced auto-updates launched


Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

The post UpdraftPlus WordPress plugin update forced for million sites appeared first on Security Affairs.

Categories: Cyber Security News

Google Privacy Sandbox promises to protect user privacy online

Fri, 02/18/2022 - 16:52
Google introduces Privacy Sandbox on Android aimed at leading to more private advertising solutions for mobile users.

Google announced Privacy Sandbox on Android to limit user data sharing and prevent the use of cross-app identifiers. The company states that the Privacy Sandbox technologies are still in development.

“Privacy Sandbox on Android will strengthen privacy, while providing tools app developers need to support and grow their businesses. It will introduce new solutions that operate without cross-app identifiers – including Advertising ID – and limit data sharing with third parties.” reads the announcement.

Google is also committed to fighting and reducing covert data collection.

The goals of the Privacy Sandbox are:

  • Build new technology to keep your information private
  • Enable publishers and developers to keep online content free
  • Collaborate with the industry to build new internet privacy standards

Google will continue to support existing ads platform features for at least two years. The IT giant is inviting developers to review the proposed solution and provide their feedback through the Android developer portal.

“Starting today, developers can review our initial design proposals and share feedback on the Android developer site. We plan to release developer previews over the course of the year, with a beta release by the end of the year. We’ll provide regular updates on designs and timelines, and you can also sign up to receive updates.” concludes the announcement. “We know this initiative needs input from across the industry in order to succeed. We’ve already heard from many partners about their interest in working together to improve ads privacy on Android, and invite more organizations to participate.”


Pierluigi Paganini

(SecurityAffairs – hacking, Google)

The post Google Privacy Sandbox promises to protect user privacy online appeared first on Security Affairs.

Categories: Cyber Security News

Iran-linked TunnelVision APT is actively exploiting the Log4j vulnerability

Fri, 02/18/2022 - 10:21
Iran-linked TunnelVision APT group is actively exploiting the Log4j vulnerability to deploy ransomware on unpatched VMware Horizon servers.

Researchers from SentinelOne have observed that the potentially destructive Iran-linked APT group TunnelVision is actively exploiting the Log4j vulnerability to deploy ransomware on unpatched VMware Horizon servers.

TunnelVision’s TTPs overlap with those associated with the Iran-linked nation-state actors Phosphorus, Charming Kitten and Nemesis Kitten. The TunnelVision group heavily leverages 1-day vulnerabilities in its campaigns.

During the time SentinelOne experts monitored the activity of the group, the state-sponsored hackers exploited several flaws, including Fortinet FortiOS (CVE-2018-13379), Microsoft Exchange (ProxyShell) and recently Log4Shell. In almost all the attacks, the threat actors deployed a tunneling tool, such as Fast Reverse Proxy Client (FRPC) and Plink, wrapped in a unique fashion.

“TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement.” reads the analysis published by SentinelOne. “Typically, the threat actor initially exploits the Log4j vulnerability to run PowerShell commands directly, and then runs further commands by means of PS reverse shells, executed via the Tomcat process.”

The threat actors leverage the Log4Shell issue in VMware Horizon to run PowerShell commands, sending outputs back utilizing a webhook.

The attackers used PowerShell commands to download tools like Ngrok and ran further commands to establish reverse shells and drop a PowerShell backdoor used to gather credentials and perform lateral movement.

The researchers noticed that a dropped executable contains an obfuscated version of a reverse shell similar to the PowerLess backdoor employed by the Iran-linked APT group APT35 (aka ‘Charming Kitten’, ‘Phosphorus’, Newscaster, and Ajax Security Team) in a recent wave of attacks.

Experts also reported that the threat actor utilized a GitHub repository named “VmWareHorizon”, associated with an account named “protections20”, which is owned by the nation-state actor.

“We track this cluster separately under the name “TunnelVision”. This does not imply we believe they are necessarily unrelated, only that there is at present insufficient data to treat them as identical to any of the aforementioned attributions.” concludes the report that also includes Indicators of Compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, TunnelVision)

The post Iran-linked TunnelVision APT is actively exploiting the Log4j vulnerability appeared first on Security Affairs.

Categories: Cyber Security News

CVE-2021-44731 Linux privilege escalation bug affects Canonical’s Snap Package Manager

Fri, 02/18/2022 - 04:47
Qualys experts found a new Linux privilege escalation vulnerability, tracked as CVE-2021-44731, in Canonical’s Snap Package Manager.

Canonical’s Snap software packaging and deployment system is affected by multiple vulnerabilities, including a privilege escalation flaw tracked as CVE-2021-44731 (CVSS score 7.8).

Snap is a software packaging and deployment system developed by Canonical for operating systems that use the Linux kernel. The packages, called snaps, and the tool for using them, snapd, work across a range of Linux distributions.

The flaws were discovered by Qualys researchers; CVE-2021-44731 is the most severe one and is a race condition in snap-confine’s setup_private_mount() function.

snap-confine is a program used internally by snapd to construct the execution environment for snap applications. An unprivileged user can trigger the flaw to gain root privileges on the affected host.

“Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.” reads the post published by the experts. “As soon as the Qualys Research Team confirmed the vulnerability, we engaged in responsible vulnerability disclosure and coordinated with both vendor and open-source distributions in announcing this newly discovered vulnerability.”

Qualys experts also developed a PoC exploit for this issue that allows obtaining full root privileges on default Ubuntu installations.

Below is the full list of vulnerabilities discovered by the experts:

CVE              Description
CVE-2021-44731   Race condition in snap-confine’s setup_private_mount()
CVE-2021-44730   Hardlink attack in snap-confine’s sc_open_snapd_tool()
CVE-2021-3996    Unauthorized unmount in util-linux’s libmount
CVE-2021-3995    Unauthorized unmount in util-linux’s libmount
CVE-2021-3998    Unexpected return value from glibc’s realpath()
CVE-2021-3999    Off-by-one buffer overflow/underflow in glibc’s getcwd()
CVE-2021-3997    Uncontrolled recursion in systemd’s systemd-tmpfiles


Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-44731)

The post CVE-2021-44731 Linux privilege escalation bug affects Canonical’s Snap Package Manager appeared first on Security Affairs.

Categories: Cyber Security News

Threat actors leverage Microsoft Teams to spread malware

Thu, 02/17/2022 - 18:06
Attackers compromise Microsoft Teams accounts to attach malicious executables to chats and spread them to participants in the conversation.

While the popularity of Microsoft Teams continues to grow, with roughly 270 million monthly active users, threat actors started using it as an attack vector.

Starting in January 2022, security researchers from Avanan observed attackers compromising Microsoft Teams accounts to attach malicious executables to chats and infect participants in the conversation.

In the attacks observed by the experts, threat actors inserted a .exe file called “User Centric” into a chat in an attempt to trick participants into opening it. Upon opening the executable, the malicious code will install DLL files and create shortcut links to self-administer.

“Starting in January 2022, Avanan observed how hackers are dropping malicious executable files in Teams conversations. The file writes data to the Windows registry, installs DLL files and creates shortcut links that allow the program to self-administer. Avanan has seen thousands of these attacks per month.” reads the analysis published by Avanan. “In this attack brief, Avanan will analyze how these .exe files are being used by hackers in Microsoft Teams.”

Experts believe that attackers can launch the attack by compromising a partner organization and listening in on inter-organizational chats. In another attack scenario, threat actors can compromise an email account and use it to access Teams. Once an attacker has obtained Microsoft 365 credentials, for example from a previous phishing campaign or data breach, they can access Teams and other Office applications.

Once the attackers have gained access to an organization, they can identify which defensive solutions are installed and pick malware that bypasses the existing protections.

“Compounding this problem is the fact that default Teams protections are lacking, as scanning for malicious links and files is limited. Further, many email security solutions do not offer robust protection for Teams.” continues the analysis. “Hackers, who can access Teams accounts via East-West attacks, or by leveraging the credentials they harvest in other phishing attacks, have carte blanche to launch attacks against millions of unsuspecting users.”

Researchers also explained that in some specific contexts, users have no perception of the threat posed by Teams being used as an attack vector.

Avanan experts analyzed the use of Microsoft Teams in hospitals, where internal staff use it to share patient medical information while overlooking the risks of opening files that arrive through Teams.

“Most employees have been trained to second-guess identities in email, but few know how to make sure that the name and photo they see in a Teams conversation are real. It is simple to edit a profile and become most anyone you like. So when someone attaches a file to a Teams chat, particularly with the innocuous-sounding file name of “User Centric”, many users won’t think twice and will click on it.” concludes the report. “This attack demonstrates that hackers are beginning to understand and better utilize Teams as a potential attack vector. As Teams usage continues to increase, Avanan expects a significant increase in these sorts of attacks.”

Below is a list of recommendations provided by Avanan:

    • Implement protection that downloads all files in a sandbox and inspects them for malicious content
    • Deploy robust, full-suite security that secures all lines of business communication, including Teams
    • Encourage end-users to reach out to IT when seeing an unfamiliar file

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Teams)

The post Threat actors leverage Microsoft Teams to spread malware appeared first on Security Affairs.

Categories: Cyber Security News

Specially crafted emails could crash Cisco ESA devices

Thu, 02/17/2022 - 10:49
Cisco warns of a DoS issue affecting its Email Security Appliance (ESA) product that could be exploited using specially crafted emails.

Cisco ESA products are affected by a DoS vulnerability, tracked as CVE-2022-20653, that resides in the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for ESA.

A remote, unauthenticated attacker can trigger the flaw by sending specially crafted emails to vulnerable devices.

The flaw is caused by insufficient error handling in DNS name resolution; the advisory pointed out that continued attacks could trigger a persistent DoS condition.

“This vulnerability is due to insufficient error handling in DNS name resolution by the affected software. An attacker could exploit this vulnerability by sending specially formatted email messages that are processed by an affected device. A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS condition.” reads the advisory published by Cisco. “Continued attacks could cause the device to become completely unavailable, resulting in a persistent DoS condition.”

The issue only impacts Cisco ESA products running AsyncOS Software with the DANE feature (which is disabled by default) enabled and with the downstream mail servers configured to send bounce messages.

“To determine whether DANE is configured, check the web UI page Mail Policies > Destination Controls > Add Destination and verify whether the DANE Support option is enabled.” continues the advisory.

The company released security patches (Cisco AsyncOS Software Release 13.5.4.102) and also workarounds to address the vulnerability. In order to prevent the exploitation of this bug, customers may configure bounce messages from Cisco ESA instead of from downstream dependent mail servers.

The following table lists the first fixed release for each affected Cisco AsyncOS Software release train:

  • 12.5 and earlier – Migrate to a fixed release.
  • 13.0 – 13.0.3
  • 13.5 – 13.5.4.102
  • 14.0 – 14.0.2.020

The vulnerability was reported by Cesare Auteri, Steven Geerts, John-Paul Straver, and Roy Wiss of Rijksoverheid Dienst ICT Uitvoering (DICTU).

The good news is that Cisco PSIRT is not aware of attacks exploiting this issue in the wild.


Pierluigi Paganini

(SecurityAffairs – hacking, CISCO ESA)


European Data Protection Supervisor call for bans on surveillance spyware like Pegasus

Thu, 02/17/2022 - 09:52
The European Data Protection Supervisor authority called for a ban on the development and the use of Pegasus-like commercial spyware.

The European Data Protection Supervisor (EDPS) authority this week called for a ban on the development and the use of surveillance software like the Pegasus spyware in the EU.

Pegasus is a surveillance malware developed by the Israeli surveillance firm NSO Group that can infect both iPhones and Android devices; it is sold exclusively to governments and law enforcement agencies.

The abuse of this kind of solution poses a serious threat to fundamental rights, particularly on the rights to privacy and data protection. 

“It comes from the EDPS’ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.” states the European Data Protection Supervisor (EDPS). 

“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy.”

Privacy advocates and cybersecurity experts demonstrated the use of Pegasus in surveillance campaigns worldwide targeting journalists, political figures, dissidents, and activists.

Pegasus was used by governments with dubious human rights records and histories of abusive behaviour by their state security services.

The surveillance software allows operators to completely take over the target device and spy on the victim. Developers of surveillance solutions leverage zero-click zero-day exploits to silently compromise devices without any user interaction. Pegasus is known to have used the KISMET and FORCEDENTRY exploits to infect victims’ devices.

NSO Group has repeatedly claimed that its software is sold exclusively to law enforcement and intelligence agencies to fight crime and terrorism, in so-called “life-saving mission.”

According to a series of disclosures by the business publication Calcalist in recent weeks, dozens of citizens in the country were targeted by Israel Police with the NSO Group’s spyware to gather intelligence without a search warrant authorizing the surveillance.

“National security cannot be used as an excuse to an extensive use of such technologies nor as an argument against the involvement of the European Union.” continues EDPS.

EDPS urges tight control over the use of surveillance and hacking tools to prevent and discourage unlawful use.


Pierluigi Paganini

(SecurityAffairs – hacking, Pegasus)


New Kraken botnet is allowing operators to earn USD 3,000 every month

Thu, 02/17/2022 - 06:01
Researchers spotted a new Golang-based botnet called Kraken that is under active development and supports a broad range of backdoor capabilities.

Kraken is a new Golang-based botnet discovered in late October 2021 by researchers from threat intelligence firm ZeroFox Intelligence. Experts pointed out that despite having the same name, this botnet should not be confused with the Kraken botnet that was spotted in 2008.

The botnet appears to be under active development and supports a broad range of backdoor capabilities, such as the ability to download and execute secondary malicious payloads and run shell commands.

It currently uses the SmokeLoader loader to install other malicious payloads.

The Kraken attack chain initially leveraged self-extracting RAR SFX files downloaded by SmokeLoader. These SFX files contained a UPX-packed version of Kraken, RedLine Stealer, and another binary used to delete Kraken. New versions of Kraken are now downloaded by SmokeLoader directly.

“Thanks to a tip by @abuse_ch, ZeroFox learned that Kraken originally spread in self-extracting RAR SFX files downloaded by SmokeLoader. These SFX files contained a UPX-packed version of Kraken, RedLine Stealer, and another binary used to delete Kraken.” reads the analysis published by ZeroFox. “Current versions of Kraken are now downloaded by SmokeLoader directly. Kraken binaries are still UPX-packed but are now further protected by the Themida packer as well.”

The early variants of the Kraken bot have been found to be based on source code available on GitHub, but at this time it is unclear if the code was uploaded by the botnet operators.

Experts spotted multiple versions of the administration panel or dashboard since October 2021. The code uploaded on GitHub did include a server, but it did not have a web-based interface to manage the botnet.

Kraken’s authors are constantly updating their code by implementing new features. Current versions could steal a broad range of info from the infected host and target wallets from multiple platforms, including Armory, Atomic Wallet, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash. It leverages the RedLine Stealer to siphon credentials, credit card data, cookies, autocomplete information stored in browsers, cryptocurrency wallets, credentials stored in VPN clients and FTP clients. 

According to the experts, the Kraken botnet is allowing operators to earn around USD 3,000 every month.

“While in development, Kraken C2s seem to disappear often. ZeroFox has observed dwindling activity for a server on multiple occasions, only for another to appear a short time later using either a new port or a completely new IP.” concludes the report. “It is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet.”


Pierluigi Paganini

(SecurityAffairs – hacking, Kraken botnet)


Nation-state actors hacked Red Cross exploiting a Zoho bug

Thu, 02/17/2022 - 03:18
The International Committee of the Red Cross (ICRC) said attackers that breached its network last month exploited a Zoho bug.

The International Committee of the Red Cross (ICRC) revealed that the attack that breached its network in January was conducted by a nation-state actor that exploited a Zoho vulnerability.

In January, a cyberattack on a Red Cross contractor resulted in the theft of personal data of more than 515,000 highly vulnerable people, including those searching for missing family members. The attack was disclosed by the ICRC, which confirmed that the data originated from at least 60 different Red Cross and Red Crescent National Societies worldwide.

Stolen data includes information belonging to individuals separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.

The contractor targeted by the attackers is an external company in Switzerland that stores data for the organization. ICRC shut down the systems and website for the Restoring Family Links program that was hit by the attackers.

The attribution of the hack is based on similarities of attackers’ TTPs with the ones associated with APT groups and the targeted nature of the attack.

The Red Cross pointed out that the attackers used “code designed purely for execution on the targeted ICRC servers.” Threat actors also used sophisticated obfuscation techniques to avoid detection. The ICRC update speculates that the attackers have a level of skill available only to a limited number of actors.

However, the organization did not attribute the attack to a specific threat actor.

“We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address).” reads the update published by Red Cross. “The anti-malware tools we had installed on the targeted servers were active and did detect and block some of the files used by the attackers. But most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions, and it was only when we installed advanced endpoint detection and response (EDR) agents as part of our planned enhancement programme that this intrusion was detected.”

The attackers remained inside the Red Cross’s infrastructure for 70 days before being detected; they first compromised the organization’s servers on November 9, 2021.

The intruders exploited an unpatched critical vulnerability (CVE-2021-40539) in Zoho’s ManageEngine ADSelfService Plus enterprise password management solution to achieve remote code execution.

“This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.” reported the ICRC. “Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted.”

The Red Cross reiterates its call to the attackers not to share, sell, leak or otherwise use this data.


Pierluigi Paganini

(SecurityAffairs – hacking, SIM swapping)


Russia-linked threat actors breached US cleared defense contractors (CDCs)

Wed, 02/16/2022 - 16:36
Russia-linked threat actors have breached the networks of U.S. cleared defense contractors (CDCs) since at least January 2020.

According to a joint alert published by the FBI, NSA, and CISA, Russia-linked threat actors conducted a cyber espionage campaign aimed at US cleared defense contractors to steal sensitive info related to intelligence programs and capabilities.

CDCs support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in multiple areas:

  • Command, control, communications, and combat systems;
  • Intelligence, surveillance, reconnaissance, and targeting;
  • Weapons and missile development;
  • Vehicle and aircraft design; and
  • Software development, data analytics, computers, and logistics. 

The campaign has been active since at least January 2020 and several US cleared defense contractors were breached by the nation-state actors.

The attackers targeted CDCs and subcontractors of any size with varying levels of cybersecurity protocols and resources. 

“From at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors.” reads the joint alert. “The actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities have included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.”

Threat actors employed similar tactics in many attempts to compromise enterprise and cloud networks. The attackers seem to focus their efforts on organizations using Microsoft 365 (M365) environments. They maintained persistence by using legitimate credentials and a variety of malware that was used for data exfiltration. In some cases, the cyberspies maintained persistence for at least six months.

“These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology.” states the report. “By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment.”

The alert provides recommendations on how to detect malicious activity and respond in case of compromise.

In mid-January US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a joint alert to warn critical infrastructure operators about threats from Russian state-sponsored hackers.


Pierluigi Paganini

(SecurityAffairs – hacking, US cleared defense contractors)


Trickbot targets customers of 60 High-Profile companies

Wed, 02/16/2022 - 14:29
TrickBot malware is targeting customers of 60 financial and technology companies with new anti-analysis features.

The infamous TrickBot malware was employed in attacks against customers of 60 financial and technology companies with new anti-analysis features. The new wave of attacks aimed at cryptocurrency firms, most of them located in the U.S.

Trickbot is a sophisticated, modular malware; CheckPoint researchers have observed more than 20 modules that allow operators to carry out a broad range of malicious activities.

“now we see that the malware is very selective in how it chooses its targets. Various tricks – including anti-analysis – implemented inside the modules show the authors’ highly technical background and explain why Trickbot remains a very prevalent malware family.” reads the analysis published by CheckPoint.

Most of the infections were observed in APAC (3.3%) and Latin America regions (2.1%).

TrickBot operators have continually enhanced their tactics to avoid detection and target as many banking users as possible.

The variant analyzed by the experts leverages the injectDll module to perform web injection, which allows operators to steal banking and credential data. The module also implements several anti-analysis techniques, such as crashing the browser tab process to prevent scrutiny of the source code.

Another anti-analysis technique used by botnet operators prevents a researcher from sending automated requests to Command-and-Control servers to get fresh web-injects.

Another module analyzed by the researchers is the tabDLL module, which is used to grab the user’s credentials and spread the malware via network shares. Below is the procedure used to grab the credentials:

  1. Enables storing user credential information in the LSASS application.
  2. Injects the “Locker” module into the “explorer.exe” application.
  3. From the infected “explorer.exe”, forces the user to enter login credentials to the application and then locks the user’s session.
  4. The credentials are now stored in the LSASS application memory.
  5. Grabs the credentials from the LSASS application memory using the mimikatz technique.
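A defender-side view of the five steps above, added here as an example that is not part of Check Point's report: it correlates constructed Sysmon-style events for the three observable stages (credential storage enabled in the registry, injection into explorer.exe, and a memory read of lsass.exe) and alerts only when all three occur on one host within a short window. It assumes step 1 is the WDigest UseLogonCredential value, which the page does not name, and Sysmon event IDs 13, 8 and 10.

```python
"""Correlate Sysmon-style events for the tabDLL credential-grab chain.

Added example with constructed telemetry, not real logs. Assumptions not stated
in the Check Point write-up quoted on this page: "enabling credential storage in
LSASS" is modelled as the WDigest UseLogonCredential registry value set to 1, and
event IDs follow Sysmon (13 = registry value set, 8 = CreateRemoteThread,
10 = ProcessAccess).
"""
import json
from datetime import datetime, timedelta

# Five constructed events, one JSON object per line. WS-01 shows the full chain;
# WS-02 shows an endpoint agent reading LSASS, which alone is not the chain.
SAMPLE_LOG = r"""
{"Host": "WS-01", "UtcTime": "2022-02-16 10:00:05", "EventID": 13, "Image": "C:\\Users\\u\\AppData\\Roaming\\loader.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "Details": "DWORD (0x00000001)"}
{"Host": "WS-01", "UtcTime": "2022-02-16 10:00:20", "EventID": 8, "SourceImage": "C:\\Users\\u\\AppData\\Roaming\\loader.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
{"Host": "WS-01", "UtcTime": "2022-02-16 10:07:40", "EventID": 10, "SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"Host": "WS-02", "UtcTime": "2022-02-16 10:01:00", "EventID": 10, "SourceImage": "C:\\Program Files\\EDRAgent\\agent.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"}
{"Host": "WS-02", "UtcTime": "2022-02-16 10:02:00", "EventID": 13, "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\SOFTWARE\\Example\\Setting", "Details": "DWORD (0x00000000)"}
"""

# Registry value assumed for step 1 (compared case-insensitively on the suffix).
WDIGEST_VALUE = r"\securityproviders\wdigest\uselogoncredential"
PROCESS_VM_READ = 0x10  # access right required to read LSASS memory (mimikatz-style)
CHAIN = ("wdigest_enabled", "explorer_injection", "lsass_memory_read")


def classify(ev):
    """Map one event to a stage of the chain, or None if it is not of interest."""
    eid = ev["EventID"]
    target = ev.get("TargetImage", "").lower()
    if eid == 13:
        key = ev.get("TargetObject", "").lower()
        if key.endswith(WDIGEST_VALUE) and ev.get("Details", "").endswith("(0x00000001)"):
            return "wdigest_enabled"
    elif eid == 8 and target.endswith("\\explorer.exe"):
        return "explorer_injection"
    elif eid == 10 and target.endswith("\\lsass.exe"):
        if int(ev.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ:
            return "lsass_memory_read"
    return None


def detect_chain(log_text, window=timedelta(minutes=30)):
    """Return {host: {"stages": [...], "alert": bool}}.

    A host alerts only when all three stages were seen within `window` of each
    other; a single LSASS read (common for legitimate agents) is not enough.
    """
    first_seen = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        stage = classify(ev)
        if stage is None:
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        first_seen.setdefault(ev["Host"], {}).setdefault(stage, ts)  # earliest sighting
    report = {}
    for host, seen in first_seen.items():
        complete = all(stage in seen for stage in CHAIN)
        times = sorted(seen.values())
        alert = complete and (times[-1] - times[0]) <= window
        report[host] = {"stages": sorted(seen), "alert": alert}
    return report


if __name__ == "__main__":
    print(json.dumps(detect_chain(SAMPLE_LOG), indent=2))
```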

The malware uses the EternalRomance exploit to spread via SMBv1 network shares.

Another module used by Trickbot is “pwgrabc” which allows the malware to steal passwords from popular applications and web browsers, including Chrome, Internet Explorer, Edge, Outlook, Filezilla, WinSCP, RDP, Putty, OpenSSH, OpenVPN, and TeamViewer.

“Trickbot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause greater damage. Meanwhile, from our previous research, we know that the operators behind the infrastructure are very experienced with malware development on a high level as well.” conclude the researchers. “The combination of these two factors has already led to more than 140,000 infected victims after the takedown, several 1st place rankings in top malware prevalence lists, and collaboration with Emotet – all within a year.”


Pierluigi Paganini

(SecurityAffairs – hacking, Trickbot)


Experts disclose details of Apache Cassandra DB RCE

Wed, 02/16/2022 - 10:08
Researchers disclose a now-patched remote code execution (RCE) vulnerability in the Apache Cassandra database software.

JFrog researchers publicly disclosed details of a now-patched high-severity security vulnerability (CVE-2021-44521) in Apache Cassandra database software that could be exploited by remote attackers to achieve code execution on affected installations.

Apache Cassandra is an open-source NoSQL distributed database used by thousands of companies.

“JFrog’s Security Research team recently disclosed an RCE (remote code execution) issue in Apache Cassandra, which has been assigned to CVE-2021-44521 (CVSS 8.4).” reads the analysis published by JFrog. “This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra.”

Cassandra offers the functionality of creating user-defined functions (UDFs) that allow custom processing of data in the database.

Admins can use Java and JavaScript to write UDFs. For JavaScript, Cassandra leverages the Nashorn engine in the Java Runtime Environment (JRE), which is not guaranteed to be secure when accepting untrusted code.

JFrog researchers discovered that when user-defined functions (UDFs) are enabled in the configuration, threat actors could leverage the Nashorn engine to escape the sandbox and achieve remote code execution.

“For example, running the following Nashorn JavaScript code allows execution of an arbitrary shell command –

java.lang.Runtime.getRuntime().exec("touch hacked")

Cassandra’s development team decided to implement a custom sandbox around the UDF execution which uses two mechanisms to restrict the UDF code” states the report.

Experts noticed that the exploitation is possible when the cassandra.yaml configuration file contains the following definitions:

  • enable_user_defined_functions: true
  • enable_scripted_user_defined_functions: true
  • enable_user_defined_functions_threads: false

“When the option is set to false, all invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions. We will show how to abuse these permissions to achieve sandbox escape and RCE.” continues the analysis.

Experts shared a PoC that creates a new file named “hacked” on the Cassandra server.

Apache released versions 3.0.26, 3.11.12, and 4.0.2 to address the vulnerability. The fix adds a new flag, “allow_extra_insecure_udfs”, that is set to false by default; it prevents turning off the security manager and blocks access to java.lang.System.
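To make the preconditions concrete, here is an added configuration checker (not JFrog's or the Cassandra project's code) that reads the three cassandra.yaml options listed above plus the allow_extra_insecure_udfs flag introduced by the fix, and flags the exploitable combination beside a hardened fragment. It only parses flat `key: value` lines, and the Cassandra defaults it assumes are noted in the code.

```python
"""Check a cassandra.yaml fragment for the UDF settings tied to CVE-2021-44521.

Added example, not JFrog's or the Cassandra project's code. The parser handles
only flat `key: value` lines (sufficient for these options); DEFAULTS holds the
Cassandra defaults as assumed here (UDFs off, scripted UDFs off, UDF threads on,
allow_extra_insecure_udfs off in the fixed releases).
"""

# Constructed fragments: the exploitable combination and a hardened one.
VULNERABLE_CONFIG = """
# cassandra.yaml (constructed excerpt)
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # JavaScript UDFs via Nashorn
enable_user_defined_functions_threads: false   # UDFs run on the daemon thread
"""

HARDENED_CONFIG = """
enable_user_defined_functions: true
enable_scripted_user_defined_functions: false  # Java UDFs only
enable_user_defined_functions_threads: true    # separate, restricted threads
allow_extra_insecure_udfs: false               # flag added by the fix
"""

DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
    "allow_extra_insecure_udfs": False,
}


def parse_flat_yaml(text):
    """Return {key: value} for top-level `key: value` lines, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def as_bool(value, default):
    """YAML-style boolean with a fallback when the key is absent."""
    if value is None:
        return default
    return value.lower() in ("true", "yes", "on")


def assess(config_text):
    """Report findings and whether the three-option combination from the
    JFrog write-up (UDFs on, scripted UDFs on, UDF threads off) is present."""
    cfg = parse_flat_yaml(config_text)
    opt = {k: as_bool(cfg.get(k), d) for k, d in DEFAULTS.items()}
    if not opt["enable_user_defined_functions"]:
        return {"vulnerable_combination": False,
                "findings": ["UDFs are disabled (the default)"]}
    findings = []
    if opt["enable_scripted_user_defined_functions"]:
        findings.append("scripted (JavaScript/Nashorn) UDFs are enabled")
    if not opt["enable_user_defined_functions_threads"]:
        findings.append("UDFs run on the Cassandra daemon thread, not in restricted threads")
    if opt["allow_extra_insecure_udfs"]:
        findings.append("allow_extra_insecure_udfs is true: the post-fix protection is switched off")
    vulnerable = (opt["enable_scripted_user_defined_functions"]
                  and not opt["enable_user_defined_functions_threads"])
    return {"vulnerable_combination": vulnerable, "findings": findings}


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess(text))
```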


Pierluigi Paganini

(SecurityAffairs – hacking, RCE)


CISA added 9 new flaws to the Known Exploited Vulnerabilities Catalog, including Magento and Chrome bugs

Wed, 02/16/2022 - 05:04
The U.S. CISA added to the Known Exploited Vulnerabilities Catalog another 9 security flaws actively exploited in the wild.

US Cybersecurity and Infrastructure Security Agency (CISA) added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including two recently patched zero-day issues affecting Adobe Commerce/Magento Open Source and Google Chrome. CISA orders all Federal Civilian Executive Branch (FCEB) agencies to address both security vulnerabilities by March 1st, 2022.

The ‘Known Exploited Vulnerabilities Catalog‘ is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Known Exploited Vulnerabilities Catalog and address the vulnerabilities in their infrastructure.

“CISA has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.” reads the CISA’s announcement.

Below is the list of the vulnerabilities added to the catalog:

  • CVE-2022-24086 – Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability – remediation due 3/1/2022
  • CVE-2022-0609 – Google Chrome Use-After-Free Vulnerability – remediation due 3/1/2022
  • CVE-2019-0752 – Microsoft Internet Explorer Type Confusion Vulnerability – remediation due 8/15/2022
  • CVE-2018-8174 – Microsoft Windows VBScript Engine Out-of-Bounds Write Vulnerability – remediation due 8/15/2022
  • CVE-2018-20250 – WinRAR Absolute Path Traversal Vulnerability – remediation due 8/15/2022
  • CVE-2018-15982 – Adobe Flash Player Use-After-Free Vulnerability – remediation due 8/15/2022
  • CVE-2017-9841 – PHPUnit Command Injection Vulnerability – remediation due 8/15/2022
  • CVE-2014-1761 – Microsoft Word Memory Corruption Vulnerability – remediation due 8/15/2022
  • CVE-2013-3906 – Microsoft Graphics Component Memory Corruption Vulnerability – remediation due 8/15/2022

This week, Adobe rolled out security updates to address a critical security vulnerability, tracked as CVE-2022-24086, affecting its Commerce and Magento Open Source products that is being actively exploited in the wild.

“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.” reads the advisory published by Adobe.

The flaw is an “improper input validation” vulnerability that could be exploited by threat actors with administrative privileges to achieve arbitrary code execution on vulnerable systems.

CVE-2022-24086 has received a CVSS score of 9.8 out of 10; it is classified as a pre-authentication issue, which means that it could be exploited without credentials.

The vulnerability affects Adobe Commerce and Magento Open Source versions 2.4.3-p1/2.3.7-p2.

CISA also added CVE-2022-0609 to the catalog, a high-severity Chrome zero-day flaw fixed by Google this week that is being actively exploited. Google released a Chrome emergency update for Windows, Mac, and Linux. This is the first Chrome zero-day fixed by Google this year.

The zero-day is a use-after-free issue in Animation; the bug was reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group.

Last week, the US Cybersecurity & Infrastructure Security Agency (CISA) added fifteen more flaws to the Known Exploited Vulnerabilities Catalog.

One of the vulnerabilities is an elevation of privilege vulnerability in Microsoft Windows SAM (Security Accounts Manager). The US agency also added the CVE-2015-2051 remote code execution flaw impacting D-Link DIR-645 routers.

Among the issues added to the catalog there are also old vulnerabilities, such as the CVE-2014-4404 Apple OS X heap-based buffer overflow vulnerability. Another older issue added to the catalog is CVE-2020-0796, a vulnerability in the SMBv3 protocol that could be exploited by vxers to implement “wormable” malware.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)


VMware fixes flaws demonstrated at Chinese Tianfu Cup hacking contest

Wed, 02/16/2022 - 04:15
VMware addressed several high-severity flaws that were disclosed during China’s Tianfu Cup hacking contest.

VMware addressed several high-severity vulnerabilities that were demonstrated by Kunlun Lab team during China’s Tianfu Cup 2021 hacking contest. The vulnerabilities impact VMware ESXi, Workstation, and Fusion.

Below is the list published by the virtualization giant:

  • CVE-2021-22040 – VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
  • CVE-2021-22041 – VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
  • CVE-2021-22042 – VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. A malicious actor with privileges within the VMX process only, may be able to access settingsd service running as a high privileged user. 
  • CVE-2021-22043 – VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability that exists in the way temporary files are handled. A malicious actor with access to settingsd, may exploit this issue to escalate their privileges by writing arbitrary files. 

VMware also reported that the white hat hackers that discovered the flaws first reported them to the Chinese Government in accordance with a local law that orders researchers who discover a zero-day to share their findings with the government authorities.

“These issues were discovered as part of the Tianfu Cup, a Chinese security event that VMware participates in. These vulnerabilities were reported to the Chinese government by the researchers that discovered them, in accordance with their laws,” VMware revealed. 

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, VMware)

The post VMware fixes flaws demonstrated at Chinese Tianfu Cup hacking contest appeared first on Security Affairs.

Categories: Cyber Security News

Ukraine: Military defense agencies and banks hit by cyberattacks

Tue, 02/15/2022 - 17:46
Ukraine's defense agencies and two state-owned banks were hit by Distributed Denial-of-Service (DDoS) attacks.

The Ministry of Defense and the Armed Forces of Ukraine and state-owned banks, Privatbank (Ukraine’s largest bank) and Oschadbank were hit by Distributed Denial-of-Service (DDoS) attacks.

The website of the Ukrainian Ministry of Defense has been taken down by the wave of DDoS attacks.

“Starting from the afternoon of February 15, 2022, there is a powerful DDOS attack on a number of information resources of Ukraine. In particular, this caused interruptions in the work of web services of Privatbank and Oschadbank. The websites of the Ministry of Defense and the Armed Forces of Ukraine were also attacked.” reads the statement published by Ukraine’s State Service for Special Communication and Information Protection. “As of 19:30, the work of banking web resources has been resumed. A working group of experts from the main subjects of the national cybersecurity system is taking all necessary measures to localize and resist the cyberattack.” 

The website of the Ministry of Defence was probably subjected to a DDoS attack: an excessive number of requests per second was recorded.
Technical work is underway to restore normal operation.
Communication continues via the pages on FB and Twitter, and the websites ArmiyaInform https://t.co/ukMW41irPW and Armiya FM https://t.co/IpDnBXoMXw.

— Defence of Ukraine (@DefenceU) February 15, 2022

While Oschadbank's website initially remained accessible, customers were not able to access their online banking accounts. At the time of this writing, the website of the financial institution is not reachable.

Threat actors also hit Privatbank and defaced its website, adding the following message: “BUSTED! PRIVATBANK WAF is watching you)”

The Ukrainian Center for Strategic Communications and Information Security also published a post on Facebook explaining that Privatbank clients were not able to perform payments; however, the threat actors did not steal funds from their bank accounts.

Yesterday, the Security Service of Ukraine (SSU) revealed that the country is the target of an ongoing “wave of hybrid warfare” conducted by Russia-linked malicious actors. The threat actors aim to destabilize the social situation in the country and to instill fear and distrust in the country’s government.

The SSU said the campaign is linked to Russian intelligence agencies that are spreading disinformation through social networks and other media.



Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

The post Ukraine: Military defense agencies and banks hit by cyberattacks appeared first on Security Affairs.

Categories: Cyber Security News
