Tag: Flaw

Security flaw in popular proxy service leaves 50,000 hosts vulnerable

Post author By lisa nichols
Post date May 7, 2024
No Comments on Security flaw in popular proxy service leaves 50,000 hosts vulnerable

[ad_1]

More than half of Tinyproxy service hosts are running a flawed version which hackers could use in remote code execution attacks, a new report from researchers from Cisco Talos has claimed.

Tinyproxy is a lightweight HTTP/HTTPS proxy server commonly used to improve internet access speed by caching frequently accessed web pages, filtering out unwanted content, and providing anonymity.

The tool is often used in home networks, small businesses, or on personal servers.

Thousands of vulnerable endpoints

In its findings, Cisco Talos said Tinyproxy version 1.10.0 and 1.11.1 were vulnerable to CVE-2023-49606, a use-after-free bug with a severity score of 9.8.

“A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution,” the researchers explained in their report. “An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.”

Citing data from attack surface management expert Censys, TheHackerNews reported that of the 90,310 hosts exposing a Tinyproxy service to the public internet, 57% – 52,000 – were running a vulnerable version of the tool. Most are located in the U.S. (32,846), followed by South Korea (18,358), China (7,808), France (5,208), and Germany (3,608).

In the days immediately following Talos’ report, Tinyproxy maintainers made a few commits, criticizing the researchers from trying to reach out via an “outdated email address”. They added that a Debian Tinyproxy package maintainer tipped them off on Sunday.

“No GitHub issue was filed, and nobody mentioned a vulnerability on the mentioned IRC chat,” rofl0r said in a commit. “If the issue had been reported on Github or IRC, the bug would have been fixed within a day.”

Users are advised to apply the patch, as soon as it becomes available.

Over a billion users could be at risk from keyboard logging app security flaw

Post author By lisa nichols
Post date April 25, 2024
No Comments on Over a billion users could be at risk from keyboard logging app security flaw

[ad_1]

Almost a billion mobile users, holding various devices, could have had their communications revealed to malicious third parties, a report from cybersecurity researchers Citizen Lab claims.

It says different device manufacturers have used different keyboard apps which were relaying unencrypted communications, transmitting keystrokes via plaintext, and similar. Tencent QQ Pinyin, Baidu IME, iFlytek IME, Samsung Keyboard on Android, Xiaomi (with keyboard apps from Baidu, iFlytek, and Sogou), OPPO, Vivo, Honor, all of these allowed potential threat actors to decrypt Chinese mobile users’ keystrokes, completely passively, and without the users needing to send any extra network traffic.

The team says it believes the keyboard apps found on these devices were “revealing the contents of users’ keystrokes in transit”.

Keeping private talk private

The only manufacturer whose keyboard app was secure is Huawei, the researchers said. As for Apple and Google, neither app has a feature to transmit keystrokes to cloud servers for cloud-based communications, it was said, which made it impossible to analyze the keyboards for the security of the feature.

“However, we observed that none of the mobile devices that we analyzed included Google’s keyboard, Gboard, preinstalled, either,” the researchers claim.

The researchers disclosed their findings to the manufacturers and say that as of April 1, almost all have addressed their issues. Only Honor and Tencent (QQ Pinyin) still remain a work in progress.

To defend from potential eavesdroppers, users should keep their apps and mobile operating systems updated, and use a keyboard that fully works on the device. Developers, on the other hand, are advised to use well-tested and standard encryption protocols, instead of building their own, potentially vulnerable versions, The Hacker News reports.

“Given the scope of these vulnerabilities, the sensitivity of what users type on their devices, the ease with which these vulnerabilities may have been discovered, and that the Five Eyes have previously exploited similar vulnerabilities in Chinese apps for surveillance, it is possible that such users’ keystrokes may have also been under mass surveillance,” the researchers concluded.

Microsoft says Russian hackers are exploiting an ancient printer security flaw

Post author By lisa nichols
Post date April 23, 2024
No Comments on Microsoft says Russian hackers are exploiting an ancient printer security flaw

[ad_1]

Russian state-sponsored threat actors were observed abusing an old printer vulnerability to drop custom malware on target endpoints.

The malware helped them exfiltrate sensitive data and login credentials. This is according to a new report from Microsoft Threat Intelligence, published earlier this week.

As per the report, since mid-2019, a group known as Fancy Bear has been abusing a print spooler elevation of privilege bug found in Windows printers. The vulnerability, tracked as CVE-2022-38028, was discovered in 2022, and patched in October the same year.

The fall of Moobot

However, even after the release of the fix, Fancy Bear targeted unpatched endpoints in government, non-government, education, and transportation firms, located in Ukraine, Western European, and North American countries.

Once found, the devices would be infected with a custom-built malware called GooseEgg, which granted the attackers elevated privileges, and the ability to steal credentials across compromised systems.

Given that the patch has been available for almost two years now, it’s the best and easiest way to protect the endpoints from Russian spies.

Fancy Bear is probably Russia’s most popular threat actor. Some researchers have linked it to the GRU – the Russian General Staff Main Intelligence Directorate – the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation.

In mid-February this year, US law enforcement agents successfully shut down a malicious Fancy Bear botnet. At the time, the U.S. Department of Justice (DoJ) said its agents conducted a “court-authorized operation” that has neutralized a network of “hundreds of small office/home office (SOHO) routers”.

As explained by the DoJ, most of the Ubiquiti Edge OS routers used in the botnet were previously infected by malware called Moobot, which was developed by a private hacking group. This group targeted routers with factory settings and otherwise easy-to-guess passwords to install the malware. Then, APT 28 (as they call Fancy Bear) swooped in and took over the malware, turning the infected devices into a “global cyber espionage platform.”

Via The Register

A critical security flaw could affect thousands of WordPress sites

Post author By lisa nichols
Post date April 22, 2024
No Comments on A critical security flaw could affect thousands of WordPress sites

[ad_1]

Hundreds of thousands of WordPress websites are vulnerable to a critical severity flaw which allows threat actors to upload malware to the site through a bug in a plugin.

As reported by BleepingComputer, Japan’s CERT recently found a critical severity flaw (9.8) in the Forminator plugin, built by WPMU DEV. The flaw, now tracked as CVE-2024-28890, allows threat actors to obtain sensitive information by accessing files on the server.

The researchers also said the flaw could be used to change the contents of the site, mount denial-of-service (DoS) attacks, and more.

No evidence of abuse

Forminator is a plugin that allows WordPress operators to add custom contact, feedback, quizzes, surveys, polls, and payment forms. Everything is drag-and-drop and thus user-friendly, and plays well with many other plugins.

WPMU DEV has addressed the issue and released a patch. Users are advised to apply it and bring their Forminator plugin to version 1.29.3 as soon as possible. At press time, the WordPress.org website shows at least 500,000 active downloads, of which 56% run the latest version. That leaves at least 230,000 websites that are possibly still vulnerable.

So far, there is no evidence of CVE-2024-28890 being exploited in the wild, but given its destructive potential, and the simplicity to be abused, chances are abuse is just a matter of time.

While WordPress itself is generally considered a safe platform, its various plugins and add-ons present a unique opportunity for hackers looking for a way in. As a general rule of thumb, WordPress admins are advised to keep the platform, the plugins, themes, and add-ons updated at all times, and to deactivate all of the add-ons that they don’t actively use.

WordPress is the world’s number one website builder platform, with almost half of all websites on the internet being powered by the builder.

Criminals hack OpenMetadata flaw to mine crypto on Kubernetes

Post author By lisa nichols
Post date April 19, 2024
No Comments on Criminals hack OpenMetadata flaw to mine crypto on Kubernetes

[ad_1]

Hackers have been observed abusing flaws in OpenMetadata workloads to install cryptocurrency miners on Kubernetes.

Cybersecurity researchers from the Microsoft Threat Intelligence team reported of a new campaign, which started in early April 2024 that saw unidentified threat actors were scanning the web for internet-connected OpenMetadata workloads, vulnerable to these five flaws: CVE-2024-28847, CVE-2024-28848, CVE-2024-28253, CVE-2024-28254, and CVE-2024-28255.

Once found, they would abuse these flaws with malware, to gain a foothold on the systems. After a bit of analysis and reconnaissance, the attackers would install cryptocurrency miners on Kubernetes workloads.

Cryptomining season

OpenMetadata is an open source framework and standard for managing metadata in an open and interoperable manner across various tools, technologies, and platforms. Metadata is essentially data about data, providing context, description, and structure to the actual data.

Among various cryptocurrency miners, the standout one is called XMRig. It’s a lightweight program that “mines” (generates, essentially), the Monero currency, also known as XMR. Monero is described as a privacy-oriented coin, almost impossible to trace, making it particularly interesting for cybercriminals.

“Mining” cryptocurrency refers to conducting compute-heavy operations, which render the computer doing them useless for anything else, even if the device is extremely powerful. At the same time, the device will spend an enormous amount of electrical power mining the crypto, raking up huge electricity bills for the victims.

The attackers, on the other hand, will get disproportionally few cryptos, making the damage done that much greater.

On the flip side, being infected with a cryptominer is relatively easy to spot, since the compromised computer slows down to a crawl. However, since the crypto bull run is currently in full swing, we can expect to see more of these crypto miners around.

“This attack serves as a valuable reminder of why it’s crucial to stay compliant and run fully patched workloads in containerized environments,” the researchers said.

Via The Hacker News

Major Palo Alto security flaw is being exploited via Python zero-day backdoor

Post author By lisa nichols
Post date April 15, 2024
No Comments on Major Palo Alto security flaw is being exploited via Python zero-day backdoor

[ad_1]

For weeks now, unidentified threat actors have been leveraging a critical zero-day vulnerability in Palo Alto Networks’ PAN-OS software, running arbitrary code on vulnerable firewalls, with root privilege.

Multiple security researchers have flagged the campaign, including Palo Alto Networks’ own Unit 42, noting a single threat actor group has been abusing a vulnerability called command injection, since at least March 26 2024.

This vulnerability is now tracked as CVE-2024-3400, and carries a maximum severity score (10.0). The campaign, dubbed MidnightEclipse, targeted PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations with GlobalProtect gateway and device telemetry enabled, since these are the only vulnerable endpoints.

Highly capable threat actor

The attackers have been using the vulnerability to drop a Python-based backdoor on the firewall which Volexity, a separate threat actor that observed the campaign in the wild, dubbed UPSTYLE. While the motives behind the campaign are subject to speculation, the researchers believe the endgame here is to extract sensitive data. The researchers don’t know exactly how many victims there are, nor who the attackers primarily target. The threat actors have been given the moniker UTA0218 for now.

“The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives,” the researchers said. “UTA0218’s initial objectives were aimed at grabbing the domain backup DPAPI keys and targeting active directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with the users’ DPAPI keys.”

In its writeup, The Hacker News reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a deadline of April 19 to apply the patch and otherwise mitigate the threat.

“Targeting edge devices remains a popular vector of attack for capable threat actors who have the time and resources to invest into researching new vulnerabilities,” Volexity said.

“It is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks.”

BMC flaw left unchecked for 6 years hits Intel and Lenovo servers

Post author By lisa nichols
Post date April 12, 2024
No Comments on BMC flaw left unchecked for 6 years hits Intel and Lenovo servers

[ad_1]

The lack of communication that happened six years ago resulted in thousands of devices being vulnerable to a remotely exploitable heap out-of-bounds (OOB) read vulnerability – today. Among the vulnerable devices are Intel and Lenovo servers.

Here is what happened: Six years ago, the maintainers of Lighttpd discovered the above-mentioned flaw, which could allow threat actors to exfiltrate process memory addresses. That, in turn, could have been used to work around protection mechanisms.

The security team patched the flaw in August 2018, in version 1.4.51, but they didn’t assign a CVE. Lighttpd is an open-source web server optimized for speed-critical environments.

Thousands of vulnerable devices

As the CVE wasn’t assigned, the developers of AMI MegaRAC Baseboard Management Controllers (BMC) missed the update and did not integrate it into their product, BleepingComputer reports. BMCs are microcontrollers found on motherboards built for servers, data centers, cloud environments, and similar. They are designed for remote management, rebooting, monitoring, and firmware.

Consequently, the vulnerability was passed down the supply chain to system vendors and their customers.

Six years later, during a BMC scan, security researchers Binarly stumbled upon the vulnerability. The company says that multiple products, including some from Intel, Lenovo, and Supermicro, are all vulnerable.

“Based on our data, nearly 2000+ devices are impacted in the field. In reality, this number is even bigger,” the researchers told BleepingComputer.

Depending on the vendors and the devices, the vulnerability was given three separate identifiers: BRLY-2024-002, BRLY-2024-003, and BRLY-2024-004.

While Binarly claims that some of the vulnerable systems were released as recently as late February last year, both Intel and Lenovo said the impacted models reached end-of-life and as such aren’t recommended for use anyway. They will never receive further patches to address the problem, and will remain vulnerable until they are replaced with newer, supported systems.

Another top WordPress plugin has a serious security flaw — patch now to keep your website safe

Post author By lisa nichols
Post date April 3, 2024
No Comments on Another top WordPress plugin has a serious security flaw — patch now to keep your website safe

[ad_1]

Another major WordPress plugin was found vulnerable to a high-severity flaw which allowed malicious actors to steal sensitive information from the website, including password hashes.

LayerSlider has published a new security advisory, saying the product is now in version 7.10.1, but adding, “This update includes important security fixes.”

While the announcement does not detail the vulnerability fixed, The Hacker News reported that the project fixed an SQL injection vulnerability impacting versions 7.9.11 through 7.10.0. This vulnerability is now tracked as CVE-2024-2879, and has a severity score of 9.8 (critical).

Targeting WordPress

On its website, LayerSlider describes itself as a “visual web content editor, a graphic design software, and a digital visual effects application all in one”. It also claims to be used by “millions” of people worldwide. LayerSlider is a commercial WordPress plugin, with annual license packages ranging from $26 to $159.

Being the world’s most popular website builder, and used by roughly half of all the websites in existence, WordPress is a major target for cybercriminals everywhere. However, with the platform generally considered safe, hackers have turned their attention to third-party themes and plugins, as these are rarely as secure as the platform itself.

There are thousands of themes and plugins for WordPress, all of which build upon and improve the WordPress experience. Some are free to use, but commercial ones usually have a dedicated team that works on improvements and security. As a result, most of the time, hackers will go for free-to-use themes and plugins – many have millions of users, but have been abandoned by their developers and contain vulnerabilities that are never (or rarely) addressed.

To remain secure, admins should only install themes and plugins they intend on using, and make sure they are always updated to the latest version.

An ancient Linux flaw might be opening up users to dangerous cyberattacks

Post author By lisa nichols
Post date March 30, 2024
No Comments on An ancient Linux flaw might be opening up users to dangerous cyberattacks

[ad_1]

Many versions of Linux may be vulnerable to a flaw that allowed hackers to steal passwords, or change the contents of their clipboard.

The vulnerability, however, comes with a major caveat that makes exploitations somewhat unlikely (or at least heavily limited).

Cybersecurity researcher Skyler Ferrante recently discovered an “improper neutralization of escape sequences in wall” vulnerability, a flaw impacting the “wall” command. This command is usually used to broadcast messages to the terminals of all users logged to the same system.

WallEscape

With escape sequences not being properly filtered when processing input through command line arguments, a threat actor could, theoretically, launch a prompt to all connected users and have them type in their administrator password. Escape sequences could also be used to change the clipboard of a target user, although this method may not work with all terminal emulators.

The vulnerability is tracked as CVE-2024-28085, and dubbed WallEscape. It was fixed in Linux version 2.40, released in March 2024, but that means it has been present in Linux versions for the past 11 years.

While a proof-of-concept (PoC) for the vulnerability exists, and a practical application could occur, multiple factors need to align, first. For example, the attacker needs to have physical access to a Linux server, to which multiple other potential victims are already connected through the terminal. If you’re still worried about your Linux server being targeted, there is a solution. Linux released an upgrade to linux-utils v.2.40, which patches the vulnerability.

Usually, these updates are available through the LInux distribution’s standard update channel, so keep an eye out. Furthermore, system administrators can fix the issue by removing the setgid permission from the “wall” command, or by disabling the message broadcast functionality using the “mesg” command to set its flag to “n”.

Via BleepingComputer

Ray framework flaw exploited for hackers to breach servers

Post author By lisa nichols
Post date March 28, 2024
No Comments on Ray framework flaw exploited for hackers to breach servers

[ad_1]

The Ray framework, an open source tool for AI and Python workload scaling, is vulnerable to half a dozen flaws that allow hackers to hijack the devices and steal sensitive data.

This is according to cybersecurity researchers from Oligo, who published their findings on a new hacking campaign they dubbed “ShadowRay”.

Apparently active since early September 2023, ShadowRay’s operators abused five distinct Ray vulnerabilities to target firms in education, cryptocurrency, biopharma, and other verticals.

“Shadow vulnerability”

Four of the vulnerabilities are tracked as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023, and Anyscale, Ray’s developer, fixed them. The fifth one, deemed a critical remote code execution (RCE) flaw by researchers, and tracked as CVE-2023-48022, was not fixed.

Anyscale argues that this was not a bug, but a feature: “The remaining CVE (CVE-2023-48022) – that Ray does not have authentication built in – is a long-standing design decision based on how Ray’s security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy,” it said.

As per the developers, this RCE flaw can only be abused in deployments that go against Anyscale’s recommendations and don’t limit Ray’s use to a strictly controlled network environment.

Oligo, on the other hand, says that by disputing the CVE, Anyscale is leaving many developers in the dark on the potential holes. “We have observed instances of CVE-2023-48022 being actively exploited in the wild, making the disputed CVE a “shadow vulnerability”—a CVE that doesn’t show up in static scans but can still lead to breaches and significant losses.”

The researchers said they observed “hundreds” of publicly exposed Ray servers, compromised via this vulnerability. As a result, threat actors were stealing sensitive data such as AI models, production database credentials, and more. In some instances they were even installing cryptominers.

Via BleepingComputer