A critical security vulnerability in Veeam Backup Enterprise Manager could allow threat actors to bypass authentication.

A critical vulnerability, tracked as CVE-2024-29849 (CVSS score: 9.8), in Veeam Backup Enterprise Manager could allow attackers to bypass authentication.

Veeam Backup Enterprise Manager is a centralized management and reporting tool designed to simplify the administration of Veeam Backup & Replication environments. It offers a web-based interface that allows users to manage multiple Veeam Backup & Replication servers, monitor backup jobs, and generate reports.

“This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.” reads the advisory published by the vendor.

The company has addressed the following vulnerabilities in Veeam Backup Enterprise Manager:

• CVE-2024-29850 (CVSS score: 8.8) – the flaw allows account takeover via NTLM relay.
• CVE-2024-29851 (CVSS score: 7.2) – the flaw allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account.
• CVE-2024-29852 (CVSS score: 2.7) – the flaw allows a privileged user to read backup session logs.

The four vulnerabilities have been addressed with the release of version 12.1.2.172. The company also provided the following mitigation:

• This vulnerability can be mitigated by halting the Veeam Backup Enterprise Manager software.
  To do this, stop and disable the following services:
  • VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
  • VeeamRESTSvc (Veeam RESTful API Service)
    _{Note: Do not stop the ‘Veeam Backup Server RESTful API Service’.}
• Veeam Backup Enterprise Manager is compatible with managing Veeam Backup & Replication servers running an older version than Veeam Backup Enterprise Manager. Therefore, if the Veeam Backup Enterprise Manager software is installed on a dedicated server, Veeam Backup Enterprise Manager can be upgraded to version 12.1.2.172 without the need to upgrade Veeam Backup & Replication immediately.
• Veeam Backup Enterprise Manager can be uninstalled if it is not in use.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Veeam)

Resecurity warns of a surge in malicious cyber activity targeting the election in India, orchestrated by several independent hacktivist groups

Resecurity has identified a spike of malicious cyber activity targeting the election in India, which is supported by multiple independent hacktivist groups who arrange cyber-attacks and publication of stolen personal identifiable information (PII) belonging to Indian citizens on the Dark Web.

India, with a population of over 1.4 billion and a GDP of over 3.417 trillion USD, has become a prime target for cyberattacks during its general elections scheduled between 19 April and 1 June 2024.

Multiple independent hacktivist groups are targeting India’s elections with influence and public opinion manipulation campaigns, Resecurity reports. The campaigns are designed to sway voters’ opinions and undermine trust in the democratic process. Attackers have also defaced websites and leaked data to launch influence campaigns against India’s government leaders, said researchers.

Around 16 different independent hacktivist groups are targeting Indian elections, including Anon Black Flag Indonesia, Anonymous Bangladesh, and Morocco Black Cyber Army, among others.

“These 16 groups have targeted multiple law enforcement, government, healthcare, financial, educational, and private sector organizations in India, taking advantage of geopolitical narratives before recent elections,” researchers noted.

Resecurity observed that the Ahadun-Ahad 2.0 Team has published Indian Voter ID cards on Telegram, which are issued by the Election Commission of India to 18+ individuals domiciled in India. The source of the data is unclear, but they suspect it is linked to compromised third-party entities. Earlier, cybercriminals have stolen AADHAAR, PAN, driving licenses, and NOC documents from the Dark Web, including 36 GB of personally identifiable information (PII) belonging to Indian citizens.

The data, primarily in graphic form with victims’ selfies, could be used to spread false information, undermine trust in the electoral process, and profit from selling stolen information on the dark web. Resecurity alerted law enforcement and federal authorities to the leaked data.

Besides graphical data files, including voter registration records and credentials from Voter Portal, the actors also leaked large data sets containing voters’ credentials collected using infostealers. Such malware programs, including Nexus, Medusa, Redline, Lumma, and Racoon, are designed to steal sensitive information such as login credentials and financial data. Specific signatures identified in leaked data sets may confirm that they originate not from any vulnerable election systems, but likely from compromised consumers with malicious code. The compromised credentials could have been obtained by intercepting login forms on popular Internet browsers or by accessing password storage on compromised devices. At some point, threat actors were aiming to leak a big number of voters’ records to create a perception that elections systems are vulnerable. In fact, the origin of these credentials is on the consumer side, as many Internet users are getting infected with malware due to poor network hygiene and lack of cybersecurity awareness.

Researchers also observed public opinion manipulation campaigns targeting Indian government leaders, using data leaks, website defacements, and political narratives. These ‘cyber-guerilla’ tactics blur attribution and operate under the ‘false flag’ of independent hacktivists aiming to create social conflict between Indian and Muslim populations.

Resecurity has summarized the key risk indicators of malicious activity to increase cybersecurity awareness among Indian citizens, encouraging them not to react to any claims or narratives originating from unreliable sources planted by cybercriminals, which could affect their votes.

The full report is available here: https://www.resecurity.com/blog/article/cybercriminals-are-targeting-elections-in-india-with-influence-campaigns

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, India)

A threat actor is targeting organizations in Africa and the Middle East by exploiting Microsoft Exchange Server flaws to deliver malware.

Positive Technologies researchers observed while responding to a customer’s incident spotted an unknown keylogger embedded in the main Microsoft Exchange Server page. The keylogger was used to collect account credentials. Further investigation allowed to identify over 30 victims in multiple countries, most of whom were linked to government agencies. According to the researchers, the malware campaign targeting MS Exchange Server has been active since at least 2021. The researchers can’t attribute this campaign to a specific group, however, they observed that most victims are in Africa and the Middle East.

Some of the countries targeted by this campaign are Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.

The threat actors exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) in Microsoft Exchange Server to inject an info stealer. They added keylogger code to the server’s main page by embedding it into the clkLgn() function.

The attackers also added a code that processes the results of the stealer in the logon.aspx file, then the code redirects account credentials in a file accessible from the internet.

“You can check for potential compromise by searching for the stealer code on the main page of your Microsoft Exchange server.” concludes the report from Positive Technologies. “If your server has been compromised, identify the account data that has been stolen and delete the file where this data is stored by hackers. You can find the path to this file in the logon.aspx file. Make sure you are using the latest version of Microsoft Exchange Server, or install pending updates.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, MS Exchange Server)

GitHub addressed a vulnerability in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication.

GitHub has rolled out security fixes to address a critical authentication bypass issue, tracked as CVE-2024-4985 (CVSS score: 10.0), in the GitHub Enterprise Server (GHES).

GitHub Enterprise Server (GHES) is a self-hosted version of GitHub designed for use within organizations. It provides the full capabilities of GitHub, including source code management, version control, collaboration tools, and continuous integration and delivery (CI/CD), but allows organizations to host the platform on their own infrastructure. This setup is ideal for companies that require more control over their data, enhanced security, and customization to meet internal compliance and regulatory requirements.

The authentication bypass vulnerability impacts GHES when using SAML single sign-on with encrypted assertions. An attacker can trigger the issue to forge SAML responses, granting them site administrator privileges without prior authentication.

“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges.” reads the advisory published by the company. “Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO or utilizing SAML SSO authentication without encrypted assertions are not impacted. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication.”

The company pointed out that encrypted assertions are not enabled by default and that the vulnerability only affects installs using SAML single sign-on (SSO) or those that use SAML SSO authentication with encrypted assertions. Encrypted assertions are a security measure that allows encrypting the messages that the SAML identity provider (IdP) sends SAML SSO.

The vulnerability affected all GHES versions before 3.13.0 and was addressed with the release of versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. The issue was reported through the GitHub Bug Bounty program.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, GitHub Enterprise Server)

The digital imaging products manufacturer OmniVision disclosed a data breach after the 2023 ransomware attack.

OmniVision Technologies is a company that specializes in developing advanced digital imaging solutions. In 2023, OmniVision employed 2,200 people and had an annual revenue of $1.4 billion. OmniVision Technologies Inc. is an American subsidiary of Chinese semiconductor device and mixed-signal integrated circuit design house Will Semiconductor. The company designs and develops digital imaging products for use in mobile phones, laptops, netbooks and webcams, security and surveillance cameras, entertainment, automotive and medical imaging systems.

In 2023, the imaging sensors manufacturer was the victim of a Cactus ransomware attack.

Last week, OmniVision notified the California Office of the Attorney General. The threat actors had access to the company systems between September 4 and September 30, 2023, when they deployed ransomware.

“On September 30, 2023, OVT became aware of a security incident that resulted in the encryption of certain OVT systems by an unauthorized third party. In response to this incident, we promptly launched a comprehensive investigation with the assistance of third-party cybersecurity experts and notified law enforcement. At the same time, we took proactive measures to remove the unauthorized party and ensure the security of OVT systems.” reads the data Breach Notification. “This in-depth investigation determined that an unauthorized party took some personal information from certain systems between September 4, 2023, and September 30, 2023. On April 3, 2024, after completion of this comprehensive review, we determined that some of your personal information was involved.”

At this time is unclear the number of the impacted individuals.

In October, 2023, the Cactus ransomware group added OmniVision to the list of victims on its Tor leak site. As proof of the data breach, the extortion group published data samples, including passport images, NDAs, contracts, and other documents.

Then, after the failure of the alleged negotiation, the gang released all the stolen data for free, however, OmniVision is currently no longer listed on the Cactus ransom leak site.

As a result of the incident, OmniVision implemented more monitoring solutions to detect suspicious activity and prevent recurrence. The company is also updating security policies, migrating some systems to the cloud, and requiring additional security awareness training. Although there is no evidence of fraudulent use of the personal information of the impacted individuals, the company is offering complimentary credit monitoring and identity restoration services for 24 months.

The Cactus ransomware operation has been active since March 2023, Kroll researchers reported that the ransomware strain is notable for the use of encryption to protect the ransomware binary.

Cactus ransomware uses the SoftPerfect Network Scanner (netscan) to look for other targets on the network along with PowerShell commands to enumerate endpoints. The ransomware identifies user accounts by viewing successful logins in Windows Event Viewer, it also uses a modified variant of the open-source PSnmap Tool.

The Cactus ransomware relies on multiple legitimate tools (e.g. Splashtop, AnyDesk, SuperOps RMM) to achieve remote access and uses Cobalt Strike and the proxy tool Chisel in post-exploitation activities.

Once the malware has escalated the privileges on a machine, the threat actors use a batch script to uninstall popular antivirus solutions installed on the machine.

Cactus uses the Rclone tool for data exfiltration and used a PowerShell script called TotalExec, which was used in the past by BlackBasta ransomware operators, to automate the deployment of the encryption process.

In early January, the Cactus ransomware group claimed to have hacked Coop, one of the largest retail and grocery providers in Sweden.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, data breach)

CISA adds NextGen Healthcare Mirth Connect deserialization of untrusted data vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a NextGen Healthcare Mirth Connect vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2023-43208, is a Deserialization of Untrusted Data Vulnerability.

Deserialization of untrusted data vulnerability is a security flaw that occurs when an application deserializes data from an untrusted source without properly validating or sanitizing it. Deserialization is the process of converting serialized data (data formatted for storage or transmission) back into an object or data structure that a program can use.

The flaw impacts NextGen Healthcare Mirth Connect before version 4.4.1, an unauthenticated remote attacker can trigger the issue to achieve code execution.

US CISA also addressed recently disclosed Google Chromium V8 Type Confusion Vulnerability (CVE-2024-4947).

The vulnerability CVE-2024-4947 is a type confusion that resides in V8 JavaScript engine. The vulnerability was reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on May 13, 2024.

“Google is aware that an exploit for CVE-2024-4947 exists in the wild,” reads the advisory published by Google.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by June 10, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)

The Blackbasta extortion group claims to have hacked Atlas, one of the largest national distributors of fuel in the United States.

Atlas is one of the largest national fuel distributors to 49 continental US States with over 1 billion gallons per year.

The Blackbasta extortion group added the company to the list of victims on its Tor leak site, as the researcher Dominic Alvieri reported.

The gang claims to have stolen 730GB of data from ATLAS, including Corporate data: Accounts, HR, Finance, Executive, department data, and users and employees’ data.

The gang published a series of documents as proof of the hack, including people’s ID cards, data sheets, payroll payment requesters and a picture of the folder exfiltrated from the victim’s systems.

The oil company has yet to disclose the alleged incident.

Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model.  

In November 2022, Sentinel Labs researchers reported having found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7.

In November 2022, experts at the Cybereason Global SOC (GSOC) team observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.

The attack chain starts with a QBot infection, The operators use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks began with a spam/phishing email containing malicious URL links.

The researchers noticed that once obtained access to the network, the threat actor moves extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Atlas Oil)

A vulnerability in the Fluent Bit Utility, which is used by major cloud providers, can lead to DoS, information disclosure, and potentially RCE.

Tenable researchers have discovered a severe vulnerability in the Fluent Bit utility, which is used on major cloud platforms.

Fluent Bit is an open-source, lightweight, and high-performance log processor and forwarder. It is designed to collect, process, and ship logs and other types of data from various sources to different destinations. Fluent Bit is part of the Fluentd ecosystem and is optimized for resource efficiency, making it suitable for environments with limited resources, such as IoT devices, edge computing, and containerized applications.

The tool had over 3 billion downloads as of 2022 and approximately has 10 million new deployments each day.

The utility is used by major organizations such as VMware, Cisco, Adobe, Walmart, Splunk, Intel, Arm, Adobe and LinkedIn, and almost any cloud service provider, including AWS, Microsoft, and Google Cloud.

Researchers at cybersecurity firm Tenable have discovered a vulnerability in the Fluent Bit utility, called Linguistic Lumberjack, which is tracked CVE-2024-4323 (CVSS score of 9.8).

The vulnerability can trigger a denial-of-service (DoS) condition, lead to an information disclosure, and potentially remote code execution (RCE).

Tenable discovered the vulnerability in the Fluent Bit monitoring API that allows users or services with access to it to launch a Denial of Service (DoS) attack or obtain potentially sensitive information.

Fluent Bit’s monitoring API allows administrators to query and monitor internal service information through various HTTP endpoints, such as those for service uptime and plugin metrics. However, the researchers discovered that endpoints /api/v1/traces and /api/v1/trace, which manage trace configurations, can be accessed by any user with API access.

The vulnerability arises during the parsing of requests to these endpoints, where the data types of input names are not properly validated. They are mistakenly assumed to be valid strings (MSGPACK_OBJECT_STRs). The researchers discovered that an attacker can pass non-string values, such as integers, in the “inputs” array, leading to memory corruption issues. Specifically, the flb_sds_create_len() function can misinterpret the values, causing potential vulnerabilities.

“In their lab environment, the researchers were able to reliably exploit this issue to crash the service and cause a denial of service scenario. They were also able to retrieve chunks of adjacent memory, which are returned in the HTTP responses. While this is generally unlikely to reveal anything other than previous metrics requests, the researchers were able to occasionally retrieve partial secrets during their testing, indicating that this issue could potentially leak sensitive information.” reads the report published by Tenable. “As for the remote code execution possibilities of this issue, exploitation is dependent on a variety of environmental factors such as host architecture and operating system. While heap buffer overflows such as this are known to be exploitable, creating a reliable exploit is not only difficult, but incredibly time intensive. The researchers believe that the most immediate and primary risks are those pertaining to the ease with which DoS and information leaks can be accomplished.”

The flaw was introduced in version 2.0.7 and exists thru 3.0.3. It is addressed in the main source branch and is expected in release 3.0.4.

Tenable also published a proof-of-concept (PoC) to trigger a DoS condition.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fluent Bit)

Experts warn of fifteen vulnerabilities in the QNAP QTS, the operating system for the Taiwanese vendor’s NAS products.

An audit of QNAP QTS conducted by WatchTowr Labs revealed fifteen vulnerabilities, most of which have yet to be addressed. The most severe vulnerability is a flaw tracked as CVE-2024-27130. The issue is an unpatched stack buffer overflow vulnerability in the ‘No_Support_ACL’ function of ‘share.cgi,’ an unauthenticated attacker can exploit this issue to perform remote code execution under certain conditions.

The WatchTowr Labs researchers also published technical details of the flaw CVE-2024-27130 and a proof of concept (PoC) exploit code.

An attacker can exploit CVE-2024-27130 by sending a malicious request with a specially crafted ‘name’ parameter, causing a buffer overflow and leading to remote code execution. To do this, the attacker needs a valid ‘ssid’ parameter, generated when a NAS user shares a file from their QNAP device. This parameter is included in the URL of the ‘share’ link. An attacker can obtain the parameter by using a social engineering technique.

“Unsafe use of strcpy in No_Support_ACL accessible by get_file_size function of share.cgi leads to stack buffer overflow and thus RCE” reads the advisory published by WatchTowr Labs. To exploit the flaw, an attacker needs a valid NAS user to share a file.

The other vulnerabilities impacting Network Attached Storage (NAS) discovered by WatchTowr code execution, buffer overflow, memory corruption, authentication bypass, and XSS issues impacting the security of Network Attached Storage (NAS) devices across different deployment environments.

Below is the full list of the vulnerabilities discovered by the experts:

The flaws impact QTS, QuTScloud, and QTS hero.

The vendor responded to the vulnerability reports submitted between December 12, 2023, and January 23, 2024, with multiple delays and has fixed only four of the fifteen flaws.

At this time, QNAP only addressed CVE-2023-50361, CVE-2023-50362, CVE-2023-50363, and CVE-2023-50364 with the release of a security update in April 2024. The following versions fixed the four vulnerabilities:

• QTS 5.1.6.2722 build 20240402 and later
• QuTS hero h5.1.6.2734 build 20240414 and later

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)