
Google: China dominates government exploitation of zero-day vulnerabilities in 2023

28 March 2024 at 12:14

Google’s Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively exploited zero-day vulnerabilities in 2023.

Google’s Threat Analysis Group (TAG) and its subsidiary Mandiant reported that 97 zero-day vulnerabilities were exploited in attacks in 2023, up from 62 actively exploited zero-day flaws in 2022.

In 2023, Google TAG and Mandiant discovered 29 of the 97 vulnerabilities exploited in the wild.

In 2023, the researchers observed 36 zero-day vulnerabilities exploited in the wild targeting enterprise-specific technologies, while 61 vulnerabilities affected end-user platforms and products such as mobile devices, operating systems, browsers, and other applications.


The researchers reported that investments in exploit mitigations across browsers and operating systems are impacting the offensive capabilities of threat actors.

Of the eight in-the-wild zero-day issues targeting Chrome in 2023, none impacted the Document Object Model (DOM) and none were use-after-free issues.

“In 2023 there were no use-after-free vulnerabilities exploited in Chrome for the first time since we began seeing Chrome zero days in-the-wild. Both Chrome and Safari have made exploiting JavaScript Engine vulnerabilities more complex through their V8 heap sandbox and JITCage respectively. Exploits must now include bypasses for these mitigations instead of just exploiting the bug directly.” reads the report published by Google TAG.

The researchers reported that Lockdown mode on iOS makes it difficult for attackers to exploit zero-day flaws.

In 2023, the researchers observed a surge in zero-day vulnerabilities in third-party components and libraries that can impact all products that use them.

In 2023, the researchers attributed a combined total of 48 out of 58 zero-day vulnerabilities to commercial surveillance vendors (CSVs) and government espionage actors, while 10 zero-day flaws were attributed to financially motivated actors.

Financially motivated threat actors exploited a total of ten zero-day vulnerabilities; the cybercrime group FIN11 was among the most active, exploiting three separate zero-day flaws. The researchers also tracked at least four ransomware groups exploiting four zero-day vulnerabilities.

“FIN11 appears to have invested heavily in zero-day exploitation in the last several years. From late 2020 to early 2021, the group also exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA), demonstrating a years-long focus by these actors on identifying and exploiting zero-days. Additionally, we tracked the exploitation of four additional zero-day vulnerabilities by four ransomware families in 2023.” continues the report.

China made the headlines because government-linked APT groups exploited 12 zero-day vulnerabilities in 2023, a notable increase from seven in 2022.

“While it is near impossible to predict the number of zero-days for 2024, it remains clear that the pace of zero-day discovery and exploitation will likely remain elevated when compared to pre-2021 numbers. Regardless of the number, it is clear that the steps we as security researchers and product vendors are taking are having an impact on attackers. However, we must recognize that our successes will likely manifest as actors increasingly targeting wider and more varied products, as the tried and true methods increasingly become less viable.” concludes the report. “Zero-day exploitation is no longer just a niche capability accessible to only a handful of actors, and we anticipate that the growth we have seen across the last few years will likely continue, as vendors continue to make other avenues of compromise less accessible and as threat actors focus increasing resources on zero-day exploitation.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, zero-day vulnerabilities)

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

28 March 2024 at 00:38

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during the Pwn2Own Vancouver 2024.

Google addressed several vulnerabilities in the Chrome web browser this week, including two zero-day vulnerabilities, tracked as CVE-2024-2886 and CVE-2024-2887, which were demonstrated during the Pwn2Own Vancouver 2024 hacking competition.

The high-severity vulnerability CVE-2024-2886 is a use-after-free issue in WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during Pwn2Own 2024.

The high-severity vulnerability CVE-2024-2887 is a type confusion issue in WebAssembly. Manfred Paul demonstrated the vulnerability during Pwn2Own 2024.

Google also addressed the following vulnerabilities:

  • [$10000][327807820] Critical CVE-2024-2883: Use after free in ANGLE. Reported by Cassidy Kim (@cassidy6564) on 2024-03-03
  • [TBD][328958020] High CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz on 2024-03-11

“The Stable channel has been updated to 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 to Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.” reads the advisory published by the IT giant.

The IT giant did not reveal if the vulnerabilities have been actively exploited in the wild.

Mozilla last week addressed two zero-day vulnerabilities in the Firefox web browser exploited during the recent Pwn2Own Vancouver 2024 hacking competition.

The researcher Manfred Paul (@_manfp), who won the competition, exploited the two vulnerabilities, tracked as CVE-2024-29944 and CVE-2024-29943 respectively.

On Day Two, Paul demonstrated a sandbox escape of Mozilla Firefox by using an OOB Write for the RCE and an exposed dangerous function bug. He earned $100,000 and 10 Master of Pwn points for this hack.

Below is the description of both issues. According to the advisory, CVE-2024-29944 affects desktop Firefox only and does not affect mobile versions of Firefox:

  • CVE-2024-29943: An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination.
  • CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process.

Mozilla released Firefox 124.0.1 and Firefox ESR 115.9.1 to address both issues.



INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

27 March 2024 at 20:33

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening to leak three terabytes of alleged stolen data.

The INC Ransom extortion gang added the National Health Service (NHS) of Scotland to the list of victims on its Tor leak site. The cybercrime group claims to have stolen three terabytes of data and is threatening to leak them.

Scotland’s NHS, or National Health Service, is the publicly funded healthcare system serving Scotland. It provides a wide range of healthcare services, including hospitals, general practitioners (GPs), mental health services, and community healthcare. The Scottish Government oversees the NHS in Scotland, and it operates separately from the NHS systems in England, Wales, and Northern Ireland.

“3 terabytes of data will be published soon. NHSScotland currently employs approximately 140,000 staff who work across 14 territorial NHS Boards, seven Special NHS Boards and one public health body. Each NHS Board is accountable to Scottish Ministers, supported by the Scottish Government Health and Social Care Directorates. Territorial NHS Boards are responsible for the protection and the improvement of their population’s health and for the delivery of frontline healthcare services. Special NHS Boards support the regional NHS Boards by providing a range of important specialist and national services.” reads the announcement published by the INC Ransom group.

The group published images of medical documents as proof of the hack and will publish the stolen data if the NHS does not pay the ransom.


The cyber attack occurred on March 15, 2023.

“Meanwhile, work continues to assess the consequences of the incursion into NHS systems, and the concern that those responsible may have acquired a significant amount of data including patient and staff-specific information.” reads the incident notice initially published by the company.

NHS Dumfries and Galloway has confirmed that crooks obtained at least a “limited amount” of patient data following the cyberattack.

“We absolutely deplore the release of confidential patient data as part of this criminal act.” said the chief executive of the NHS board, Jeff Ace. “This information has been released by hackers to evidence that this is in their possession. We are continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish government and other agencies in response to this developing situation.” “NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population.”

Ace confirmed that the National Health Service (NHS) of Scotland will notify impacted patients.

“This incident remains contained to NHS Dumfries and Galloway and there have been no further incidents across NHS Scotland as a whole.” a spokesperson for the Scottish government told The Guardian.

“The Scottish government is working with the health board, Police Scotland and other agencies, including the National Crime Agency and National Cyber Security Centre, to assess the level of this breach and the possible implications for individuals concerned.”

INC Ransom has been active since 2023 and has claimed responsibility for breaches of at least 65 organizations to date.

The group’s victims include Xerox Corp and Ejército del Perú.


CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

27 March 2024 at 15:11

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft SharePoint vulnerability disclosed at Pwn2Own 2023 to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2023-24955 Microsoft SharePoint Server Code Injection Vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Microsoft addressed the remote code execution flaw in SharePoint Server, tracked as CVE-2023-24955 (CVSS Score 7.2), in May 2023. The Star Labs team demonstrated the vulnerability at the Pwn2Own Vancouver 2023 hacking competition. The vulnerability was part of an exploit chain that allowed the white hat hackers to obtain code execution on the target server.

“In a network-based attack, an authenticated attacker as a Site Owner could execute code remotely on the SharePoint Server.” reads the advisory published by Microsoft.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by April 16, 2024.

This week CISA also added the following vulnerabilities to its catalog:

  • CVE-2023-48788 Fortinet FortiClient EMS SQL Injection Vulnerability
  • CVE-2021-44529 Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
  • CVE-2019-7256 Nice Linear eMerge E3-Series OS Command Injection Vulnerability


The DDR Advantage: Real-Time Data Defense

27 March 2024 at 12:12

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build a real-time data defense.

In cybersecurity, and in life, by the time you find out that something went wrong it is often too late. The advantage of Data Detection and Response (DDR) is that you no longer have to wait until the milk is spilled. With DDR, your organization can have real-time data defense.

Here’s how it works.

What is Data Detection and Response (DDR)? And why do we need it?

Before you think, “Oh no, not another –DR acronym,” and keep scrolling – wait. Data Detection and Response is in a class of its own and shares the common surname in name only.

Status-quo cybersecurity works by securing the “boxes” in which our data resides. Twenty years ago, that used to be on-premises networks surrounded by the “perimeter.” Then, the perimeter died drastically and was replaced with email servers and cloud repositories. Now, it’s data lakes and environments so complex that a box can hardly be seen. Or, in the case of the cloud, it morphs so much that it is barely recognizable.

This is not good for advocates of data protection but great for attackers who thrive in our confusion and in the gaps that exist between the boxes. After all, you can’t secure what you can’t see, and today’s environments obfuscate the true location of data so well that we, as security practitioners, can hardly keep up with it.

Advantages of Data Detection and Response

The IEEE Computer Society lists the top five benefits of DDR as:

  1. Innovative data classification | DDR solutions sort and label data by content and lineage, meaning not only what it is but where it came from. Sometimes, the history tells the story – was this information kept in high-clearance databases only to end up on Chad’s Slack? Something must be off.
  2. Protects data in motion | As they state, “Data is most at risk when in motion, so that’s when DDR scans it.” The real damage is done when data travels (outside of the enterprise, from a person who has access to one who does not, to a mysterious external server in Belize…), isn’t it?
  3. Follows data across all assets | DDR doesn’t start in one box (say OneDrive) and then picks its job back up again when the data has landed in another box (say the corporate email server). Instead, it follows all the steps in between, and it follows the data itself.
  4. Real-time exfiltration protection | By alerting teams at the first sign of trouble (instead of the last) DDR gives SOCs a fighting chance of stopping the threat in real-time.
  5. Data-centric approach | By connecting monitoring, alerts, and additional protections to the actual data, DDR gives organizations more accurate data classification and more gapless coverage.

The second benefit is what we’ll be focusing on today.

DDR Knows What Your Data Did Last Summer

Then, along came a revolutionary idea. What if we don’t protect the boxes but rather the data itself? DDR would, in effect, “tag” data so that a GPS-type homing beacon would keep a gapless record of where it went, who accessed it, what they did with it, and (with the help of some cyber sleuthing) perhaps why.

The most important thing is that DDR enables teams to chart the safe route for certain types of sensitive data (as classified by the team) and deny any “funny business” attempted with said data beyond that. And the proof is in where the data goes, not where it sleeps at night.

As Data Detection and Response provider Cyberhaven explains,

“Data sitting on a file server, or in a Google Drive folder, or in a Snowflake database untouched for months or even years doesn’t have much insider risk until an employee does something with it… When an employee accesses that data on the file server, tries to share the Google Drive folder, or exports data from Snowflake, that’s when the risk to data increases. Data Detection and Response relies on real-time monitoring, detection of risks, and response to better protect data.”

Spotting Data Fouls in Real-Time

Knowing where exactly your data is getting off to is advantageous for several reasons, but perhaps none so important as being able to spot threats to your data in real-time. If SOCs receive an alert that an employee is trying to send confidential merger documents to their personal email, teams will be made aware of the attempt as it is happening, giving them a chance to respond.

Notifying a SOC that a sensitive repository has been breached is important, but it is not as important as letting them know when any data has left that repository. Conversely, an employee may send sensitive financial data to their personal cloud repository without ever having breached a protected system to get it – perhaps they are in finance and have legitimate access to the database.

Being able to spot real-time data fouls is a key advantage that DDR brings to the table, and the fact that these errors are being caught right at the cusp of an obviously illicit activity is itself a vetting system that prevents false positives.

In today’s data-centric world, it is becoming necessary to keep closer and closer tabs on our information. With the risk of insider threats high – Verizon estimates nearly one in five breaches originate from the inside – and the threat of ever more subtle external tactics, it is more important than ever to not look at only boxes and buckets but the data itself – and most importantly, what people are doing with it.

Speaking of zero trust, Dave Lewis, the global advisory CISO for Duo Security, offered some words of advice that could sum up the rationale of DDR in a soundbite: “Don’t trust something simply because it’s inside your firewall — there’s no reason for that.” Or, inside any of your access-controlled spaces, we might add. Instead, he suggests, “Assume everything’s on fire.” And more often than you want to, you’ll be right.

However, DDR is one of the only tools on the market that can track the fire at its impetus, and that’s wherever data made its first wrong step.

About the Author Katrina Thompson: An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.


Finnish police linked APT31 to the 2021 parliament attack

27 March 2024 at 06:35

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to the China-linked group APT31.

The Finnish Police attributed the March 2021 attack on the parliament to the China-linked group APT31. The Finnish authorities investigated multiple offenses, including aggravated espionage, aggravated unlawful access to an information system, and aggravated violation of the secrecy of communications.

According to the police, the offences were committed between autumn 2020 and early 2021. The police immediately suspected the involvement of the China-linked cyberespionage group APT31 and now confirmed the attribution. The police announced that they had also identified one suspect.

The multi-year investigation revealed a complex criminal infrastructure used by the nation-state actors, explained the Head of Investigation, Detective Chief Inspector Aku Limnéll of the National Bureau of Investigation.

“The police have previously informed that they investigate the hacking group APT31’s connections with the incident. These connections have now been confirmed by the investigation, and the police have also identified one suspect.” reads the press release published by the Finnish Police.

The investigation relied on international information exchange: the National Bureau of Investigation collaborated with international entities and the Finnish Security and Intelligence Service.

This week, the US government announced sanctions against a pair of Chinese hackers (Zhao Guangzong and Ni Gaobin), alleged members of the China-linked APT31 group, who are responsible for “malicious cyber operations targeting U.S. entities that operate within U.S. critical infrastructure sectors.”

The U.S. Treasury Department has sanctioned a tech company based in Wuhan, the Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), used by the Chinese Ministry of State Security (MSS) as a front in attacks against organizations in the U.S. critical infrastructure sector.

UK, Australia and New Zealand are also accusing China-linked APT31 of cyber operations against UK institutions and parliamentarians.



TheMoon bot infected 40,000 devices in January and February

26 March 2024 at 21:19

A new variant of TheMoon malware infected thousands of outdated small office and home office (SOHO) routers and IoT devices worldwide.

The Black Lotus Labs team at Lumen Technologies uncovered an updated version of the “TheMoon” bot targeting end-of-life (EoL) small office/home office (SOHO) routers and IoT devices. The new version of the bot has been spotted infecting thousands of outdated devices in 88 countries.

TheMoon botnet activity was first spotted in 2014, and since 2017 its operators have added at least six IoT device exploits to the bot’s code. The botnet has targeted broadband modems and routers from several vendors, including Linksys, ASUS, MikroTik, D-Link, and GPON routers.

In May 2018, researchers from security firm Qihoo 360 Netlab reported that the cybercriminals targeting Dasan GPON routers were using another new zero-day flaw affecting the same routers to recruit them into their botnet.

In February 2019, CenturyLink Threat Research Labs collected evidence that the botnet’s operator had sold it as a proxy service to other cybercrime gangs, who were using it for credential brute forcing, video advertisement fraud, general traffic obfuscation and more.

The TheMoon variant discovered by the Black Lotus Labs team was observed on over 40,000 bots in 88 countries in January and February 2024.

Most of the bots are associated with the activity of a notorious, cybercriminal-focused proxy service, known as Faceless.


According to the experts, the botnet TheMoon is enabling the growth of the Faceless service at a rate of nearly 7,000 new users per week.

“Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours.” reads the report published by Black Lotus Labs. “Faceless is an ideal choice for cyber-criminals seeking anonymity, our telemetry indicates this network has been used by operators of botnets such as SolarMarker and IcedID.”

The infection chain starts with a lightweight loader file. It first scans for the existence of “/bin/bash,” “/bin/ash,” or “/bin/sh.” If none of these shells is detected, the loader halts its execution. If any of them is present, it proceeds to decrypt, drop, and execute the next-stage payload, “.nttpd.”

Afterward, the payload checks for the file “.nttpd.pid.” If the file doesn’t exist, it creates it and records the process’s PID along with the fixed version 26. If “.nttpd.pid” already exists, it opens the file. If the recorded version is more recent than 26, it terminates all processes named “.nttpd.pid.”

Then the binary sets up iptables rules that drop incoming TCP traffic on ports 8080 and 80 while accepting traffic from specific addresses.

Once the rules have been created, a thread connects to an NTP server from a roster of legitimate NTP servers. The researchers believe that the malware contacts the NTP server to verify the infected device’s internet connection and confirm it is not operating within a sandbox environment.

Then the bot connects to a C2 server by cycling through a set of hardcoded IP addresses and awaits instructions from the C2.

“The C2 may respond with a packet that gives a specific filename and a location from which it can be retrieved. The infected device then requests and downloads the corresponding ELF executable.” continues the report. “Thus far we have identified two subsequent modules, one appears to be a worm while the other file is named “.sox,” which is used to proxy traffic from the bot to the internet on behalf of a user.”
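As an added defender-side example (not code from the Black Lotus Labs report), the script below checks a router for two host-level traces the infection chain above leaves behind: the `.nttpd` / `.nttpd.pid` stage files, and INPUT rules that drop unsolicited TCP on ports 80 and 8080 while allow-listing specific source addresses. The `iptables -S INPUT` rule syntax, the directory listing and the addresses are constructed for the example; the report does not give the exact rule text, so the pattern match is an assumption.

```python
import re

# Constructed sample output in `iptables -S INPUT` format, modelled on the
# behaviour described in the article: allow a few specific sources, then drop
# everyone else on TCP 8080 and 80. The addresses are documentation ranges.
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 203.0.113.9/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed listing of a writable directory on the router (e.g. /tmp);
# the real drop location is an assumption, the filenames come from the report.
SAMPLE_FILES = [".nttpd", ".nttpd.pid", "dhcp.leases"]

# Matches "-A INPUT [-s SRC] -p tcp -m tcp --dport PORT -j ACCEPT|DROP"
RULE_RE = re.compile(
    r"^-A INPUT(?: -s (?P<src>\S+))? -p tcp -m tcp --dport (?P<port>\d+)"
    r" -j (?P<target>ACCEPT|DROP)$"
)
SUSPECT_PORTS = {80, 8080}          # ports the bot fences off
SUSPECT_FILES = {".nttpd", ".nttpd.pid"}


def parse_input_rules(text):
    """Parse iptables -S output into (source, port, target) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m["src"], int(m["port"]), m["target"]))
    return rules


def find_port_blocking_pattern(rules):
    """Return suspect ports that are DROPped for all sources but ACCEPTed
    from at least one specific source, i.e. the allow-list-then-drop shape."""
    dropped = {p for s, p, t in rules if t == "DROP" and s is None and p in SUSPECT_PORTS}
    allowlisted = {p for s, p, t in rules if t == "ACCEPT" and s is not None}
    return sorted(dropped & allowlisted)


def check_host(iptables_text, files):
    """Combine both indicators into a list of human-readable findings."""
    findings = []
    ports = find_port_blocking_pattern(parse_input_rules(iptables_text))
    if ports:
        findings.append(
            f"iptables: unsolicited TCP dropped on {ports} with source-specific ACCEPT rules"
        )
    present = sorted(SUSPECT_FILES & set(files))
    if present:
        findings.append(f"filesystem: TheMoon stage artifacts present: {present}")
    return findings


if __name__ == "__main__":
    for finding in check_host(SAMPLE_IPTABLES, SAMPLE_FILES):
        print(finding)
```

On a live device the inputs would come from `iptables -S INPUT` and a listing of the writable directories; neither indicator alone is conclusive, so treat a hit as a trigger for pulling the binary for analysis rather than as a verdict.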

The report includes Indicators of Compromise (IoCs) associated with this campaign. 


UK, New Zealand against China-linked cyber operations

26 March 2024 at 12:46

UK, Australia and New Zealand are accusing China-linked threat actors of cyber operations against UK institutions and parliamentarians.

GCHQ’s National Cyber Security Centre believes that China-linked cyberespionage group APT31 was responsible for cyber attacks against UK parliamentarians’ emails in 2021.

The UK intelligence believes that China-linked threat actors also compromised the UK Electoral Commission’s systems in a separate campaign.

“The UK government has called out China state-affiliated actors today (Monday) for carrying out malicious cyber activity targeting UK institutions and individuals important to our democracy.

The National Cyber Security Centre – a part of GCHQ – assesses that the China state-affiliated cyber actor APT31 was almost certainly responsible for conducting online reconnaissance activity in 2021 against the email accounts of UK parliamentarians, most of whom have been prominent in calling out the malign activity of China.” reads the press release published by the NCSC.

“Separately, the compromise of computer systems at the UK Electoral Commission between 2021 and 2022 has also been attributed to a China state-affiliated actor.”

The NCSC has assessed that threat actors likely accessed and stole email data and other information from the Electoral Register. The UK intelligence warns that combining the compromised data with other datasets, Chinese intelligence services can obtain precious source information for various malicious activities, including espionage and suppressing dissidents and critics in the UK. To enhance the UK’s cyber resilience, the NCSC has issued updated guidance in its Defending Democracy series, offering advice to political organizations and election coordinators on how to minimize the risk of cyber attacks.

“The malicious activities we have exposed today are indicative of a wider pattern of unacceptable behaviour we are seeing from China state-affiliated actors against the UK and around the world.”

“The targeting of our democratic system is unacceptable and the NCSC will continue to call out cyber actors who pose a threat to the institutions and values that underpin our society.” said Paul Chichester, NCSC Director of Operations.

“It is vital that organisations and individuals involved in our democratic processes defend themselves in cyberspace and I urge them to follow and implement the NCSC’s advice to stay safe online.”

Australia and New Zealand condemned China for cyber operations against UK institutions and Members of the UK Parliament.

“New Zealand stands with the United Kingdom in its condemnation of People’s Republic of China (PRC) state-backed malicious cyber activity impacting its Electoral Commission and targeting Members of the UK Parliament. The use of cyber-enabled espionage operations to interfere with democratic institutions and processes anywhere is unacceptable,” Minister Responsible for the Government Communications Security Bureau (GCSB) Judith Collins says.

The GCSB also collected evidence that links China-linked threat actors to malicious cyber activity targeting Parliamentary entities in New Zealand.

“The GCSB’s National Cyber Security Centre (NCSC) completed a robust technical assessment following a compromise of the Parliamentary Counsel Office and the Parliamentary Service in 2021, and has attributed this activity to a PRC state-sponsored group known as APT40,” Ms Collins says.

“Fortunately, in this instance, the NCSC worked with the impacted organisations to contain the activity and remove the actor shortly after they were able to access the network.”

The Australian Government also expressed concern about the malicious activities carried out by China-linked threat actors.

“The Australian Government joins the United Kingdom and other international partners in expressing serious concerns about malicious cyber activities by China state-backed actors targeting UK democratic institutions and parliamentarians.” reads a statement published by the Australian Foreign Minister.

“The persistent targeting of democratic institutions and processes has implications for democratic and open societies like Australia. This behaviour is unacceptable and must stop.”

On Monday, the US government announced sanctions against a pair of Chinese hackers (Zhao Guangzong and Ni Gaobin), alleged members of the China-linked APT31 group, who are responsible for “malicious cyber operations targeting U.S. entities that operate within U.S. critical infrastructure sectors.”

The U.S. Treasury Department has sanctioned a tech company based in Wuhan, the Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), used by the Chinese Ministry of State Security (MSS) as a front in attacks against organizations in the U.S. critical infrastructure sector.


US Treasury Dep announced sanctions against members of China-linked APT31

26 March 2024 at 09:40

The US Treasury Department announced sanctions on two APT31 Chinese hackers linked to attacks against organizations in the US critical infrastructure sector.

The US government announced sanctions against a pair of Chinese hackers (Zhao Guangzong and Ni Gaobin), alleged members of the China-linked APT31 group, who are responsible for “malicious cyber operations targeting U.S. entities that operate within U.S. critical infrastructure sectors.”

The U.S. Treasury Department has sanctioned a tech company based in Wuhan, the Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), used by the Chinese Ministry of State Security (MSS) as a front in attacks against organizations in the U.S. critical infrastructure sector.

“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a Wuhan, China-based Ministry of State Security (MSS) front company that has served as cover for multiple malicious cyber operations. OFAC is also designating Zhao Guangzong and Ni Gaobin, two Chinese nationals affiliated with Wuhan XRZ, for their roles in malicious cyber operations targeting U.S. entities that operate within U.S. critical infrastructure sectors, directly endangering U.S. national security.” reads the press release published by the U.S. Treasury Department. “This action is part of a collaborative effort with the U.S. Department of Justice, Federal Bureau of Investigation (FBI), Department of State, and the United Kingdom Foreign, Commonwealth & Development Office (FCDO).”

The U.S. Treasury Department states that China-linked APT groups continue to be one of the greatest and most persistent threats to U.S. national security.

The US Department of Justice unsealed an indictment against 7 Chinese nationals, including the two members of the APT31 group.

The indictment charged seven Chinese nationals with conspiracy to commit computer intrusions and conspiracy to commit wire fraud for their involvement in the APT31 China-based hacking group.

For around 14 years, the group has targeted critics, businesses, and political officials in the United States and abroad as part of China’s economic espionage and foreign intelligence goals.

The defendants are Ni Gaobin (倪高彬), 38; Weng Ming (翁明), 37; Cheng Feng (程锋), 34; Peng Yaowen (彭耀文), 38; Sun Xiaohui (孙小辉), 38; Xiong Wang (熊旺), 35; and Zhao Guangzong (赵光宗), 38. All are believed to reside in the PRC.

The China-linked cyberespionage group APT31 (aka Zirconium, Judgment Panda, and Red Keres) has been involved in multiple cyber espionage operations. It made the headlines in 2022 after the Check Point Research team discovered that the group used a tool dubbed Jian, a clone of the NSA Equation Group’s “EpMe” hacking tool, years before it was leaked online by the Shadow Brokers.

In July 2021, the French national cyber-security agency ANSSI warned of ongoing attacks against a large number of French organizations conducted by the China-linked APT31 cyberespionage group. The state-sponsored hackers were hijacking home routers to set up a proxy mesh of compromised devices to conceal their attack infrastructure.

The cyberespionage group targeted entities in the EU, the United States, and Canada in previous campaigns. In August 2021, the APT31 group employed a new strain of malware in attacks aimed at entities in Mongolia, Belarus, Canada, the US, and Russia.

“The APT31 Group was part of a cyberespionage program run by the MSS’s Hubei State Security Department, located in the city of Wuhan. Through their involvement with the APT31 Group, since at least 2010, the defendants conducted global campaigns of computer hacking targeting political dissidents and perceived supporters located inside and outside of China, government and political officials, candidates, and campaign personnel in the United States and elsewhere and American companies.” reads the press release published by DoJ. “The defendants and others in the APT31 Group targeted thousands of U.S. and foreign individuals and companies. Some of this activity resulted in successful compromises of the targets’ networks, email accounts, cloud storage accounts, and telephone call records, with some surveillance of compromised email accounts lasting many years.”


Pierluigi Paganini

(SecurityAffairs – hacking, APT31)

CISA adds FortiClient EMS, Ivanti EPM CSA, Nice Linear eMerge E3-Series bugs to its Known Exploited Vulnerabilities catalog

25 March 2024 at 20:52

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds FortiClient EMS, Ivanti EPM CSA, Nice Linear eMerge E3-Series bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

  • CVE-2023-48788 Fortinet FortiClient EMS SQL Injection Vulnerability
  • CVE-2021-44529 Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
  • CVE-2019-7256 Nice Linear eMerge E3-Series OS Command Injection Vulnerability

CVE-2023-48788 (CVSS score 9.3) is a critical pervasive SQL injection issue that resides in the DAS component.

“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.” reads the advisory.

Thiago Santana from the FortiClient EMS development team and the UK NCSC reported the issue to the security vendor.

Last week security researchers at Horizon3 released a proof-of-concept (PoC) exploit for a critical vulnerability, tracked as CVE-2023-48788 (CVSS score 9.3), in Fortinet’s FortiClient Enterprise Management Server (EMS) software. The vulnerability is now actively exploited in attacks in the wild.

The initial advisory reported that Fortinet was not aware of attacks in the wild exploiting this vulnerability.

However, the company has updated the advisory confirming that “this vulnerability is exploited in the wild.”

Horizon3’s Attack Team published a technical analysis of this vulnerability and the PoC exploit. The researchers demonstrated how to turn this SQL injection issue into remote code execution using the built-in xp_cmdshell functionality of Microsoft SQL Server.

The researchers explained that the database was not configured to run the xp_cmdshell command; however, it was possible to enable it using a few other SQL statements.

“The POC we are releasing only confirms the vulnerability by using a simple SQL injection without xp_cmdshell. To enable RCE, altering the POC is necessary.” reads the analysis published by Horizon3.

“There are various log files in C:\Program Files (x86)\Fortinet\FortiClientEMS\logs that can be examined for connections from unrecognized clients or other malicious activity. The MS SQL logs can also be examined for evidence of xp_cmdshell being utilized to obtain command execution.”
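As an added example (not Horizon3’s or Fortinet’s code) of the log review described above, this scans SQL Server ERRORLOG-style lines for the xp_cmdshell configuration change and records whether the same session first enabled ‘show advanced options’, the prerequisite for enabling it; the log lines are constructed, the message layout is assumed to follow the ERRORLOG format, and the database name is a placeholder.

```python
import re
from datetime import datetime, timedelta

# Constructed lines in the SQL Server ERRORLOG layout (timestamp, spid, message);
# the spid 55 pair models enabling the prerequisite option and then xp_cmdshell.
SAMPLE_ERRORLOG = """\
2024-03-25 10:02:11.41 spid12       Starting up database 'FCM_placeholder'.
2024-03-25 10:15:03.02 spid55       Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-25 10:15:03.09 spid55       Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-25 11:40:27.77 spid61       Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2024-03-25 11:41:00.10 spid61       Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+spid(?P<spid>\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


def parse_config_changes(log_text):
    """Extract every 'Configuration option ... changed' event as a dict."""
    events = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "spid": int(m.group("spid")),
            "option": m.group("option"),
            "old": int(m.group("old")),
            "new": int(m.group("new")),
        })
    return events


def find_xp_cmdshell_enablement(log_text, window=timedelta(minutes=5)):
    """One finding per xp_cmdshell 0->1 change. Each finding records whether the
    same session flipped 'show advanced options' within `window` beforehand: that
    is the prerequisite for enabling xp_cmdshell and a sign of a scripted
    enable-and-run sequence rather than an administrator's one-off change."""
    events = parse_config_changes(log_text)
    findings = []
    for i, ev in enumerate(events):
        if ev["option"] != "xp_cmdshell" or ev["new"] != 1:
            continue
        prepared = any(
            p["spid"] == ev["spid"]
            and p["option"] == "show advanced options"
            and p["new"] == 1
            and timedelta(0) <= ev["ts"] - p["ts"] <= window
            for p in events[:i]
        )
        findings.append({"spid": ev["spid"], "ts": ev["ts"], "advanced_options_first": prepared})
    return findings


if __name__ == "__main__":
    for f in find_xp_cmdshell_enablement(SAMPLE_ERRORLOG):
        print(f"spid {f['spid']} enabled xp_cmdshell at {f['ts']} "
              f"(show advanced options first: {f['advanced_options_first']})")
```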

The second vulnerability added to the Known Exploited Vulnerabilities catalog is CVE-2021-44529. The issue is a code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA); an unauthenticated user can exploit the flaw to execute arbitrary code with limited permissions (nobody).

The third issue added to the catalog by CISA is a Command Injection flaw in Linear eMerge E3-Series devices.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by April 15, 2024.


Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)

Iran-Linked APT TA450 embeds malicious links in PDF attachments

25 March 2024 at 13:59

In recent campaigns, Iran-linked APT group MuddyWater used a legitimate Remote Monitoring and Management (RMM) solution called Atera.

Proofpoint researchers observed that the Iran-linked APT group MuddyWater (aka SeedWorm, TEMP.Zagros, TA450, and Static Kitten) was behind a new phishing campaign in March 2024 that attempted to drop a legitimate Remote Monitoring and Management (RMM) solution called Atera on the target systems.

The campaign targeted Israeli employees of large multinational organizations with a pay-related social engineering lure.

The phishing campaign started on March 7 and continued through the week of March 11, 2024. The TA450 group sent spear-phishing messages with PDF attachments containing malicious links.

The threat actors sent multiple phishing emails with PDF attachments with slightly different embedded links to the same recipients.

The links employed in the campaign were related to several file-sharing sites, including Egnyte, Onehub, Sync and TeraBox. Some of the messages were also sent using a likely compromised .IL sender account.


Upon clicking on the link included in the PDF, a ZIP archive containing a compressed MSI is served to the recipient.

The installer would install the remote administration software named AteraAgent, which was used by the TA450 APT in other campaigns.

Proofpoint attributes this campaign to TA450 based on the observation of tactics, techniques, and procedures associated with the cyberespionage group, campaign targeting, and malware employed in the attack.

“This activity is notable for several reasons, including that it marks a turn in TA450’s tactics. While this campaign is not the first observed instance of TA450 using attachments with malicious links as part of the threat actor’s attack chain, it is the first time Proofpoint researchers have observed TA450 attempt to deliver a malicious URL in a PDF attachment rather than directly linking the file in an email.” reads the report published by Proofpoint. “Additionally, this campaign is the first time Proofpoint has observed TA450 using a sender email account that matches the lure content. For example, this campaign used an email account of salary[@]<compromisedorg>co[.]il, which is in alignment with the various pay-themed subject lines.”

The report includes Indicators of compromise (IOCs) for this campaign.

The first MuddyWater campaign was observed in late 2017, when the APT group targeted entities in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing a wave of attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States. The group evolved over the years by adding new attack techniques to its arsenal, and it has also targeted European and North American nations.

The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors.

In January 2022, US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).


Pierluigi Paganini

(SecurityAffairs – hacking, TA450)

StrelaStealer targeted over 100 organizations across the EU and US

25 March 2024 at 09:46

Researchers reported that over 100 organizations in Europe and the US were targeted by a wave of large-scale StrelaStealer campaigns.

Palo Alto Networks’ Unit42 spotted a wave of large-scale StrelaStealer campaigns impacting over 100 organizations across the EU and US.

The threat actors sent out spam emails with attachments that eventually launched the StrelaStealer malware.

The malware StrelaStealer is an email credential stealer that DCSO_CyTec first documented in November 2022. The most recent StrelaStealer variant is delivered through a zipped JScript and it employs an updated obfuscation technique in the DLL payload.

Since the discovery of StrelaStealer, threat actors launched numerous massive campaigns. WildFire researchers reported a massive campaign that occurred in November 2023 and targeted organizations in the U.S. and EU.

Unit 42 researchers observed another large-scale campaign that peaked on January 29, 2024; the threat actors used localized spam emails whose subject lines follow the pattern Factura/Rechnung/invoice####. The campaign targeted organizations in many sectors, including the high-tech, finance, legal services and manufacturing industries.

The infection chain is continuously updated; the current StrelaStealer version is distributed via spear-phishing emails containing a ZIP file attachment. Upon downloading and opening the archive, a JScript file is dropped onto the system.

“The JScript file then drops a Base64-encrypted file and a batch file. The Base64-encrypted file is decoded with the certutil -f decode command, resulting in the creation of a Portable Executable (PE) DLL file.” reads the report published by Palo Alto Networks. “Depending on the user’s privileges, the file drops into either %appdata%\temp or c:\temp on the local disk. The DLL file is then executed through the exported function hello using rundll32.exe.”
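The following added example (not Unit 42’s code) turns the infection chain above into a detection rule over constructed process-creation events: it pairs a certutil decode with a later rundll32 launch of the same DLL, flags the exported function ‘hello’, and checks whether the chain descends from a script host; the file paths, pids and command lines are constructed sample values.

```python
import re

# Constructed process-creation events (Sysmon-style fields), not real telemetry.
# Events 2-5 model the chain Unit 42 describes: JScript -> batch -> certutil decode -> rundll32 hello.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 612, "cmdline": r"svchost.exe -k netsvcs"},
    {"pid": 5880, "ppid": 2300, "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Rechnung_4471.js"'},
    {"pid": 5902, "ppid": 5880, "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\temp\run.bat"'},
    {"pid": 5917, "ppid": 5902, "cmdline": r"certutil -f -decode C:\Users\alice\AppData\Roaming\temp\data.txt C:\Users\alice\AppData\Roaming\temp\payload.dll"},
    {"pid": 5931, "ppid": 5902, "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\temp\payload.dll,hello"},
    {"pid": 6001, "ppid": 2300, "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# certutil [-f] -decode <in> <out>; the report quotes it as "-f decode", so the dash is optional.
CERTUTIL_DECODE_RE = re.compile(
    r"\bcertutil(?:\.exe)?\s+(?:-f\s+)?-?decode\s+(?:-f\s+)?(\S+)\s+(\S+)", re.I
)
# rundll32 <dll>,<export>
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def script_host_ancestor(ev, by_pid, max_depth=8):
    """Walk parent pids and report whether wscript/cscript appears above this event."""
    cur = ev
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return False
        if cur["cmdline"].lower().startswith(SCRIPT_HOSTS):
            return True
    return False


def find_strela_chain(events):
    """Flag rundll32 launches whose DLL was just materialised by certutil -decode,
    or whose export is 'hello'; also note when the chain descends from a script host.
    Each reason is reported separately so a single weak signal can be tuned out."""
    by_pid = {ev["pid"]: ev for ev in events}
    decoded = {}  # lowercase output path -> certutil event that wrote it
    findings = []
    for ev in events:
        m = CERTUTIL_DECODE_RE.search(ev["cmdline"])
        if m:
            decoded[m.group(2).lower()] = ev
            continue
        m = RUNDLL_RE.search(ev["cmdline"])
        if not m:
            continue
        dll, export = m.group(1).lower(), m.group(2)
        reasons = []
        if export.lower() == "hello":
            reasons.append("export 'hello'")
        if dll in decoded:
            reasons.append(f"DLL written by certutil -decode (pid {decoded[dll]['pid']})")
        if script_host_ancestor(ev, by_pid):
            reasons.append("descends from a script host")
        if reasons:
            findings.append({"pid": ev["pid"], "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_strela_chain(SAMPLE_EVENTS):
        print(f"pid {f['pid']} loaded {f['dll']}: " + "; ".join(f["reasons"]))
```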

StrelaStealer infection chain

The latest StrelaStealer variant uses a packer that employs a control flow obfuscation technique to render analysis more difficult.

The authors also remove PDB strings to evade detection based on static signatures.

“StrelaStealer malware is an active email credential stealer that is always evolving. With each new wave of email campaigns, threat actors update both the email attachment, which initiates the infection chain, and the DLL payload itself. Attackers do this to evade detection by security vendors.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)

GoFetch side-channel attack against Apple systems allows secret keys extraction

25 March 2024 at 08:23

Researchers demonstrated a new side-channel attack, named GoFetch, against Apple CPUs that could allow an attacker to obtain secret keys.

A team of researchers from several US universities demonstrated a new microarchitectural side-channel attack named GoFetch that could allow attackers to extract secret keys from systems using Apple CPUs.

GoFetch side-channel attack can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers (DMPs).

Data memory-dependent prefetchers (DMPs) are a type of hardware optimization technique used in modern processors to improve performance.

DMPs are present in many Apple CPUs; the researchers demonstrated how to extract keys from OpenSSL Diffie-Hellman, Go RSA, as well as CRYSTALS-Kyber and CRYSTALS-Dilithium.

The researchers reverse-engineered the DMPs on Apple M-series CPUs and discovered that the DMP activates and attempts to dereference data loaded from memory that resembles a pointer.

“This explicitly violates a requirement of the constant-time programming paradigm, which forbids mixing data and memory access patterns.” reads the report published by the researchers. “To exploit the DMP, we craft chosen inputs to cryptographic operations, in a way where pointer-like values only appear if we have correctly guessed some bits of the secret key. We verify these guesses by monitoring whether the DMP performs a dereference through cache-timing analysis. Once we make a correct guess, we proceed to guess the next batch of key bits. Using this approach, we show end-to-end key extraction attacks on popular constant-time implementations of classical (OpenSSL Diffie-Hellman Key Exchange, Go RSA decryption) and post-quantum cryptography (CRYSTALS-Kyber and CRYSTALS-Dilithium).”

The researchers demonstrated the GoFetch attacks on Apple systems using M1 processors; however, they believe that systems based on M2 and M3 CPUs are also vulnerable.

The first attack targeting the Apple M-series DMP was Augury, disclosed in 2022. GoFetch builds on Augury but is significantly more aggressive.

“Specifically, we find that any value loaded from memory is a candidate for being dereferenced (literally!). This allows us to sidestep many of Augury’s limitations and demonstrate end-to-end attacks on real constant-time code.” the experts continue.

The researchers explained that the DMP can be disabled only on some processors. On M3 CPUs, it is possible to disable the DMP by setting the DIT bit.

The researchers plan to release a proof-of-concept (PoC) exploit soon; they also confirmed that they disclosed their findings to Apple on December 5, 2023.

“For users, we recommend using the latest versions of software, as well as performing updates regularly. Developers of cryptographic libraries can either set the DOIT bit and DIT bit bits, which disable the DMP on some CPUs.” said the researchers. “Additionally, input blinding can help some cryptographic schemes avoid having attacker-controlled intermediate values, avoiding key-dependent DMP activation. Finally, preventing attackers from measuring DMP activation in the first place, for example by avoiding hardware sharing, can further enhance the security of cryptographic protocols.”
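To show the input-blinding mitigation the researchers mention, here is an added example (not the GoFetch authors’ code or any library’s implementation) of RSA decryption with and without blinding on a constructed toy key; the primes are well-known six-digit primes chosen for illustration only.

```python
import math
import secrets

# Constructed toy RSA key: two well-known six-digit primes, far too small for real use
# but enough to show the arithmetic. e = 65537 as in practice.
P, Q = 999983, 1000003
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_encrypt(m, e=E, n=N):
    return pow(m, e, n)


def rsa_decrypt_plain(c, d=D, n=N):
    """Unblinded decryption: the private-key exponentiation runs directly over c,
    so every intermediate value is a function of the attacker-chosen ciphertext
    and the secret d. That dependency is what GoFetch's chosen inputs exploit."""
    return pow(c, d, n)


def pick_blinding_factor(n):
    """Fresh random r in [2, n-1] that is invertible mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def rsa_decrypt_blinded(c, d=D, e=E, n=N, r=None):
    """Blinded decryption. Multiplying c by r^e before exponentiating means the value
    the private-key operation actually walks over is c * r^e mod n, which the attacker
    cannot predict, so they cannot plant pointer-like intermediates. r is removed at
    the end because (c * r^e)^d = m * r (mod n). Returns (plaintext, blinded
    ciphertext) so the intermediate the exponentiation saw can be inspected."""
    if r is None:
        r = pick_blinding_factor(n)
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)       # equals m * r mod n
    m = (m_blind * pow(r, -1, n)) % n  # strip the blinding factor
    return m, c_blind


if __name__ == "__main__":
    msg = 123456789
    c = rsa_encrypt(msg)
    m, c_blind = rsa_decrypt_blinded(c)
    print(f"value walked by the exponentiation: {c_blind} (attacker chose {c})")
    print("recovered plaintext matches:", m == msg)
```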

The experts published a paper with the details of their study; they also published a video PoC for the attack.


Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

Security Affairs newsletter Round 464 by Pierluigi Paganini – INTERNATIONAL EDITION

24 March 2024 at 15:57

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Russia-linked APT29 targeted German political parties with WINELOADER backdoor
Mozilla fixed Firefox zero-days exploited at Pwn2Own Vancouver 2024
Large-scale Sign1 malware campaign already infected 39,000+ WordPress sites
German police seized the darknet marketplace Nemesis Market
Unsaflok flaws allow to open millions of doors using Dormakaba Saflok electronic locks
Pwn2Own Vancouver 2024: participants earned $1,132,500 for 29 unique 0-days
Critical Fortinet’s FortiClient EMS flaw actively exploited in the wild
Pwn2Own Vancouver 2024 Day 1 – team Synacktiv hacked a Tesla
Ivanti urges customers to fix critical RCE flaw in Standalone Sentry solution
New Loop DoS attack may target 300,000 vulnerable hosts
Critical flaw in Atlassian Bamboo Data Center and Server must be fixed immediately
Threat actors actively exploit JetBrains TeamCity flaws to deliver malware
BunnyLoader 3.0 surfaces in the threat landscape
Pokemon Company resets some users’ passwords
Ukraine cyber police arrested crooks selling 100 million compromised accounts
New AcidPour wiper targets Linux x86 devices. Is it a Russia’s weapon?
Players hacked during the matches of Apex Legends Global Series. Tournament suspended
Earth Krahang APT breached tens of government organizations worldwide
PoC exploit for critical RCE flaw in Fortra FileCatalyst transfer tool released
Fujitsu suffered a malware attack and probably a data breach
Remove WordPress miniOrange plugins, a critical flaw can allow site takeover
The Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats
Email accounts of the International Monetary Fund compromised
Threat actors leaked 70,000,000+ records allegedly stolen from AT&T
“gitgub” malware campaign targets Github users with RisePro info-stealer

Cybercrime

The Aviation And Aerospace Sectors Face Skyrocketing Cyber Threats

Accounts of Internet users were appropriated: cyber police of the Kharkiv region exposed members of a criminal group

AI adoption by hackers pushed financial scams in 2023

Illegal darknet marketplace “Nemesis Market” shut down

Malware

RisePro stealer targets Github users in “gitgub” campaign

Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled

Sign1 Malware: Analysis, Campaign History & Indicators of Compromise

APT29 Uses WINELOADER to Target German Political Parties

Hacking

Red Teaming: A Proactive Approach to AI Safety

IMF Investigates Cyber-Security Incident

Critical Vulnerability Remains Unpatched in Two Permanently Closed MiniOrange WordPress Plugins – $1,250 Bounty Awarded

CVE-2024-25153: Remote Code Execution in Fortra FileCatalyst

Esports league postponed after players hacked midgame

New Attack Shows Risks of Browsers Giving Websites Access to GPU

Identity Providers for RedTeamers

Pokemon resets some users passwords after hacking attempts

TeamCity Vulnerability Exploits Lead to Jasmin Ransomware, Other Malware Types

Loop DoS: New Denial-of-Service Attack targets Application-Layer Protocols

CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive

PWN2OWN VANCOUVER 2024 – DAY TWO RESULTS

Unsaflok

Intelligence and Information Warfare

Brussels’ spy problem is the tip of the iceberg, says Belgian justice minister

Russia says cyberattacks had no impact on presidential election

Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks

The CNI warns about growing security threats in Spain: Russian espionage and cybercrimes, at the forefront

Gen Z Spies: Are Gamers a Bigger Threat Than Foreign Operatives?

Cybersecurity

US holds conference on military AI use with dozens of allies to determine ‘responsible’ use

DFSA’s Cyber Risk Management Guidelines: A Blueprint for Cyber Resilience?

From Deepfakes to Malware: AI’s Expanding Role in Cyber Attacks

Preparing Society for AI-Driven Disinformation in the 2024 Election Cycle

House Passes Bill Barring Sale of Personal Information to Foreign Adversaries

If SpaceX’s Secret Constellation Is What We Think It Is, It’s Game Changing (Updated)

Meta’s AI Watermarking Plan Is Flimsy, at Best – Watermarks are too easy to remove to offer any protection against disinformation

Insider threats are AI developers next hurdle

Investors’ pledge to fight spyware undercut by past investments in US malware maker

Here’s the U.S. Government’s Antitrust Case Against Apple


Pierluigi Paganini

(SecurityAffairs – hacking, Ramadan)

Cybercriminals Accelerate Online Scams During Ramadan and Eid Fitr

24 March 2024 at 10:37

During the month of Ramadan, Resecurity observed a significant increase in fraudulent activities and scams.

During the month of Ramadan, Resecurity observed a significant increase in fraudulent activities and scams, coinciding with a surge in retail and online transactions. Middle Eastern enterprises, facing this heightened risk, are urged to bolster consumer protection and reinforce their brand security.

Notably, in the Kingdom of Saudi Arabia (KSA), consumer spending topped regional charts, exceeding $16 billion. This spike in e-commerce activity has, unfortunately, drawn the attention of cybercriminals who exploit these platforms to execute scams, leading to substantial financial repercussions for both consumers and businesses. The estimated total financial impact of these activities ranges between $70 and $100 million, accounting for frauds perpetrated against expatriates, residents, and foreign visitors.

Due to continued efforts in brand protection for many clients in the Middle East, Resecurity has effectively blocked over 320 fraudulent resources that were impersonating key logistics providers and e-government services. Cybercriminals are aggressively exploiting platforms such as Sadad, Musaned, Ajeer, Ejar, and well-known logistics services to deceive internet users and draw them into different scams. It is strongly advised to refrain from sharing personal and payment information on questionable sites or with individuals posing as bank or government employees.

The malicious actors utilize cloud-based hosting services like Softr, Netlify, and Vercel, which offer pre-defined templates, to create websites using AI. This method allows them to scale their operations efficiently, saving time and effort while rapidly generating new fraudulent sites at an unprecedented rate.

The full report published by Resecurity is available here:

https://www.resecurity.com/blog/article/cybercriminals-accelerate-online-scams-during-ramadan-and-eid-fitr


Pierluigi Paganini

(SecurityAffairs – hacking, Ramadan)

Russia-linked APT29 targeted German political parties with WINELOADER backdoor

23 March 2024 at 18:21

Russia-linked threat actors employ the WINELOADER backdoor in recent attacks targeting German political parties.

In late February, Mandiant researchers spotted the Russia-linked group APT29 using a new variant of the WINELOADER backdoor to target German political parties with a CDU-themed lure.

This is the first time Mandiant observed the APT29 subcluster targeting political parties, suggesting an emerging interest beyond the typical targeting of diplomatic missions.

Targeted entities received phishing emails disguised as invitations to a dinner reception on March 1, featuring the logo of the German political party Christian Democratic Union (CDU). The phishing emails, written in German, included a link that led to a malicious ZIP file hosted on a compromised website.
The ZIP file contained a ROOTSAW dropper that is used to deploy a second-stage lure document also themed around the CDU, along with a WINELOADER payload retrieved from “waterforvoiceless[.]org/util.php”.

The WINELOADER backdoor supports multiple features and functions that overlap with other malware in the APT29’s arsenal such as BURNTBATTER, MUSKYBEAT and BEATDROP, which suggests they are likely developed by the same professionals.

WINELOADER is launched via DLL side-loading into a legitimate Windows executable; it then decrypts the main implant logic using RC4.

Researchers at Zscaler ThreatLabz first detected WINELOADER in February 2023; the security firm attributed the campaign to an APT dubbed SPIKEDWINE.

Zscaler warned that SPIKEDWINE was a previously unknown threat actor that had been observed targeting European officials. The cyberspies used a bait PDF document masquerading as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024.

The campaign is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed by the threat actors.

“Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, APT29)

Mozilla fixed Firefox zero-days exploited at Pwn2Own Vancouver 2024

23 March 2024 at 13:53

Mozilla addressed two Firefox zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2024 hacking competition.

Mozilla has done an amazing job addressing two zero-day vulnerabilities in the Firefox web browser exploited during the recent Pwn2Own Vancouver 2024 hacking competition.

The researcher Manfred Paul (@_manfp), who won the competition, exploited the two vulnerabilities, tracked as CVE-2024-29944 and CVE-2024-29943, respectively.

On Day Two, Paul demonstrated a sandbox escape of Mozilla Firefox by using an OOB Write for the RCE and an exposed dangerous function bug. He earned $100,000 and 10 Master of Pwn points for this hack.

Below is the description of both issues. According to the advisory, the vulnerability CVE-2024-29944 affects desktop Firefox only; it does not affect mobile versions of Firefox:

  • CVE-2024-29943: An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination.
  • CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process.

Mozilla released Firefox 124.0.1 and Firefox ESR 115.9.1 to address both issues.

The Pwn2Own Vancouver 2024 hacking competition took place this week; Trend Micro’s Zero Day Initiative (ZDI) announced that participants earned $1,132,500 for demonstrating 29 unique zero-days. On day one, Team Synacktiv successfully demonstrated exploits against a Tesla car.

The researcher Manfred Paul (@_manfp) won the Master of Pwn earning $202,500 and 25 points.


Pierluigi Paganini

(SecurityAffairs – hacking, Mozilla)

Large-scale Sign1 malware campaign already infected 39,000+ WordPress sites

23 March 2024 at 13:00

A large-scale malware campaign, tracked as Sign1, has already compromised 39,000 WordPress sites in the last six months.

Security researchers at Sucuri spotted a malware campaign, tracked as Sign1, which has already compromised 39,000 WordPress sites in the last six months.

The experts discovered that threat actors compromised the websites implanting malicious JavaScript injections that redirect visitors to malicious websites.

Querying SiteCheck, the researchers discovered that the campaign infected over 2,500 sites in the past two months.

“Plugins that allow for arbitrary JavaScript and other code to be inserted into a website are especially useful for website owners and developers but can also be abused by attackers in a compromised environment. Since these types of plugins allow for pretty much any code at all to be added, attackers often use them to insert their malicious or spammy payload.” reads the report published by the experts. “Sure enough, checking the plugin settings revealed our culprit nestled inside Custom CSS & JS

The threat actors behind Sign1 inject malicious JavaScript into legitimate plugins and HTML widgets. The injected code includes a hard-coded array of numbers that uses XOR encoding to get new values.

The experts decoded the XOR-encoded JavaScript code and discovered that it was used to execute a JavaScript file hosted on a remote server.


The researchers noticed that the attackers employed dynamically changing URLs: the dynamic JavaScript code allows the URLs to change every 10 minutes. The code is executed in the visitors’ browser, leading to unwanted redirects and ads for site visitors.

This code stands out because it checks whether the visitor came from a well-known website like Google, Facebook, Yahoo, or Instagram. If the visitor isn’t referred by one of these popular sites, the malicious code won’t run. Threat actors used this trick to avoid detection. Normally, someone who owns a website would visit it directly, instead of going through a search engine first. Malware uses this difference to try and stay hidden.
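As an added example (not Sucuri’s code), this static scanner looks for the two traits described above in a script body: a numeric array that XOR-decodes to a URL-like string, and a referrer gate on well-known sites; the JavaScript input is constructed and decodes to a placeholder URL, not a real Sign1 indicator.

```python
import re

# Constructed JavaScript mimicking the traits Sucuri describes: a numeric array that is
# XOR-decoded at run time and a referrer gate. The decoded URL is a placeholder.
XOR_KEY = 0x5A
PLACEHOLDER_URL = "https://example.invalid/js/track.js"
SAMPLE_JS = (
    "var _0xa = [" + ",".join(str(ord(ch) ^ XOR_KEY) for ch in PLACEHOLDER_URL) + "];\n"
    "var s = _0xa.map(function(c){return String.fromCharCode(c ^ 0x5A);}).join('');\n"
    "if (/google|facebook|yahoo|instagram/i.test(document.referrer)) {\n"
    "  var e = document.createElement('script'); e.src = s; document.head.appendChild(e);\n"
    "}\n"
)
# Constructed benign script with a numeric array but no decoding or referrer gating.
BENIGN_JS = "var sizes = [320, 480, 768]; window.addEventListener('resize', relayout);\n"

NUMERIC_ARRAY_RE = re.compile(r"\[\s*((?:\d+\s*,\s*)+\d+)\s*\]")
XOR_KEY_RE = re.compile(r"\^\s*(0x[0-9a-fA-F]+|\d+)")
BIG_SITES = ("google", "facebook", "yahoo", "instagram")


def xor_decode(values, key):
    """Apply the single-byte XOR the injected code applies to its number array."""
    return "".join(chr(v ^ key) for v in values)


def looks_like_url_or_host(s):
    return s.isprintable() and ("://" in s or re.search(r"\w\.\w", s) is not None)


def scan_script(js):
    """Report XOR-decodable numeric arrays and referrer gating in a script body.
    Every literal XOR key found in the script is tried against every numeric array;
    only decodings that read as a URL or hostname are kept."""
    keys = {int(k, 0) for k in XOR_KEY_RE.findall(js)}
    decoded = []
    for arr in NUMERIC_ARRAY_RE.findall(js):
        values = [int(v) for v in arr.split(",")]
        for key in keys:
            try:
                text = xor_decode(values, key)
            except ValueError:  # value out of Unicode range: not a character array
                continue
            if looks_like_url_or_host(text):
                decoded.append(text)
    lowered = js.lower()
    referrer_gated = "document.referrer" in lowered and any(site in lowered for site in BIG_SITES)
    return {
        "decoded_strings": decoded,
        "referrer_gated": referrer_gated,
        "suspicious": bool(decoded) and referrer_gated,
    }


if __name__ == "__main__":
    for name, js in (("sample", SAMPLE_JS), ("benign", BENIGN_JS)):
        print(name, scan_script(js))
```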

The redirects observed by the researchers led to VexTrio domains.

The Sign1 campaign was first spotted by the researcher Denis Sinegubko in the second half of 2023; Sucuri reported that threat actors have leveraged as many as 15 different domains since July 31, 2023.

The name of the campaign comes from the sign1 parameter used in the code to extract and decode the domain name of a third-party malicious URL.

In October 2023, the attackers started using a different obfuscation technique and removed the sign1 parameter. Threat actors likely compromised the websites with successful brute-force attacks.


“This is yet another example of why securing the administration panel and using website monitoring tools should be a top priority for website owners.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, sign1 campaign)

German police seized the darknet marketplace Nemesis Market

23 March 2024 at 08:45

The German police seized the infrastructure of the darknet marketplace Nemesis Market disrupting its operation.

An operation conducted by the Federal Criminal Police Office in Germany (BKA) and the Frankfurt cybercrime combating unit (ZIT) led to the seizure of the infrastructure of the darknet marketplace Nemesis Market in Germany and Lithuania.

“On Wednesday, the Frankfurt am Main Public Prosecutor’s Office – Central Office for Combating Internet Crime (ZIT) – and the Federal Criminal Police Office (BKA) secured the server infrastructure of the global illegal darknet marketplace “Nemesis Market” located in Germany and Lithuania and thus closed it.” reads the press release published by the German BKA.

The international operation was conducted in coordination between German, American and Lithuanian law enforcement authorities.

The law enforcement confiscated about 94,000 euros worth of cryptocurrencies.

The Nemesis Market has been active since 2021, its offerings included illegal drugs and narcotics, stolen data and credit cards, as well as a selection of cybercrime services such as ransomware, phishing or DDoS attacks.

The Nemesis Market recently reached over 150,000 users and over 1,100 seller accounts registered worldwide. The investigation revealed that almost 20 percent were seller accounts from Germany.

The Nemesis Market marketplace currently displays the following banner informing visitors that the site has been seized by law enforcement.

The police will use the data obtained from the seized infrastructure to identify and prosecute platform sellers and users.

The German police are very active and efficient. In early March, the Düsseldorf Police announced that a large-scale international law enforcement operation led to the seizure of the largest German-speaking cybercrime marketplace, Crimemarket.

Crimemarket was a prominent platform for trading illegal drugs, narcotics, and cybercrime services. Operators were also offering tutorials for several criminal activities.

In December 2023, the Federal Criminal Police Office in Germany (BKA) and the internet-crime combating unit of Frankfurt (ZIT), along with law enforcement agencies from multiple countries (United States, Switzerland, Moldova, and Ukraine), conducted an operation that resulted in the seizure of the dark web marketplace Kingdom Market.

Pierluigi Paganini

(SecurityAffairs – hacking, Nemesis Market)

Unsaflok flaws allow to open millions of doors using Dormakaba Saflok electronic locks

22 March 2024 at 22:27

A flaw in Dormakaba Saflok electronic locks, dubbed Unsaflok, can allow threat actors to open millions of doors worldwide.

Researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana discovered a series of vulnerabilities, collectively named Unsaflok, in Dormakaba Saflok electronic RFID locks. The researchers explained that the issues can be chained to forge keycards. Dormakaba Saflok electronic RFID locks are very popular and are used in hotels and multi-family housing environments.

The Saflok electronic RFID locks are installed in 13,000 properties in 131 countries. The researchers estimated that they are installed on 3 million doors worldwide.

Once they had obtained a keycard from the hotel, by booking a room there or stealing one from the box of used cards at the reception, the researchers used a $300 RFID read-write device to read its code. They then wrote the code to two keycards and used them to open the door.

“An attacker only needs to read one keycard from the property to perform the attack against any door in the property. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box.” reads a website set up by the researchers. “Forged keycards can then be created using any MIFARE Classic card, and any commercially available tool capable of writing data to these cards. One pair of forged keycards allows an attacker to open any door in the property.”

The experts revealed that an attacker can perform this attack using any device that can read and write or emulate MIFARE Classic cards. Tools such as Proxmark3 and Flipper Zero can be used to carry it out, but the experts explained that an NFC-capable Android device is also sufficient.

The experts reported the flaws in September 2022; in November 2023 Dormakaba issued the updates to address the problem.

“An immediate mitigation solution is available for a security vulnerability associated with both the key derivation algorithm used to generate MIFARE Classic® keys and the secondary encryption algorithm used to secure the underlying card data. This vulnerability affects Saflok systems (System 6000™, Ambiance™, and Community™).” reads the advisory published by the vendor.

The issues impact multiple lock models, including Saflok MT, the Quantum Series, the RT Series, the Saffire Series and the Confidant Series.

These lock models are commonly used in hotels using the management software System 6000 or Ambiance. The flaws also affect some applications in the multifamily housing space which use System 6000 or Community.

The researchers estimated that only approximately 36% of the impacted locks have been updated or replaced as of March 2024.

“Upgrading each hotel is an intensive process. All locks require a software update or have to be replaced. Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations (e.g. elevators, parking garages and payment systems) may require additional upgrades.” added the researchers.

The experts did not share the full details of the attack; they disclosed it to ensure that hotel staff and guests are informed about the flaws.

To determine whether the Unsaflok attack was carried out, the researchers recommend that hotel staff audit the lock’s entry/exit logs via the HH6 device.

“Dormakaba started selling Saflok locks in 1988, which means that vulnerable locks have been in use for over 36 years.” concludes the report. “While we are not aware of any real world attacks that use these vulnerabilities, it is not impossible that these vulnerabilities are known, and have been used, by others.”

Pierluigi Paganini

(SecurityAffairs – hacking, Unsaflok)

Pwn2Own Vancouver 2024: participants earned $1,132,500 for 29 unique 0-days

22 March 2024 at 10:48

Pwn2Own Vancouver 2024 hacking competition has ended, and participants earned $1,132,500 for demonstrating 29 unique zero-days.

Trend Micro’s Zero Day Initiative (ZDI) announced that participants earned $1,132,500 at the Pwn2Own Vancouver 2024 hacking competition for demonstrating 29 unique zero-days. On day one, Team Synacktiv successfully demonstrated exploits against a Tesla car.

The researcher Manfred Paul (@_manfp) won the Master of Pwn earning $202,500 and 25 points.

That's a wrap! #Pwn2Own Vancouver is complete. Overall, we awarded $1,132,500 for 29 unique 0-days. Congrats to @_manfp for winning Master of Pwn with $202,500 and 25 points. Here's the final top 10 list: pic.twitter.com/4ZFKWBQffI

— Zero Day Initiative (@thezdi) March 22, 2024

The participants demonstrated multiple zero-day exploits against multiple products, including Apple Safari, Google Chrome, and Microsoft Edge browsers, Windows 11, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox and of course Tesla.

On Day Two, Manfred Paul (@_manfp) demonstrated a sandbox escape of Mozilla Firefox by using an OOB Write for the RCE and an exposed dangerous function bug. He earned $100,000 and 10 Master of Pwn points for this hack.

The researcher Seunghyun Lee (@0x10n) of KAIST Hacking Lab used a UAF to achieve remote code execution in the renderer on both Microsoft Edge and Google Chrome. He earned $85,000 and 9 Master of Pwn points.

The team from STAR Labs SG demonstrated the first Docker Desktop escape at the Pwn2Own hacking competition by chaining two vulnerabilities, including a UAF. STAR Labs SG earned $60,000 and 6 Master of Pwn points.

The complete list of results for the first two days of the Pwn2Own Vancouver 2024 hacking competition is available here:

https://www.zerodayinitiative.com/blog/2024/3/21/pwn2own-vancouver-2024-day-two-results

Vendors have 90 days to address the vulnerabilities exploited by the participants during the Pwn2Own hacking competition before Trend Micro’s Zero Day Initiative publicly discloses the issues.

Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own Vancouver 2024)

Critical Fortinet’s FortiClient EMS flaw actively exploited in the wild

21 March 2024 at 21:42

Researchers released a PoC exploit for a critical flaw in Fortinet’s FortiClient Enterprise Management Server (EMS) software, which is actively exploited.

Security researchers at Horizon3 have released a proof-of-concept (PoC) exploit for a critical vulnerability, tracked as CVE-2023-48788 (CVSS score 9.3), in Fortinet’s FortiClient Enterprise Management Server (EMS) software. The vulnerability is now actively exploited in attacks in the wild.

The vulnerability CVE-2023-48788 is a critical pervasive SQL injection issue that resides in the DAS component.

“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.” reads the advisory.

Below are the affected versions and the release that addressed this flaw.

Version              Affected                 Solution
FortiClientEMS 7.2   7.2.0 through 7.2.2      Upgrade to 7.2.3 or above
FortiClientEMS 7.0   7.0.1 through 7.0.10     Upgrade to 7.0.11 or above

Thiago Santana from the FortiClientEMS development team and the UK NCSC reported the issue to the company.

The initial advisory reported that Fortinet was not aware of attacks in the wild exploiting this vulnerability.

However, the company has updated the advisory confirming that “this vulnerability is exploited in the wild.”

Horizon3’s Attack Team published a technical analysis of this vulnerability and the PoC exploit. The researchers demonstrated how to turn this SQL injection issue into remote code execution using the built-in xp_cmdshell functionality of Microsoft SQL Server.

The researchers explained that the database was not configured to run the xp_cmdshell command; however, it was possible to enable it using a few other SQL statements.

“The POC we are releasing only confirms the vulnerability by using a simple SQL injection without xp_cmdshell. To enable RCE, altering the POC is necessary.” reads the analysis published by Horizon3.

“There are various log files in C:\Program Files (x86)\Fortinet\FortiClientEMS\logs that can be examined for connections from unrecognized clients or other malicious activity. The MS SQL logs can also be examined for evidence of xp_cmdshell being utilized to obtain command execution.”
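
Horizon3 points to the MS SQL logs as the place to look for xp_cmdshell use. The following is an added example, not code from the article or from Horizon3: a small scanner over constructed SQL statement log lines (the one-statement-per-line format with a timestamp prefix is an assumption) that flags the configuration changes needed to switch xp_cmdshell on, as well as any subsequent call to it, after normalising comments and bracketed identifiers so that trivial formatting differences do not hide a match.

```python
"""Scan SQL statement logs for signs of xp_cmdshell being enabled or used.

Added example, not from the article or from Horizon3's analysis.  The log
format is an assumption: one statement per line, prefixed by a timestamp,
as a SQL Server audit or Extended Events capture might look once exported
to text.  The sample lines are constructed and mix ordinary queries with
the configuration changes and calls an intruder would need in order to run
OS commands through xp_cmdshell on a server where it is disabled by default.
"""
import re
from typing import Dict, List

# Ordered rules: the first match wins, so the specific sp_configure rules
# fire before the generic "xp_cmdshell executed" rule.
RULES = [
    ("high", "xp_cmdshell enabled via sp_configure",
     re.compile(r"\bsp_configure\b.*\bxp_cmdshell\b", re.I)),
    ("medium", "show advanced options toggled",
     re.compile(r"\bsp_configure\b.*\bshow advanced options\b", re.I)),
    ("high", "xp_cmdshell executed",
     re.compile(r"\b(?:exec|execute)\b.*\bxp_cmdshell\b", re.I)),
]

_LINE = re.compile(r"^(\S+ \S+)\s+(.*)$")      # "<date> <time> <statement>"
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalise(statement: str) -> str:
    """Strip comments and identifier brackets and collapse whitespace, so the
    patterns see the statement the way the SQL parser effectively does."""
    s = _BLOCK_COMMENT.sub(" ", statement)       # a comment acts as whitespace
    s = s.split("--", 1)[0]                      # drop a trailing line comment
    s = s.replace("[", "").replace("]", "")
    return " ".join(s.split())


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per matching log line (line number, time, rule, text)."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = _LINE.match(line.strip())
        if not m:
            continue
        when, statement = m.groups()
        norm = normalise(statement)
        for severity, name, pattern in RULES:
            if pattern.search(norm):
                findings.append({"line": str(number), "time": when,
                                 "severity": severity, "rule": name,
                                 "statement": norm})
                break
    return findings


# Constructed sample: ordinary application queries around a burst of
# statements that switch xp_cmdshell on and then call it.
SAMPLE_LOG = [
    "2024-03-21 10:15:02 SELECT name FROM ems_clients WHERE site_id = 12",
    "2024-03-21 10:15:03 UPDATE ems_clients SET last_seen = GETDATE() WHERE id = 99",
    "2024-03-21 10:16:44 EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
    "2024-03-21 10:16:45 EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "2024-03-21 10:16:46 EXEC master..xp_cmdshell 'whoami'",
    "2024-03-21 10:16:47 EXECUTE /* split */ [master].[dbo].[xp_cmdshell] 'hostname'",
    "2024-03-21 10:17:01 SELECT COUNT(*) FROM ems_policies -- nightly report",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} [{f['severity']}] {f['rule']}: {f['statement']}")
```

The "first match wins" ordering matters: the statement that enables xp_cmdshell also contains `EXEC` and `xp_cmdshell`, so without it the generic execution rule would double-count it. On a real server, the same rules can be applied to SQL Server Audit output or to an Extended Events session capturing `sql_statement_completed`; the normalisation step is what keeps a bracketed or comment-laden variant from slipping past.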

Pierluigi Paganini

(SecurityAffairs – hacking, FortiClient)

Pwn2Own Vancouver 2024 Day 1 – team Synacktiv hacked a Tesla

21 March 2024 at 18:36

Participants earned $732,500 on the first day of the Pwn2Own Vancouver 2024 hacking competition, a team demonstrated a Tesla hack.

Participants earned $732,000 on the first day of the Pwn2Own Vancouver 2024 hacking competition for demonstrating 19 unique zero-days, announced Trend Micro’s Zero Day Initiative (ZDI). The experts successfully demonstrated exploits against a Tesla car, Linux and Windows operating systems, and more.

That brings a close to the first day of #Pwn2Own Vancouver 2024. We awarded $732,500 for 19 unique 0-days. @Synacktiv currently leads in the hunt for Master of Pwn, but @_manfp is right behind them. Here are the full standings: pic.twitter.com/GbtDzbCFgO

— Zero Day Initiative (@thezdi) March 21, 2024

Team Synacktiv earned $200,000 for demonstrating an integer overflow exploit against a Tesla car; the experts targeted the electronic control unit (ECU) with CAN bus control. The team also won a new Tesla Model 3.

In past editions of the hacking competition, the same team already demonstrated exploits against Tesla. In January the Synacktiv Team (@Synacktiv) compromised the Tesla infotainment system on the second day of the Pwn2Own Automotive 2024 hacking competition. The bug hunters chained two vulnerabilities to hack the Tesla infotainment system and earned $100,000 and 10 Master of Pwn points.

The researchers Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) from cyber security firm Theori (@theori_io) chained an uninitialized variable bug, a UAF, and a heap-based buffer overflow to achieve a VMware Workstation escape and execute code as SYSTEM on the host Windows OS. The team earned $130,000 and won 13 Master of Pwn points.

The researcher Manfred Paul (@_manfp) chained an integer underflow bug and a PAC bypass in Apple Safari to achieve remote code execution on the popular browser. He earned $60,000 and 6 Master of Pwn points.

Bruno PUJOS and Corentin BAYET from software reverse engineering & vulnerability discovery company REverse Tactics (@Reverse_Tactics) chained a buffer overflow and a Windows UAF bypass in Oracle VirtualBox to escape the guest OS and execute code as SYSTEM on the host OS. The team earned $90,000 and 9 Master of Pwn points.

The complete list of results for the first day of the Pwn2Own Vancouver 2024 hacking competition is available here:

https://www.zerodayinitiative.com/blog/2024/3/20/pwn2own-vancouver-2024-day-one-results

Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own Vancouver 2024)

Ivanti urges customers to fix critical RCE flaw in Standalone Sentry solution

21 March 2024 at 09:59

Ivanti urges customers to address a critical remote code execution vulnerability impacting the Standalone Sentry solution.

Ivanti addressed a critical remote code execution vulnerability, tracked as CVE-2023-41724 (CVSS score of 9.6), impacting the Standalone Sentry solution.

An unauthenticated attacker can exploit this vulnerability to execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network. 

“An unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network.” reads the advisory.

This vulnerability affects all supported versions 9.17.0, 9.18.0, and 9.19.0. Older versions are also impacted.

The company urges customers to install the available versions 9.17.1, 9.18.1, and 9.19.1, which address the issue.

Vincent Hutsebaut, Pierre Vivegnis, Jerome Nokin, Roberto Suggi Liverani and Antonin B. of the NATO Cyber Security Centre reported the vulnerability.

Ivanti is not aware of attacks in the wild exploiting the vulnerability CVE-2023-41724.

“We are not aware of any customers being exploited by this vulnerability at the time of disclosure. Threat actors without a valid TLS client certificate enrolled through EPMM cannot directly exploit this issue on the Internet.” reads the advisory.

In early February, the Five Eyes intelligence alliance issued a joint cybersecurity advisory warning of threat actors exploiting known vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways.

The advisory provides details about the exploitation in the wild of the Connect Secure and Policy Secure vulnerabilities CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Multiple threat actors are chaining these issues to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.

Pierluigi Paganini

(SecurityAffairs – hacking, DoS)

New Loop DoS attack may target 300,000 vulnerable hosts

21 March 2024 at 08:24

Boffins devised a new application-layer loop DoS attack based on the UDP protocol that impacts major vendors, including Broadcom, Microsoft and MikroTik.

Researchers from the CISPA Helmholtz Center for Information Security (Germany) devised a new denial-of-service (DoS) attack, called the loop DoS attack, that impacts hundreds of thousands of internet-facing systems from major vendors.

The attack consists of pairing servers using protocols based on UDP to get them to communicate with each other indefinitely by using IP spoofing.  

“A new Denial-of-Service (DoS) attack targets application-layer protocols that draw on the User Datagram Protocol (UDP) for end-to-end communication. ‘Application-layer Loop DoS Attacks’ pair servers of these protocols in such a way that they communicate with each other indefinitely.” explained the researchers. “The vulnerability affects both legacy (e.g., QOTD, Chargen, Echo) and contemporary (e.g., DNS, NTP, and TFTP) protocols. Discovered by researchers of the CISPA Helmholtz-Center for Information Security, the attack puts an estimated 300,000 Internet hosts and their networks at risk.”

The User Datagram Protocol (UDP) is a core protocol of the Internet Protocol suite that operates at the transport layer. UDP is a simple, lightweight protocol that provides a way for applications to send datagrams, or packets of data, across a network.

UDP is considered a connectionless protocol because it does not establish a direct connection between the sender and receiver before transmitting data. Instead, it simply sends packets without waiting for acknowledgment or establishing a connection.

The technique relies on IP spoofing: an attacker can forge UDP packets carrying the victim’s IP address as the source and send them to servers, which will then respond to the victim.

In a simplified scenario, threat actors target two application servers running a vulnerable implementation of the protocol. The attacker sends a message to the first server using the spoofed address of the second one as the source.

The first server sends an error message in response to the second server, which in turn returns another error message to the first server. This process repeats indefinitely, with the two servers exhausting each other’s resources.
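
The exchange in the simplified scenario above can be modelled without touching a network. The following is an added example, not code from the article or from the CISPA study: two in-memory "servers" speaking a toy UDP-style protocol (the protocol itself is an assumption), a single spoofed trigger datagram, and a count of how many datagrams are exchanged before the conversation dies out. It also shows the hardened behaviour that breaks the loop, namely never answering an error message with another error.

```python
"""Simulated application-layer loop between two UDP-style services.

Added example, not from the Security Affairs article or the CISPA study.
It models the simplified scenario described above with in-memory
"datagrams" instead of real sockets, so it runs offline.  The protocol is
a toy one (an assumption): a valid request is b"GET <name>"; anything else
is malformed, and a naive server answers malformed input with an error
message.  Because that error message is itself malformed input to the
peer, two naive servers keep answering each other once a single spoofed
trigger is injected.  A hardened server breaks the loop by never answering
an error message with another error.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ERROR_PREFIX = b"ERR "
Handler = Callable[[bytes], Optional[bytes]]


@dataclass(frozen=True)
class Datagram:
    src: str            # claimed source address: forgeable, like a real IP header
    dst: str
    payload: bytes
    ttl: int = 64       # every reply is a brand-new packet with a fresh TTL, which
                        # is why network-layer loop checks do not help here


def naive_handler(payload: bytes) -> Optional[bytes]:
    """Answers valid requests and answers *everything else* with an error."""
    if payload.startswith(b"GET "):
        return b"OK " + payload[4:]
    return ERROR_PREFIX + b"malformed: " + payload[:16]


def hardened_handler(payload: bytes) -> Optional[bytes]:
    """Same protocol, but incoming error messages are dropped, not answered."""
    if payload.startswith(b"GET "):
        return b"OK " + payload[4:]
    if payload.startswith(ERROR_PREFIX):
        return None     # never reply to an error with an error: this ends the loop
    return ERROR_PREFIX + b"malformed: " + payload[:16]


def run_exchange(handlers: Dict[str, Handler], trigger: Datagram,
                 max_steps: int = 1000) -> int:
    """Deliver the trigger and every reply it provokes.

    Returns how many datagrams were delivered before the exchange died out,
    capped at max_steps so a genuine loop does not run forever.
    """
    queue = deque([trigger])
    delivered = 0
    while queue and delivered < max_steps:
        dgram = queue.popleft()
        delivered += 1
        reply = handlers[dgram.dst](dgram.payload)
        if reply is not None:
            # The reply goes to whoever the packet *claimed* to come from.
            queue.append(Datagram(src=dgram.dst, dst=dgram.src, payload=reply))
    return delivered


def loop_length(hardened: bool, trigger_payload: bytes = ERROR_PREFIX + b"spoofed",
                max_steps: int = 1000) -> int:
    """Two identical servers and one constructed trigger: a datagram to serverA
    whose source address is forged as serverB.  Returns datagrams exchanged."""
    handler: Handler = hardened_handler if hardened else naive_handler
    handlers = {"serverA": handler, "serverB": handler}
    trigger = Datagram(src="serverB", dst="serverA", payload=trigger_payload)
    return run_exchange(handlers, trigger, max_steps)


if __name__ == "__main__":
    print("naive servers, error trigger:   ", loop_length(False), "(hit the cap)")
    print("hardened servers, error trigger:", loop_length(True))
    # Even a well-formed spoofed request loops naive servers: the OK reply is
    # malformed input to the peer, which errors, and so on.
    print("naive servers, GET trigger:     ", loop_length(False, b"GET index"))
    print("hardened servers, GET trigger:  ", loop_length(True, b"GET index"))
```

With the naive handler the single trigger runs until the step cap, whichever payload it carries; with the hardened handler the error trigger is dropped after one delivery, and a spoofed valid request produces exactly one reflected reply and one error before the chain stops. That is the asymmetry the researchers describe: the loop costs the attacker one packet, and the fix has to live in the application protocol, since every hop is a new datagram as far as the network layer is concerned.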

The issue impacts multiple implementations of the UDP protocol, including DNS, NTP, TFTP, Active Users, Daytime, Echo, Chargen, QOTD, and Time.

The researchers pointed out that the application-layer loop DoS attack can be triggered from a single spoofing-capable host. 

“For instance, attackers could cause a loop involving two faulty TFTP servers by injecting one single, IP-spoofed error message. The vulnerable servers would then continue to send each other TFTP error messages, putting stress on both servers and on any network link between them.” said Professor Dr. Christian Rossow, who is a co-author of the study.

The researchers clarified that the loops they identified at the application level are distinct from those observed at the network layer. Consequently, the packet lifetime checks currently in use at the network level are ineffective in halting application-layer loops.

“The newly discovered DoS loop attack is self-perpetuating and targets application-layer messages. It pairs two network services in such a way that they keep responding to one another’s messages indefinitely. In doing so, they create large volumes of traffic that result in a denial of service for involved systems or networks. Once a trigger is injected and the loop set in motion, even the attackers are unable to stop the attack.” continue the researchers. “Previously known loop attacks occurred on the routing layer of a single network and were limited to a finite number of loop iterations.”

Despite around 300,000 hosts and their networks being exposed to loop DoS attacks, the researchers are not aware of attacks in the wild exploiting this issue.

The researchers have published an incomplete list of affected hardware products; they are in contact with vendors to verify whether their products are impacted. Vulnerability scans suggest that the following vendors may be affected:

  • Arris
  • Broadcom (2023-12-26)
  • Brother (2024-02-06)
  • Cisco (e.g., out-of-life 2800/2970 routers; maintained products unaffected)
  • D-Link
  • Honeywell (2024-01-03, CVE-2024-1309)
  • Hughes Network Systems
  • Microsoft (2024-02-19, in WDS)
  • MikroTik (2024-01-09)
  • PLANET Technology Corporation
  • TP-Link (e.g., out-of-life products TD-W8901G, TD-W8101G, R600VPN, WR740N, TD-W8960N)
  • Zyxel (e.g., end-of-life ZyWALL; maintained products unaffected)

Pierluigi Paganini

(SecurityAffairs – hacking, DoS)

Critical flaw in Atlassian Bamboo Data Center and Server must be fixed immediately

20 March 2024 at 19:39

Atlassian fixed tens of vulnerabilities in Bamboo, Bitbucket, Confluence, and Jira products, including a critical flaw that can be very dangerous.

Atlassian addressed multiple vulnerabilities in its Bamboo, Bitbucket, Confluence, and Jira products. The most severe vulnerability, tracked as CVE-2024-1597 (CVSS score of 10), is a SQL injection flaw that impacts the org.postgresql:postgresql third-party dependency of Bamboo Data Center and Server.

“This org.postgresql:postgresql Dependency vulnerability, with a CVSS Score of 10 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.” reads the advisory.

The vulnerability impacts Bamboo Data Center and Server versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0. The software giant addressed this vulnerability with the release of versions 9.6.0 (LTS), 9.5.2, 9.4.4, and 9.2.12 (LTS).

The company also addressed a DoS (Denial of Service) software.amazon.ion:ion-java Dependency issue, tracked as CVE-2024-21634 (CVSS Score of 7.5), that impacts Bamboo Data Center and Server.

“This software.amazon.ion:ion-java Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.” reads the advisory.

The high severity software.amazon.ion:ion-java Dependency vulnerability was introduced in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0 of Bamboo Data Center and Server.

The complete list of vulnerabilities addressed by Atlassian is available here.

Pierluigi Paganini

(SecurityAffairs – hacking, Bamboo)

Threat actors actively exploit JetBrains TeamCity flaws to deliver malware

20 March 2024 at 15:06

Multiple threat actors are exploiting the recently disclosed JetBrains TeamCity flaw CVE-2024-27198 in attacks in the wild.

Trend Micro researchers reported that threat actors are exploiting the recently disclosed vulnerabilities CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score 7.3) in JetBrains TeamCity to deploy multiple malware families and gain administrative control over impacted systems.

In early March, Rapid7 researchers disclosed two new critical security vulnerabilities, tracked as CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score:7.3), in JetBrains TeamCity On-Premises.

An attacker can exploit the vulnerabilities to take control of affected systems.

Below are the descriptions for these vulnerabilities:

  • CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue (CWE-288) and has a CVSS base score of 9.8 (Critical).
  • CVE-2024-27199 is an authentication bypass vulnerability in the web component of TeamCity that arises from a path traversal issue (CWE-22) and has a CVSS base score of 7.3 (High).

“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.” reads the advisory published by JetBrains.

The flaws impact all TeamCity On-Premises versions through 2023.11.3; they were addressed with the release of version 2023.11.4.

The company also released a security patch plugin for those customers who are unable to patch their systems.

The two flaws were discovered by Stephen Fewer, Principal Security Researcher at Rapid7, and were disclosed following Rapid7’s vulnerability disclosure policy.

Rapid7 published a detailed analysis of the two flaws here.

Describing the flaw CVE-2024-27198, the researchers pointed out that an unauthenticated attacker can use a specially crafted URL to bypass all authentication checks. A remote unauthenticated attacker can exploit this flaw to take complete control of a vulnerable TeamCity server.

Recently JetBrains addressed another critical vulnerability in TeamCity servers, tracked as CVE-2024-23917 (CVSS score: 9.8), that could be exploited by an unauthenticated attacker to gain administrative control of servers.

Since public proof-of-concept (PoC) exploits for these vulnerabilities became available, the risk of widespread exploitation has increased. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-27198 to its Known Exploited Vulnerabilities catalog.

Trend Micro reported that threat actors can exploit CVE-2024-27198 to perform a broad range of malicious activities, including:

  • Dropping the Jasmin ransomware
  • Deploying the XMRig cryptocurrency miner
  • Deploying Cobalt Strike beacons
  • Deploying the SparkRAT backdoor
  • Executing domain discovery and persistence commands

“Threat actors might exploit CVE-2024-27198 or CVE-2024-27199 to bypass authentication on vulnerable On-Premise TeamCity servers and perform follow-on commands. They are then able to perform RCE and TeamCity-related processes, such as spawning a command and scripting interpreter (including PowerShell) to download additional malware or perform discovery commands.” reads the report published by Trend Micro. “The attackers are then able to install malware that can reach out to its command-and-control (C&C) server and perform additional commands such as deploying Cobalt Strike beacons and remote access trojans (RATs).”

Threat actors can deploy ransomware as the final payload: one of the earliest actors that the experts spotted exploiting the above issues deployed a variant of the open-source Jasmin ransomware. In other instances analyzed by Trend Micro, threat actors deployed a variant of the open-source XMRig cryptocurrency-mining malware to vulnerable TeamCity servers.

In March, researchers from GuidePoint Security observed BianLian ransomware exploiting vulnerabilities in JetBrains TeamCity software in recent attacks.

The experts also observed several attempts to discover network infrastructure and employ persistence commands arising from the java.exe process under a vulnerable TeamCity server directory.

In other cases, attackers exploited the above flaws to deploy Cobalt Strike beacons to vulnerable TeamCity servers.
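
The Trend Micro report describes the post-exploitation pattern in terms a detection engineer can use directly: the TeamCity server’s java.exe spawning a command or scripting interpreter that runs discovery and persistence commands. The following is an added example, not code from the article or from Trend Micro: a rule over constructed process-creation events (the field names loosely follow Sysmon Event ID 1, and the TeamCity install paths are assumptions) that alerts on that parent/child relationship and grades the alert by the commands it carries.

```python
"""Flag command interpreters spawned by a TeamCity server's java.exe.

Added example, not from the article or the Trend Micro report.  The event
records are constructed and loosely follow the fields of a process-creation
telemetry source such as Sysmon Event ID 1 (ParentImage, Image, CommandLine,
ProcessId).  The TeamCity install paths are assumptions.  Build agents spawn
interpreters legitimately as build steps, so the rule is scoped to the
server's java.exe and excludes agent directories.
"""
from typing import Dict, List, Optional

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Lower-case substrings matching the discovery and persistence activity the
# report describes (constructed list; extend from your own telemetry).
SUSPICIOUS_TOKENS = ("whoami", "net user", "net group", "nltest", "schtasks",
                     "reg add", "downloadstring", "invoke-webrequest", " -enc ")


def is_teamcity_server_java(path: str) -> bool:
    """True for the server JVM under a TeamCity install, not a build agent's."""
    p = path.lower()
    return p.endswith("\\java.exe") and "teamcity" in p and "buildagent" not in p


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert when a TeamCity-server java.exe spawns an interpreter."""
    if not is_teamcity_server_java(event["ParentImage"]):
        return None
    child = event["Image"].rsplit("\\", 1)[-1].lower()
    if child not in INTERPRETERS:
        return None
    cmd = event["CommandLine"].lower()
    tokens = [t.strip() for t in SUSPICIOUS_TOKENS if t in cmd]
    return {"pid": event["ProcessId"], "child": child, "tokens": tokens,
            "severity": "high" if tokens else "medium"}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events.  Only the first two should alert.
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "ParentImage": r"C:\TeamCity\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami && net user && nltest /dclist:"},
    {"ProcessId": "4133", "ParentImage": r"C:\TeamCity\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    # Legitimate: a build agent running a command-line build step.
    {"ProcessId": "5001", "ParentImage": r"C:\TeamCity\buildAgent\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c msbuild build.proj"},
    # Unrelated JVM on the same host.
    {"ProcessId": "5102", "ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\housekeeping.ps1"},
    # Server JVM spawning a helper JVM: not an interpreter.
    {"ProcessId": "4140", "ParentImage": r"C:\TeamCity\jre\bin\java.exe",
     "Image": r"C:\TeamCity\jre\bin\java.exe",
     "CommandLine": "java.exe -version"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

A server-side TeamCity JVM has little reason to launch cmd.exe or PowerShell at all, which is why the bare parent/child relationship is already a medium-severity alert and the command-line tokens only raise it. The build-agent exclusion is the caveat that keeps this rule usable: agents run arbitrary build scripts by design, so an unscoped "java.exe spawns cmd.exe" rule would drown in noise.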

“This malicious activity not only jeopardizes the confidentiality, integrity, and availability of sensitive data and critical systems but also imposes financial and operational risks for affected organizations. Swift action is imperative to mitigate these vulnerabilities and prevent further damage from ransomware extortion and other types of malware.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, JetBrains TeamCity)

BunnyLoader 3.0 surfaces in the threat landscape

20 March 2024 at 12:53

Researchers found a new variant of the BunnyLoader malware with a modular structure and new evasion capabilities.

In October 2023, Zscaler ThreatLabz researchers discovered a new malware-as-a-service (MaaS) called BunnyLoader, which was advertised for sale in multiple cybercrime forums since September 4, 2023.

The BunnyLoader malware loader is written in C/C++ and is sold on various forums for $250 for a lifetime license. The researchers believe that BunnyLoader is under rapid development, as the authors are releasing multiple updates to implement new features and fix bugs.

The malware also supports anti-sandbox techniques and evasion techniques, it can download and execute a second-stage payload, log keys, steal sensitive information and cryptocurrency, and execute remote commands.

Now Palo Alto Networks Unit 42 researchers have discovered a new version of the malware, BunnyLoader 3.0, which demonstrates that threat actors continue to modify and enhance the malicious code.

Senior threat intelligence researcher @RussianPanda9xx first shared the announcement made by the malware operators.

#BunnyLoader announced a big 3.0 update. Maybe something to hunt for 🤭 @banthisguy9349 @ViriBack pic.twitter.com/ViFUsoXdOA

— RussianPanda 🐼 🇺🇦 (@RussianPanda9xx) February 11, 2024

The latest version was announced on February 11, 2024, revealing that the malware has been “completely redesigned and enhanced by 90%.”

Major enhancements to BunnyLoader payloads include payloads/modules “completely rewritten for improved performance,” reduction of the payload size, and the implementation of advanced keylogging capabilities.

“By the end of September 2023, BunnyLoader underwent a rapid retooling.” reads Unit 42’s report. “According to the BunnyLoader advertisement, new features include the following:

  • Command-and-control (C2) panel bug fixes
  • Antivirus evasion
  • Multiple data recovery methods used for information theft
  • Added browser paths
  • Keylogger functionality
  • Anti-analysis protections”

BunnyLoader 3.0 supports new denial-of-service attack features and uses distinct binaries for stealer, clipper, keylogger, and DoS modules.

The operators of BunnyLoader can deploy these modules or use BunnyLoader’s built-in commands to load their preferred malicious code.

Palo Alto Networks researchers also observed important changes in the attack chain: they detailed the use of a previously undocumented dropper to load PureCrypter, with the chain then forking into two branches.

In one branch the PureLogs loader is executed to deliver the PureLogs stealer, while in the second attack pattern the BunnyLoader is dropped and used to execute the Meduza stealer.

Version 3.0 uses the same base URI structure for C2 communication observed in prior versions, in the format http://[C2]/[path]/[PHP API]. The sample of BunnyLoader analyzed by the experts communicates with the C2 server located at hxxp://ads[.]hostloads[.]xyz/BAGUvIxJu32I0/gate.php. Unlike previous versions, this version doesn’t use the string Bunny in the URL path; BunnyLoader 3.0 allows the operator to specify the path name.

The samples of BunnyLoader 3.0 analyzed by Unit 42 use only one endpoint, gate.php.

BunnyLoader 3.0 obfuscates HTTP parameters using RC4 encryption instead of sending them in cleartext like previous versions.

“In the ever changing landscape of MaaS, BunnyLoader continues to evolve, demonstrating the need for threat actors to frequently retool to evade detection. Revealing these evolving tactics and the dynamic nature of this threat empowers readers to bolster their defense posture and better protect their assets.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, BunnyLoader 3.0)

Pokemon Company resets some users’ passwords

20 March 2024 at 08:47

The Pokemon Company resets some users’ passwords in response to hacking attempts against some of its users.

The Pokemon Company announced it had reset the passwords for some accounts after it had detected hacking attempts, Techcrunch first reported. The company was likely the target of credential stuffing attacks. Credential stuffing is an attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration.

In other words, bad actors glean lists of breached usernames and passwords and run them against desired logins until they find some that work. Then, they enter those accounts for the purpose of abusing permissions, siphoning out data, or both. 
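
The pattern described above is visible in ordinary authentication logs if one looks at it per source rather than per account. The following is an added example, not code from the article or from The Pokémon Company: a detector over constructed login records (the format of timestamp, source IP, username and result is an assumption) that flags a source attempting many distinct usernames within a short window, and reports which of those attempts succeeded, since those are the accounts to reset first.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example, not from the article or from The Pokémon Company.  The log
lines are constructed (format is an assumption: ISO timestamp, source IP,
username, result).  The signal that separates stuffing from a user who
forgot a password is one source cycling through many *distinct* usernames
in a short window, mostly failing, with an occasional success that marks
a compromised account.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List


def parse(line: str) -> Dict[str, object]:
    ts, ip, user, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "user": user, "ok": result == "SUCCESS"}


def detect_stuffing(lines: List[str], window_seconds: int = 300,
                    min_distinct_users: int = 5) -> Dict[str, Dict[str, object]]:
    """Return, per flagged source IP, how many distinct usernames it tried,
    the peak number seen inside one sliding window, total attempts, and the
    usernames it logged into successfully."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    by_ip: Dict[str, list] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, evs in by_ip.items():
        recent = deque()            # events within the sliding window
        peak = 0
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            peak = max(peak, len({r["user"] for r in recent}))
        if peak >= min_distinct_users:
            alerts[ip] = {
                "distinct_users": len({e["user"] for e in evs}),
                "peak_in_window": peak,
                "attempts": len(evs),
                "compromised": sorted({e["user"] for e in evs if e["ok"]}),
            }
    return alerts


# Constructed sample: one source sprays eight accounts in a few seconds and
# gets into one; a real user mistypes a password twice; an unrelated login.
SAMPLE_LOG = [
    "2024-03-14T09:00:01 198.51.100.7 ash_k FAIL",
    "2024-03-14T09:00:02 198.51.100.7 misty22 FAIL",
    "2024-03-14T09:00:02 198.51.100.7 brock_r FAIL",
    "2024-03-14T09:00:03 198.51.100.7 gary.oak FAIL",
    "2024-03-14T09:00:04 198.51.100.7 team_rocket FAIL",
    "2024-03-14T09:00:05 198.51.100.7 prof_oak SUCCESS",
    "2024-03-14T09:00:05 198.51.100.7 jessie_j FAIL",
    "2024-03-14T09:00:06 198.51.100.7 james_m FAIL",
    "2024-03-14T09:05:00 203.0.113.9 tracey_s FAIL",
    "2024-03-14T09:05:20 203.0.113.9 tracey_s FAIL",
    "2024-03-14T09:05:45 203.0.113.9 tracey_s SUCCESS",
    "2024-03-14T10:10:00 192.0.2.44 misty22 SUCCESS",
]

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Counting distinct usernames rather than raw failures is what keeps the legitimate user at 203.0.113.9 out of the alert: three failures on one account is a forgotten password, eight accounts in six seconds is a list being replayed. The `compromised` field is the actionable output, and it is the same reasoning that leads to resetting only the affected accounts rather than the whole user base; it also shows why per-account lockout alone does not stop stuffing, since each account sees only one attempt.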

Last week, Pokémon’s official support website displayed the following message:

“Following an attempt to compromise our account system, Pokémon proactively locked the accounts of fans who might have been affected. If you are unable to log in to your Pokémon Trainer Club account, please reset your password following the instructions here.”

Pokémon, short for “Pocket Monsters,” is a media franchise created by Satoshi Tajiri and Ken Sugimori and managed by The Pokémon Company, a collaboration between Nintendo, Game Freak, and Creatures Inc. It was first introduced in 1996 as a video game for the original Game Boy console, developed by Game Freak and published by Nintendo. The franchise expanded to include video games, trading card games, animated television series, movies, comic books, toys, and merchandise. In Pokémon, players assume the role of Pokémon Trainers who capture and train fictional creatures called Pokémon to battle each other for sport.

Daniel Benkwitt, a Pokemon Company spokesperson, told Techcrunch that the company hasn’t suffered a security breach. Most of the hacking attempts against users were detected and blocked, and only 0.1% of the targeted accounts were compromised.

“The account system was not compromised. What we did experience and catch was an attempt to log in to some accounts. To protect our customers we have reset some passwords which prompted the message,” said Benkwitt.

A good mitigation against credential-stuffing attacks, and generally against account hijacking, is enabling multi-factor authentication.

Unfortunately, the Pokemon Company doesn’t support two-factor authentication on its platform.

Pierluigi Paganini

(SecurityAffairs – hacking, Pokemon Company)
