
Threat Actors Abuse Top 15 Flaws Millions of Times to Target Linux Systems

 

Researchers at Trend Micro have identified and flagged nearly 14 million Linux-based systems that are directly exposed to the internet, making them a lucrative target for attackers deploying malicious web shells, ransomware, coin miners, and other Trojans.

The U.S.-Japanese company published a detailed analysis of the Linux threat landscape, highlighting the top threats and flaws that affected the operating system in the first half of 2021, based on data gathered from honeypots, sensors, and anonymized telemetry.

The company, which recorded nearly 15 million malware events aimed at Linux-based cloud environments, found that coin miners and ransomware made up 54% of all malware, with web shells accounting for a further 29%.

Furthermore, the researchers examined more than 50 million events from 100,000 unique Linux hosts and identified 15 security weaknesses that have either been actively exploited in the wild or have a public proof of concept (PoC):

• CVE-2017-5638 (CVSS score: 10.0) – Apache Struts 2 remote code execution (RCE) vulnerability 

• CVE-2017-9805 (CVSS score: 8.1) – Apache Struts 2 REST plugin XStream RCE vulnerability 

• CVE-2018-7600 (CVSS score: 9.8) – Drupal Core RCE vulnerability. 

• CVE-2020-14750 (CVSS score: 9.8) – Oracle WebLogic Server RCE vulnerability 

• CVE-2020-25213 (CVSS score: 10.0) – WordPress File Manager (wp-file-manager) plugin RCE vulnerability 

• CVE-2020-17496 (CVSS score: 9.8) – vBulletin ‘subwidgetConfig’ unauthenticated RCE vulnerability 

• CVE-2020-11651 (CVSS score: 9.8) – SaltStack Salt authorization weakness vulnerability 

• CVE-2017-12611 (CVSS score: 9.8) – Apache Struts OGNL expression RCE vulnerability 

• CVE-2017-7657 (CVSS score: 9.8) – Eclipse Jetty chunk length parsing integer overflow vulnerability

• CVE-2021-29441 (CVSS score: 9.8) – Alibaba Nacos AuthFilter authentication bypass vulnerability 

• CVE-2020-14179 (CVSS score: 5.3) – Atlassian Jira information disclosure vulnerability 

• CVE-2013-4547 (CVSS score: 8.0) – Nginx crafted URI string handling access restriction bypass vulnerability 

• CVE-2019-0230 (CVSS score: 9.8) – Apache Struts 2 RCE vulnerability 

• CVE-2018-11776 (CVSS score: 8.1) – Apache Struts OGNL expression RCE vulnerability 

• CVE-2020-7961 (CVSS score: 9.8) – Liferay Portal untrusted deserialization vulnerability 

To make matters worse, the 15 most commonly used Docker images on the official Docker Hub repository were found to harbour vulnerabilities across python, node, WordPress, golang, Nginx, Postgres, influxdb, httpd, MySQL, Debian, Memcached, Redis, mongo, centos, and rabbitmq, underscoring the need to secure containers against threats at each stage of the development pipeline.

“Users and organizations should always apply security best practices, which include utilizing the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model,” the researchers said.
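Several of the flaws in the list are reached over plain HTTP, and the probes for them have well-known request shapes, which is what honeypot sensors and the "virtual patching" rules the researchers recommend key on. The script below is an added example, not part of the Trend Micro report or of this post: it parses raw HTTP requests as a honeypot would capture them and flags the request patterns publicly documented for four of the listed CVEs. The sample requests are constructed for illustration, carry only placeholder payload fields, and are not real captures.

```python
"""Flag probes for four of the listed web CVEs in captured HTTP requests.
Added example: signatures are the publicly documented request shapes; the sample
requests at the bottom are constructed for illustration, not real honeypot data."""
import re
from urllib.parse import unquote


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body.
    Header names are lower-cased so lookups are case-insensitive."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


# OGNL markers seen in Struts exploitation attempts
OGNL_RE = re.compile(r"%\{\s*\(\s*#|#_memberAccess|@ognl\.OgnlContext@")


def struts_content_type_ognl(req: dict) -> bool:
    # CVE-2017-5638: OGNL expression smuggled in the Content-Type header
    return bool(OGNL_RE.search(req["headers"].get("content-type", "")))


def struts_namespace_ognl(req: dict) -> bool:
    # CVE-2018-11776: ${...} expression in the URL namespace segment
    return bool(re.search(r"\$\{.+?\}", unquote(req["target"])))


def drupal_form_api_abuse(req: dict) -> bool:
    # CVE-2018-7600: element_parents pointing into a render array plus #post_render in the body
    target, body = unquote(req["target"]), unquote(req["body"])
    return ("/user/register" in target
            and "element_parents=account/mail/#value" in target
            and "#post_render" in body)


def wp_file_manager_connector(req: dict) -> bool:
    # CVE-2020-25213: POST to the elFinder connector the plugin left reachable unauthenticated
    return (req["method"] == "POST"
            and "/wp-file-manager/lib/php/connector.minimal.php" in req["target"].lower())


SIGNATURES = [
    ("CVE-2017-5638", struts_content_type_ognl),
    ("CVE-2018-11776", struts_namespace_ognl),
    ("CVE-2018-7600", drupal_form_api_abuse),
    ("CVE-2020-25213", wp_file_manager_connector),
]


def scan(raw_requests) -> list:
    """Return (cve, method, target) for every signature each request trips."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        for cve, matcher in SIGNATURES:
            if matcher(req):
                hits.append((cve, req["method"], req["target"]))
    return hits


# Constructed sample requests (not real captures; payload fields are placeholders)
SAMPLE_REQUESTS = [
    "GET /struts2-showcase/index.action HTTP/1.1\r\nHost: victim.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='id')}\r\n\r\n",
    "POST /user/register?element_parents=account/mail/%23value&ajax_form=1"
    "&_wrapper_format=drupal_ajax HTTP/1.1\r\nHost: victim.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "form_id=user_register_form&_drupal_ajax=1&mail[a][%23post_render][]=exec&mail[a][%23markup]=id",
    "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1\r\n"
    "Host: victim.example\r\n\r\ncmd=upload&target=l1_Lw",
    "GET /%24%7B233*233%7D/actionChain1.action HTTP/1.1\r\nHost: victim.example\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: victim.example\r\nUser-Agent: curl/7.68.0\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(*hit)
```

The signatures are deliberately narrow: matching on the structural feature each CVE needs (an OGNL expression where a MIME type belongs, `#post_render` inside form data, a fixed plugin path) rather than on a full payload keeps false positives low while still catching the obfuscated variants that percent-encode their way past naive string matches, which is why every check runs on the URL-decoded form.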

5G Security Vulnerabilities Concern Mobile Operators

 

As 5G private networks become more widely available in the coming years, security may become a major concern for businesses. According to a report presented at Mobile World Congress on Monday, significant gaps in mobile operators' security capabilities still prevail.

According to the GSMA and Trend Micro report, 68 percent of carriers already sell private wireless networks to enterprise customers, with the rest expecting to do so by 2025. However, these may not be ready for prime time in terms of security: For example, 41% of surveyed operators claimed they are having difficulty addressing vulnerabilities connected to 5G network virtualization. 

In addition, 48% of them indicated they don't have adequate internal knowledge or resources to find and fix security flaws at all. For 39 percent of surveyed operators, a restricted pool of mobile-network security professionals is a contributing cause to the problem. 

5G Networks: Diverse Architecture, Diverse Risks 

As 5G networks are essentially software-defined and virtualized, they are a significant change from previous wireless networks. In 5G, network operations that were previously defined in hardware are transformed into virtual software capabilities that are orchestrated by a flexible software control plane. In 5G, even the radio access network (RAN) air interfaces are software-defined. The concern is that this opens the door for a slew of new exploitable flaws to appear throughout the architecture, in places where they have never been exposed before. 

William Malik, vice president of infrastructure strategies at Trend Micro, told Threatpost, “Because so much of the environment is virtualized, there will be a lot of software creating images and tearing them down – the volume of virtualization is unlike anything we have experienced so far. The risk there is that we do not know how well the software will perform under such huge loads. Every experience with distributed software under load suggests that things will fail, services will drop and any vulnerability will be wide open for exploitation.” 

“Think about the traffic at a major port – much of the work is not done by individuals but by application software coordinated by scheduling and orchestration software. If you can take this over, you can dump containers into Long Beach Harbor, or ship 2,000 pounds of Cream O’ Wheat to your neighbor. In the port of Amsterdam, the bad guys took over the scheduling software and actually had containers full of guns, drugs, and in some cases, criminals delivered without inspection into the port then smuggled onwards throughout Europe,” he added.

Moreover, rather than transmitting all data to the cloud for processing, 5G employs multi-access edge computing (MEC), which implies that data created by endpoints is analyzed, processed, and stored at the network edge. Collecting and processing data closer to the client decreases latency and gives high-bandwidth apps real-time performance, but it also creates a new footprint to secure, with new data pools distributed over the network. 

Malik added further, “We’re focusing on corporate 5G implementations, generally called NPN – non-public networks. In these environments the 5G signal is restricted to a specific area – a port, a distribution center, a manufacturing facility – so we don’t have random devices connecting, and every application and device can be authenticated (note that this is not an architectural requirement but it is a really good idea). Even with that, the 5G network will be a very efficient way to move data around the site, so if malware gets into something, it will spread fast.” 

According to the survey, MEC is a crucial part of half (51%) of the operators' plans for serving enterprises' private network demands over the next two years. Only 18% of the operators polled said they provide security for both the edge and endpoints.

Best Practices for 5G Private Network Security:

“The bad guys will try to take over the 5G network by either sneaking some rogue software into the mix, using a supply-chain attack like SolarWinds; or sneaking past authentication to launch their own processes that can crypto mine (steal resources), exfiltrate data, or initiate a ransomware attack,” Malik predicted. 

Even though security skills are currently lacking, nearly half of the operators polled (45%) believe it is essential to invest in security to meet their long-term enterprise revenue targets – compared to only 22% in 2020. 

Due to COVID-19, 44 percent of operators have observed a spike in demand for security services from their enterprise clients, and 77 percent of operators see security as major income potential, with 20 percent of 5G revenue expected to come from security add-on services. 

The 3GPP, which is in charge of wireless network specifications, has included various security features in the 5G specification. 

According to Malik, certain security practices must be implemented: 

- employ technologies that detect anomalous activity, such as a process that starts encrypting everything it can touch.

- take frequent backups and verify that they are valid, to aid recovery from an attack.

- purchase technology from reputable sources and use reliable integrators to hook things up.

Malik told Threatpost, “Best practices for securing these NPN environments would include authenticating everything and everyone – that’s the idea behind zero trust. You have to prove you are who you say you are before you can do anything on the network.” 

New Vulnerabilities in Cellebrite's Tools Discovered by a Researcher

 

Signal, the messaging app that has recently become a new target for Cellebrite's data-extraction tools for law enforcement, raised the issue late last month.

Moxie Marlinspike, the creator of Signal, claimed that software flaws discovered in Cellebrite's tools could be used to tamper with evidence. As a result, one lawyer has already requested a new trial. But Marlinspike isn't the only one who has scrutinized Cellebrite's tools. At the Black Hat Asia conference on Friday, Matt Bergin of KoreLogic will present his latest findings, which relate to Cellebrite's Universal Forensic Extraction Device, or UFED. Bergin, KoreLogic's senior information security researcher, claims to have discovered three vulnerabilities in UFED.

Although Cellebrite has since fixed those problems, Bergin believes forensics software should be put through rigorous penetration testing to find bugs that might jeopardize evidence. Bergin will also demonstrate Lock Up, an Android app he created that can factory reset a phone if it detects Cellebrite software attempting to copy data. All of his research stems from a concern that Cellebrite's forensic tools could be tampered with by bad actors, resulting in the false accusation of innocent people.

"My whole goal for this project was to really highlight the fact that forensics tools are not immune to software vulnerabilities. And those issues, when exploited, do have real-life implications for people. That could be the rest of your life in jail," Bergin stated. 

Bergin gained an inside look at how the UFED begins probing devices by cracking its encryption. This also allowed him to write detection signatures for how UFED communicates with a target device, which he then built into Lock Up, an Android application. Bergin says he will not release Lock Up because he does not want to obstruct legitimate law enforcement investigations.

However, he plans to make the source code accessible, as well as the indicators of compromise, which are checksums and hashes of files that Cellebrite's UFED installs on devices before collecting data.

Cellebrite also fixed CVE-2020-12798, a privilege escalation flaw, as well as CVE-2020-14474, an issue in which Cellebrite left hard-coded keys for encrypted data right next to the encrypted data. Given the importance of digital evidence's credibility, Bergin believes testing of the software should be expanded to include penetration tests. "We need functional testing, and we need security testing," he states. "It should be part of the CFTT process before any evidence collected by these tools can be used in a court of law."

There are also questions about supply chain tampering. Bergin and Marlinspike's results, according to Hank Leininger, co-founder of KoreLogic, have raised doubts about the integrity of extracted data. Self-integrity checks could provide some assurance that the software hasn't been manipulated, he added.

Another way Cellebrite might strengthen its procedures is to issue public notices detailing newly found and patched vulnerabilities. "Airing your own dirty laundry after you've washed it is a good way to create trust in your security commitment," says Leininger.

Several Vulnerabilities Identified In Emerson OpenEnterprise


Four vulnerabilities were recently found in Emerson OpenEnterprise; they were reported to the vendor in December 2019, and patches were released a couple of months later.

Roman Lozko, a researcher at Kaspersky's ICS CERT unit, identified the flaws, which have been described as a heap-based buffer overflow, missing authentication, improper ownership management, and weak encryption issues.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Kaspersky published advisories for three of the vulnerabilities a week ago. The remaining vulnerability was described by Kaspersky in an earlier advisory.

According to Emerson, OpenEnterprise is specifically designed to meet the requirements of organizations focused on oil and gas production, transmission, and distribution.

The first two, tracked as CVE-2020-6970 and CVE-2020-10640, are rated critical, as they can allow an attacker to remotely execute arbitrary code with elevated privileges on devices running OpenEnterprise.

Vladimir Dashchenko, a security expert at Kaspersky, says an attacker could exploit these vulnerabilities either from the local network or directly from the internet. However, there do not appear to be any instances of the affected product exposed to the internet.

“The most critical vulnerabilities allow remote attackers to execute any command on a computer with OpenEnterprise on it with system privileges, so this might lead to any possible consequences,” Dashchenko said.

“Based on Shodan statistics, currently there are no directly exposed OpenEnterprise SCADA systems available,” Dashchenko explained. “It means that asset owners with installed OpenEnterprise are definitely following the basic security principles for industrial control systems.”

The remaining vulnerabilities can be exploited to escalate privileges and to obtain passwords for OpenEnterprise user accounts, but exploitation in both cases requires local access to the targeted system.

Biometric Data Exposure Vulnerability in OnePlus 7 Pro Android Phones Highlighted TEE Issues


In July 2019, the London-based Synopsys Cybersecurity Research Center (CyRC) discovered a vulnerability in OnePlus 7 Pro devices made by Chinese smartphone maker OnePlus. The flaw, which could have been exploited to obtain users' fingerprints, was patched by the company in a firmware update pushed in January this year. According to the findings, the flaw was not easy to exploit, but the researchers pointed to a broader concern regarding TEEs and TAs.

Synopsys CyRC's analysis of the vulnerability, tracked as CVE-2020-7958, states that it could have resulted in the exposure of OnePlus 7 Pro users' biometric data. The critical flaw would have allowed malicious Android applications running with root privileges to obtain users' bitmap fingerprint images from the device's Trusted Execution Environment (TEE), the isolated environment designed to keep sensitive data such as biometric templates out of reach of the main Android OS, even when that OS is compromised.

Because it has become increasingly difficult for malicious applications to acquire root privileges on Android devices, exploiting the flaw would have been an arduous task and is unlikely in practice given the complexity of a successful attack. Meanwhile, the fix has been available for months, and users who have applied it are protected.

However, the issue with Trusted Execution Environments (TEEs) and Trusted Applications (TAs) remains the major highlight of Synopsys's advisory released on Tuesday, “Upon obtaining root privileges in the REE [Rich Execution Environment], it becomes possible to directly communicate with the factory testing APIs exposed by Trusted Applications (TAs) running in the TEE. This attacker invokes a sequence of commands to obtain raw fingerprint images in the REE,” it read.

While explaining the matter, Travis Biehn, principal consultant at Synopsys, told, “Of course, people’s fingerprints don’t usually change. As attackers become successful in retrieving and building large datasets of people’s fingerprints, the usefulness of naïve fingerprint recognition in any application as a security control is permanently diminished,”

“A further possible consequence is that fingerprints become less trustworthy as evidence in our justice systems.”

“...this vulnerability shows that there are challenges with Trusted Execution Environments (TEEs) and Trusted Applications (TAs); these are software components that are opaque to most (by design), expertise is limited, and typically involve long supply chains. These factors together mean there are opportunities for organizations to make a mistake, and hard for security experts to catch at the right time,” he further added.

The flaw would have allowed attackers to recreate the targeted user's complete fingerprint and then use it to generate a counterfeit fingerprint that further would have assisted them in accessing other devices relying upon biometric authentication.
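The design point in the advisory is that a TA's factory-test commands become reachable from the REE as soon as an attacker has root there, so the TA itself has to refuse them on a shipped device rather than relying on the REE's privilege model. The Python model below is an added illustration of that gate and is not OnePlus or Synopsys code: the `FingerprintTA` class, the command numbers, the lifecycle states and the "sensor capture" byte string are all hypothetical, standing in for a real TA's command table and fuse-backed lifecycle state.

```python
"""Model of a fingerprint Trusted Application that gates factory-test commands on
device lifecycle state. Added illustration only; names and command numbers are
hypothetical and the sensor capture is a constructed byte string."""
import hashlib
from enum import Enum, Flag, auto


class Lifecycle(Enum):
    FACTORY = "factory"        # production line: lifecycle fuse not yet blown
    PRODUCTION = "production"  # shipped device: fuse blown, irreversible


class Policy(Flag):
    NORMAL = auto()        # ordinary command, any REE client may call it
    FACTORY_ONLY = auto()  # diagnostic command, must be dead on shipped devices


class Status(Enum):
    OK = 0
    DENIED = 1
    BAD_COMMAND = 2


CMD_ENROLL = 0x0001
CMD_MATCH = 0x0002
CMD_DUMP_RAW_IMAGE = 0x1001  # hypothetical factory-test command returning the sensor bitmap


class FingerprintTA:
    def __init__(self, lifecycle: Lifecycle):
        self.lifecycle = lifecycle
        self._template = None
        # command -> (policy, handler): the policy lives next to the handler so a
        # new command cannot be added without declaring who may call it
        self._handlers = {
            CMD_ENROLL: (Policy.NORMAL, self._enroll),
            CMD_MATCH: (Policy.NORMAL, self._match),
            CMD_DUMP_RAW_IMAGE: (Policy.FACTORY_ONLY, self._dump_raw_image),
        }

    def _sensor_capture(self) -> bytes:
        # constructed stand-in for reading the sensor from inside the TEE
        return bytes(range(16))

    def invoke(self, cmd: int, payload: bytes = b""):
        """Entry point the REE calls. Returns (Status, response bytes)."""
        entry = self._handlers.get(cmd)
        if entry is None:
            return Status.BAD_COMMAND, b""
        policy, handler = entry
        # The gate: refuse factory commands once the device is fused, no matter
        # how privileged the caller is in the REE. Android root is not trusted here.
        if Policy.FACTORY_ONLY in policy and self.lifecycle is Lifecycle.PRODUCTION:
            return Status.DENIED, b""
        return handler(payload)

    def _enroll(self, payload: bytes):
        # the template is derived and kept inside the TEE; only a status leaves
        self._template = hashlib.sha256(self._sensor_capture()).digest()
        return Status.OK, b""

    def _match(self, payload: bytes):
        if self._template is None:
            return Status.OK, b"\x00"
        probe = hashlib.sha256(self._sensor_capture()).digest()
        return Status.OK, b"\x01" if probe == self._template else b"\x00"

    def _dump_raw_image(self, payload: bytes):
        # legitimate on the production line for sensor calibration; on a shipped
        # device this is exactly the biometric leak the advisory describes
        return Status.OK, self._sensor_capture()
```

The check belongs in the dispatcher, not in each handler, so that it cannot be forgotten for the next diagnostic command; and it keys on an irreversible lifecycle state read inside the TEE rather than on anything the REE asserts about itself.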

Vulnerabilities Discovered In Four Popular Open Source VNC Systems


Numerous vulnerabilities in four well-known open source virtual network computing (VNC) systems have recently been identified by Kaspersky researchers; fortunately, most of them have already been patched.

After analyzing the four widely used open source VNC systems LibVNC, UltraVNC, TightVNC and TurboVNC, the cybersecurity firm notes that UltraVNC and TightVNC are frequently recommended by industrial automation system vendors for connecting to human-machine interfaces (HMIs).

A total of 37 CVE identifiers have been assigned to the vulnerabilities Kaspersky discovered in the server and client software.

Some of the flaws could be exploited for remote code execution, allowing an attacker to make changes to the targeted system; more than 20 of the security bugs were identified in UltraVNC.

In some cases, the firm noted, the flaws found as part of the research project were variants of previously identified weaknesses. While most of the 37 vulnerabilities have been fixed, TightVNC 1.X has been discontinued and its package maintainers have not released any fixes, despite being notified in January 2019.

Pavel Cheremushkin, a researcher at Kaspersky ICS CERT, pointed out that while some of these vulnerabilities can pose a serious risk, particularly in the case of industrial systems, exploitation of the server-side bugs in many cases requires authentication, and the software can be configured not to allow connections without a password.

This means that setting a strong password on the server can prevent many attacks. On the client side, the recommended defense is to ensure that users don't connect to untrusted VNC servers.
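Cheremushkin's point that server-side exploitation usually requires authentication makes the server's offered security types the thing to audit: a VNC server that lists security type 1 (None) hands a session to anyone who connects, and every server-side bug behind authentication becomes pre-auth. The parser below is an added example, not Kaspersky's code, that decodes the server-to-client bytes at the start of an RFB handshake (RFC 6143) and flags servers that accept unauthenticated connections. The byte strings are constructed to show the 3.8 list form, the 3.3 single-type form and a refusal; none is a capture from a real HMI.

```python
"""Decode the server side of an RFB (VNC) handshake and flag servers that allow
security type None. Added example; the byte strings below are constructed."""
import struct

# Security types registered for RFB (RFC 6143 and the IANA registry)
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt",
}


def parse_server_handshake(data: bytes) -> dict:
    """Parse ProtocolVersion plus the security-type negotiation a server sends.

    RFB 3.3 servers pick one type and send it as a big-endian u32 (0 = refused).
    RFB 3.7/3.8 servers send a count byte followed by the types they accept;
    a count of 0 means refusal and is followed by a length-prefixed reason.
    """
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion message")
    version = data[:12].decode("ascii").rstrip("\n")  # e.g. "RFB 003.008"
    major, minor = int(version[4:7]), int(version[8:11])
    rest = data[12:]
    result = {"version": version, "security_types": [], "refused_reason": None}

    if (major, minor) < (3, 7):
        (sec_type,) = struct.unpack(">I", rest[:4])
        if sec_type == 0:
            (n,) = struct.unpack(">I", rest[4:8])
            result["refused_reason"] = rest[8:8 + n].decode("latin-1")
        else:
            result["security_types"] = [sec_type]
    else:
        count = rest[0]
        if count == 0:
            (n,) = struct.unpack(">I", rest[1:5])
            result["refused_reason"] = rest[5:5 + n].decode("latin-1")
        else:
            result["security_types"] = list(rest[1:1 + count])
    return result


def allows_unauthenticated(handshake: dict) -> bool:
    """True if the server will accept a client that selects security type None."""
    return 1 in handshake["security_types"]


def describe(handshake: dict) -> str:
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in handshake["security_types"]]
    return f"{handshake['version']}: {', '.join(names) or 'refused: ' + str(handshake['refused_reason'])}"


# Constructed server-to-client bytes (not captures from a real HMI)
SAMPLES = {
    "open_hmi": b"RFB 003.008\n" + bytes([2, 1, 2]),        # offers None and VNC Auth
    "password_only": b"RFB 003.008\n" + bytes([1, 2]),      # VNC Auth only
    "legacy_3_3": b"RFB 003.003\n" + struct.pack(">I", 2),  # 3.3 server chose VNC Auth
    "refusing": b"RFB 003.008\n" + b"\x00" + struct.pack(">I", 8) + b"Too many",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        hs = parse_server_handshake(blob)
        flag = "  <-- no password required" if allows_unauthenticated(hs) else ""
        print(f"{name:14} {describe(hs)}{flag}")
```

Run against live hosts, the same parser can be fed the first bytes read from a TCP connection to port 5900 (the server speaks first), which makes it a quick inventory check for HMIs left with an empty password; note that VNC Authentication itself is only a DES challenge-response with an 8-character key, so "password set" is the floor, not the ceiling.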

GDPR privacy law exploited to reveal personal data

About one in four companies revealed personal information to a woman's partner, who had made a bogus demand for the data by citing an EU privacy law.

The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.

In each case, he asked for all the data that they held on his fiancee.

In one case, the response included the results of a criminal activity check.

Other replies included credit card information, travel details, account logins and passwords, and the target's full US social security number.

University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

- a UK hotel chain that shared a complete record of his partner's overnight stays

- two UK rail companies that provided records of all the journeys she had taken with them over several years

- a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

Mr Pavur has, however, named some of the companies that he said had performed well.

A Bunch of Loopholes in Apple’s iMessage App?


Apple’s devices could be vulnerable to attacks owing to a few flaws that researchers have uncovered in its iMessage app.

In one case, the severity was such that the only way to safeguard the device would be to wipe all data on it.

In another, files could be copied off the device without any user interaction. Apple released fixes last week.

One of the problems the researchers reported to the company, however, was not fixed in the updates.

Google’s Project Zero team, established in July 2014, aims to find previously undocumented vulnerabilities.

The team has previously warned Samsung, Microsoft, Facebook and others about problems in their code.

According to Apple’s own description, the unrepaired flaw could allow attackers to crash an app or execute arbitrary code on iPads, iPhones and iPod Touches.

Users are strongly advised to install the new version of iOS (iOS 12.4); keeping the software up to date addresses the issues that have been fixed.