Search This Blog

Showing posts with label Security patches. Show all posts

Zoom Security Flaw: Now Hackers Can Take Control Of Your PC, Wait For Patch

 


Zoom security issues were lately troubling users worldwide, very often so. The Zoom video conferencing app was not in the limelight before the ongoing pandemic, however, since the inception of Covid-19, a lot has changed along with the ways of living, this was also the time when Zoom App underwent some regulatory security measures, owing to the suddenly enhanced reputation enjoyed by the app, as the work from home was necessitated by the pandemic. 

However, as of now, it is being observed that the security measures that had been taken a year ago are failing to secure users' data from threat actors.

Cybercriminals exploited a vulnerability and undertook a distant code execution (RCE) assault to take management of host PCs. The two Computest cyber safety intelligence observed the vulnerability on the Pwn2Own 2021 competition, organized by the Zero Day Initiative. The two Computest researchers Daan Keuter and Thijs Alkemade were awarded $200,000 for their findings. 

How does This work? 


Foremostly, the hacker has to be a part of the same organizational domain as the host PC’s user has to get permission from the host to join the meeting; When the attackers become part of a meeting, they will be able to execute a chain of three malware that will install an RCE backdoor on the victim’s PC. 

It can also be understood as — the threat actors can get access to your PC, and simultaneously will able to be able to implement remote commands that will then give access to your sensitive data.

Besides, what is even dangerous here is that the hackers can run their operations without the victim being required to do anything, therefore it is very essential to add more layers of security measures that can slow down the future operations of the attackers. 

The aforementioned operation runs on Mac, Windows, but on Zoom’s iOS and Android apps, it has not been checked yet. Notably, the browser version is safe. 

Currently, Zoom is yet to take measures, and the technical details of the attack have not been reported to the public, yet. Reportedly, the patch will arrive on Zoom for Mac and Windows within the next 90 days. 

Guardian: Truecaller Fixes Location Vulnerabilty In Its New App

Caller ID and spam blocking company Truecaller recently launched its "Guardian" application that allows users to share their live locations with the trusted guardians in their contact lists. Anand Prakash, cybersecurity expert based in Bangalore, however, pointed out that the app had a major vulnerability and Truecaller soon fixed it. The individual security app has an emergency option that informs the user's selected peers of his/her live location, which gives real-time information during any emergency.  Mr. Prakash who founded Pingsafe, a cybersecurity startup, says that the vulnerability could allow any potential threat actor to gain access into any user's account via using a phone number. 

Later, the hacker could hijack the user account and take all its data, this may include the live location (both user and emergency contacts), user date of birth, and profile picture. Guardian was released on 3rd March and has over 1,00,000 downloads on the play store. "We are using an encrypted line between the two different clients...So that actually means that you can't revisit a previous journey because we don't store that data...The data that is shared with the 'forever sharing' option is the state of battery and signal, along with the location to help the trusted guardians follow the user," says Truecaller. Mr. Prakash contacted Truecaller the next day, notifying the latter about the vulnerability. 

Basic API error was the reason for the flaw. If API (Application Programming Interfaces) problems persist, it allows attackers to access website data and software, generally not accessible to a user. Mr. Prakash says he immediately looked into the app after its release and soon discovered issues with the app. using the "login API" option in the app, the researcher was able to gain access to another person's profile using his phone number. 

A similar pattern was tried with other contacts and the issue was reported to Truecaller. The company soon fixed the issue and later notified the expert. Mr. Prakash identified the issue as an "Insecure Direct Object Interference" flaw.  PingSafe's report says, "companies tend to miss out on such fundamental issues even after rigorous security assessments. The repercussions of such problems are enormous and impact customers’ privacy and lead to companies’ revenue losses." 

SAP Issued Warning and Updates Regarding the Serious Flaws with the Code Injection

 

A German multinational software corporation SAP ( Systems Applications and Products in Data Processing ) is known for developing software solutions that work on managing business operations as well as customer relations. SAP is the name of their software as well as of the company that works on this technology. SAP provides “future-proof Cloud ERP (Enterprise Resource Planning) solutions that will power the next generation of business.” With its advanced capabilities, SAP can boost your organization's efficiency and productivity by automating repetitive tasks, making better use of your time, money, and resources. 

SAP has published some 14 new updates or the Security Note on the 2020 December Patch Day. Whereas in January 2021 they published another set of 7 new Security Notes, later providing their new updates as well. Five of the seven have the highest severity rate of the Hot News. Later in the month, they made a proclamation where they published 10 advisories to a document of flaws ad fixes for a range of serious security vulnerabilities. In the congregation of asserted vulnerabilities, the most important issue bears a CVSS score of 9.9 in the SAP Business Warehouse. 

 The very first note addressed CVE-2021-21465 which according to SAP is multiple issues in the Database Interface. These bugs are an SQL Injection with a missing authorization check which should have featured a CVSS score of 6.5. A SQL Injection is basically a code injection technique that might at times destroy the database interface. One of the most common hacking technique used by hackers is SQL Injection. In the SQL Injection, another thing that was missing was Onapsis, a firm that secures Oracle and SAP applications. These missing authorization checks would easily exploit to read any table of a database. 

 Mentioning that minimum privileges are required for successful exploitation, Onapsis in a blog quoted, “An improper sanitization of provided SQL commands allowed an attacker to execute arbitrary SQL commands on the database which could lead to a full compromise of the affected system,” SAP decided to fix such bugs b disabling the function module and applying the patches that will result in abandoning of all the applications that call this function module. 

 Another serious issue, other than the aforementioned issue, is a code injection flaw in both Business Warehouse and BW/4H4NA , that addresses as CVE-2021-21466. This issue is a result of insufficient input validation. Such flaws are misused to inject malicious code that gets stored persistently as a repot. These issues potentially affect the confidentiality, integrity, and availability of systems. The remaining three from the total five updates are fixes for the programs released in 2018 and 2020. 

 Further SAP added as a warning, “An issue in the binding process of the Central Order service to a Cloud Foundry application” that could have allowed “unauthorized SAP employees to access the binding credentials of the service”.

NSA Issued Warning Against Russian State-Sponsored Attackers for Exploiting VMware Access

An advisory warning has been issued by the United States National Security Agency (NSA) on 7th December that Russian malicious actors are posing a big threat to VMware by installing malware on corporate systems and accessing protected data. 
The attack came two weeks after the virtualization software company publicly disclosed vulnerabilities. According to the company malicious actor (s) is accessing —VMware workspace one, Connector, Identity Manager, and Identity Manager Connector products for Windows and Linux. However, the identities of malicious actors and when all of this started have not been disclosed. 

What is VMware? 

VMware is an American Software Company that provides cloud computing and virtualization software and services. VMware was one of the commercially successful companies to virtualize the x86 architecture.

Its desktop software runs on Microsoft Windows, Linux, and macOS, while its enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without requiring an additional underlying operating system. 

When The Threat Surfaced? 

It was about in late November when Vmware had addressed the attacking threat and pushed temporary workarounds to dig deeper into the issue. However, the ‘escalation-of-privileges ‘bug resolution had to wait till the 3rd of December 2020 to get resolved. 

The same day witnessed the United States Cybersecurity and Infrastructure Security Agency (CISA) releasing a brief bulletin to encourage administrators to review, apply, and patch as soon as possible.

Meanwhile, as per the National Security Advisor, VMware didn’t clearly disclose that the bug was being actively exploited by the attackers, which led to adversaries leveraging the vulnerability for launching attacks to steal data and exploit shared authentication systems. 

''The misuse via shell injection led to the installation of a web shell and follow up malicious activity where Security Assertion Markup Language (SAML) in the form of authentication assertions generated and sent to Microsoft Active Directory Federation Services, which allow actors access to protected data," the agency said. 

What is SAML? 

Security Assertion Markup Language or SAML an Open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions). 

Besides insisting on the organizations to update compromised systems to the latest version, the agency is also moving forward towards securing strong management. 

As of now, the threat hasn’t gone anywhere; the US National Security Advisory has advised the agencies to monitor all the systems, scan server logs for the presence of "exit statements" that indicate possible malicious activity. 

Attention! Malvertising Campaigns Using Exploit Kits On The Rise


Of all the things that online advertising could be used for, spreading malware is the one that throws you off the list by surpassing them all.

Not of late, researchers found out a recent ‘Malvertising’ campaign and sources say that it was done by way of the “Domen Social Engineering Toolkit”.
‘Malvertising’ (malicious advertising) could be defined as using online advertising means for spreading malware. Most typically it is done by inserting malware or malicious advertisements into legitimate advertising web pages or networks.

Per informed sources, this campaign was uncovered while trying to influence a VPN service as bait. It displayed a group of domains that gave Domen’s attack mechanism a fresh bend.

The construction of the campaign, as mentioned in reports, was such that ‘search-one[.]info’ was comprised in it as the ‘fake’ page, ‘mix-world[.]best’ as the download site and ‘panel-admin[.]best as the backend panel.

As revealed in reports, the campaign managed to redirect the users and bare them to ‘Smoke Loader’. This is conceivably a downloader that installs secondary payloads. And that’s what it did. They consisted of a ‘Vidar stealer’, ‘Buran ransomware’ and ‘IntelRapid cryptominer’.

Need not to mention, this campaign isn’t the first one to surface which was focused on payloads. Women's malvertising per source had commenced in September last year. The social engineering toolkit was employed to exploit the website and fool users into clicking on a fake ‘Adobe Flash Player’ update. The clicking would start a download of “download.hta”. Afterward, by way of employing PowerShell to connect to “xyxyxyxyxy[.]xyz”, only to download the 'NetSupport Remote Access Trojan' (RAT), later.

With amplification in the usage of the internet and online means, it becomes a top priority to build up a structured and strong defense mechanism to fight and prevent Malvertising.

Hiring security professionals is a safe pre-requisite and a building block towards creating the defense structure. Keeping abreast of the latest updates and patches must be a primary priority.

Word has it that in most cases the ‘exploit kits’ are employed to disseminate the malware payloads. Hence the organizations should have a clear account of all its obstruction points so that Malvertising campaign’s attack payloads could be detected and dealt with in time.

Security Flaw in Oracle POS systems discovered

Researchers at ERPScan have discovered a new security flaw in the Oracle Micros Point-of-Sale (POS) systems that has left over 300,000 systems vulnerable to attack from hackers.

It was discovered in September 2017 by Dmitry Chastuhin, a security researcher, and was named “CVE-2018-2636”.

Oracle has already issued updates for this issue earlier in the month but due to companies’ fear of unstable patches and losses, it is suspected that it may take months for the patch to reach affected systems.

According to Chastuhin, the POS malware enables hackers to collect configuration files from the systems and gain access to the server.

Hackers can also exploit the flaw remotely using carefully crafted HTTP requests. Many of the vulnerable systems have already been misconfigured to allow such access and are available online to be easily exploited if the patches aren’t used soon.

Patches for the flaw were made available in January 2018 in Oracle’s Critical Patch Update (CPU). More information on the bug can be found here.

Microsoft provides urgent security fix for Windows

Microsoft has recently provided a security fix for its Windows operating systems to plug a lapse in security that allowed hackers access to a victims computer.

Microsoft has said that the vulnerability present in their operating system would have allowed a hacker to gain complete access to an affected computer.

The vulnerability is present in Windows Vista, Windows 7, Windows 8 and 8.1 and Windows RT. These operating systems represent two out of three computers in the world that run a Microsoft operating system.

The company had previously provided an update like this in November 2014 also.

The flaw is said to exist in the final version of Windows 10 also that will be available to users from July 29.

The security fix will be done through Windows Update