Search This Blog

Showing posts with label Vulnerabilities and Exploits. Show all posts

Research Study shows that 100 Million IOT Devices are at Risk

 

Forescout Research Labs has disclosed a new collection of DNS vulnerabilities in collaboration with JSOF, potentially impacting over 100 million consumer devices. The seemingly simple code that underpins how computers interact with the internet has identified a shocking number of vulnerabilities for researchers. As of now, there are 9 new vulnerabilities, including Internet of Things products and IT control servers, with approximately 100 million devices worldwide. 

The newly revealed bugs are the code that implements protocol of network communication for connecting devices to the internet in four ubiquitous TCP/IP stacks. In operating systems such as the FreeBSD open-source project and Nucleus NET of the industrial control company Siemens, the vulnerabilities are all related to how the “Domain Name System” Internet phone book is carried out. 

They all encourage an attacker to destroy a computer and take it offline or get remote control access. All the vulnerabilities found by Forescout and JSOF security scientists now have patches, but this does not necessarily lead to corrections in actual devices that frequently run outdated versions of software. 

“With all these findings I know it can seem like we’re just bringing problems to the table, but we're really trying to raise awareness, work with the community, and figure out ways to address it,” says Elisa Costante, vice president of research at Forescout. She further added, “We've analyzed more than 15 TCP/IP stacks both proprietary and open source and we've found that there's no real difference in quality. But these commonalities are also helpful because we've found they have similar weak spots. When we analyze a new stack we can go and look at these same places and share those common problems with other researchers as well as developers.” 

Researchers are yet to see indications of these types of vulnerabilities being actively exploited in the wild by attackers. But the exposure is noticeable in the hundreds, perhaps billions, of devices that have potentially been affected as per several different findings.

Similar failures of Forescout and JSOF have already found themselves exposed in hundreds of millions or potentially trillions of devices in other TCP/IP proprietary and open-source stacks around the world. 

“For better or worse, these devices have code in them that people wrote 20 years ago—with the security mentality of 20 years ago,” says Ang Cui, CEO of the IoT security firm Red Balloon Security. 

Although the fixes do not proliferate in the near future, they too are available. And some other halted mitigation measures will minimize the exposure, namely by ensuring that as many devices as possible do not link to the internet directly and by using an internal DNS server. 

Forescout's Costante noted that operational behaviour would be predictable and that attempts to exploit certain defects would be easier to identify. 

Forescout has published an open-source script for network administrators in their organizations to recognize potentially insecure IoT devices and servers. 

The organization also continues to maintain an access database library of inquiries, which scientists and developers could use to quickly identify similar DNS vulnerabilities. 

“It’s a widespread problem; it’s not just a problem for a specific kind of device,” says Costante.

NCSC Warns of Exploited VPN Servers: Here are the Safety Tips to Fix Your VPN

 

The UK’s Nationwide Cyber Safety Centre (NCSC) has published a new advisory warning that cybercriminals as well as Advanced Persistent Threat (APT) actors are actively searching for unpatched VPN servers and trying to exploit the CVE-2018-13379 susceptibility.

According to NCSC, a significant number of organizations in the UK have not fixed a Fortinet VPN vulnerability found in May 2019, resulting in the credentials of 50,000 vulnerable VPNs being stolen and revealed on a hacker forum. As such, the NCSC recommended organizations that are using such devices to assume they are now compromised and to start incident management procedures, where security updates have not been downloaded.

“The NCSC is advising organizations which are using Fortinet VPN devices where security updates have not been installed, to assume they are now compromised and to begin incident management procedures. Users of all Fortinet VPN devices should check whether the 2019 updates have been installed. If not, the NCSC recommends that as soon as possible, the affected device should be removed from service, returned to a factory default, reconfigured, and then returned to service,” NCSC stated.

Safety tips for users & organizations 

The first step is to check whether the 2019 update is installed on all Fortinet VPN devices or not. If not, the NCSC recommends installing it as soon as possible. Secondly, the corrupt devices should be removed from service, returned to a factory default, reconfigured, and then restored to service. 

While fixing the security loophole, organizations should examine all connected hosts and networks to detect any further attacker movement and activities. Anomalous connections in access logs for the SSL VPN service may also indicate the use of compromised credentials. Organizations should then make it a high priority to upgrade to the latest FortiOS versions to prevent reinfection. 

"The security of our customers is our first priority. For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade," a Fortinet spokesperson told ZDNet.

AMD Admits Ryzen 5000 CPU Exploit Could Leave Your PC Open to Hackers

 

According to AMD itself, AMD's Zen 3 CPU architecture may include a feature that could be exploited by hackers in a Spectre-like side-channel attack. 

With Zen 3, the speculative execution feature—which is a common feature in modern processors— is known as Predictive Store Forwarding (PSF). Essentially its task is to guess which instruction is most likely to be sent next through the use of branch prediction algorithms and fetch that command in anticipation. The aim is to speed up the microprocessor's output pipeline, but the feature comes with risks, according to TechPowerUp. 

In the occurrence of a misinterpretation, software such as web browsers that use 'sandboxing' can expose your CPU to side-channel attacks. 

Sandboxing (isolation) is actually aimed at protecting against threats by placing malicious code on the naughty step and challenging its motivations. However, similar to the Spectre vulnerabilities, possible changes to the cache state in such cases could result in hackers gaining access to portions of one’s personal data. 

Due to Spectre and Meltdown vulnerabilities, web browsers don't tend to rely on isolation processes as much nowadays, but there are still risks that AMD outlines forthrightly. 

Under the security analysis section of a publicly accessible AMD report, "A security concern arises if code exists that implements some kind of security control which can be bypassed when the CPU speculates incorrectly. This may occur if a program (such as a web browser) hosts pieces of untrusted code and the untrusted code can influence how the CPU speculates in other regions in a way that results in data leakage."

"If an attacker is able to run code within a target application, they may be able to influence speculation on other loads within the same application by purposely training the PSF predictor with malicious information." 

However, there is a way to protect yourself from the feature's potential flaws, which is by simply disabling PSF. However, this is not an option that AMD recommends because it has the potential to stifle performance. In certain cases, Meltdown and Spectre mitigations in Intel CPUs had also led to similar performance limitations.

The tests by Phronix show that turning off the feature only reduces CPU output by 1%. A firmware update could provide a short-term patch for those that are currently affected, but a long-term solution will likely have to come in the form of a change to the architecture itself.

FBI & CISA Warns of Active Attacks on Fortinet FortiOS Servers

 

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of active exploits targeting three susceptibilities in Fortinet FortiOS. Fortinet FortiOS is an operating system designed to improve enterprise security and it enables secure networks, endpoints, and clouds to keep the user safe from vulnerabilities and threats. 

According to the advisory, these three unpatched vulnerabilities in Fortinet FortiOS platforms belong to technology services, government agencies, and other private sector bodies. The advanced persistent threat (APT) actors are targeting the vulnerabilities CVE-2018-13379, a path traversal vulnerability (CVSS base score of 9.8); CVE-2020-12812, an improper authentication flaw (CVSS base score of 9.8) and CVE-2019-5591, a default configuration vulnerability (CVSS base score of 7.5) which were initially revealed in 2019.

The attackers have specifically exploited the vulnerability CVE-2018-13379 since its discovery in 2018. In 2019, nation-state hackers exploited the flaw and targeted the U.S. National Security Agency. Last year in October, a joint CISA/FBI advisory regarding federal, state, and local U.S. government networks being targeted mentioned the flaw.

“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks. APT actors may use the other CVEs or common exploiting techniques – such as spear-phishing – to gain access to critical infrastructure networks to pre-position for follow-on attacks,” the advisory read.

Carl Windsor, Fortinet field chief technology officer responded to the joint advisory by stating that Fortinet has already patched the flaws and is educating the customers regarding the vulnerabilities.

“The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers, as recently as late as 2020,” he further stated.

278,000 GitHub Repositories Affected by a Critical Networking Flaw in Netmask

 

Security researchers have unearthed a critical networking flaw CVE-2021-28918 in a popular npm library netmask. Netmask is commonly utilized by tons of thousands of applications to analyze IPv4 addresses and CIDR blocks or compare them. 

Netmask usually gets over 3 million weekly downloads, and as of today, has scored over 238 million complete downloads over its lifetime. Apart from this, nearly 278,000 GitHub repositories depend on the netmask. Due to improper input validation flaw, netmask sees a different IP and this flaw could allow hackers to achieve server-side request forgery (SSRF) in downstream applications.

 Security researchers Victor Viale, Sick Codes, Nick Sahler, Kelly Kaoudis, and John Jackson were responsible for tracking down the vulnerability in the popular netmask library. The flaw was initially detected when security researchers including Codes were designing a patch for a separate, critical, SSRF flaw (CVE-2020-28360) in downstream package Private-IP, which helps in preventing personal IP addresses from communicating with an application’s internal resources.

According to a GitHub advisory published by Sick Codes, “the primary cause of the problem turned out to be Netmask’s incorrect evaluation of individual IPv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on Netmask to filter or evaluate IPv4 block ranges, both inbound and outbound.”

Security researchers initially discovered the flaw on March 16 and advised node js developers to examine their projects for use of Netmask and upgrade immediately if they identify the package in use. Sick Codes stated that the 30 billion nodejs packages downloaded last week were mostly installed by automated CI/CD pipelines and with no manual runtime inspections.

Olivier Poitrey, netmask developer and director of engineering at Netflix, released a series of patches [1,2,3] for the bug to GitHub, containing test cases validating that IPv4 octets with 0 prefixes are treated as octal and not decimal numbers. Earlier this month, the Perl component Net::Netmask also suffered from this bug.

Weintek’s HMI Found with Vulnerabilities which can Allow Attackers to Exploit Devices

 

Weintek's human-machine interface (HMI) products include three types of critical vulnerabilities, according to a cybersecurity researcher - who specializes in industrial control systems (ICS). 

Customers should download relevant patches and follow measures to mitigate risks, according to a technical advisory posted by the company. The risk of abuse is higher if the devices are linked to an open network, according to the study. Customers can disconnect the devices from the network and update the operating system if the device is accessible by an open network. While devices that are not attached to an open network cannot be compromised, consumers are still encouraged to update their operating systems. If a computer can be accessed via a public IP address, it is said to be exposed to an open network. 

Marcin Dudek, a senior ICS/OT security researcher at Poland’s CERT Polska, identified the flaws; the security flaws have also been discovered in the Weintek cMT products', EasyWeb, web-based configuration interface. HMIs (including screen-less HMIs), programmable logic controllers (PLCs), and gateways are all the affected products. 

A remote, unauthenticated attacker may use the flaws to conduct malicious JavaScript code with root privileges (CVE-2021-27446), remotely access critical information, and perform actions on behalf of an admin (CVE-2021-27444) and conduct malicious JavaScript code through a stored XSS vulnerability (CVE-2021-27442). 

There are even more than 170 cMT HMIs linked directly to the internet, according to Dudek, with networks located in Europe, Asia, and North America. According to the researcher, an attacker may exploit the first two flaws by sending a single query to the targeted computer. An attacker could take advantage of CVE-2021-27444 to extract the administrator password hash. 

In the worst-case scenario, an attacker might use the bugs to gain full control of the targeted system with root privileges, which could have significant implications in the actual world. 

“Having such high privileges, an attacker can have unlimited access to all functions of the HMI,” Dudek explained. “It could also be used as a proxy to get access to the internal network of an organization, or to have direct access to other industrial devices in the same network, such as PLCs.” 

Dudek also said that “he worked well with the vendor during the disclosure process. He said it took roughly two months to release all patches, but most of the fixes were ready one month after he reported his findings.” 

The impacted items are mainly used in the water and commercial facilities industries, according to the US Cybersecurity and Infrastructure Security Agency (CISA), which released an advisory for the Weintek CMT vulnerabilities this week.

Black code: Two critical vulnerabilities found in Intel processors

Two new vulnerabilities have been found in Intel processors. They are undocumented capabilities of the manufacturer that allow hijacking control over the device. Access to them opens in a special mode that in most cases only Intel engineers have access to. However, in some scenarios it can also be activated by hackers. Information security experts suggest that these options may be present in all current Intel processors and see them as a major potential threat.

According to Positive Technologies experts Mark Yermolov and Dmitry Sklyarov, there are two undocumented instructions in Intel processors that allow modification of the microcode and gain control over the processor and the entire system.

"The discovered instructions allow bypassing all existing x86 architecture protection mechanisms in modern processors," said Yermolov.

The experts specified that the features found are in Intel's Atom processor family, which has been updated since 2011 to the present day.

"In theory, the vulnerabilities found can be exploited by any attacker who has the necessary information", Alexander Bulatov, Commercial Director of RuSIEM, told the publication.

In this case, the hacker would get a whole set of opportunities to control the compromised system.

“This can be either the simplest forced shutdown of the device, or flashing the processor with microcode that secretly performs certain tasks of the attacker,” explained Bulatov.

According to Yermolov, instructions can be activated remotely only in a special mode of operation of processors Red Unlock, which only Intel engineers should have access to. As Positive Technologies noted, some processors have vulnerabilities that allow third parties to enable Red Unlock mode as well.

Intel's press office said it takes Positive Technologies' research seriously and is carefully reviewing their claims.

The vulnerabilities found are potentially dangerous for users of devices based on the Intel Atom family. These are low-power processors mainly used in netbooks, tablets, POS terminals and POS machines.


Major Security Flaw Spotted in 5G Core Network Slicing Design

 

AdaptiveMobile security researchers have discovered a major flaw in the architecture of 5G network slicing and virtualized network functions. This vulnerability has been discovered to potentially allow data access and denial of service (DOS) attacks between different network slices on a mobile operator which leaves enterprise clients exposed to malicious cyberattacks. 

Details of 5G network

5G, the 5th generation mobile network, is the latest global wireless standard after the previously introduced 1G, 2G, 3G, and 4G networks which makes it all the more important because it enables a new kind of network that is created to connect virtually everyone and everything including machines, objects and devices.

How does 5G network slicing works?

Network slicing basically permits a mobile operator to divide their core and radio network into multiple distinct virtual blocks that provide different amount of resources to different types of traffics.

A great benefit of 5G network slicing for network operators will be the ability to deploy only the functions necessary to support specific clients and particular market segments such as automotive, healthcare, critical infrastructure, and entertainment. 

Some of the top nations using 5G are also the ones who are most affected by the vulnerability including South Korea, United Kingdom, Germany, and the United States because multiple firms in these countries deployed networks and are selling compatible devices.

5G network loopholes 

In its investigation, AdaptiveMobile Security examined 5G core networks that contain both shared and dedicated network functions, disclosing that when a network has these ‘hybrid’ network functions that support several slices there is a lack of mapping between the application and transport layers identities.

This vulnerability in the industry standards has the potential impact of creating an opportunity for an attacker to access data and launch denial-of-service attacks across multiple slices if they have access to the 5G service-based architecture. 

“When it comes to securing 5G, the telecoms industry needs to embrace a holistic and collaborative approach to secure networks across standards bodies, working groups, operators and vendors. Currently, the impact on real-world applications of this network-slicing is only limited by the networks globally. The risks, if the fundamental flaw in the design of 5G standards had gone undiscovered, are significant,” said Dr. Silke Holtmanns, Head of 5G Security Research at AdaptiveMobile Security.

GitHub Awards $25,000 Bug Bounty to the Google Employee

 

GitHub awarded $25,000 to the security researcher, Teddy Katz for discovering a bug and patching it. On March 17, bug bounty hunter and Google employee Teddy Katz published a note regarding a GitHub flaw discovered in the communication system between repositories and the organization’s workflow automation software, GitHub actions.

The security flaw was tracked as CVE-2022-22862 and was reported as an improper access control susceptibility that “allowed an authenticated user with the ability to fork a repository to disclose Action secrets for the parent repository of the fork.”

Katz identified the working method of GitHub and how it manages to pull requests. Every single pull request is meant to have a base branch, and this is often the main branch of a repository. Pull request designers can lay the base branch pointer. However, the bug bounty hunter recognized that it was possible to set branches to commits, and while this ended in errors due to merge conflicts, GitHub Actions converted the bug into something more dangerous. 

GitHub executes merge pull request stimulations to stop pull request creators from accessing repository secrets. According to Katz, this “breaks the GitHub actions permission model” and evades Actions secrets restrictions.

“Since the base branch is part of the base repository itself and not part of a fork, workflows triggered by pull_request_target are trusted and run with access to secrets. We just created a pull request where the base branch is a commit hash, not a branch. And anyone can create a new commit hash in the base repository since GitHub shares commits between forks,” Katz explained. 

An attacker could split public repositories that use GitHub Actions, design a pull request, and then set a malicious Actions workflow and separately commit to a fork – gaining access to repository secrets in the process.

“It would be difficult to conceal the malware for long – the malicious package would almost certainly be unpublished in a matter of hours or days depending on how fast the maintainers/npm security team were able to respond. Once it was exploited like this, the underlying GitHub vulnerability would probably have been noticed and fixed as well,” Katz stated.

A Russian IT expert said that home appliances threaten the security

In the last decade, a promising trend - the Internet of Things - has been actively developing in the world. Atypical functionality appears in many devices. Refrigerators are equipped with screens, kettles get Internet connection modules, and TVs get cameras. This is not a complete list of the symbioses that are formed in the modern world of technology, said partner and director of IQReserve Pavel Myasoedov.

According to the expert, this trend is clearly aimed at improving the quality of life, but along with it a number of cyber-threats emerge.

Devices are controlled by voice, receive our images and send all data to remote servers, where calculations take place, for example, to control the brightness of a smart light bulb or display a recipe on the refrigerator screen.

"At that time, there is a risk that the user's information or biometric data will be intercepted in the transmission process, or the server will be attacked by hackers. From this data, an attacker can learn a lot about a person. But this is not the biggest risk that smart home appliances bring to our world," noted Mr. Myasoedov.

Doorbells, cameras and microphones connected to the Internet allow us to monitor our actions from anywhere in the world in real-time. Switching on smart lights in different rooms will inform us about the person's movements in the apartment, while a sensor on the door will tell us when the person has left it. In some cases, the room can even be locked from the outside, creating a serious threat to life and health.

All this can let your partner know how and with whom you spend your time, and the thief will know the most appropriate moment to break into the apartment.

"Progress in terms of protecting devices from unauthorized access, of course, does not stand still. But today the Internet of Things is lagging far behind in terms of security. Neither manufacturers nor third-party companies offer sufficiently reliable anti-viruses and protection systems. So while smart technology is still developing, you have to be careful not to rely entirely on household appliances and not to load too much information into them," warned the expert.

Privacy Essentials Vulnerabilities in the DuckDuckGo Browser Extension

 

DuckDuckGo, the widely used web extension for Chrome and Firefox, that is meant to protect the privacy of its users has resolved a universal cross-site scripting (uXSS) flaw. DuckDuckGo Privacy Essentials, which blocks hidden trackers and offers private browsing features, was identified with the vulnerability. The research scientist Wladimir Palant has disclosed that it can allow arbitrary code to be executed on any domain on victims' devices. While the issue has been patched in Chrome, no updates for browsers like Microsoft Edge were published in Mozilla Firefox initially while it was disclosed. 

First of all, for certain internal communication, the extension used unsecure communication chains which ironically caused a certain amount of data leakage through the domain borders. DuckDuckGo's second security vulnerability allowed the DuckDuckGo server to execute arbitrary JavaScripting code on a given domain, and a Cross-Site Scripting (XSS) vulnerability in this extension. 

The security vulnerability could allow malicious actors to spy on all websites visited by the user, making confidential material such as banking and other data available. He says that even when browsing the website it leaves their privacy "completely compromised" and can even utilize web sites with defensive measures, like the security of information. Palant said that someone else controlling ‘http://staticcdn.duckduckgo.com’ can only use this vulnerability, which means that an attacker needs accessing the server. 

 “The data used to decide about spoofing the user agent is downloaded from staticcdn.duckduckgo.co,” Palant wrote. “So the good news [is]: the websites you visit cannot mess with it. The bad news: this data can be manipulated by DuckDuckGo, by Microsoft (hosting provider), or by anybody else who gains access to that server (hackers or government agency).” 

DuckDuckGo Privacy Essentials 2021.3. solves both problems. While initially it solved the issue for Chrome only. For certain reason Mozilla Firefox and Microsoft Edge, two releases were missed (insecure internal communication). Although Firefox and Edge can now have an extension version with the fix. 

These vulnerabilities are very characteristic, because in other extensions he has seen similar errors several times. This extension is not only one where the developers are clueless. The Google Chrome extension platform merely does not offer safe and convenient solutions. So most developers of extensions are bound to do the first attempt wrong. 

“As a more advanced consequence [if the attacker was a government agency], your communication in the browser is no longer private, even when using a secure mail provider like ProtonMail or communicating with journalists via SecureDrop.” 

As informed by a Mozilla spokesperson: "The extension is available in a fixed version now. Firefox users receive it, depending on their extension update settings, either through a manual or automatic update extension check."

IBM X-Force Publishes a List of Top 10 Cybersecurity Vulnerabilities of 2020

 

The severity of cyber-attacks has grown over the past year especially during the global pandemic. Threat actors are looking for unpatched issues or common vulnerabilities and exposures (CVEs) and are exploiting those vulnerabilities to gain initial access to a network. 

According to the 2021 X-Force Threat Intelligence Index, the list of the 10 most exploited susceptibilities of 2020 was dominated by older security issues, with just two out of the top 10 being spotted in 2020. Since 1988, the number of flaws discovered each year has followed a general upward trend with 17,992 new flaws discovered in 2020. 

 Top 10 CVEs exploited by threat actors 

IBM security X-force revealed a list of top 10 CVEs of 2020 based on how frequently threat actors exploited them. The list is based on both IBM X-Force incident response (IR) and IBM managed security services (MSS) data for 2020. Mostly, threat actors targeted common enterprise applications and open-source frameworks that many organizations use within their networks.

•CVE-2019-19871: Citrix Application Delivery Controller (ADC)
 
•CVE-2018-20062: NoneCMS ThinkPHP Remote Code Execution
 
•CVE-2006-1547: ActionForm in Apache Software Foundation (SAF) Struts
 
•CVE-2012-0391: ExceptionDelegator component in Apache Struts
 
•CVE-2014-6271: GNU Bash Command Injection
 
•CVE-2019-0708: ‘Bluekeep’ Microsoft Remote Desktop Services Remote Code Execution
 
•CVE-2020-8515: Draytek Vigor Command Injection
 
•CVE-2018-13382 and CVE-2018-13379: Improper Authorization and Path Traversal in Fortinet FortiOS
 
•CVE-2018-11776: Apache Struts Remote Code Execution
 
•CVE-2020-5722: HTTP: Grandstream UCM6200 SQL Injection 

How to manage the flaws and shield the network from CVEs? 

To patch the vulnerabilities or to protect the network from CVEs, you need to make hard decisions and require accounting for asset and data classification, business goals, risk, performance benchmarks, and much more. Some networks have sensitive machines and infrastructure that need rigorous testing to ensure nothing will fail when an update or patch is applied.

Three important techniques can be used to execute a robust patch-management program: 

(1). Organizations can use vulnerability management tools and crown jewel analysis to identify which assets are classified as critical to your organization, and which flaws are most likely to impact those assets. 

(2). Organizations can design a test environment that can assist in discovering the problems that may occur once a patch is installed in your enterprise environment.

(3). Companies should update their devices, operating systems, applications, versions, and cloud assets every quarter.

Experts have found vulnerabilities in thousands of surveillance cameras in Russia

 More than 6,000 surveillance cameras in Russia are open to the public, some of them are located at industrial enterprises and critical infrastructure facilities

According to Avast, an IT security software company, more than 6.3 thousand CCTV cameras in Russia can be accessed by anyone: they have open IP addresses, making them accessible to cybercriminals.

Some of these cameras are located at critical infrastructure facilities and industrial enterprises. "The system of most of these cameras can be accessed without a username and password, or the password is set by default," explained Avast. These cameras can be used to set up an illegal video surveillance system. Another threat is that their IP addresses could be used by cybercriminals to gain access to the networks of companies or businesses. Cameras in banks that are open to the public threaten to leak credit card and passport data.

Experts noted that data from cameras, for example, can be a source of information about a person's movements. For example, an attacker could map a person's movements around the city. In case, of course, that the quality from the cameras allows a specific person to be recognized.

According to them, too little attention is usually paid to the security of the cameras. "Default ports and passwords and the use of the cheapest Chinese devices with insecure firmware are the norm rather than the exception," stated the experts.

Avast cites data from the Internet of Things search engine Shodan.io, which monitors vulnerable IP addresses. According to Shodan.io, Russia has the fifth-highest number of open IP surveillance cameras, behind Vietnam, Taiwan, South Korea and the US.

TelecomDaily analysts estimate that in terms of the total number of installed video surveillance cameras, Russia is in third place in the world with 13.5 million, or 93.2 units for every thousand people. Only China and the US have more cameras.

Snort Vulnerability Leads Various Cisco Products Exposed to Vulnerabilities

 


Earlier this week, the company told its customers that several Cisco products have been exposed to DoS (Denial of Service) attacks due to Snort detection engine vulnerability. Known as CVE-2021-1285, the flaw is rated high severity, and hackers can exploit it. The attacker must be on the layer 2 domain similar to the victim, as to compel a device to fall to a DoS attack via sending it specifically made Ethernet frames. As per Cisco, the flaw exists in the Ethernet Frame Decoder part of the Snort. 

The vulnerability affects all variants of the famous intrusion detection and intrusion prevention system (IDS/IPS) made before 2.9.17, which has a bug patch. According to Security Week, "Snort is an open-source tool developed by Cisco that provides real-time traffic analysis and packet logging capabilities. It has been downloaded millions of times and it has more than 600,000 registered users, with Cisco claiming that it’s the most widely deployed IPS in the world. The alpha version of Snort 3 was announced in December 2014 and now it has finally become generally available."

Catalyst Edge software and platform, 1000v series Cloud Services Router products, and Integrated Service Router (ISR) are said to be affected by the CVE-2021-1285. But they'll be affected only if they are using a version of Cisco UTD Snort IPS engine software that is vulnerable for IOS XE or Cisco UTD Engine for IOS XE SD-WAN, and if these are configured to pass through the Ethernet frames to Snort. According to Cisco, the flaw is linked to FTD (Firepower Threat Defense) issue that was patched in October last year. 

The vulnerabilities were found during solving a support case, however, no evidence has been found to point that these vulnerabilities were exploited in any attacks. Besides this, on Wednesday Cisco issued an advisory on few other vulnerabilities, of medium severe ratings. "These impact Webex, SD-WAN, ASR, Network Services Orchestrator, IP phones, and Email Security Appliance products, and they can lead to information disclosure, path traversal, authorization bypass, DoS attacks, privilege escalation, and SQL injection," says SecurityWeek.

New Jailbreak Tool Released By Hackers to Unlock Latest iPhones

 

Unc0ver, one of the most popular iPhone jailbreaking tools has got a new update. The latest version 6.0 works on iOS 11 (iPhone 5s and later) to iOS 14.3 operating systems. A hacker group named ‘Pwn2Ownd’ is responsible for releasing this jailbreaking tool for iPhones. 

Hackers released a statement on their website noting – “With this tool, you can truly unlock your iPhone to do whatever you want to. You can alter what you want and operate within your purview, unc0ver unlocks the true power of your iDevice.”

Unc0ver tool runs on iOS versions 11.0 to 14.3 – exploits the flaw CVE-2021-1782, one of the three iOS flaws for which Apple released an emergency update iOS 14.4, last month. Hackers exploited the vulnerability via unc0ver tool and it was one of the rarest occasions on which hackers have the upper hand instead of Apple company. Apple denied revealing the identity of hackers and the researcher who discovered the bug was granted anonymity. 

The last jailbreak by hackers’ group which supported iPhones running iOS 11 to iOS was patched in a very short period by Apple. 

Apple quickly responds to the vulnerabilities and fix them before these vulnerabilities can be exploited maliciously. The hackers have claimed to “preserve security layers designed to protect your personal information and your iOS device by adjusting them as necessary instead of removing them.”

To design a jailbreak tool, threat actors look for security loopholes in previous iOS versions that were undisclosed by Apple. These security loopholes allow threat actors to the core software of iOS. To safeguard the core software, Apple doesn’t reveal such flaws even after some of them get patched.

Unprotected Private Key Allows Remote Hacking of PLCs

 

Industrial associations have been cautioned for this present week that a critical authentication bypass vulnerability can permit hackers to remotely compromise programmable logic controllers (PLCs) made by industrial automation giant Rockwell Automation that are marketed under the Logix brand. These gadgets, which range from the size of a little toaster to a huge bread box or considerably bigger, help control equipment and processes on assembly lines and in other manufacturing environments. Engineers program the PLCs utilizing Rockwell software called Studio 5000 Logix Designer. 

The vulnerability requires a low skill level to be exploited, CISA said. The vulnerability, which is followed as CVE-2021-22681, is the consequence of the Studio 5000 Logix Designer software making it possible for hackers to exfiltrate a secret encryption key. This key is hard-coded into both Logix controllers and engineering stations and confirms correspondence between the two gadgets. A hacker who got the key could then copy an engineering workstation and manipulate PLC code or configurations that directly impact a manufacturing process.

“Any affected Rockwell Logix controller that is exposed on the Internet is potentially vulnerable and exploitable,” said Sharon Brizinov, principal vulnerability researcher at Claroty, one of three organizations Rockwell credited with independently discovering the flaw. “To successfully exploit this vulnerability, an attacker must first obtain the secret key and have the knowledge of the cryptographic algorithm being used in the authentication process.” 

Rockwell isn't issuing a patch that straightforwardly addresses the issues coming from the hard-coded key. Instead, the organization is suggesting that PLC clients follow explicit risk mitigation steps. The steps include putting the controller mode switch into run, and if that is impractical, following different suggestions that are explicit to each PLC model.

 Those steps are laid out in an advisory Rockwell is making accessible to clients, just as in the CISA warning. Rockwell and CISA likewise suggest PLC clients adhere to standard security-in-depth security advice. Chief among the suggestions is guaranteeing that control system gadgets aren't accessible from the Internet. On the off chance that Logix PLC clients are segmenting industrial control networks and following other prescribed procedures, almost certainly, the risk posed by CVE-2021-22681 is negligible. What's more, if individuals haven't executed these practices, hackers likely have simpler ways to hijack the devices.

Google Reveals Details of a Recently Patched Windows Flaw

 

Google Project Zero team disclosed the details of a recently fixed Windows flaw, tracked as CVE-2021-24093, that can be compromised for remote code execution in the context of the DirectWrite user. Dominik Rottsches of Google and Mateusz Jurczyk of Google Project Zero discovered the flaws and reported the issue to Microsoft in November and the bug report was made public this week. 

The vulnerability was fixed with the release of February 2021 Patch Tuesday updates. Cybersecurity researchers Jurczyk and Rottsches explained CVE-2021-24093 as a DirectWrite heap-based buffer overflow linked to the processing of a specially designed TrueType font. They further explained that a hacker can trigger a memory corruption condition that can be exploited to execute arbitrary code in the context of the DirectWrite client. DirectWrite is a Windows API designed to provide supports measuring, drawing, and hit-testing of multi-format text.

This vulnerability in the Windows operating system affected the Windows graphics components and it can be compromised by luring the victim to a website containing a specially designed file set up to exploit the vulnerability. This flaw received the CVSS score of 8.8, but Microsoft has designated this flaw as ‘critical’ for all affected operating systems and the list includes Windows 10, Windows Server 2016 and 2019, and Windows Server.

Google published the report reading, “we have discovered a crash in the DWrite!fsg_ExecuteGlyph function when loading and rasterizing a malformed TrueType font with a corrupted “maxp” table. Specifically, it was triggered after changing the value of the maxPoints field from 168 to 0, and the maxCompositePoints value from 2352 to 3 in our test font. We believe that this causes an inadequately small buffer to be allocated from the heap.” 

Subsequently, cybersecurity researchers examined their exploit on a fully patched Windows 10 in all major browsers and released a proof-of-concept (POC) exploit.

Darknet Markets are Scrambling to Attract Joker’s Stash Clients

 

The administrator behind Joker's Stash professes to have formally closed down the operation on 15th February. Meanwhile, criminal gangs offering stolen payment cards for sale have stepped up their promotional efforts. Among the darknet marketplaces vying to get previous Joker's Stash clients are Brian's Club, Vclub, Yale Lodge, and UniCC, Kela says. Joker's Stash clients were likely already searching for a new marketplace, says the threat research firm Digital Shadows, because of the site's declining customer service and having its service hindered by law enforcement officials in December 2020. 

Brian's Club has gone the additional mile with its marketing efforts, Kela says. For instance, it has supplanted Joker's Stash as the official sponsor of the popular underground forum Omerta, which focuses on payment card trading. "With the heavy marketing and advertising that Brian's Club has been investing in, it seems that the long-time attempts of marketing to credit card traders may be finally paying off now that Joker's Stash is out of the picture," says Victoria Kivilevich, a threat intelligence analyst with Kela.

Kela and Flashpoint additionally say that Yale Lodge could arise as a dominant market for stolen card information since it operates both Tor and clear web card shop and has a self-facilitated checking service. This service permits the buyer to verify whether the card data being purchased is substantial. Kivilevich brings up, however, that Yale Lodge charges a $150 registration fee and a minimum deposit of $200, which is 10 times higher than what Joker's Stash required.

Flashpoint says the operators of the Ferum market likewise have a wealth of experience and give simple access, yet the site has less card information available for sale than others. Then, Trump's Dumps, which is a newer operation, has expanded its publicizing, Flashpoint reports. It offers an assortment of services, including a self-facilitated checking service. Kivilevich says she has spotted Vclub members attempting to enlist Joker's Stash clients on darknet forums. Be that as it may, Kela's research has discovered numerous complaints about the quality of cards accessible on Vclub. 

“Cybercriminals buy cards and dump not only in specialized shops but also on forums, via instant messaging channels, and behind closed doors in private deals," Kivilevich says.

Trend Micro Detects Vulnerabilities in The SHAREit Program

 

In the SHAREit program, Trend Micro has found several vulnerabilities. The bugs may be exploited by extracting sensitive data from users, and by using malicious code or programs to run arbitrary code with the ShareIt permissions. It can also contribute to remote execution code (RCE). In the past, the software was often associated with bugs that used to download and abuse users' files. While the app allows for the upload and update of file types like the Android Package (APK), there are most definitely accidentally unconsidered bugs correlated with these functions. 

SHAREit is one of the best-known applications in the Google Play Store. Users can download and distribute files and share them with others using this app. SHAREit was also one of 60 Chinese apps barred late last year in India. Notably, more than one billion times the Android application has been downloaded. 

The vulnerabilities can be used to execute malicious code for the SHAREit program on smartphones. The key cause of safety deficiencies is the lack of appropriate controls on who can access the code of the program.

Echo Duan, a mobile threats analyst for security firm Trend Micro, reported that malicious applications installed on a computer and user or attackers executing a personal network attack can be able to distribute malicious instructions to the SHAREit app and hijack its legal code-execution functionality, override local files on the app, or install applications from third parties without user knowledge.

The app is also susceptible to so-called Man-in-the-Disk Attacks, a form of vulnerability first identified by Check Point in 2018 that focuses on uncertain storage of insecure app assets in the storage capacity of the phone shared with other applications [in which attackers can erase, edit, or substitute them]. 

"We reported these vulnerabilities to the vendor, who has not responded yet," Duan said today. "We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data," he added, it will also be impossible to track attacks from the viewpoint of a defender.

On their website, SHAREit developers say that 1.8 billion people in over 200 countries around the world use their software. The iOS app for SHAREit does not have any influence on it and runs on another codebase. Though the software was last updated in its Play Store list on February 9, 2021, a fix for revealed vulnerabilities has been not listed in the update's changelog. At the time of publication, the software is still usable for download.

For software makers, businesses, and consumers alike, security should be a top priority. Trend Micro suggests that operating devices and applications themselves should be frequently upgraded and modified for secure mobile app use.

Palo Alto Next Generation Firewall Detected With Four Vulnerabilities

 

Details of a series of bugs in Palo Alto Firewall Software, which the network provider addressed last September, were revealed by security researchers recently. The four-vulnerability swarm of bugs contains many bugs within, found by protection experts in Positive Technologies in the Palo Alto PAN-OS operating system. The next-generation firewall (NGFW) from Palo Alto Networks is the leading corporate firewall used to protect businesses from many cyber threats worldwide. It works with its own "PAN-OS" operating system. 

Palo Alto Networks, Inc. is an American, international, Santa Clara, California-based, cybersecurity corporation. Its key offerings are a portal for integrated firewalls and cloud-based offers to broaden these firewalls into other security dimensions. 

The vulnerabilities detected could lead to arbitrary OS command execution by an authorized user CVE-2020-2037 and CVE-2020-2038 – denial of service by an unauthorized user (CVE-2020-2039), and reflected cross-site scripting (XSS) (CVE-2020-2036). The weakness of CVE-2020-2037 was caused by the absence of user input filters. These may have contributed to remote code execution (RCE), but only pre-authorized users were limited to service, minimizing overall risk. These vulnerabilities allow an attacker to acquire access to sensitive information, to interrupt firewall component availability, or to access internal network segments. A black box examination of the web control interface of the firewall found, that the first vulnerability was triggered by a lack of user input filtering. PHP scripts manage user requests and transfers all data relating to a local port listening facility. It searches the data and returns the findings to the web application customer. 

“Using these vulnerabilities, an attacker can gain access to sensitive data, disrupt the availability of firewall components or gain access to internal network segments,” the researchers stated.

Unauthenticated users can carry out Denial-of-Service (DoS) attacks with a different vulnerability. The Nginx application platform is built into the firewall. The bug causes several files to be transferred to this server in such a manner that no storage space is left. The Palo Alto Networks NGFW site control panel is no longer available without any disk space resources. This is essentially a denial of service since the system as a whole cannot usually be used in this situation.

“We tried to open the web management interface but could not log in,” the researchers explained. “Most likely, this happened because PHP failed to create a session file on disk, due to the lack of disk space available. As a result, we were able to conduct a DoS attack on Palo Alto NGFW components acting as an unauthenticated user.” 

The fourth vulnerability involved a reflective XSS vulnerability exposed in the /unauth/php/change_password.php script. This script uses the user-controlled vector $_SERVER['PHP SELF'].

Though all four of the bugs are fixed, but each of these affected separate versions of PAN-OS, so the safest recommendation for sysadmins is to update to the current edition of the supported product.