Search This Blog

Showing posts with label Vulnerabilities and Exploits. Show all posts

Payment API Flaws Exposed Millions of Users’ Data

 

Researchers discovered API security flaws impacting several apps, potentially exposing the personal and financial information of millions of consumers. 

According to CloudSEK, around 250 of the 13,000 apps published to its BeVigil "security search engine" for mobile applications utilize the Razorpay API to conduct financial transactions. 

Unfortunately, it was discovered that about 5% of these had disclosed their payment integration key ID and key secret. This is not an issue in Razorpay, which caters over eight million businesses, but rather with how app developers are misusing their APIs.

Many of the applications exposing API keys have over a million downloads, including those in health and fitness, eCommerce, travel and hospitality, healthcare, and pharma. The applications are based in India, where CloudSEK is also situated. Here is a list of the applications that are affected:
  • One of India’s leading steel trading companies
  • Online grocery app 
  • Nepalekart (Instant Recharge to Nepal): Now remediated 
  • Top education app in south India 
  • Gold merchant 
  • Health app 
The company explained, “When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem.” 

“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.” 

The compromised data might include user information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. 

Furthermore, since similar apps are typically linked with other programmes and wallets, CloudSEK cautioned that much more could be at risk. 

According to the organization, malicious actors may utilise the leaked API information to execute mass purchases and subsequently start refunds, sell stolen information on the dark web, and/or conduct social engineering operations such as follow-up phishing campaigns. 

All ten of the compromised APIs have now been disabled. Nonetheless, CloudSEK encouraged developers to consider the possible effect of such vulnerabilities early in the development process.  

This is due to the fact that invalidating a payment integration key would prevent an app from functioning, resulting in substantial user friction and financial loss. 

CloudSEK concluded, “Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key.” 

“App developers should be given a mechanism to limit what can be done using a key at a granular level, like AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”

Links Detected Between MSHTML Zero-Day Attacks and Ransomware Operations

 

The exploitation of a recently fixed Windows zero-day vulnerability was attributed to known ransomware operators, according to Microsoft and threat intelligence firm RiskIQ.

The existence of the zero-day, called CVE-2021-40444, was revealed on September 7, when Microsoft released countermeasures and cautioned that the vulnerability had been exploited in targeted attacks using specially designed Office documents. 

The vulnerability connected to Office's MSHTML browser engine can and has been misused for remote code execution. As part of its Patch Tuesday updates, Microsoft delivered upgrades on September 14th. 

Microsoft announced the acquisition of RiskIQ in July and posted separate blog posts detailing the attacks exploiting CVE-2021-40444. 

The first exploitation efforts were discovered in mid-August. But Microsoft observed a massive spike in exploitation attempts when the proof-of-concept (PoC) code and other details were made public after the initial announcement. 

As per the company, several threat actors, including ransomware-as-a-service affiliates, have used the public PoC code, but some of the exploitation attempts are part of testing rather than criminal operations. 

The company initially saw less than ten exploitation attempts and leveraged CVE-2021-40444 to deliver custom Cobalt Strike Beacon loaders. Microsoft has identified the attackers as DEV-0413 — DEV is allotted to emerging threat groups or unusual activity. To deliver the malware, they apparently used emails referencing contracts and legal agreements to get the targets to open documents formatted to abuse the MSHTML vulnerability.

Surprisingly, the Cobalt Strike infrastructure utilised in the assaults has earlier been linked to cybercrime organisations known for targeting big corporations with ransomware like Conti and Ryuk. These threat actors are tracked as Wizard Spider (CrowdStrike), UNC1878 (FireEye), DEV-0193, and DEV-0365 (Microsoft).

RiskIQ stated in its blog post, “Despite the historical connections, we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible. If the threat actors were part of these groups, it means they almost surely purchased the zero-day exploit from a third party because they have not previously shown the ability to develop exploit chains of this complexity.” 

The company added, “Instead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact, be traditional espionage. This goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.” 

RiskIQ states that the cyberspies could have gained access to the ransomware infrastructure, or they may have been allowed by the ransomware operators to utilise their infrastructure. Only one group might be involved in espionage and cybercrime, or the two groups use the same bulletproof hosting provider. 

According to Microsoft, the initial malicious document in attacks abusing CVE-2021-40444 emerges from the internet, and it should be labelled as the "mark of the web." 

Microsoft Office should open the document in Protected Mode unless the user specifically allows modification, limiting the misuse. However, if the attackers figure out a means to keep the document from being a “mark of the web,” they may utilise the vulnerability to execute the payload on the page without requiring user input.

Secrets from Public Repositories Were Exposed Due to Travis CI Flaw

 

Travis CI, a continuous integration provider located in Berlin, has patched a severe issue that exposed signing keys, API keys, and access credentials, possibly putting thousands of companies at risk. Given the possible consequences, the firm has been criticized for not providing a more detailed description of the security vulnerability. Péter Szilágyi, the Ethereum cryptocurrency project's team head, tweeted, "Anyone could exfiltrate these [secrets] and gain lateral movement into 1000s of orgs."

The flaw, which has been tracked as CVE-2021-41077, has been fixed by Travis CI. It has been recommended that companies update their secrets as soon as possible. On Sept. 7, Szilágyi tweeted, the vulnerability was identified by Felix Lange and reported to Travis CI. Travis CI claims to have started fixing the vulnerability on September 3, indicating that it detected the problem before being contacted, although the timing is unclear. 

"The desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens," the vulnerability description reads. "However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process." 

To put it another way, a public repository cloned from another might submit a pull request to get access to private environmental variables stored in the upstream repository. Encrypted environment variables are not exposed to pull requests from forks owing to the security risk of exposing such information to unknown code, Travis CI said in its documentation. 

According to Geoffrey Huntley, an Australian software and DevOps engineer, Travis CI's vulnerability poses a supply chain risk for software developers and any organization using software from Travis CI projects. "For a CI provider, leaking secrets is up there with leaking the source code as one of the worst things you never want to do," Huntley says. 

Szilágyi further chastised Travis CI for downplaying the event and failing to acknowledge its "gravity," and urged GitHub to ban the company for its weak security posture and vulnerability report methods. 

"After three days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th," Szilágyi tweeted. "No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen."

Hackers attack Russian organizations through a new Microsoft Office vulnerability

Information security specialists from Kaspersky Lab reported that hackers are trying to attack Russian companies through a new vulnerability in Microsoft Office products. At least one attack targeted government agencies. Using the vulnerability, attackers can not only spy on users of the infected system, but also download malicious programs like ransomware viruses into it. Experts expect that hackers will actively exploit the system's flaw, as users are slow to install updates.

According to Yevgeny Lopatin, head of the complex threat detection department at Kaspersky Lab, attackers are now exploiting the vulnerability by sending a phishing email with a document attachment. An employee only needs to open such a document on his computer for the vulnerability to work, and then malware is downloaded and installed on the victim’s computer.

Rostelecom-Solar has registered one targeted attack on government bodies using this vulnerability, said Igor Zalevsky, head of the Solar JSOC CERT cyber incident investigation department.

The expert added that a number of government systems are still using Internet Explorer as the recommended browser.

This is actually a vulnerability in MSHTML, the engine of the Internet Explorer browser. This part is responsible for displaying the content of the web page (images, fonts, and other files). In this case, MSHTML is used by the Microsoft Office software package to display web content in documents.

The vulnerability in MSHTML allows an attacker to create modified documents with malicious scripts. After compromising the system through this vulnerability, an attacker can install a backdoor.

According to experts, a wave of attacks using the problem in MSHTML is expected. The vulnerability can be exploited both in advanced attacks and in regular phishing emails.

Severe Remote Code Execution Flaws Discovered in Motorola Halo+ Baby Monitors

 

On Tuesday, Randy Westergren, a cybersecurity expert, published his study on the Motorola Halo+, a popular baby monitor. He revealed two severe flaws in the protocol and remote code execution (RCE) of the Motorola Halo+ that would allow threat actors to hijack the device. 

The Motorola Halo+ comprises an over-the-crib monitor, a handheld unit for parents, and a Wi-Fi-connected mobile application to monitor children that works in Full HD. 

Westergren, engineering director of US financial services company Marlette Funding discovered the flaws when he and his wife were hunting for a suitable monitor for their first child and selected the Motorola Halo+ as their preferred option. 

After securing the device, Westergren started examining its listening services and discovered a pre-authentication RCE security flaw (CVE-2021-3577) and the tools to obtain a full root shell. Examining system logs made it possible to identify the app’s API requests that gather information regarding its usage. 

The researcher also analyzed HTTP-based communication and how the app’s local API operated. Westergren was able to use local API commands to identify GET and SET lists, as well as “value” parameters that would accept user input, “potentially leading to RCE if not properly sanitized”.

Westergren then injected a reboot payload and used the device to perform the ‘set_city_timezone’ process. His action initiated a reboot, which granted the device shell access. He also discovered a flaw in the execution of MQTT (CVE-2021-3787) – an IoT messaging standard. 

Westergren identified that the client was set up to subscribe to #and $SYS/# by default, lowering Hubble device access control security. “A number of commands result from various devices. Though I did not attempt this, I think it was very likely that a client could easily control the entire device fleet by publishing arbitrary commands,” the researcher noted. 

While the product belongs to Motorola Mobility, its manufacturing unit was acquired by Lenovo in 2014. According to Westergren, after receiving the initial report, Lenovo’s security team has immediately started working on resolving the issues in Motorola Halo.

According to the latest updates from the tech giant, the first set of patches is incomplete, and as a result, the product would be delayed further. Both the RCE and MQTT problems have been fixed in firmware versions 3.50.06 and 3.50.14.

Lenovo: No Fix for High-Severity Flaw in Legacy IBM System X Servers

 

Lenovo stated that two legacy IBM System x server models that were discontinued in 2019 are vulnerable to attack and will not receive security fixes. However, the firm is providing a workaround mitigation solution. 

Both the IBM System x 3550 M3 and IBM System x 3650 M3 are vulnerable to command injection attacks. An attacker can use a vulnerable programme called Integrated Management Module to execute arbitrary instructions on either server model's operating system (IMM). 

IMM performs system management functions. Serial and Ethernet connections on the back panel of System x models use the IMM for device management. 

According to a Lenovo advisory published Tuesday, the flaw is in the IMM firmware code and “could allow the execution of operating system commands over an authenticated SSH or Telnet session.” 

Secure Shell, often known as SSH, is a cryptographic network communication technology that allows two computers to interact or transfer files. Telenet is another network protocol that permits remote users to log into another machine on the same network. Telnet does not encrypt data delivered over its connection by default. 

The flaw, which has been assigned the number CVE-2021-3723, was discovered on Wednesday by Denver Abrey, a bug hunter. 

In June 2020, eight vulnerabilities in a subsequent version of IMM, known as IMM2, were discovered, three of which were of high severity. These issues were found in the client-side code called libssh2, which is accountable for executing the SSH2 protocol. 

The System x 3550 M3 and System x 3650 M3 were announced as medium‐sized corporate solutions on April 5, 2011. Lenovo stated on June 30, 2015, that both systems will be terminated, but security updates would be provided for another five years. 

Software and security support for the System x 3550 and 3650 ended on December 31, 2019, according to the Lenovo security notice. 

Lenovo wrote, “Lenovo has historically provided service and support for at least five years following a product’s withdrawal from marketing. This is subject to change at Lenovo’s sole discretion without notice. Lenovo will announce a product’s EOS date at least 90 days before the actual EOS date and in most cases longer.”

Lenovo stated on Wednesday that it recommends discontinuing the use of both servers, but that it had a mitigation approach. 

If it is not possible to stop using these systems, Lenovo suggests: 
  • Disable SSH and Telnet (This can be done in the Security and Network Protocol sections of the navigation pane after logging into the IMM web interface) 
  • During initial configuration, change the default Administrator password. 
  • Enforce the use of strong passwords. 
  • Only give trustworthy admins access. 
Lenovo did not comment if it was familiar with any active campaigns aimed at exploiting the flaw.

WooCommerce Multi Currency Bug Allows Customers to Modify the Cost of Items on Online Stores

 

A security flaw in the WooCommerce Multi Currency plugin might allow any consumer to alter product prices in online stores. WooCommerce Multi Currency enables consumers to switch currencies and assists the shop in accepting multi-currency payments. It is possible to set the exchange rate manually or automatically. The plugin may automatically detect the customer's location and display the price in their local currency. 

WooCommerce is a WordPress-based eCommerce plugin; the Multi Currency plugin from Envato, on the other hand, allows WooCommerce users to customise prices for foreign customers. On the Envato Marketplace, it has a total of 7,700 sales. 

According to Ninja Technologies Network (NinTechNet), the problem is a broken access-control vulnerability in Multi Currency version 2.1.17 and lower, which affects the “Import Fixed Price” feature, which allows eCommerce sites to set custom prices, overwriting any prices calculated automatically by exchange rate. 

“The import function, import_csv(), is loaded by the wmc_bulk_fixed_price AJAX hook in the “woocommerce-multi-currency/includes/import-export/import-csv.php” script,” according to a NinTechNet analysis on Monday. “The function lacks a capability check and a security nonce, and therefore is accessible to all authenticated users, which includes WooCommerce customers.” 

Cybercriminals might take advantage of the flaw by uploading a specially prepared CSV file to the site that contains the current currency of a product as well as the product ID. According to experts, this permits them to modify the price of one or more items. A comma-separated values (CSV) file allows you to save data in a tabular format. Most spreadsheet programmes, such as Microsoft Excel or Google Spreadsheets, can open SV files. They vary from other spreadsheet file types in that they can only contain a single sheet and do not store cell, column, or row information. In addition, formulas cannot be saved in this format. 

“The vulnerability is particularly damaging for online shops selling digital goods because the attacker will have time to download the goods,” they said. “It is important to verify every order because the hack doesn’t change the product’s price in the backend, hence the shop manager may unlikely notice it immediately.” 

Patching needs for WooCommerce users have been increasing recently. Envato's WooCommerce Dynamic Pricing and Discounts plugin was discovered to have two security vulnerabilities in late August, which may allow unauthenticated attackers to inject malicious code onto websites running unpatched versions. This can lead to a number of assaults, such as website redirection to phishing pages, the injection of malicious scripts on product pages, and so on.

Nearly 50% of On-Premises Databases Have Unpatched Vulnerabilities

 

The five-year longitudinal research conducted by cybersecurity firm Imperva revealed that nearly half of on-premises databases globally contain at least one flaw that could expose them to cyber-attacks.

Researchers scanned roughly 27,000 databases, finding 46% contained vulnerabilities at an average of 26 vulnerabilities per database. Unfortunately, 56% of those vulnerabilities were ranked as ‘critical or high severity’, and some of them have gone unaddressed for three or more years. This suggests that many organizations are not prioritizing the security of their data and neglecting routine patching exercises.

“Too often, organizations overlook database security because they’re relying on native security offerings or outdated processes. Although we continue to see a major shift to cloud databases, the concerning reality is that most organizations rely on on-premises databases to store their most sensitive data,” said Elad Erez, Imperva's Chief Innovation Officer. 

A regional analysis of the data shows that France tops the list, with 84% of databases containing at least one flaw, at an average of 72 vulnerabilities per database. France is followed by Australia (65%, 20 vulnerabilities on average), Singapore (64%, 62 security flaws per database), UK (61%, 37 vulnerabilities on average), China (52%, 74 flaws per database), and Japan (50%). In the United States, 37% of databases have at least one vulnerability that could expose them to attacks, with an average of 25 issues per database. 

Given the number of security holes that exist in on-premises databases, it should come as no surprise that the number of data breach incidents has increased 15% over a 12-month average. An analysis of data breaches since 2017 shows that 74% of the data stolen in a breach is personal data, while login credentials (15%) and credit card details (10%) are also lucrative targets. 

“Organizations are making it too easy for the bad guys. Attackers now have access to a variety of tools that equip them with the ability to take over an entire database, or use a foothold into the database to move laterally throughout a network. The explosive growth in data breaches is evidence that organizations are not investing enough time or resources to truly secure their data. The answer is to build a security strategy that puts the protection of data at the center of everything,” Erez added.

Millions of HP OMEN Gaming PCs Impacted by Driver Vulnerability

 

On Tuesday, security experts revealed data about a high-severity weakness in the HP OMEN driver software, which affects millions of gaming laptops worldwide and leaves them vulnerable to various cyberattacks. 

The vulnerability is tracked as CVE-2021-3437 with a CVSS score: 7.8. Threat actors may escalate privileges to kernel mode without having administrator rights, enabling them to deactivate security products, overwrite system components, and even damage the operating system. 

The complete list of vulnerable devices includes HP ENVY, HP Pavilion, OMEN desktop gaming systems, and OMEN and HP Pavilion gaming laptops. 

SentinelOne, a cybersecurity firm that identified and communicated the flaw to HP on February 17, claimed it discovered no trace of in-the-wild exploitation. Customers have subsequently received a security update from the company to address the flaw. 

The problems are caused by OMEN Command Center, a pre-installed component on HP OMEN laptops and desktops and can also be downloaded from the Microsoft Store. The program is meant to assist smooth network activity, overclock the gaming PC for quicker computer performance, and monitor the GPU, CPU, and RAM through a vitals dashboard. 

Souce of flaw

According to research shared with The Hacker News by SentinelOne, "The problem is that HP OMEN Command Center includes a driver that, while ostensibly developed by HP, is actually a partial copy of another driver full of known vulnerabilities." 

"In the right circumstances, an attacker with access to an organization's network may also gain access to execute code on unpatched systems and use these vulnerabilities to gain local elevation of privileges. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement." 

HpPortIox64.sys is the driver in issue, and it gets its functionality from OpenLibSys-developed-WinRing0.sys, which was the origin of a local privilege escalation flaw in EVGA Precision X1 software last year (CVE-2020-14979, CVSS score: 7.8). 

In August 2020, researchers from SpecterOps highlighted, "WinRing0 allows users to read and write to arbitrary physical memory, read and modify the model-specific registers (MSRs), and read/write to IO ports on the host. These features are intended by the driver's developers. However, because a low-privileged user can make these requests, they present an opportunity for local privilege escalation." 

This is the second time WinRing0.sys has been identified as a source of security vulnerabilities in HP products. 

In October 2019, SafeBreach Labs discovered a critical vulnerability in HP Touchpoint Analytics software (CVE-2019-6333), which is included with the driver, possibly enabling malicious actors to read arbitrary kernel memory and effectively allowlist malicious payloads via a signature validation bypass. 

The discovery is the third in a series of security flaws affecting software drivers that SentinelOne has discovered since the beginning of the year. 

Earlier this year, they found a 12-year-old privilege escalation problem in Microsoft Defender Antivirus (previously Windows Defender) that hackers could exploit to acquire admin access on unpatched Windows computers.

And last month, SentinelOne reported on a 16-year-old security flaw discovered in an HP, Xerox, and Samsung printer driver that allows attackers to obtain administrative access to computers running the vulnerable software.

GitHub Identifies Multiple Security Vulnerabilities in Node.js Packages

 

Cybersecurity researchers at GitHub have uncovered arbitrary code execution vulnerabilities in the open-source Node.js packages, "tar" and "@npmcli/arborist,". 

The tar package has accounted for 20 million weekly downloads on average, whereas arborist gets downloaded over 300,000 times every week. The vulnerabilities in Node.js packages impact both Windows and Unix-based users, and if left unpatched, can be abused by threat actors to gain arbitrary code execution on a system installing unauthenticated npm packages.

Bug bounty hunters received $14,500 for ZIP slips

During the past two months –July and August – security researchers and bug bounty hunters Robert Chen and Philip Papurt discovered arbitrary code execution vulnerabilities in the open-source Node.js packages, tar, and @npmcli/arborist.

Upon the discovery of these vulnerabilities, the security researchers privately reported npm via one of GitHub's bug bounty programs. Further review of their reports led the GitHub security team to discover some more high-severity vulnerabilities in these cross-platform packages. As a sign of gratitude, both Chen and Papurt received a total of $14,500 incentive from the GitHub security team for their efforts to keep GitHub secure.

Node.js package tar continues to be a core dependency for installers that require unpacked npm packages post-installation. While the arborist package is a core dependency relying on npm CLI and manages node_modules trees. 

These ZIP slip vulnerabilities can be a serious concern for developers installing untrusted npm packages using the npm CLI, or using "tar" to extract untrusted packages. By default, npm packages are shipped as .tar.gz or .tgz files which are ZIP-like archives and as such need to be extracted by the installation tools. Ideally, the tools used to extract these archives should ensure that malicious paths do not overwrite existing files in the file system, especially sensitive files.

However, the npm package when extracted could overwrite arbitrary files with the rights of the user running the npm install command due to the vulnerabilities mentioned below: 

• CVE-2021-32803 
• CVE-2021-32804 
• CVE-2021-37701 
• CVE-2021-37712 
• CVE-2021-37713 
• CVE-2021-39134 

"CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 specifically have a security impact on the npm CLI when processing a malicious or untrusted npm package install. Some of these issues may result in arbitrary code execution, even if you are using --ignore-scripts to prevent the processing of package lifecycle scripts," explains Mike Hanley, Chief Security Officer at GitHub.

Developers are encouraged by the JavaScript runtime Node.js npm package manager to patch these vulnerabilities as soon as possible. Developers should upgrade their tar dependency variants to 4.4.19, 5.0.11, or 6.1.10, and upgrade @npmcli/arborist version 2.8.2 to patch the flaws. In addition, Node.js version 12, 14, or 16 comes with a patched tar version and can be safely upgraded too.

Microsoft Alerted Azure Customers of Bug That Could Have Allowed Hackers to Access Data

 

Microsoft alerted some Azure cloud computing users that a vulnerability uncovered by security experts might have given hackers access to their data. 

In a blog post from its security response team, Microsoft stated it had patched the issue identified by Palo Alto Networks and had no sign malicious attackers had exploited the technique. It further stated that certain users have been asked to change their login passwords as a preventive measure. 

The blog post was in response to an inquiry from Reuters regarding Palo Alto's technique. Microsoft refused to respond to any of the inquiries, including whether or not it was assured that no data had been accessed. 

Palo Alto researcher Ariel Zelivansky told Reuters in a previous interview that his team had cracked Azure's widely used platform for so-called containers, which store applications for users. 

According to him, the Azure containers utilized code that had not been updated to address a known vulnerability. As a result, the Palo Alto team was finally able to gain entire authority over a group that comprised containers from other users. 

Ian Coldwater, a longtime container security expert who evaluated Palo Alto's work at the request of Reuters stated, "This is the first attack on a cloud provider to use container escape to control other accounts." 

In July, Palo Alto reported the problem to Microsoft. Zelivansky added it took his team several months to complete the project and agreed that malicious hackers were unlikely to apply a similar approach in real-world attacks. 

Nonetheless, this is the second significant issue discovered in Microsoft's fundamental Azure infrastructure in less than a month. Wiz security specialists revealed a database vulnerability in late August that would've let one client modify the data of another. 

In both situations, Microsoft's remarks were directed to customers who may have been harmed by the researchers' work, rather than everyone who was put in danger by its own code. 

Microsoft wrote, "Out of an abundance of caution, notifications were sent to customers potentially affected by the researcher's activities."

According to Coldwater, the issue stemmed from a failure to deploy fixes on time, something Microsoft has frequently faulted on its customers. He said that certain cloud security tools would have identified malicious assaults similar to the one predicted by the security firm and that logs would also indicate evidence of such activity. 

The research emphasized that security is a collective responsibility between cloud providers and clients. Cloud architectures, according to Zelivansky, are typically safe, Microsoft and other cloud providers can make improvements themselves rather than relying on customers to do so. 

He further added, cloud attacks by well-funded opponents such as sovereign governments, are a legitimate concern.

This NPM Package with Millions of Weekly Downloads Patched a RCE Flaw

 

A critical remote code execution (RCE) flaw has been fixed in the popular NPM package "pac-resolver." 

Developer Tim Perry discovered the vulnerability in the pac-resolver dependency, which could have enabled an attacker on a local network to launch malicious code within a Node.js process whenever an operator tried to submit an HTTP request. Node.js is the prominent JavaScript runtime for running web applications written in JavaScript. 

"This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which then used all over the place as the standard go-to package for HTTP proxy autodetection & configuration in Node.js," explains Perry. 

According to Perry, PAC, or "Proxy-Auto Config," refers to PAC files written in JavaScript that disseminate sophisticated proxy rules that direct an HTTP client which proxy to use for a particular hostname. They're delivered insecurely through HTTP rather than HTTPs from local network servers and distant servers. 

Proxy-Agent is utilised in the Amazon Web Services Cloud Development Kit (CDK), the Mailgun SDK, and Google's Firebase CLI, thus it's a widespread issue. 

As stated by Perry, the package receives three million downloads each week and has 285,000 public dependent repos on GitHub. 

The vulnerability was recently addressed in all of those packages' v5.0.0 versions and was assigned the CVE-2021-23406 designation when it was identified last week. As a result, it implies that many Node.js developers will have to update to version 5.0.

Anyone that use pac-resolver versions prior to 5.0.0 is significantly impacted by the issue, and also if developers have used any of the following three settings: 
  • Explicitly use PAC files for proxy configuration 
  • Read and use the operating system proxy configuration in Node.js, on systems with WPAD enabled 
  • Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from any other source that you wouldn't 100% trust to freely run code on your computer.
Perry added, "In any of those cases, an attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration."

Hackers Exploit Camera Vulnerabilities To Spy On Parents

 

Various zero day vulnerabilities in home baby monitor could be compromised that lets threat actors hack into camera feed and put malicious codes like malware. The security issues were find in the IoT gadgets, made by China based developer Victure, that were found by BitDefender experts. In a security report, BitDefender revealed about the stack-based buffer flaw present in ONVIF server Victure PC420 component camera that allows hackers to plant remote codes on the victim device. When compromised, hacker can discover cameras (not owned by them) and command devices to broadcast camera feeds to third party and exploit the camera firmware. 

"When choosing a baby monitor, the security aspect should trump features or price point.This is because similar vulnerabilities have been used in the past by threat actors to directly communicate with children, thus exposing them to interactions with adults outside the family’s circle of trust," Daily Swig reports. As of now, Victure isn't aware about the complete attack scenerio, but it believes that the hacker could exploit the vulnerabilities and spy on residents using these cameras constantly or let other users do the same. 

Cloud users rely on using camera and cloud features and according to experts, around 4 million cameras across the world are impacted by the issue. The vulnerability impacts Victure PC420 firmware variants 1.2.2 and earlier. BitDefender released a report on the vulnerabilities after trying to contact Victure to inform them about the issues. BitDefender tried to make various attempts to get in touch with the company to offer them assistance to deal with the issues. The firm then decided to release a report on the issue to let users know about the vulnerabilities, as their privacy is on stake when their devices are connected. 

Experts advice users to stop using devices immediately and residents should give security priority rather than device." We have been warning about the dangers of vulnerable video equipment for years and we started this vulnerability research project to help parents protect their privacy, as well as their children’s. Sometimes, vendors choose to ignore these gaping holes and leave customers exposed instead" said the researcher to Daily Swig.

More than 60,000 Parked Domains Were Vulnerable to AWS Hijacking

 

MarkMonitor, a domain registrar, had left over 60,000 parked domains susceptible to domain hijacking.

MarkMonitor, now part of Clarivate, is a domain management firm that assists in establishing and protecting the online presence of the world's biggest brands - and the billions who use them. 

The parked domains were found referring to non-existent Amazon S3 bucket addresses, indicating a domain takeover vulnerability. 

Ian Carroll, a security engineer, and bug bounty hunter, saw his automation script flag hundreds of domains belonging to various businesses as exposed to domain hijacking earlier this week. After that, Carroll was joined by Nagli and d0xing, who assisted the engineer in tracing the origin of the security flaw. MarkMonitor was the registrar for all of the domains. 

A (sub)domain takeover arises when an unauthorized actor is permitted to deliver the content of their preference on a domain that they do not own or control. This can happen, for instance, if the domain name contains a canonical name (CNAME) DNS entry pointing to a host that doesn't provide any content for it. This generally occurs when the website hasn't been launched yet, or when the virtual host has been withdrawn from a hosting provider, but the domain's DNS records still link to the host. 

Carroll explained, "If testing.example.com is pointed towards Amazon S3, what will S3 do if that bucket hasn't been created yet? It will just throw a 404 error—and wait for someone to claim it. If we claim this domain inside S3 before example.com's owners do, then we can claim the right to use it with S3 and upload anything we want." 

The issue affected over 60,000 domains, lasted less than an hour

After Carroll emailed MarkMonitor's security contact, the researcher did not hear back. But, he noticed that the domains previously throwing S3 "bucket not found" errors gradually started showing the proper MarkMonitor landing page. 

"After I sent an email to security@markmonitor.com that went unacknowledged, domains stopped pointing to S3 over an hour after it began. I claimed over 800 root domains in this timeframe, and other researchers had similar amounts of claimed domains," added Carroll. 

Carroll's primary concern was that up to 62,000 domains parked at MarkMonitor could be compromised and exploited for phishing. 

BleepingComputer contacted both Amazon and MarkMonitor for further information, and received the following response from MarkMonitor's parent firm, Clarivate: 

"During a planned move of our parking page to the cloud, our DDoS protection vendor temporarily routed traffic in an unexpected manner for some domains using MarkMonitor's parking page service." 

"Neither live domains nor DNS were impacted. We take the protection of the domains entrusted to us – including parked domains – extremely seriously, and we work every day to make sure we are following the best security practices and guidelines." 

"This includes having active and static scanning, ongoing DNS monitoring, annual 3rd party penetration testing, and other security audits," added Clarivate spokesperson. 

As per MarkMonitor, the firm quickly reversed its DDoS vendor settings to send traffic to an internally-hosted web server's parked page as soon as the unexpected behavior was discovered. The whole detection, investigation, and remediation process took less than an hour. 

The registrar discovered no instances of harmful content being hosted for any parked page. Carroll responded to a question about what organizations may do to effectively protect themselves against domain takeover vulnerabilities: 

"Until cloud providers like Amazon move to prevent domain takeovers like this, companies need to be careful when pointing traffic to them, either via DNS records or otherwise," Carroll told BleepingComputer. 

The engineer stated in his blog post, "This issue is not entirely the fault of MarkMonitor. While they need to be careful with handling parked domains, AWS is at fault for not being more stringent with claiming S3 buckets. Google Cloud, for example, has required domain verification for years, rendering this [attack] useless." 

MarkMonitor spokesperson concluded, "We are also evaluating mechanisms to be alerted more quickly of any HTTP error responses from domains that are parked with our parking service, which may allow us to identify and react to unexpected behavior even more quickly in the future."

With ProxyShell Exploits, Conti Ransomware is Now Targeting Exchange Servers

 

Using recently disclosed ProxyShell vulnerability exploits, the Conti ransomware group is hacking into Microsoft Exchange servers and compromising corporate networks. ProxyShell is a moniker for an attack that uses three chained Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to allow unauthenticated, remote code execution on susceptible servers that haven't been patched. 

The attacks occur at a breakneck speed. A second web shell was installed minutes after the first web shell was installed on one occasion. The Conti attackers compiled a complete list of the network's computers, domain controllers, and domain administrators in less than 30 minutes. After obtaining the credentials of domain administrator accounts, the attackers began executing demands four hours later. 

The attackers had exfiltrated around 1 terabyte of data within 48 hours of gaining access. Conti malware was installed on every system on the network within five days, specifically targeting individual network shares on each workstation. 

The Conti affiliates also installed no fewer than seven back doors on the network during the attack: two web shells, Cobalt Strike, and four commercial remote access programmes dubbed AnyDesk, Aterta, Splashtop, and Remote Utilities. Early access was provided by web shells, with Cobalt Strike and AnyDesk serving as the primary tools for the rest of the attack. 

“We want to highlight the speed at which the attack took place,” said Peter Mackenzie, manager of incident response at Sophos. “Contrary to the typical attacker dwell time of months or weeks before they drop ransomware, in this case, the Conti attackers gained access to the target’s network and set up a remote web shell in under one minute.” 

Microsoft reported and patched the vulnerabilities early this year, but not all firms updated their systems, as is often the case with software upgrades. In March, Microsoft issued a warning that Chinese state-sponsored hackers were targeting the flaws. The best approach to protect against the assaults, according to Tom Burt, Microsoft's corporate vice president of customer security and trust, is to apply the updates. In April, the US Federal Bureau of Investigation took the unusual step of breaking into compromised Exchange servers to fix the flaws. 

The Conti ransomware group has been active since 2020, and it has been linked to a number of attacks, including one in May that targeted Ireland's health system. Industrial computer firm Advantech Co. Ltd. was a victim of Conti in November, as was VOIP hardware and software supplier Sangoma Technologies Corp. in December, and hospitals in Florida and Texas in February. 

Critical Flaws in NPM Package Patched by Node.js Developers

 

Node.js maintainers have launched a major update to the npm package "tar" (aka node-tar) that resolves five critical safety flaws, including some that possess a remote code execution threat. 

The npm package was vulnerable to arbitrary File Creation/Overwrite vulnerability due to insufficient relative path sanitization. The npm package presents itself as a module that accepts JavaScript proxy configuration files and creates a function for the user’s app to locate certain domains. 

The first three flaws tracked as CVE-2021-37712, CVE-2021-37701, and CVE-2021-37701 fall into the high-risk category while the other two flaws were categorized as being of moderate risk. 

“Path integrity controls built into the technology came unstuck when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems”, as explained in a National Vulnerability Database (NVD).

“The cache checking logic used both `\` and `/` characters as path separators, however `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite,” it added. 

These five security flaws seriously impact those who use npm package versions prior to 5.0.0, even transitively in their Node.js application, and: 

• Explicitly use PAC files for proxy configuration or 
• Read and use the operating system proxy configuration in Node.js on systems with WPAD enabled or • Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from an untrusted source 

“If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the file system, but _not_ from the internal directory cache, as it would not be treated as a cache hit,” researchers explained. 

Node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. The CVE-2021-37712 vulnerability violates this control, thus creating a risk from malformed tar archives similar to the CVE-2021-37701 vulnerability.

Vulnerabilities in bank chatbots allow hackers to steal money

Awillix specialists discovered vulnerabilities in bank chatbots that could allow fraudsters to transfer money without the knowledge of customers. Positive Technologies confirmed the risks. The largest banks reported that they limit the functionality of chatbots in messengers. 

It should be noted that about 10% of Russian banks use chatbots: they can be used in messengers, mobile applications, social networks, on the website and in the contact center.

Alexander Gerasimov, Director of Information Security at Awillix, said that chatbots in messengers, which are used for individual account transactions, may be vulnerable to malicious attacks.

The company's specialists checked the security of chatbots in two Russian credit organizations and found similar logical vulnerabilities. They allow obtaining the number and expiration date of cards, as well as finding out the account balance and cell phone number of the client.

"During the pentests, it was possible to log into the test client's account and perform a money transfer operation," Alexander Gerasimov said.

Maxim Kostikov, head of the banking systems security research group at Positive Technologies, confirmed that chatbots can be subject to various vulnerabilities, which depend on their functionality. For example, security problems can allow you to get customer data, get into their personal accounts in the chatbot, and find out the card balance.

According to him, the most popular scenarios of deception are changing the functionality of the chatbot to collect information about the person who uses it, sending malicious software on behalf of a credit institution, replacing the robot with a fraudster during communication, creating fake chatbots of banks. 

"If a person uses a bank chatbot, which is able to make money transfers in the messenger, two-factor authentication can be configured to log into the application to protect funds," stressed Infosystems Jet expert, adding that there is also a danger in cases when an attacker gained direct access to the victim's device physically or as a result of a malicious attack.

Recently Patched Confluence Vulnerability Abused in the Wild

 

A significant vulnerability in Confluence's team collaboration server software is on the edge of exploitation after the company released the patch a week ago. 

Threat actors were found abusing the major vulnerability tracked as CVE-2021-26084 which affects Confluence Server and Confluence Data Center software, which is often installed on Confluence self-hosted project management, wiki, and team communication platforms. 

The vulnerability is hidden in OGNL (Object-Graph Navigation Language), a basic scripting language for interfacing with Java code, which is the fundamental technology used to build most Confluence software. 

When Atlassian released the fix on August 25, the firm that owns the Confluence software family, stated the vulnerability could be used by threat actors to circumvent authentication and implant malicious OGNL instructions that allow attackers to take control of the system. 

As an outcome, the vulnerability received a severity rating of 9.8 out of 10, indicating that it could be exploited remotely over the internet and building a weaponized exploit would be relatively simple.

Exploitation begins a week after fixes are released

Attackers and professional bug bounty hunters are investigating Confluence systems for functionalities vulnerable to CVE-2021-26084 exploits, according to Vietnamese security researcher Tuan Anh Nguyen, who stated on Tuesday that widespread scans for Confluence servers are already ongoing. 

Soon after the issue was discovered in the open, two security researchers, Rahul Maini and Harsh Jaiswal released a detailed explanation of the flaw on GitHub, along with various proof-of-concept payloads. Maini explained the procedure of creating the CVE-2021-26084 attack as “relatively simpler than expected,” thus proving the bug's high severity level of 9.8. 

Confluence is a widely used team collaboration software among some of the world's top businesses, and the CVE-2021-26084 vulnerability is highly effective from a threat actor's standpoint, criminal gangs are anticipated to increase their assaults in the next few days. 

As Confluence flaws have previously been widely weaponized, a similar exploitation strategy is probable this time. 

Atlassian states that Confluence is used by over 60,000 clients, including Audi, Hubspot, NASA, LinkedIn, Twilio, and Docker, according to its website.

Experts Find Vulnerabilities in AMD Zen Processor

 

German cybersecurity experts at TU Dresden discovered that Zen processor of AMD is susceptible to data-bothering meltdown like attacks in the end. Exploiting this vulnerability is an academic drill, turns out, there exist much easier and simpler techniques to meddle with systems. In simpler terms, it's a reminder that modern CPU designs have various kinds of side channels, and many yet to be discovered. 

The Register reports "in a paper [PDF] titled "Transient Execution of Non-Canonical Accesses," released via ArXiv, Saidgani Musaev and Christof Fetzer analyzed AMD Zen+ and Zen 2 chips – namely the Epyc 7262, Ryzen 7 2700X, and the Threadripper 2990WX – and found that they were able to adversely manipulate the operation of the CPU cores." When Spectre and Meltdown vulnerabilities came out, in the beginning experts said that Meltdown was only authenticated on Intel x86 chipsets. The list then included IBM hardwares and an Arm Cortex core, however, it was not clear if IBM parts had vulnerabilities. AMD in a statement said that Meltdown didn't affect the processors. 

"The way its chips executed load instructions meant data would not be fetched if architecturally disallowed in the processor's current execution context, it said. In other words, load instructions executed in user mode can't be used to discern the contents of kernel-mode memory, as expected."

"Musaev and Fetzer say that's true for classical Meltdown attacks that rely on fetching data from the L1 data cache and for a variant called Microarchitectural Data Sampling (MDS) that targets specific buffers. But they found another way to poison the way in which a CPU core access data in memory "that is very similar to Meltdown-type behavior," said The Register. 

Most importantly, this technique can't be used by a single process to read a kernel or different process memory, however, a thread in the program can use it to affect different thread in the same memory space. It isn't similar to a classic meltdown, where a Rogue app rips off keys from kernel memory. "The violation we report does not lead to cross address space leaks, but it provides a reliable way to force an illegal dataflow between microarchitectural elements," said the experts.

HPE: Sudo Flaw Grants Attackers Root Privileges to Aruba Platform

 

A vulnerability in Sudo, open-source software used within HP's Aruba AirWave management platform, can enable any unprivileged and unauthorized local user to acquire root privileges on a vulnerable host, as warned by Hewlett Packard Enterprise (HPE). 

According to a recent HPE security advisory, the Sudo vulnerability may be part of a "chained attack." An attacker gains a foothold with fewer rights via another flaw and then exploits this to escalate privileges. 

The Aruba AirWave management platform for wired and wireless infrastructures is HPE's real-time monitoring and security warning system. In January, researchers at Qualys discovered the Sudo issue (CVE-2021-3156) and think it affects millions of endpoint devices and systems. 

According to the Sudo license, Sudo is software used by various platforms that allows a system admin to distribute power to give particular users (or groups of users) the ability to perform certain (or all) commands as root or another user.” 

Mehul Revankar, Qualys' VP of Product Management and Engineering, defined the Sudo bug as "perhaps the most significant Sudo vulnerability in recent memory (both in terms of scope and impact) and has been hiding in plain sight for nearly 10 years" in a research note at the time it was discovered. 

For HPE, the company officially reported the issue last week, stating that it impacted the AirWave management platform prior to version 8.2.13.0, released on June 18, 2021. 

According to the security bulletin, “A vulnerability in the command line parameter parsing code of Sudo could allow an attacker with access to Sudo to execute commands or binaries with root privileges.” 

The Sudo vulnerability has been termed "Baron Samedit" by Qualys researchers, who claim the flaw was introduced into the Sudo code in July 2011. The problem was first thought to primarily affect Linux and BSD operating systems, including Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33. (Sudo 1.9.2). 

Since then, further security advisories have been issued by other companies. HPE isn't the first company to report a Sudo dependency in its code, and it probably won't be the last. 

However, in February, an Apple security advisory warned that the Sudo vulnerability was present in macOS (macOS Big Sur 11.2, macOS Catalina 10.15.7, macOS Mojave 10.14.6). Following the announcement, Apple released a Sudo patch (Sudo version 1.9.5p2) to fix the vulnerability. 

Mitigate The Risk

According to experts, the flaw may be exploited to carry out privilege escalation attacks in the context of the Aruba AirWave management platform Sudo's flaw is a heap-based buffer overflow that allows any local user to deceive Sudo to operate in shell mode. 

Researchers explain that when Sudo is executed in shell mode, it "escapes special characters in the command's parameters with a backslash." Then, a policy plug-in eliminates any escape characters before deciding on the Sudo user's permissions.” 

Users should upgrade to version 8.2.13.0 or above of HPE's AirWave management platform to mitigate the potential risk, according to HPE. Sudo issued a fix earlier this year as well, for HPE AirWave, a technical fix is also available:

“To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for AirWave be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above,” as per HPE.