
Vulnerabilities Found In Moxa Railway Devices, Can Cause Disruption


Railway and other wireless communication devices developed by Moxa are affected by around 60 vulnerabilities. Moxa is a Taiwan-based industrial networking and automation firm. Earlier this week, cybersecurity firm SEC (owned by Atos) revealed that one of its experts found two new flaws in Moxa devices, along with various out-of-date third-party software components riddled with known flaws.

According to the experts, Moxa devices are affected by a command injection vulnerability that an authenticated attacker can abuse to compromise the device's operating system (CVE-2021-39279), along with a reflected cross-site scripting (XSS) flaw that can be exploited using a specially crafted configuration file (CVE-2021-39278). Besides this, the products are affected by an estimated 60 other vulnerabilities in third-party software such as the GNU C Library, Dropbear SSH, BusyBox, OpenSSL, and the Linux kernel. Moxa has released two separate advisories for the vulnerabilities.

SecurityWeek reports: "one of them describes the impact on TAP-323, WAC-1001 and WAC-2004 series devices, which are designed for railways. The TAP-323 device is a trackside wireless access point designed for train-to-ground wireless communications, while the WAC devices are described as rail wireless access controllers." Moxa is building patches for the TAP-323 and WAC-1001 products; however, the WAC-2004 series is discontinued, and the vendor has asked customers to take precautions to reduce the risk of exploitation.

According to Thomas Weber, the researcher at SEC who found the vulnerabilities in the Moxa devices, no analysis has yet been done to check whether the XSS and command injection flaws can be chained; however, it might be possible. An attacker would have to trick an authenticated user into opening a link, which would allow the XSS to steal the information needed to authenticate to the system and then exploit the command injection.

Experts are not sure about the damage an attacker could cause; it depends on the critical messages sent through the devices. "If an attacker gains access to the web-based management interface of the affected devices and they obtain login credentials — the login credentials could be obtained through various methods — they would be able to take over the whole device with persistent access," SecurityWeek reports.

BrakTooth Vulnerability Puts Bluetooth Users At Risk, Flaws Left Unpatched


White hat hackers have revealed a set of vulnerabilities named BrakTooth, which affects commercial Bluetooth devices, raising doubts about vendors' intent to fix the flaws. The Automated Systems Security (ASSET) Research Group at the Singapore University of Technology and Design said it disclosed BrakTooth, "a family of 16 new security vulnerabilities (20+ CVEs) in commercial Bluetooth Classic (BR/EDR) stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE)."

"The team has shown off arbitrary code execution on an ESP32 microcontroller, commonly found in Internet of Things (IoT) devices which are rarely if ever updated by their manufacturers, denial of service attacks against laptops and smartphones with the Intel AX200 and Qualcomm WCN3390 chips, and the ability to freeze or shut down headphones and other Bluetooth audio devices," said the Register. It said BrakTooth affects major SoC (System on Chip) vendors such as Qualcomm, Intel, Texas Instruments, Silicon Labs, Infineon and others.

BrakTooth affects around 1,400 commercial products, including the Microsoft Surface Pro 7, Surface Laptop 3, Surface Book 3, Surface Go 2, and Volvo FH infotainment systems, and exposes "fundamental attack vectors in the closed BT [Bluetooth] stack."

This is not the first time the group has made such findings; ASSET was also behind the SweynTooth vulnerabilities in 2020. Vendors have been informed about the sixteen vulnerabilities; however, the responses received vary.

"Espressif, whose popular ESP32 microcontroller family was affected, was one of the first to release a patch closing the holes, along with Bluetrum Technology and Infineon. Intel, Actions, and Zhuhai Jieli Technology have confirmed they are either investigating the flaws or actively developing patches. Harman International and SiLabs, by contrast, 'hardly communicated with the team,' the researchers claimed, 'and the status of their investigation is unclear at best,'" reports the Register.

Qualcomm and Texas Instruments fared worse: the latter said it won't release patches unless customers demand them, and the former is only patching some parts, even though unpatched chips appear in brand-new products being released across the world.

Attackers Remotely Exploit Bugs in Linphone Session Initiation Protocol (SIP) Stack


A team of researchers recently disclosed details of a zero-click security vulnerability in the Linphone Session Initiation Protocol (SIP) stack that could be exploited without any action by the victim to crash the SIP client and trigger a denial-of-service (DoS) condition.

Linphone is a 20-year-old open-source voice-over-IP (VoIP) project that claims to have been the first open-source software on Linux to use the Session Initiation Protocol (SIP). Its SIP software is used by developers to build communication systems that combine instant messaging, audio, and video. It is developed and maintained by France-based Belledonne Communications.

The flaw, tracked as CVE-2021-33056 (CVSS score: 7.5), is a NULL pointer dereference vulnerability in the "belle-sip" component, a C library used to implement the SIP transport, transaction, and dialog layers; all versions prior to 4.5.20 are affected. Claroty, an industrial cybersecurity firm, discovered and reported the flaw.

Specifically, the remotely triggerable flaw can be set off by appending a malicious forward slash ("</") to a SIP message header such as To (the call recipient), From (the call initiator), or Diversion (redirecting the destination endpoint), causing any SIP client that uses the belle-sip library to parse SIP messages to crash.

This is a zero-click vulnerability: sending an INVITE SIP request with a specially crafted From/To/Diversion header causes the SIP client to crash. As a result, any application that uses belle-sip to parse SIP messages becomes unavailable as soon as a malicious SIP "call" is received.

"Successful exploits targeting IoT vulnerabilities have demonstrated they can provide an effective foothold onto enterprise networks," Brizinov said. "A flaw in a foundational protocol such as the SIP stack in VoIP phones and applications can be especially troublesome given the scale and reach shown by attacks against numerous other third-party components used by developers in software projects." 

The core protocol stack has been fixed in its latest release; companies that depend on the affected SIP stack in their products must now apply the fix downstream.

Conti Group Exploited Vulnerable Microsoft Exchange Servers


According to cybersecurity consultancy Pondurance, the Conti ransomware gang is now using backdoors that are still active on on-premises Microsoft Exchange email servers; servers that have since been patched remain at risk.

Pondurance researchers stated, "Despite patching, thousands of devices might still be compromised". Conti appears to be targeting firms that patched the Exchange issues initially exploited by Chinese attackers but failed to detect and remove the backdoor access that had already been installed.

On March 4th, Microsoft released emergency fixes for four vulnerabilities in its on-premises Exchange email servers. The Biden administration officially accused a group working for China's Ministry of State Security in July of running a string of attacks against vulnerable Microsoft Exchange email servers this year that disrupted thousands of firms in the United States and around the globe. 

The US has not sanctioned China for its aggressive cyber operations, according to Anne Neuberger, the US deputy national security advisor for cyber and emerging technologies, who stated last week that the US is first aiming to establish an international consensus on how to respond.

Meanwhile, Chinese advanced persistent threat organizations have been discovered abusing vulnerabilities in Microsoft Exchange servers to breach telecommunications provider networks in Southeast Asia in an attempt to capture confidential communications from customers. 

The Pondurance researchers discovered one instance in which an unlicensed, abused remote monitoring and management (RMM) agent was deployed on an on-premises Exchange server.

"The unauthorized RMM tool remained present on the victim machine for approximately four months and granted the ability for remote interaction with the victim machine," Pondurance says. "In July, the RMM tool was used by outside actors to install additional malicious frameworks, including Cobalt Strike. The resulting actions concluded with the installation of Conti ransomware." 

According to the researchers, the company patched Exchange without first ensuring that any previously established backdoor access had been deleted. 

"Pondurance recommends searching for unauthorized ScreenConnect services installed on on-premises Exchange servers that were vulnerable to [the flaw exploit] at some point," Pondurance stated.

"These services should be present within the registry and would have generated 'Service Created' event logs (event ID 7045) at the time of install in March 2021. You may also find ScreenConnect-related folders created in the filesystem under 'C:\ProgramData,' 'C:\Program Files (x86),' and 'C:\Windows\Temp.'"
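The three artifacts Pondurance names (event ID 7045 entries, registered services, and folders under the listed roots) can be collected in one pass. The following PowerShell is an added example for defenders, not Pondurance's own tooling: the event ID, folder roots and March 2021 window come from the guidance quoted above, while the parameter names, the `ScreenConnect` match pattern and the output shape are this example's own choices.

```powershell
# Added example, not Pondurance's own tooling: hunt for the artifacts Pondurance
# describes on an on-premises Exchange server. The event ID (7045), the folder
# roots and the March 2021 window come from the quoted guidance; everything else
# (parameter names, output shape) is this example's own choice. Run as an administrator.
param(
    [datetime]$Start = (Get-Date '2021-03-01'),
    [datetime]$End   = (Get-Date '2021-04-01')
)

# 1. 'Service Created' events (System log, ID 7045) in the window whose message
#    mentions ScreenConnect. An empty result may simply mean the log has rotated,
#    which is why steps 2 and 3 do not depend on the event log.
$serviceEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = $Start; EndTime = $End
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ScreenConnect' } |
    Select-Object TimeCreated, Message

# 2. Services still registered in the registry whose key name or ImagePath
#    references ScreenConnect, regardless of when they were created.
$registeredServices = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.PSChildName -match 'ScreenConnect' -or
                   "$($_.ImagePath)" -match 'ScreenConnect' } |
    Select-Object PSChildName, ImagePath

# 3. ScreenConnect-related folders under the three roots Pondurance lists
#    (C:\ProgramData, C:\Program Files (x86), C:\Windows\Temp on a default install).
$roots = @($env:ProgramData, ${env:ProgramFiles(x86)}, "$env:windir\Temp")
$folders = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Filter '*ScreenConnect*' -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTime
}

# Return everything as one object so it can be exported (Export-Csv, ConvertTo-Json)
# and compared across servers. Any non-empty property warrants investigation.
[pscustomobject]@{
    ServiceCreatedEvents = @($serviceEvents)
    RegisteredServices   = @($registeredServices)
    Folders              = @($folders)
}
```

A hit in any of the three lists should be treated as a possible active backdoor and handed to incident response before the service or folders are removed, since deleting the artifacts first destroys the evidence of how long the access persisted and what it was used for.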

Fat Face, a British clothing and accessory retailer, paid Conti a $2 million ransom in March to unlock its computers after Conti accessed numerous files containing sensitive data. The group has also been linked to healthcare-related attacks. After a Conti ransomware attack on Ireland's Health Service Executive in May, the FBI issued a warning to healthcare institutions and first responder networks, urging them to take precautions to avoid becoming victims.

Furthermore, after complaining about the profit share, a dissatisfied Conti affiliate reportedly released important training material from the ransomware group. Conti, a ransomware-as-a-service group, recruits affiliates to hack networks and encrypt devices in exchange for a cut of the ransom money.

According to Bleeping Computer, a security researcher published a post written by an outraged Conti affiliate who publicly exposed information about the ransomware campaign. 

According to the report, this information includes IP addresses of Cobalt Strike C2 servers as well as a 113 MB archive containing numerous tools and training materials for conducting ransomware operations. As per the Bleeping Computer report, the affiliate also wrote on a prominent Russian-speaking hacking forum that he had been paid $1,500 for his part in an attack while the gang members made millions.

Telegram Bug in Mac Allows User To Save Secret Chats


Cybersecurity experts have found a technique that lets Telegram users on Mac keep self-destructing messages or view them without the sender's knowledge. Telegram has an optional "secret chat" feature that protects the privacy of conversations with additional safeguards. If you start a secret chat with a Telegram user, the chat is end-to-end encrypted, and all messages, media and attachments self-destruct by default, disappearing from the device after a set time.

But a new bug found by cybersecurity expert Reegun Richard Jayapaul, Lead Threat Architect at Trustwave SpiderLabs, lets a Telegram user on Mac save self-destructing messages and media permanently. Files sent in a chat are saved in the cache folder under a path containing unique identifiers (XXXXXX) tied to the user profile. "As voice recordings, video messages, images, or location sharing images are automatically downloaded to the cache, Reegun discovered that a user could simply copy the media from the cache folder before viewing it in the program," reports Bleeping Computer.

Telegram does not download non-media attachments until the recipient chooses to, because such documents are generally large. When a user views the content or reads a message, the self-destruct timer starts, and the content is automatically deleted when it expires. However, the researcher found that the self-destructing media was not removed from the cache folder, so the user could save it to a different location on the hard drive. Telegram patched the vulnerability in Telegram for macOS version 7.7 (215786) or later after it was reported; however, a second bug still allows a user to save self-destructing media.

As per the reports, Telegram told the experts that the second issue can't be fixed because there is no way to stop a user from directly accessing the app's folder. Telegram said: "please note that the primary purpose of the self-destruct timer is to serve as a simple way to auto-delete individual messages. However, there are some ways to work around it that are outside what the Telegram app can control (like copying the app's folder), and we clearly warn users about such circumstances."

Chrome 92 Update by Google Patches 10 High Severity Vulnerabilities


Chrome 92 (92.0.4515.131), the Google security update issued for Windows, Mac, and Linux, patches at least 10 vulnerabilities. Chrome 92 also improves the browser's efficiency in phishing detection calculations, extends the scope of its site isolation technology, and adds a few new 'Chrome Actions' to the repertoire.

The California-based search giant has awarded over $133,000 in rewards to researchers who identified some 35 vulnerabilities addressed in Chrome 92. At least 9 of the flaws were rated high severity, the highest rating Google assigned in this update.

Researchers Leecraso and Guang Gong of the 360 Alpha Lab team at Chinese cybersecurity company Qihoo 360 earned $20,000 for reporting a high-severity vulnerability tracked as CVE-2021-30590, which Google describes as a buffer overflow in Bookmarks.

Leecraso told SecurityWeek that CVE-2021-30590 is a sandbox escape issue that could be "exploited with an extension or a compromised renderer." An attacker can exploit the flaw to remotely execute code outside Chrome's sandbox. Because it is an out-of-bounds write, the vulnerability can be leveraged to break out of the browser's sandbox, and exploitation would only require the user to install a malicious extension.

Google Chrome Sandbox is a development and test environment for developers of Google Chrome-based applications. The sandbox environment provides test and staging infrastructure without the code under test affecting current code and databases.

Two vulnerabilities uncovered by researcher David Erceg have also been rated high severity. CVE-2021-30592, described as an out-of-bounds write in Tab Groups, earned him $10,000, while CVE-2021-30593, described as an out-of-bounds read in Tab Strip, earned him a $5,000 bug bounty.

“CVE-2021-30592 would require a malicious extension to be installed,” Erceg told SecurityWeek. “As for CVE-2021-30593,” he added, “it would be easier to trigger with an extension, though a web page could trigger the behavior under some more restricted circumstances. The impact is similar to CVE-2021-30592, in that an attacker could potentially escape the sandbox if they could set up memory in the appropriate way before the out-of-bounds read occurs. This issue could also be exploited on its own, but it does require some more specific interaction from the user.” 

CVE-2021-30591, a use-after-free flaw in the File System API, is another high-severity vulnerability for which Google paid out $20,000. It was reportedly discovered by researcher SorryMybad of Kunlun Lab.

It is worth noting that Google pays up to $20,000 for Chrome sandbox escape vulnerabilities disclosed in a high-quality report. If researchers additionally provide a functioning exploit, they can receive up to $30,000 for such flaws.

Users should upgrade Chrome as soon as possible, given that the web browser is increasingly targeted for malicious activity. It is worth noting that this year Google has fixed more than half a dozen zero-day vulnerabilities that were being actively exploited.

Latest Cobalt Strike Vulnerability Allows Takedown of Hacker Servers


Cybersecurity experts have found a Cobalt Strike denial-of-service (DoS) vulnerability that allows Beacon C2 (Command and Control) communication to be blocked and prevents new deployments. Cobalt Strike is a legitimate penetration testing tool built as an attack framework for red teams. A red team is a group of cybersecurity analysts who act as threat actors to attack their own organization in order to find security vulnerabilities and exploits. But Cobalt Strike is also used by hackers, generally for post-exploitation tasks after planting Beacons, which give them persistent remote access to compromised devices. With the help of these Beacons, threat actors can later use the compromised systems to deploy second-stage malware payloads or harvest data.

SentinelLabs, the research team at SentinelOne, discovered the DoS vulnerabilities, tracked as CVE-2021-36798 and dubbed "Hotcobalt", in the most recent versions of the Cobalt Strike server. SentinelLabs reports: "when a Beacon stager runs, it gathers information about the computer it is running on (CPU architecture, keyboard layout, internal IP, etc.), encrypts that info using the public key, and sends it to the server in an HTTP GET request. Receiving tasks generally happens over HTTP GET requests and the Beacon replies with the task data over HTTP POST requests. Tasks are encrypted using an AES key sent by the Beacon in the registration request."

The research showed that one can register fake Beacons with a particular Cobalt Strike server installation and send it fake tasks or screenshots with large file sizes. Using this process, an attacker could exhaust available memory and crash the server. A crashed server leaves already-installed Beacons unable to communicate with the C2 server and prevents new Beacons from being installed on compromised systems.

Besides this, it also interferes with red team operations and malicious attacks that use the planted Beacons. "One of the most famous features of Cobalt Strike is its Malleable C2. In short, this feature lets the attacker encode ("transform" in Cobalt's language) all the beacon's HTTP communications. The entire process described above is wrapped in the chosen Malleable profile's transformation steps, which are also embedded in the stager itself," said SentinelLabs in its blog.

Bot Protection Available in Azure Web App Firewall

Microsoft recently announced that the WAF (Web Application Firewall) bot protection feature has reached general availability on Azure Application Gateway this week. Azure WAF is a cloud-based service built to protect customer web applications from bot attacks, common web vulnerabilities and exploits, including SQL injection, cross-site scripting, security misconfigurations, broken authentication and more. Azure WAF can be deployed within minutes with Azure Application Gateway, Azure Content Delivery Network (CDN) and Azure Front Door. Microsoft on Friday said that it is announcing the general availability of the Web Application Firewall (WAF) bot protection feature on Application Gateway.

The feature lets customers configure the bot protection rule set so that WAF logs or blocks requests from known malicious IP addresses. "Roughly 20% of all Internet traffic comes from bad bots. They do things like scraping, scanning, and looking for vulnerabilities in your web application. When these bots are stopped at the Web Application Firewall (WAF), they can't attack you. They also can't use up your resources and services, such as your backends and other underlying infrastructure," Microsoft says.

The new bot protection rule set can be used together with the OWASP CRS (Core Rule Set) to give web applications extra protection. The new rule set blocks bad bots, which criminals use for resource-consuming malicious tasks such as scanning, scraping, and looking for exploits in web apps. When the bot protection rule set is enabled on Azure WAF via Application Gateway, bots using known malicious IPs from the Microsoft Threat Intelligence feed are automatically blocked from accessing customer resources or probing them for potential vulnerabilities. "The bot mitigation ruleset list of known bad IP addresses updates multiple times per day from the Microsoft Threat Intelligence feed to stay in sync with the bots," Microsoft said.

"Your web applications are continuously protected even as the bot attack vectors change," reports Bleeping Computer. More information on WAF is available on Microsoft's Azure product website. Bleeping Computer reports that "the steps required to configure a bot protection rule set include: Creating a basic WAF policy for Application Gateway by following the instructions described in Create Web Application Firewall policies for Application Gateway. In the Basic policy page that you created previously, under Settings, select Rules. On the details page, under the Manage rules section, from the drop-down menu, select the check box for the bot Protection rule, and then select Save."
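The portal steps above have a scripted equivalent. The following Azure PowerShell (Az.Network module) is an added example, not code from Microsoft or Bleeping Computer: it creates an Application Gateway WAF policy that combines the OWASP CRS with the bot protection managed rule set, in Prevention mode so that matches are blocked rather than only logged. The resource group, policy name and region are placeholders chosen for this example.

```powershell
# Added example (not Microsoft's or Bleeping Computer's own code): create an
# Application Gateway WAF policy that pairs the OWASP CRS with the bot protection
# managed rule set, using the Az.Network PowerShell module. Resource group, policy
# name and region are placeholders; run Connect-AzAccount first.
$resourceGroup = 'rg-waf-example'
$policyName    = 'waf-policy-with-botprotection'
$location      = 'eastus'

# OWASP Core Rule Set: covers the generic web vulnerabilities the article lists
# (SQL injection, cross-site scripting, ...).
$owaspRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet `
    -RuleSetType 'OWASP' -RuleSetVersion '3.1'

# Bot protection rule set: matches requests from IPs in the Microsoft Threat
# Intelligence feed of known bad bots.
$botRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet `
    -RuleSetType 'Microsoft_BotManagerRuleSet' -RuleSetVersion '0.1'

# Both rule sets are attached to the same managed-rule configuration.
$managedRules = New-AzApplicationGatewayFirewallPolicyManagedRule `
    -ManagedRuleSet $owaspRuleSet, $botRuleSet

# Prevention blocks matching requests; Detection would only log them. The weak
# configuration to avoid is leaving a new policy in Detection mode indefinitely.
$policySettings = New-AzApplicationGatewayFirewallPolicySetting `
    -Mode Prevention -State Enabled -RequestBodyCheck $true

$policy = New-AzApplicationGatewayFirewallPolicy `
    -Name $policyName -ResourceGroupName $resourceGroup -Location $location `
    -ManagedRule $managedRules -PolicySetting $policySettings

# Confirm the bot rule set is really attached before associating the policy with
# an Application Gateway (Set-AzApplicationGateway -FirewallPolicy $policy).
$policy.ManagedRules.ManagedRuleSets |
    Select-Object RuleSetType, RuleSetVersion
```

The final listing should show both `OWASP` and `Microsoft_BotManagerRuleSet`; a policy with only the OWASP entry means the bot rule set did not attach and requests from the threat intelligence IP list will pass through untouched.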

This Vulnerability in E-Learning Platform Moodle Could Even Modify Exam Results


A critical security vulnerability in the popular e-learning platform Moodle can be exploited to access student data and test papers, and even to modify exam results. Moodle is an open-source e-learning platform used by 190,000 organizations across the world, most of them educational institutions such as colleges and universities. The bug, a PHP object injection vulnerability, exists in Moodle's Shibboleth authentication module and can allow malicious hackers to achieve remote code execution (RCE), which can lead to a complete takeover of the server.

If this happens, the attacker has access to everything on the server, such as student data, passwords, messages and exam grades. Penetration testers Robin Peraglie and Johannes Moritz found the flaw while hunting for bugs in Moodle, following their earlier discovery of two RCE vulnerabilities in the Moodle software.

According to them, the vulnerability only exists on Moodle LMS servers with Shibboleth authentication enabled. It is disabled by default, which is a relief for the educational institutions that do not use the module. But if it is enabled, unauthenticated hackers can remotely execute arbitrary system commands. This can lead to a complete compromise of the server, including leakage of user data. Students could also use it to tamper with exams before they actually take place.

According to the experts, the vulnerability is very easy to exploit. "After reporting the issue to Bugcrowd and, following a lengthy disclosure process, the flaw has now been patched. It took four months for the vulnerability to be triaged, revealed Moritz, who said he had the impression it was not treated as a priority. When asked why they didn't report it directly to Moodle, which has its own vulnerability disclosure program, the researcher said they are "quite inflexible with providing patches because of their two-month release cycle". Moritz did, however, reveal that the team also found a second critical Moodle pre-authentication bug – details of which will be released following a separate, ongoing coordinated disclosure process," reports the Daily Swig.

Business correspondence in messengers and social networks poses a cyber threat to companies

Experts believe that screenshots of work correspondence sent by company employees to third parties may fall into the hands of fraudsters. Such actions lead not only to reputational and financial risks for companies, but also to the risk of cyber threats.

"If the phone numbers of colleagues are visible in the correspondence, attackers can use this information: for example, for hacking, spam, data mining with the help of social engineering", says Alexander Tikhonov, general director of the SAS Russia/CIS IT company.

Kaspersky Lab said that the cyber risks for companies became more relevant after the transition to remote work, since office workers began to use shadow IT, tools not approved by the company, more often for business correspondence.

"Employees are increasingly using personal gadgets, as well as the programs installed on them for personal use, for work purposes," the company explained. Thus, 59% of Russians use personal mail to solve work issues, and 55% communicate at work in messengers that are not approved by IT departments, admitting that with the transition to remote work they began to do this regularly.

According to AlfaStrakhovanie analytical center, more than 60% of Russians send screenshots of work correspondence in messengers or post them on social networks. Moreover, 43% of respondents said that their company uses one of the standard instant messengers for corporate communication, and 23% responded that their company does not regulate the method of communication at all.

"People tend to think that social networks are not dangerous, that they are surrounded only by friends in the digital space," said Pavel Adylin, executive director of Artezio. He emphasized that the problem can only be solved by gradually improving the level of literacy and digital security of the business.

PrintNightmare Zero-Day Vulnerability: Patch Released by Microsoft Unsuccessful


Microsoft's updated emergency patch does not fully counter the PrintNightmare zero-day vulnerability and is still allowing attacks. Even though Microsoft has extended the patch for the PrintNightmare vulnerability to Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, the remote code execution exploit against the Windows Print Spooler service can still succeed in some scenarios, defeating the security safeguards and enabling arbitrary code execution for attackers.

On Tuesday, July 6, after the flaw had inadvertently been disclosed by researchers from the Hong Kong cybersecurity firm Sangfor at the end of the previous month, the Windows maker released an update addressing CVE-2021-34527 (CVSS score: 8.8) and made clear that the issue is distinct from another bug — tracked as CVE-2021-1675 — which Microsoft patched on June 8.

"Several days ago, two security vulnerabilities were found in Microsoft Windows' existing printing mechanism," Yaniv Balmas, head of cyber research at Check Point, stated. "These vulnerabilities enable a malicious attacker to gain full control on all windows environments that enable printing." 

These are usually workstations, but sometimes they include entire servers that are a vital part of very popular corporate networks. Microsoft categorized the vulnerabilities as critical; however, it could only repair one of them at the time they were published, leaving the second vulnerability open for attackers to explore.

PrintNightmare stems from vulnerabilities in the Windows Print Spooler, which governs printing in local networks. The biggest concern lies in the ability of non-admin users to load their own printer drivers. That has now been resolved.

"After installing this [update] and later Windows updates, users who are not administrators can only install signed print drivers to a print server," Microsoft said, detailing the improvements made to mitigate the risks associated with the flaw. "Administrator credentials will be required to install unsigned printer drivers on a printer server going forward." 

Further testing of the update revealed that exploits aimed at the flaw can completely bypass the remediation to achieve both local privilege escalation and remote code execution. However, this requires a Windows policy called 'Point and Print Restrictions' to be configured in a way that allows rogue printer drivers to be installed.

"Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1," Dormann said on Wednesday. Microsoft, for its part, explains in its advisory that "Point and Print are not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible." 

While Microsoft suggested the nuclear option of stopping and disabling the Print Spooler, a possible workaround is to enable the Point and Print security prompt and limit printer driver installation to administrators by configuring the "RestrictDriverInstallationToAdministrators" registry value.

Further on Thursday Microsoft said, "Our investigation has shown that the OOB [out-of-band] security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration."

This iPhone Bug Exists Even After Network Settings Reset


Two weeks after the iPhone Wi-Fi bug was found, the same cybersecurity analyst, Carl Schou, discovered a similar but different case. The expert said in a tweet that if an iPhone comes within range of a Wi-Fi network called '%secretclub%power', the iPhone would no longer be able to use Wi-Fi or any related features. The bug persists even if the user resets network settings, says Schou.

9TO5Mac reports: "Obviously, this is such an obscure chain of events that it is highly unlikely that any person accidentally falls into this unless a load of Wi-Fi pranksters suddenly pop up in the wild with open Wi-Fi networks using the poisoned name. Until Apple fixes this edge case in a future OS update, just keep an eye out for any Wi-Fi networks with percent symbols in their name." The only known way to fix the bug is a factory reset of the iPhone.

However, the experts advise against doing so, as it has not been tested. The earlier problem involved iPhones encountering a network with the SSID "%p%s%s%s%s%n"; that issue could be fixed simply by resetting network settings on the iPhone. The new problem is more serious, as it can affect any device that comes within range of the malicious public Wi-Fi network named '%secretclub%power'. It is clear that the two bugs are related, since both '%secretclub%power' and '%p%s%s%s%s%n' exploit a format string vulnerability somewhere in the iOS network stack. Schou tweeted: "You can permanently disable any iOS device's WiFI by hosting a public WiFi named %secretclub%power. Resetting network settings is not guaranteed to restore functionality."

As of now, it is clear that many variants of the network name bug exist, using the '%s', '%p', and '%n' character sequences. From the user's perspective, the best way to stay safe is to avoid connecting your device to Wi-Fi networks whose names contain '%' symbols. iOS users can only wait for the next update in which Apple fixes the OS bug. "Here's a funny bug: a security researcher has found that a carefully crafted network name causes a bug in the networking stack of iOS and can completely disable your iPhone's ability to connect to Wi-Fi," 9TO5Mac reported previously.

Microsoft Unveils Vulnerabilities in Netgear Routers


Improved security measures have pushed attackers to explore other ways of breaching systems. The growing number of firewall and ransomware attacks that go through VPN devices and other network appliances are examples of attacks that start from outside and below the operating system layer. As these attacks become more widespread, consumers must also secure the single-purpose software running on their hardware, such as routers.

Microsoft has disclosed several vulnerabilities in Netgear routers that could lead to data disclosure and complete system compromise. On June 30, 2021, Jonathan Bar Or of the Microsoft 365 Defender Research Team published the findings, noting that the vulnerabilities had been patched before public release.

"We discovered the vulnerabilities while researching device fingerprinting in the new device discovery capabilities in Microsoft Defender for Endpoint. We noticed a very odd behavior: a device owned by non-IT personnel was trying to access a NETGEAR DGN-2200v1 router's management port. The communication was flagged as anomalous by machine learning models, but the communication itself was TLS-encrypted and private to protect customer privacy, so we decided to focus on the router and investigate whether it exhibited security weaknesses that can be exploited in a possible attack scenario," Microsoft said.

The communication to the management port was TLS-encrypted, so its contents were not inspected; it was the traffic pattern that the machine learning models flagged as anomalous, and that prompted the Microsoft team to examine the router itself rather than the traffic.

Further research into the firmware turned up three authentication-related issues in the router's HTTPd. The first allowed the team to reach any page on the device, including pages that should require authentication such as the router administration pages, simply by appending GET variables to the request, which amounts to a full authentication bypass. The second was a side-channel weakness in the credential check that, if exploited, lets an attacker recover the stored credentials. The third chained the authentication bypass to remotely retrieve the router's configuration backup file, which is encrypted with the constant key "NtgrBak"; because the key never changes, an attacker can decrypt the file and read the stored data.
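A sketch of the first two bugs in Python, added here as an illustration and not taken from Microsoft's write-up or the router's firmware: a public-resource allowlist matched against the raw request target (query string included) beside one that matches only the normalised path, and a character-by-character credential comparison beside a constant-time one. The allowlist strings, the stored credentials and the function names are assumptions for the example.

```python
import hmac
import posixpath
from urllib.parse import urlsplit

# Hypothetical allowlist of resources the router serves without a login; the page does
# not give the real strings, so these and the stored credentials are constructed.
PUBLIC_PREFIXES = ("/images/",)
PUBLIC_SUFFIXES = (".gif", ".png", ".css", ".js")
STORED_USER = "admin"
STORED_PASSWORD = "correct horse battery staple"


def is_public_flawed(request_target):
    """Substring match on the raw request target, query string included: anything
    that ends in ".gif" or mentions "/images/" anywhere skips authentication."""
    return (any(p in request_target for p in PUBLIC_PREFIXES)
            or any(request_target.endswith(s) for s in PUBLIC_SUFFIXES))


def is_public_fixed(request_target):
    """Match only the normalised path component, so neither the query string nor
    a "/images/../" prefix can make a protected page look public."""
    path = posixpath.normpath(urlsplit(request_target).path)
    return path.startswith(PUBLIC_PREFIXES) or path.endswith(PUBLIC_SUFFIXES)


def authorize(request_target, authenticated, public_check):
    """True when the request may be served: a logged-in session or a public resource."""
    return bool(authenticated or public_check(request_target))


def compare_flawed(supplied, stored):
    """Stops at the first mismatch, so the running time reveals how many leading
    characters were right; an attacker measuring it can recover the value byte by byte."""
    if len(supplied) != len(stored):
        return False
    for a, b in zip(supplied, stored):
        if a != b:
            return False
    return True


def check_credentials(user, password):
    """Constant-time comparison of both fields, independent of where they differ."""
    user_ok = hmac.compare_digest(user.encode(), STORED_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), STORED_PASSWORD.encode())
    return user_ok and pass_ok


if __name__ == "__main__":
    for target in ("/setup.cgi", "/setup.cgi?todo=.gif", "/images/../setup.cgi"):
        print(target, "flawed:", authorize(target, False, is_public_flawed),
              "fixed:", authorize(target, False, is_public_fixed))
```

The fixed path check also defeats the "/images/../setup.cgi" variant, which the substring check accepts because "/images/" occurs in the string; normalising before matching is what makes the allowlist mean what it says.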

Microsoft's Security Vulnerability Research (MSVR) program privately informed Netgear of the issues. Netgear patched the firmware and published a security advisory describing the flaws in December. The bugs were tracked as PSV-2020-0363, PSV-2020-0364 and PSV-2020-0365, with CVSS severity scores ranging from 7.1 to 9.4.

Netgear advises customers to install the latest firmware available for their routers by visiting Netgear Support, entering the model number in the search box and downloading the newest firmware version. Updates can also be obtained through Netgear's apps.

Indexsinas SMB Worm Attacks Vulnerable Environments


The Indexsinas SMB worm is targeting vulnerable environments, researchers warn, with a focus on the healthcare, hospitality, education and telecommunications sectors. Its ultimate objective is to drop cryptocurrency miners on compromised machines.

Indexsinas, also known as NSABuffMiner, has been active since 2019. It uses the leaked Equation Group arsenal, namely the EternalBlue and EternalRomance exploits and the DoublePulsar backdoor, to break into Windows SMB shares, and it moves laterally and aggressively to take over entire environments.

"Propagation is achieved through the combination of an open-source port scanner and three Equation Group exploits – EternalBlue, DoublePulsar, and EternalRomance," according to a Guardicore Labs analysis.

Since 2019, Indexsinas has built a broad infrastructure of over 1,300 devices acting as attack sources, each responsible for only a handful of attack incidents; Guardicore observed that these are most likely compromised systems, located particularly in India, the USA and Vietnam. To date, almost 2,000 distinct attacks have been recorded in Guardicore's telemetry.

The attackers behind Indexsinas have been difficult to unmask.

“The Indexsinas attackers are careful and calculated,” according to the firm. “The campaign has been running for years with the same command-and-control domain, hosted in South Korea. The [command-and-control] C2 server is highly protected, patched, and exposes no redundant ports to the internet. The attackers use a private mining pool for their crypto mining operations, which prevents anyone from accessing their wallets’ statistics.” 

According to Guardicore Labs, an attack begins when a machine is compromised with the NSA-linked tools. The exploits run code in the victim's kernel and can inject payloads into user mode using asynchronous procedure calls (APCs).

Researchers noted, “Indexsinas uses the exploits to inject code to either explorer.exe or lsass.exe. The injected payloads – EternalBlue.dll for 32-bit and DoublePulsar.dll for 64-bit – download three executable files from the main C2 server.”

One of the downloads contains a reversed DLL file, a Portable Executable that is a variant of the Gh0stCringe remote access tool (RAT).

The first of the three downloads installs the RAT, while the second provides its core functionality: receiving C2 commands and reporting machine information, including the computer name, malware group ID, installation date and CPU specifications.

The files iexplore.exe and services.exe, meanwhile, install two services using a tool that impersonates the Windows svchost.exe process. The first service drops the cryptominer, while the second simply runs the mining module.

Another payload downloaded in the initial stage is c64.exe, which in turn drops two files. One is the executable ctfmon.exe, the propagation tool.

“Ctfmon.exe is responsible for finding potential victims and exploiting them using Equation Group’s tools – and it does that extremely thoroughly,” researchers said. “It uses exploits for both 32-bit and 64-bit machines and scans both RPC (TCP 139) and SMB (TCP 445) ports. Moreover, it tries to move laterally within the organizational network as well as spread across the internet.” 

A scheduled task runs a batch script that installs a service. The service launches a second batch script that scans for and exploits the SMB and RPC ports.

The batch scripts in these flows also uninstall competing miners' services, kill their processes and delete their files.

“It is crucial that network administrators, IT teams, and security personnel be able to easily identify assets and the services they run,” they explained. “Specifically, it should be easy to spot internet-facing servers, SMB included. With visibility in place, network admins would want to limit the access from and to different assets and the network services they expose.” 

For example, corporate functions and production activities should be segmented from each other. Policy rules can also be applied to secure an organization's SMB servers, such as blocking SMB access from the internet or permitting only specified IP addresses to reach the company's internet-facing file server. This helps prevent Indexsinas worm infections.
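Added example (not from the Guardicore report): detection logic that applies the visibility advice above to a constructed set of connection records. It flags a source that reaches many distinct hosts on TCP 139/445 within a minute, which is what ctfmon.exe's scanning looks like from the network, and any allowed SMB connection from an external address to an internal one, which is the exposure the policy rules are meant to remove. The log format, thresholds and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
SMB_PORTS = {139, 445}
SCAN_THRESHOLD = 5        # distinct SMB targets from one source within the window
WINDOW_SECONDS = 60

# Constructed connection records in a key=value format; not real logs.
SAMPLE_LOG = """\
2021-06-30T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=445 action=allow
2021-06-30T10:00:02 src=10.0.0.5 dst=10.0.0.21 dport=445 action=allow
2021-06-30T10:00:02 src=10.0.0.5 dst=10.0.0.22 dport=139 action=deny
2021-06-30T10:00:03 src=10.0.0.5 dst=10.0.0.23 dport=445 action=allow
2021-06-30T10:00:04 src=10.0.0.8 dst=10.0.0.9 dport=445 action=allow
2021-06-30T10:00:05 src=10.0.0.5 dst=10.0.0.24 dport=445 action=deny
2021-06-30T10:00:09 src=203.0.113.7 dst=10.0.0.30 dport=445 action=allow
2021-06-30T10:00:12 src=10.0.0.5 dst=10.0.0.30 dport=80 action=allow
"""


def parse(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "src": ip_address(rec["src"]),
            "dst": ip_address(rec["dst"]), "dport": int(rec["dport"]), "action": rec["action"]}


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def detect(lines):
    """Return findings: ('smb_exposed_to_internet', src, dst) for allowed external-to-internal
    SMB connections and ('smb_scan', src, n_targets) for sources fanning out over SMB."""
    findings = []
    per_source = defaultdict(list)          # src -> [(timestamp, dst)]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        r = parse(line)
        if r["dport"] not in SMB_PORTS:
            continue
        if r["action"] == "allow" and not is_internal(r["src"]) and is_internal(r["dst"]):
            findings.append(("smb_exposed_to_internet", str(r["src"]), str(r["dst"])))
        # Denied probes count too: a scanner is a scanner whether or not the firewall let it in.
        per_source[r["src"]].append((r["ts"], r["dst"]))
    for src, events in per_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding window over this source's events
            while (events[end][0] - events[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= SCAN_THRESHOLD:
                findings.append(("smb_scan", str(src), len(targets)))
                break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(*finding)
```

On the sample above, 10.0.0.5 is reported as a scanner after its fifth distinct SMB target, the single connection from 10.0.0.8 to a file server is left alone, and the allowed connection from 203.0.113.7 is reported as an SMB service exposed to the internet.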

Indian Origin Woman Rewarded with Rs 22 Lakh Bounty by Microsoft


Aditi Singh, a 20-year-old Delhi-based ethical hacker, was awarded $30,000 (roughly Rs 22 lakh) for finding a bug in Microsoft's Azure cloud platform. Just two months earlier, Aditi found a flaw in Facebook and received a $7,500 (around Rs 5.5 lakh) bounty.

She says both companies had a relatively new remote code execution (RCE) issue, a class of bug that comparatively gets little attention. With such weaknesses, attackers can access information on the companies' internal systems.

Aditi points out that finding vulnerabilities isn't simple and that ethical hackers need to keep up with new bugs, report them and still be eligible for payouts. She emphasizes not just the money but also gaining knowledge and learning about ethical hacking first.

"Microsoft has only fixed the bug which I spotted two months back. They have not fixed all of them," said Aditi, who was the first to report the RCE flaw. She added that the company took almost two months to respond, as it checked whether anybody had downloaded the faulty version. Aditi believes that individuals should ask a company's support team whether it runs a bounty program before they even begin looking for bugs; if the company confirms such a program, bounty hunters must deliver results.

Bug bounty hunters are mostly trained and certified cybersecurity professionals or security researchers who scan the web for bugs or loopholes through which hackers could sneak in, and notify the company. They are rewarded with cash when they succeed.

Aditi explained that the flaw was in code developers had written for a Node Package Manager (npm) package; npm is part of GitHub, where anyone can view these companies' code because it is open source.

Aditi has been hacking ethically for the last two years. She first broke into her neighbor's Wi-Fi password (which she sees as a personal triumph) and hasn't looked back since.

In addition, she has earned letters of appreciation from Harvard University, Columbia University, Stanford University, and the Google Hall of Fame. 

“I took an interest in ethical hacking when I was preparing for NEET, my medical entrance in Kota,” Aditi says. “I didn’t get through in medical school but have found bugs in over 40 companies including Facebook, TikTok, Microsoft, Mozilla, Paytm, Ethereum, HP, among others." 

After reporting an OTP bypass bug in TikTok's Forgot Password feature, for which she received a bounty of $1,100, she knew she wanted to pursue ethical hacking.

“There are multiple resources and Google, Twitter, and Hacker One that have write-ups with explanations about ethical hacking,” Aditi says. 

Aditi emphasizes that anyone who wants to learn hacking should know a programming language such as Python or JavaScript. She also recommends OSCP, a certification program for ethical hackers. She says most of her bounty money goes into certified hacking courses and tools.

Atlassian Patched Vulnerabilities in its Domains


On Wednesday, 23 June, cybersecurity researchers disclosed critical vulnerabilities in Atlassian's project and software development platform that could have been exploited to take over accounts and control certain applications connected through its single sign-on (SSO) capability.

The vulnerabilities stem from Atlassian's use of SSO to provide seamless navigation across the domains listed below. That shared login made it possible to chain XSS and CSRF to inject malicious code into the portal and then exploit a session fixation flaw to take over a valid user session. These vulnerabilities have since been patched.

Atlassian, the Australian company, was notified of the problem on 8 January 2021 and has since delivered a patch. The affected subdomains include:
jira.atlassian.com 
confluence.atlassian.com 
getsupport.atlassian.com 
partners.atlassian.com 
developer.atlassian.com 
support.atlassian.com 
training.atlassian.com 

"With just one click, an attacker could have used the flaws to get access to Atlassian's to publish Jira system and get sensitive information, such as security issues on Atlassian cloud, Bitbucket, and on-premise products," Check Point Research stated. 

Successful exploitation of these vulnerabilities could escalate into a supply chain attack, in which the attacker takes over an account, performs unauthorized actions on the victim's behalf, modifies Confluence pages, accesses Jira tickets and even plants malicious implants to mount further attacks.

In other words, an attacker can trick a user into clicking a crafted Atlassian link that delivers a malicious payload, which the attacker can then use to log into the victim's account and obtain confidential information.

Moreover, an attacker could take control of a Bitbucket account through a Jira account by opening a Jira ticket containing a malicious link to a rogue site; when the victim clicks the link in the auto-generated notification e-mail, the attacker can steal the credentials, effectively gaining authorization to access or modify source code, make repositories public or even insert backdoors.
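Session fixation, the last link in the chain described above, as an added Python example that is not Check Point's proof of concept and makes no claim about Atlassian's actual session code: a login handler that keeps the session id the browser already had, beside one that rotates it on authentication. The session store, user table and function names are constructed for the example.

```python
import hmac
import secrets

USERS = {"victim": "s3cret-passphrase"}     # constructed credential store


class SessionStore:
    """Server-side session table keyed by the cookie value (constructed for this example)."""

    def __init__(self):
        self.sessions = {}                 # session id -> {"user": name or None}

    def new(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def _password_ok(user, password):
    expected = USERS.get(user, "")
    return user in USERS and hmac.compare_digest(password.encode(), expected.encode())


def login_vulnerable(store, sid, user, password):
    """Keeps whatever session id the browser presented, so an id planted by an attacker
    before login becomes an authenticated session the attacker also holds."""
    if sid not in store.sessions:
        sid = store.new()
    if _password_ok(user, password):
        store.sessions[sid]["user"] = user
    return sid


def login_fixed(store, sid, user, password):
    """Issues a fresh id on successful authentication and invalidates the presented one."""
    if not _password_ok(user, password):
        return sid if sid in store.sessions else store.new()
    store.sessions.pop(sid, None)          # the planted id is dead from here on
    new_sid = store.new()
    store.sessions[new_sid]["user"] = user
    return new_sid


def fixation_attack(login):
    """Attacker obtains an unauthenticated id and plants it in the victim's browser
    (an XSS that sets a cookie on a shared parent domain is one way); the victim then logs in.
    Returns (who the planted id now maps to, who the victim's final id maps to)."""
    store = SessionStore()
    planted = store.new()
    victim_sid = login(store, planted, "victim", "s3cret-passphrase")
    return store.user_for(planted), store.user_for(victim_sid)


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(login_vulnerable))
    print("fixed:     ", fixation_attack(login_fixed))
```

With the vulnerable handler the planted id ends up authenticated as the victim; with the fixed handler the planted id no longer exists after login and only the newly issued id, which the attacker never sees, carries the session.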

"Supply chain attacks have piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organization's workflow," said Oded Vanunu, head of products vulnerabilities research at Check Point. "An incredible amount of supply chain information flows through these applications, as well as engineering and project management."

Security Bug Detected in Google’s Android App


A vulnerability existed in Google's eponymous Android app, which has over five billion downloads to date, that could have allowed an attacker to quietly steal personal data from a victim's device.

In a blog post, Sergey Toshin, founder of the mobile app security firm Oversecured, noted that the issue lay in the way the Google app relies on code that is not packaged with the app itself. Many Android apps, including the Google app, reduce their download size and storage footprint by depending on code libraries already installed on the phone.

However, a flaw in Google's code allowed a malicious app to inherit the Google app's permissions, giving it near-complete access to a user's data.

The Google app could be made to pull a code library from a malicious app on the same device instead of its legitimate library. The resulting access covers Google user accounts, search history, e-mail, text messages, contacts and call history, as well as the ability to trigger the microphone and camera and read the user's location.

Toshin added that the malicious app needs to be opened only once for the attack to start, after which it proceeds without the user's knowledge or cooperation. Removing the malicious app does not remove the malicious components from the Google app.

A Google spokesperson said the issue was fixed last month and that there was no evidence of attackers exploiting the flaw. Android's built-in malware scanner, Google Play Protect, will block the installation of harmful apps. However, no security feature is absolute, and malicious apps do make it onto devices.

Toshin said the vulnerability in the Google app is similar to a bug found in TikTok earlier this year that would have allowed an attacker to hijack a TikTok user's session tokens and use them to take control of the account.

Oversecured has identified several similar vulnerabilities, including in the Google Play app for Android and in pre-installed apps on recent Samsung phones.

Experts Name the Main Loophole Exploited in Cyberattacks on Russian Companies

According to experts at the cybersecurity company BI.ZONE (a Sberbank subsidiary), the main reason for successful cyberattacks on Russian companies is an access control vulnerability that allows attackers to connect to an organization's systems and, as a result, leads to data leakage.

"The vulnerability of access control was recognized as the main reason for unauthorized access to data of Russian companies. The company for strategic digital risk management BI.ZONE recorded this problem in 61% of organizations where they managed to gain access to confidential data," the company said.

According to BI.ZONE, this number was 67% last year. "A slight improvement may be due to an increase in the quality of creating in-house applications," experts say.

Yevgeny Voloshin, director of BI.ZONE's expert services unit, explained that attackers who compromise an administrator's account gain access to the company's systems and use this gap to steal data. Most often, the account is compromised by brute-forcing its password.

"This problem lies in the incorrect division of access in internal corporate applications. For example, a regular user can also work with functions that should only be available to the administrator. Attackers, having hacked his account, connect to the internal infrastructure, and then use this gap for data theft and other fraudulent actions," notes Yevgeny Voloshin.

BI.ZONE experts recommend using long passphrases that include punctuation and other characters, rather than a single word. The access control problem may also involve access to certain types of data without additional user authentication.

Earlier, E Hacking News reported that most users choose passwords that are too simple, which cybercriminals can easily guess in 46 percent of cases.
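The two weaknesses Voloshin describes, a brute-forced administrator password and an application that never checks whether the caller's role permits an operation, as an added Python example (not BI.ZONE's material): a login with a failed-attempt lockout, and a request handler that only authenticates beside one that also authorizes against a deny-by-default role table. Users, endpoints, roles and limits are constructed for the example.

```python
import hmac
import time
from collections import defaultdict

# Constructed user table, role ranks and a deny-by-default endpoint permission table.
USERS = {
    "alice": {"password": "alice's passphrase, with punctuation!", "role": "user"},
    "root":  {"password": "correct horse battery staple; long, not a word", "role": "admin"},
}
ROLE_RANK = {"user": 1, "admin": 2}
REQUIRED_ROLE = {"/api/reports": "user", "/api/users/delete": "admin", "/api/export": "admin"}
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900

_failures = defaultdict(list)        # user -> timestamps of recent failed logins


def authenticate(user, password, now=None):
    """Constant-time password check with a lockout after MAX_FAILURES recent failures,
    which caps an online brute-force run at a few hundred guesses per account per day."""
    now = time.time() if now is None else now
    recent = [t for t in _failures[user] if now - t < LOCKOUT_SECONDS]
    _failures[user] = recent
    if len(recent) >= MAX_FAILURES:
        return False                    # locked: even the right password is refused
    record = USERS.get(user)
    expected = record["password"] if record else ""
    if record and hmac.compare_digest(password.encode(), expected.encode()):
        _failures[user] = []
        return True
    _failures[user].append(now)
    return False


def handle_vulnerable(user, endpoint):
    """Checks only that the caller is a known user: a regular account can call admin functions."""
    return 200 if user in USERS else 401


def handle_fixed(user, endpoint):
    """Authenticates, then authorizes against the table; an endpoint not in the table is denied."""
    if user not in USERS:
        return 401
    needed = REQUIRED_ROLE.get(endpoint)
    if needed is None or ROLE_RANK[USERS[user]["role"]] < ROLE_RANK[needed]:
        return 403
    return 200


if __name__ == "__main__":
    print("vulnerable, alice deletes users:", handle_vulnerable("alice", "/api/users/delete"))
    print("fixed, alice deletes users:     ", handle_fixed("alice", "/api/users/delete"))
```

The lockout is deliberately keyed on the account rather than the source address, since the attacks described come from credential guessing against a known administrator account and an attacker can rotate addresses cheaply.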

Vulnerabilities Found in Realtek Module

A new set of high-severity vulnerabilities has been disclosed in the Realtek RTL8710C Wi-Fi module. An attacker could exploit them to gain access to a device and attack its wireless communications. According to researchers at Vdoo, an Israeli IoT security firm, a successful exploit would give complete control of the Wi-Fi module and possibly root access to the Linux or Android operating system of the embedded device that uses the module.

The Hacker News reports "Realtek RTL8710C Wi-Fi SoC underpins Ameba, an Arduino-compatible programmable platform equipped with peripheral interfaces for building a variety of IoT applications by devices spanning across agriculture, automotive, energy, healthcare, industrial, security, and smart home sectors." These vulnerabilities affect all IoT and embedded devices that use the module to connect to Wi-Fi networks. To exploit them, an attacker would have to be on the same Wi-Fi network as the devices using the RTL8710C module, or know the network's pre-shared key (PSK).

A PSK, as the name suggests, is a shared secret used to authenticate wireless devices on a LAN. "In the same vein, the RTL8710C Wi-Fi module's WPA2 four-way handshake mechanism is vulnerable to two stack-based buffer overflow vulnerabilities (CVE-2020-27301 and CVE-2020-27302, CVSS scores: 8.0) that abuse the attacker's knowledge of the PSK to obtain remote code execution on WPA2 clients that use this Wi-Fi module," reports The Hacker News. An earlier investigation in February revealed similar vulnerabilities in the Realtek RTL8195A Wi-Fi module, chief among them a buffer overflow (CVE-2020-9395).

That flaw allows an attacker within range of an RTL8195 module to fully hijack the module without knowing the Wi-Fi password. In a realistic attack scenario, the researchers built a proof-of-concept (PoC) exploit in which the attacker poses as a legitimate access point and sends a malformed encrypted GTK (group temporal key) to the supplicant (client) during the WPA2 handshake. The GTK is the key used to secure broadcast and multicast traffic. "During the analysis, we have discovered and responsibly disclosed six major vulnerabilities in Realtek's RTL8195A Wi-Fi module that these devices were based on," said Vdoo.
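Added example, not Vdoo's exploit or Realtek's firmware: the GTK reaches the supplicant inside a Key Data Encapsulation (KDE) in the third handshake message, and the KDE's one-byte length field is under the attacker's control once the attacker knows the PSK. The Python below encodes a GTK KDE, shows how many bytes a parser that trusts the length would copy into a fixed GTK buffer, and parses the same data with the bounds checks a safe supplicant needs. The 32-byte buffer size is an assumption for the example.

```python
KDE_TYPE = 0xDD
RSN_OUI = b"\x00\x0f\xac"
GTK_DATA_TYPE = 1
GTK_BUFFER_LEN = 32       # assumed size of the supplicant's fixed GTK buffer (not from the page)


def build_gtk_kde(gtk, key_id=1, tx=False):
    """Encode a GTK KDE as carried in the (decrypted) Key Data of EAPOL-Key message 3."""
    flags = (key_id & 0x03) | (0x04 if tx else 0x00)
    body = RSN_OUI + bytes([GTK_DATA_TYPE, flags, 0x00]) + gtk
    if len(body) > 255:
        raise ValueError("KDE body too long for a one-byte length field")
    return bytes([KDE_TYPE, len(body)]) + body


def iter_kdes(key_data):
    """Walk the TLVs in Key Data, refusing any length that runs past the buffer."""
    off = 0
    while off + 2 <= len(key_data):
        kde_type, length = key_data[off], key_data[off + 1]
        if kde_type == KDE_TYPE and length == 0:      # padding, nothing more to read
            return
        if off + 2 + length > len(key_data):
            raise ValueError("KDE length %d runs past end of key data" % length)
        yield kde_type, key_data[off + 2:off + 2 + length]
        off += 2 + length


def _is_gtk_kde(kde_type, body):
    return (kde_type == KDE_TYPE and len(body) >= 6
            and body[:3] == RSN_OUI and body[3] == GTK_DATA_TYPE)


def unchecked_copy_length(key_data):
    """Bytes a parser that trusts the length field would memcpy into the GTK buffer."""
    for kde_type, body in iter_kdes(key_data):
        if _is_gtk_kde(kde_type, body):
            return len(body) - 6
    return 0


def parse_gtk(key_data, buffer_len=GTK_BUFFER_LEN):
    """Return (key_id, tx, gtk) from the first GTK KDE, rejecting a key that would not fit."""
    for kde_type, body in iter_kdes(key_data):
        if not _is_gtk_kde(kde_type, body):
            continue
        gtk = body[6:]
        if not gtk or len(gtk) > buffer_len:
            raise ValueError("GTK length %d exceeds %d-byte buffer" % (len(gtk), buffer_len))
        return body[4] & 0x03, bool(body[4] & 0x04), gtk
    return None


def accepts(key_data):
    """True only if the key data parses cleanly and contains a GTK that fits the buffer."""
    try:
        return parse_gtk(key_data) is not None
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_gtk_kde(bytes(range(16)), key_id=2, tx=True)
    evil = build_gtk_kde(b"A" * 200)
    print("good:", parse_gtk(good))
    print("evil would copy", unchecked_copy_length(evil), "bytes; accepted:", accepts(evil))
```

The malformed KDE is well-formed at the TLV level (its length matches the data that follows), which is why a check against the end of the Key Data buffer alone is not enough; the copy into the fixed-size key buffer needs its own bound.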

Industrial Switches From Several Vendors Affected by the Same Vulnerabilities

Industrial switches from several vendors are affected by the same vulnerabilities because they all share firmware from Korenix Technology, an industrial networking solutions provider based in Taiwan. The vulnerabilities were disclosed by SEC Consult, an Austrian cybersecurity company owned by Atos, which had been trying to get the security holes patched since last year; it took Korenix more than a year to release fixes.

Security Week reports "Pepperl+Fuchs did release some patches and workarounds last year after being notified about the vulnerabilities, but the company's response was limited due to the fact that the flaws existed in the Korenix firmware. SEC Consult's initial attempts to get Korenix to patch the vulnerabilities failed, until late November 2020, when the company had been preparing to make its findings public." Westermo's PMI-110-F2G and Pepperl+Fuchs' Comtrol RocketLinx industrial switches also use the firmware Korenix made for its JetNet industrial switches. Beijer Electronics Group owns both Westermo and Korenix.

According to SEC Consult, the devices from these companies share the same firmware base, so a single vulnerability affects all of them. SEC Consult found five types of vulnerabilities, rated high and critical: unauthorized device administration, cross-site request forgery, authenticated command injection, TFTP file read/write issues and backdoor accounts. An attacker with network access can exploit them to make unauthorized configuration changes, steal sensitive data or put the device into a DoS state. The affected devices are used in automation, transportation, heavy industry, surveillance, power and energy, and other sectors.

These switches, according to the researchers, hold a central position in a network, and an attacker could exploit these vulnerabilities to disrupt connectivity to the attached systems. Apart from releasing firmware updates with the security fixes, Korenix has also suggested measures to mitigate potential threats. "This vulnerability can also be exploited via Cross-Site Request Forgery attacks as there is no protection for that kind of attack. The NMS (Network Management System) of Korenix, also known as JetView or Korenix NMS, communicates via UDP and triggered all actions without prior authentication," reports Security Week.
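Added example for the CSRF weakness quoted above (this is not Korenix's code and does not cover the unauthenticated UDP NMS protocol): a configuration endpoint that accepts any request carrying a valid session cookie, beside one that additionally requires a same-origin Origin or Referer header and a per-session synchronizer token. The endpoint, session table and request shape are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical switch management site and session table (constructed for this example).
SITE_ORIGIN = "https://switch.example.net"
SESSIONS = {}                    # cookie value -> {"user": name, "csrf": token}


def new_session(user):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def apply_config_vulnerable(req):
    """Accepts the change as soon as the browser attached a valid session cookie, which it
    does automatically for any page, so a rogue site the admin visits can submit this form."""
    return 200 if SESSIONS.get(req.get("cookie")) else 401


def _same_origin(req):
    source = req.get("origin") or req.get("referer")
    if not source:
        return False
    src, site = urlsplit(source), urlsplit(SITE_ORIGIN)
    return (src.scheme, src.netloc) == (site.scheme, site.netloc)


def apply_config_fixed(req):
    """Requires a session, a POST from the site's own origin and the session's synchronizer token."""
    session = SESSIONS.get(req.get("cookie"))
    if not session:
        return 401
    if req.get("method") != "POST" or not _same_origin(req):
        return 403
    token = req.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403
    return 200


def forged_request(cookie):
    """What a rogue page can make the admin's browser send: the cookie goes along
    automatically, but the Origin is foreign and the token is unknown to the attacker."""
    return {"method": "POST", "cookie": cookie, "origin": "https://attacker.example",
            "form": {"mgmt_ip": "203.0.113.1"}}


def legitimate_request(cookie):
    """The same form submitted from the switch's own page, token included."""
    return {"method": "POST", "cookie": cookie, "origin": SITE_ORIGIN,
            "form": {"csrf_token": SESSIONS[cookie]["csrf"], "mgmt_ip": "203.0.113.1"}}


if __name__ == "__main__":
    sid = new_session("admin")
    print("forged  -> vulnerable:", apply_config_vulnerable(forged_request(sid)),
          "fixed:", apply_config_fixed(forged_request(sid)))
    print("genuine -> fixed:", apply_config_fixed(legitimate_request(sid)))
```

Both checks are kept because they fail differently: the Origin header is absent from some requests and a bare Referer check can be stripped by privacy settings, while the token alone is defeated by an XSS on the same origin; together they cover the case a management UI on an embedded device most often meets, a logged-in operator browsing other sites.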