Tag Archive for: 0days

Novel Mirai-based DDoS botnet exploits 0-days to infect routers and security cameras


Threat actors are exploiting previously unknown bugs in certain routers and network video recorder (NVR) devices to build a Mirai-based distributed denial-of-service (DDoS) botnet, dubbed InfectedSlurs.

The newly discovered zero-day remote code execution vulnerabilities can be exploited if the device manufacturers’ default admin credentials have not been changed – a security measure users very often fail to take.

In a post this week, researchers at Akamai’s security intelligence response team (SIRT) said they discovered the botnet through their global honeypots last month and identified it was targeting network video recorder (NVR) devices from a specific manufacturer.

“The SIRT did a quick check for CVEs known to impact this vendor’s NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild,” the researchers wrote.

Further investigation revealed a second device from a different manufacturer – a wireless LAN router designed for hotels and residential use – was also being targeted by the threat actors behind the botnet.

The researchers said they alerted the manufacturers to the respective vulnerabilities and were told by both that they expected to release patches for the affected devices next month. Until that occurred, Akamai would not identify the manufacturers.

“There is a thin line between responsibly disclosing information to help defenders, and oversharing information that can enable further abuse by hordes of threat actors,” the researchers said.

In the case of the router the threat group was targeting, it was manufactured by a Japanese vendor that produced multiple switches and routers. Japan’s Computer Emergency Response Team (JPCERT) had confirmed the exploit, but Akamai did not know if more than one model in the company’s catalog was affected.

“The feature being exploited is a very common one, and it’s possible there is code reuse across product line offerings,” the researchers said.

Akamai labelled the botnet “InfectedSlurs” after the researchers discovered racial epithets and offensive language within the naming conventions used for the command-and-control domains associated with…


Microsoft takes pains to obscure role in 0-days that caused email breach

On Friday, Microsoft attempted to explain the cause of a breach that gave hackers working for the Chinese government access to the email accounts of 25 of its customers—reportedly including the US Departments of State and Commerce and other sensitive organizations.

In a post on Friday, the company indicated that the compromise resulted from three exploited vulnerabilities in either its Exchange Online email service or Azure Active Directory, an identity service that manages single sign-on and multifactor authentication for large organizations. Microsoft’s Threat Intelligence team said that Storm-0558, a China-based hacking outfit that conducts espionage on behalf of that country’s government, exploited them starting on May 15. Microsoft drove out the attackers on June 16 after a customer tipped off company researchers to the intrusion.

Above all else: Avoid the Z-word

In standard parlance among security professionals, this means that Storm-0558 exploited zero-days in the Microsoft cloud services. A “zero-day” is a vulnerability that is known to or exploited by outsiders before the vendor has a patch for it. “Exploit” means using code or other means to trigger a vulnerability in a way that causes harm to the vendor or others.

While both conditions are clearly met in the Storm-0558 intrusion, Friday’s post and two others Microsoft published Tuesday bend over backward to avoid the words “vulnerability” or “zero-day.” Instead, the company uses considerably more amorphous terms such as “issue,” “error,” and “flaw” when attempting to explain how nation-state hackers tracked the email accounts of some of the company’s biggest customers.

“In-depth analysis of the Exchange Online activity discovered that in fact the actor was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key,” Microsoft researchers wrote Friday. “This was made possible by a validation error in Microsoft code.”

Later in the post, the researchers said that Storm-0558 acquired an inactive signing key…


Week in review: KeePass vulnerability, Apple fixes exploited WebKit 0-days


Week in review

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

Apple fixes WebKit 0-days under attack (CVE-2023-28204, CVE-2023-32373, CVE-2023-32409)
Apple has released security updates for iOS and iPadOS, macOS, tvOS and watchOS, delivering fixes for many vulnerabilities but, most importantly, for CVE-2023-32409, a WebKit 0-day that “may have been actively exploited.”

Google Cloud CISO on why the Google Cybersecurity Certificate matters
In this Help Net Security interview, Phil Venables, CISO at Google Cloud, sheds light on how this initiative will create greater opportunities for individuals worldwide and contribute to meeting the increasing demand for cybersecurity professionals.

SquareX’s vision: A future where internet security is a non-issue
SquareX, the brainchild of cybersecurity trailblazer Vivek Ramachandran, is on a mission to revolutionize the cybersecurity landscape with a unique browser-based solution, designed to fortify online safety for consumers.

Enhancing open source security: Insights from the OpenSSF on addressing key challenges
In this Help Net Security interview, we meet a prominent industry leader. Brian Behlendorf, CTO at the Open Source Security Foundation (OpenSSF), shares insights on the influence of his experiences with the White House CTO office, World Economic Forum, and Linux Foundation on leading the OpenSSF and addressing open-source security challenges.

KeePass flaw allows retrieval of master password, PoC is public (CVE-2023-32784)
A vulnerability (CVE-2023-32784) in the open-source password manager KeePass can be exploited to retrieve the master password from the software’s memory, says the researcher who unearthed the flaw.

Advantech’s industrial serial device servers open to attack
Three vulnerabilities in Advantech’s EKI series of serial device servers could be exploited to execute arbitrary commands on the OS level.

DarkBERT could help automate dark web mining for cyber threat intelligence
Researchers have developed DarkBERT, a language model pretrained on dark web data, to help cybersecurity pros extract cyber threat intelligence (CTI) from the Internet’s virtual underbelly.

Is…


0-days, RCE bugs, and a curious tale of signed malware – Naked Security


Another month, another Microsoft Patch Tuesday, another 48 patches, another two zero-days…

…and an astonishing tale about a bunch of rogue actors who tricked Microsoft itself into giving their malicious code an official digital seal of approval.

For a threat researcher’s view of the Patch Tuesday fixes for December 2022, please consult the Sophos X-Ops writeup on our sister site Sophos News:

For a deep dive into the saga of the signed malware, discovered and reported recently by Sophos Rapid Response experts who were called in to deal with the aftermath of a successful attack:

And for a high-level overview of the big issues this month, just keep reading here…

Two zero-day holes patched

Fortunately, neither of these bugs can be exploited for what’s known as RCE (remote code execution), so they don’t give outside attackers a direct route into your network.

Nevertheless, they’re both bugs that make things easier for cybercriminals by providing ways for them to sidestep security protections that would usually stop them in their tracks:


CVE-2022-44710: DirectX Graphics Kernel Elevation of Privilege Vulnerability

An exploit allowing a local user to abuse this bug has apparently been publicly disclosed.

As far as we are aware, however, the bug applies only to the very latest builds (2022H2) of Windows 11.

Kernel-level EoP (elevation-of-privilege) bugs allow regular users to “promote” themselves to system-level powers, potentially turning a troublesome but perhaps limited cybercrime intrusion into a complete computer compromise.


CVE-2022-44698: Windows SmartScreen Security Feature Bypass Vulnerability

This bug is also known to have been exploited in the wild.

An attacker with malicious content that would normally provoke a security alert could bypass that notification and thus infect even well-informed users without warning.


Bugs to watch

And here are three interesting bugs that weren’t 0-days, but that crooks may well be interested in digging into, in the hope of figuring out ways to attack anyone who’s slow at patching.

Remember that patches themselves often unavoidably give attackers clear hints on where to start looking, and what sort of things to…
