Tag Archive for: Bug

Mass Exploitation of Zero-Day Bug in MOVEit File Transfer Underway


A threat group with likely links to the financially motivated group known as FIN11 and other known adversaries is actively exploiting a critical zero-day vulnerability in Progress Software’s MOVEit Transfer app to steal data from organizations using the managed file transfer technology.

MOVEit Transfer is a managed file transfer app that organizations use to exchange sensitive data and large files both internally and externally. Organizations can deploy the software on-premises, or as infrastructure-as-a-service or as software-as-a-service in the cloud. Progress claims thousands of customers for MOVEit including major names such as Disney, Chase, BlueCross BlueShield, Geico, and Major League Baseball.

Researchers from Google’s Mandiant security group who are tracking the threat believe the exploit activity may well be a precursor to follow-on ransomware attacks on the organizations that have fallen victim so far. A similar pattern played out earlier this year after an attacker exploited a zero-day flaw in Fortra’s GoAnywhere file transfer software to access customer systems and steal data from them.

The Microsoft Threat Intelligence team meanwhile said via Twitter today that it has attributed the attack to a baddie it calls “Lace Tempest,” which is a financially motivated threat and ransomware affiliate that has ties to not only FIN11, but also TA505, Evil Corp, and the Cl0p gang.

Data Theft Happening in Minutes

An initial investigation into the MOVEit Transfer attacks by Mandiant showed that the exploit activity began on May 27, roughly four days before Progress disclosed the vulnerability and issued patches for all affected versions of the software. Mandiant has so far identified victims across multiple industry sectors located in Canada, India, and the US, but believes the impact could be much broader.

“Following exploitation of the vulnerability, the threat actors are deploying a newly discovered LEMURLOOT Web shell with filenames that masquerade as human.aspx, which is a legitimate component of the MOVEit Transfer software,” Mandiant said in a blog post June 2.

The Web shell allows the attackers to issue commands for enumerating files and folders on a system running MOVEit…


New Android updates patch kernel bug exploited in spyware attacks


This month’s Android security updates patched a high-severity vulnerability that allowed attackers to install commercial spyware on Android devices.

Hackers exploited the security flaw (CVE-2023-0266) as a zero-day in a spyware campaign. This campaign targeted Samsung Android phones as part of a complex chain of multiple zero-days and n-days.

The exploit chain also included a zero-day (CVE-2022-4262) in the Chrome web browser and a Chrome sandbox escape. In addition, there were vulnerabilities in the Mali GPU Kernel Driver and the Linux Kernel.

What Google TAG says about it

The Android security team has warned that the CVE-2023-0266 vulnerability may be under limited, targeted exploitation. Google TAG has linked the attacks to the Spanish spyware vendor Variston, which is known for its Heliconia exploit framework targeting the Windows platform.

The vulnerability is a weakness in the Linux Kernel subsystem that could result in privilege escalation without requiring user interaction.

According to the Google TAG report, attackers deployed a spyware suite on compromised devices that could decrypt and extract data from chat and browser apps.

The Android security team wants users to update ASAP

In response to the threat, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-0266 to its Known Exploited Vulnerabilities list a day after Google TAG published its report.

Federal Civilian Executive Branch Agencies (FCEB) were given until April 20 to secure all vulnerable Android devices against attacks that could target the bug. This month’s Android security updates also address dozens of other high-severity privilege escalation issues in the OS and various components.

On top of that, the Android security team published the May Pixel Update Bulletin on Monday, which addresses flaws in supported Pixel devices and Qualcomm components. Android users must update their devices as soon as possible to protect against potential attacks.




Google Issues Emergency Chrome Update for Zero-Day Bug


A Google Chrome zero-day vulnerability is under active exploitation in the wild, and while details are scarce, users are urged to update their Windows, Mac, and Linux systems to the latest version right away.

The fix for the high-severity bug, tracked as CVE-2023-2033, is being pushed out through the stable desktop and extended stable channels and will continue to roll out over the coming weeks, Google explained in its April 14 security advisory.

The flaw was discovered by Clément Lecigne of Google’s Threat Analysis Group on April 11, the company said.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”



Welcome to open source, Elon. Your Twitter code just got a CVE for shadow ban bug • The Register


The chunk of internal source code Twitter released the other week contains a “shadow ban” vulnerability serious enough to earn its own CVE, as it can be exploited to bury someone’s account out of sight “without recourse.”

The issue was discovered by Federico Andres Lois while reviewing the tweet recommendation engine that’s said to power Twitter’s For You timeline. This system was made public by Twitter on March 31, adding to the libraries of open source software it had already released over the years, long before Elon Musk took over.

That recommendation engine, we’d like to quickly note, seems more of a curiosity than anything else: while it shows what kinds of tweets and engagement are deemed important or harmful to Twitter, we’re not sure there’s enough there to do anything terribly practical with it, in terms of building your own social network or offering to improve Elon’s. It’s more marketing sauce than open source.

According to Lois’s study of the engine bug he found, coordinated efforts to unfollow, mute, block and/or report a targeted user apply global reputation penalties to the account that are practically impossible to overcome, because of how Twitter’s recommendation algorithm weights negative actions.

As a result, Lois said, Twitter’s current recommendation algorithm “allows for coordinated hurting of account reputation without recourse.” Mitre has assigned CVE-2023-23218 to the issue.

Because this bug is in Twitter’s recommendation algorithm, accounts that have been subject to mass blocking are essentially “shadow-banned”: they won’t show up in recommendations, and the user is never told they’ve been penalized. There seems to be no way to correct that kind of action, and it ideally shouldn’t be possible to game the system in this way, but it is.

Lois pointed to several examples of Twitter users encouraging mass follows and unfollows, blocking and other actions that have disproportionately negative weight on targeted accounts as examples that the behavior is being exploited in the wild. Lois also said apps such as Block Party, which allow Twitter users to mass-filter accounts, are formalized tools that – whether intentional or not – end up having…
