
Details Disclosed for Exploit Chain That Allows Hacking of Netgear Routers


Industrial and IoT cybersecurity firm Claroty on Thursday disclosed the details of five vulnerabilities that can be chained in an exploit potentially allowing threat actors to hack certain Netgear routers.

The vulnerabilities were first presented at the 2022 Pwn2Own Toronto hacking competition, where white hat hackers earned a total of nearly $1 million for exploits targeting smartphones, printers, NAS devices, smart speakers and routers.

Claroty’s router exploit, which targeted Netgear’s Nighthawk RAX30 SOHO router, earned the company’s researchers $2,500 at Pwn2Own. 

The flaws used in the exploit chain are tracked as CVE-2023-27357, CVE-2023-27367, CVE-2023-27368, CVE-2023-27369, and CVE-2023-27370. They were all patched by Netgear with the release of firmware version 1.0.10.94 in early April.

Three of the vulnerabilities have been rated ‘high severity’ and their exploitation can lead to remote code execution, authentication bypass and command injection. Chaining all the flaws can have a significant impact.

“Successful exploits could allow attackers to monitor users’ internet activity, hijack internet connections and redirect traffic to malicious websites, or inject malware into network traffic,” Claroty warned on Thursday. 

“An attacker could also use these vulnerabilities to access and control networked smart devices (security cameras, thermostats, smart locks), change router settings including credentials or DNS settings, or use a compromised network to launch attacks against other devices or networks,” the company added. 

One mitigating factor is that executing the exploit requires access to the LAN — it’s not a WAN attack that can be executed from the internet, which is why it earned a smaller reward at Pwn2Own. 


“These vulnerabilities require an attacker to have your WiFi password or an Ethernet connection to your network to be exploited,” Netgear explained in its advisory.


Source…

N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX



The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.

Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a “software supply chain attack lead to another software supply chain attack.”

The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it emerged that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, which used icon files hosted on GitHub to extract the address of the server hosting the stealer.

“The malicious application next attempts to steal sensitive information from the victim user’s web browser,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an analysis of the malware. “Specifically it will target the Chrome, Edge, Brave, or Firefox browsers.”

Select attacks targeting cryptocurrency companies also entailed the deployment of a next-stage backdoor referred to as Gopuram that’s capable of running additional commands and interacting with the victim’s file system.

Mandiant’s investigation into the sequence of events has now revealed the patient zero to be a malicious version of a now-discontinued software provided by a fintech company called Trading Technologies, which was downloaded by a 3CX employee to their personal computer.

It described the initial intrusion vector as “a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER.”

This rogue installer, in turn, contained a setup binary that dropped two trojanized DLLs and an innocuous executable, the latter of which is used to side-load one of the DLLs that’s camouflaged as a legitimate dependency.

The attack chain then made use of open source tools like SIGFLIP and DAVESHELL to ultimately extract and execute VEILEDSIGNAL, a multi-stage modular backdoor written in C that’s capable of sending data, executing shellcode, and terminating…

Source…

3CX Supply Chain Attack: North Korean Hackers Likely Targeted Cryptocurrency Firms


More information has come to light on the recent 3CX supply chain attack, which appears to have been conducted by North Korean hackers with the goal of targeting cryptocurrency companies.

Cybersecurity firm Kaspersky has conducted its own analysis of the incident and found links to attacks observed by the company back in 2020. 

Those attacks involved a backdoor dubbed Gopuram, which had been spotted on systems belonging to a Southeast Asian cryptocurrency firm. Gopuram was present at the time on compromised devices alongside AppleJeus, malware linked to North Korea’s Lazarus group.

Kaspersky has seen only a few Gopuram infections since 2020, but there was a surge in March 2023, and an analysis revealed that the surge was a result of the 3CX supply chain attack. The hackers behind the 3CX attack likely delivered the Gopuram malware only to victims that were deemed of interest.

According to Kaspersky, Gopuram was deployed on fewer than 10 devices as part of the 3CX attack, mainly belonging to cryptocurrency companies, which suggests that the operation was aimed at this sector.

This would not be surprising considering that North Korean state-sponsored hackers have been known to steal significant amounts of cryptocurrency. UN experts said recently that last year they stole between $630 million and more than $1 billion worth of virtual assets. Cryptocurrency is used by Pyongyang to fund its national priorities and objectives, including cyber operations.

Kaspersky’s investigation further points to North Korean government-backed hackers being behind the 3CX attack, after companies such as CrowdStrike and Sophos also found links to the Lazarus group. 

3CX says its business communication products are used by 600,000 companies worldwide, including major brands. The malware distributed through 3CX may have been pushed to thousands of companies, but the hackers were not interested in all of these companies. Instead, based on Kaspersky’s data, they were looking for cryptocurrency companies to which they could deliver the full-fledged Gopuram backdoor, which the security firm believes is the main implant and the final payload in the attack chain.

Fortinet and BlackBerry previously reported

Source…

Europe, North America Most Impacted by 3CX Supply Chain Hack


Organizations in Europe, North America and Australia seem to account for the highest percentage of victims of the supply chain hack that hit business communication company 3CX.

According to data collected by Fortinet, based on the number of devices connecting to attacker-controlled infrastructure, the highest percentage of victims is in Italy, followed by Germany, Austria, the United States, South Africa, Australia, Switzerland, the Netherlands, Canada and the United Kingdom. 

Looking at regional data, Europe is at the top of the chart with 60%, followed by North America with 16%. 

“This may indicate that the threat actor is mainly targeting enterprises in those regions – however, this is uncertain. This could be indicative of 3CX product’s geographic customer base – including the possibility of various multinational corporations operating inside those regions,” Fortinet noted. 

BlackBerry’s security researchers have also seen many apparent victims in Australia, the United States and the United Kingdom, across the healthcare, pharmaceutical, IT, and financial sectors. 

3CX’s VoIP software is used by more than 600,000 companies worldwide, including major consumer brands, airlines, carmakers and hotels. 

Security firm Huntress noted last week that there are more than 240,000 3CX phone system management consoles that are accessible from the internet, and the company saw over 2,700 instances of compromised binaries on customer systems. 

It was previously reported that the attackers likely had access to 3CX systems for months before the breach was detected. Based on BlackBerry’s own analysis, “the initial phase of this operation took place somewhere between the end of summer and the beginning of fall 2022.”


It’s still unclear how the attackers gained access to 3CX systems, and whether they exploited any known or unknown vulnerability for initial access, but the new identifier CVE-2023-29059 has been assigned to the 3CXDesktopApp compromise. 

Bleeping Computer also reported that the attackers appear to have exploited CVE-2013-3900, a file signature-related vulnerability for which…

Source…