Tag Archive for: Exploited

DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack


Mar 14, 2024 | Newsroom | Malware / Cyber Attack


A DarkGate malware campaign observed in mid-January 2024 leveraged a recently patched security flaw in Microsoft Windows as a zero-day using bogus software installers.

“During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers,” Trend Micro said.

CVE-2024-21412 (CVSS score: 8.1) is an Internet Shortcut Files security feature bypass vulnerability that lets an unauthenticated attacker circumvent SmartScreen protections by tricking a victim into opening a specially crafted file.

It was fixed by Microsoft as part of its Patch Tuesday updates for February 2024, but not before it was weaponized by a threat actor called Water Hydra (aka DarkCasino) to deliver the DarkMe malware in attacks targeting financial institutions.

The latest findings from Trend Micro show that the vulnerability has come under broader exploitation than previously thought, with the DarkGate campaign leveraging it in conjunction with open redirects from Google Ads to proliferate the malware.


The attack chain begins with the victim clicking a link embedded in a PDF attachment delivered by a phishing email. The link abuses an open redirect on Google's doubleclick[.]net domain to send the browser to a compromised web server hosting a malicious .URL Internet Shortcut file that exploits CVE-2024-21412.

Specifically, the redirects lead to fake Microsoft software installers (.MSI) masquerading as legitimate software such as Apple iTunes, Notion and NVIDIA applications. Each installer is bundled with a side-loaded DLL that decrypts and launches the DarkGate payload (version 6.1.7) on the victim's machine.
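The .URL file in this chain is a plain INI-format Internet Shortcut, so a responder can triage quarantined samples without opening them. The script below is an added example, not Trend Micro's or Microsoft's code, and it does not detect CVE-2024-21412 itself; its heuristic is an assumption: a shortcut delivered from the web or an attachment normally targets http(s), so one whose target is a file:// URL, a UNC path or another installer/shortcut artifact, or whose icon is fetched from a remote share, deserves a second look. The two samples are constructed for the demo, not artifacts from the campaign.

```python
"""Triage Windows Internet Shortcut (.url) files delivered from the web.

Added example, not code from the article or its sources. Heuristic only:
it flags risky targets, it is not a signature for CVE-2024-21412.
"""
import configparser
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: these extensions are never a sensible target for a web shortcut.
RISKY_TARGET_EXT = re.compile(r"\.(url|lnk|msi|exe|dll|js|vbs|hta|scr)$", re.I)


@dataclass
class Verdict:
    target: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_file(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (URL, IconFile, IconIndex, ...)
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("InternetShortcut"):
        raise ValueError("no [InternetShortcut] section")
    return dict(cp["InternetShortcut"])


def _is_remote_non_web(path: str) -> bool:
    """True for UNC paths and file:// URLs that name a remote host."""
    if path.startswith("\\\\") or path.startswith("//"):
        return True
    p = urlparse(path)
    return p.scheme.lower() == "file" and bool(p.netloc)


def triage_url_file(text: str) -> Verdict:
    """Apply the heuristics above to one .url file and collect the reasons."""
    keys = parse_url_file(text)
    target = keys.get("URL", "").strip()
    icon = keys.get("IconFile", "").strip()
    verdict = Verdict(target=target)
    scheme = urlparse(target).scheme.lower()
    if _is_remote_non_web(target):
        verdict.reasons.append("target is a UNC path or file:// URL on a remote host")
    elif scheme not in ("http", "https"):
        verdict.reasons.append(f"unexpected target scheme {scheme or '(none)'!r}")
    if RISKY_TARGET_EXT.search(target):
        verdict.reasons.append("target names an executable, installer or shortcut file")
    if icon and _is_remote_non_web(icon):
        verdict.reasons.append("IconFile is fetched from a remote share")
    return verdict


# Constructed samples for the demo (not campaign artifacts).
BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/docs\r\n"
SUSPECT = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10/share/installer.url\r\n"
    "IconFile=\\\\203.0.113.10\\share\\app.ico\r\n"
    "IconIndex=0\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        v = triage_url_file(sample)
        print(name, "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

Run it over a directory of quarantined attachments and review anything that returns a non-empty reason list; an empty list only means the file passed these heuristics, not that it is safe.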

It’s worth noting that another now-fixed bypass flaw in Windows SmartScreen (CVE-2023-36025, CVSS score: 8.8) has been employed by threat actors to deliver DarkGate, Phemedrone Stealer, and Mispadu over the past few months.

The abuse of Google Ads technologies allows threat actors to increase the reach and scale of their attacks through different ad…

Source…

CISA Systems Hacked: Ivanti Vulnerabilities Exploited, Urgent Security Measures Advised


Officials from the Cybersecurity and Infrastructure Security Agency (CISA) recently disclosed that the agency's systems were breached in February by attackers exploiting flaws in Ivanti products.

A CISA spokesperson confirmed the incident, saying the agency detected suspicious activity indicating exploitation of Ivanti product vulnerabilities roughly a month earlier, as reported by Recorded Future News.

The breach was limited to two systems, which were promptly taken offline as part of the immediate response. The spokesperson said there is currently no operational impact and pointed to ongoing efforts to modernize and upgrade the agency's systems.

The Impact of the CISA Cyber Breach

According to a person with knowledge of the matter, the hacked systems were the Infrastructure Protection (IP) Gateway and the Chemical Security Assessment Tool (CSAT). The two systems held data on the interdependencies of U.S. infrastructure and on private-sector chemical security plans. CISA has neither confirmed nor denied this.

CSAT, which stores sensitive industrial data, including top-screen submissions from high-risk chemical facilities, site security plans and security vulnerability assessments, was a focal point of the breach.


In response to the incident, CISA advised organizations to review its February 29 alert warning of active exploitation of Ivanti Connect Secure and Ivanti Policy Secure gateway vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.

“This is a reminder that any organization can be affected by a cyber vulnerability, and having an incident response plan in place is a necessary component of resilience,” the CISA spokesperson noted.

The CISA is a…

Source…

CISA ADDS ANDROID PIXEL AND SUNHILLO SURELINE BUGS TO ITS KNOWN EXPLOITED VULNERABILITIES CATALOG



Pierluigi Paganini
March 06, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android Pixel and Sunhillo SureLine vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

The Android Pixel vulnerability, tracked as CVE-2023-21237, resides in applyRemoteView of NotificationContentInflater.java. Exploitation could lead to local information disclosure with no additional execution privileges needed and no user interaction required.

Google addressed the issue in June 2023 and said at the time that it was aware of "limited, targeted exploitation."

“There are indications that CVE-2023-21237 may be under limited, targeted exploitation.” reads the security bulletin published by the company.

The issue is likely chained with other flaws in an exploit used by a commercial spyware vendor or a nation-state actor.

The second issue added to the catalog is an OS command injection vulnerability in Sunhillo SureLine. Exploitation allows an attacker to execute arbitrary commands with root privileges, which can lead to complete system compromise.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the listed vulnerabilities in their own infrastructure.

CISA orders federal agencies to fix this vulnerability by March 26, 2024.
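The practical step behind BOD 22-01, for agencies and private organizations alike, is to intersect the KEV catalog with your own findings and work the overdue items first. The script below is an added example, not CISA's code. It assumes the field names of the public KEV JSON feed as I know them (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`, `knownRansomwareCampaignUse`); the feed excerpt, the scanner findings and the reference date are constructed for the demo, and the due dates other than the March 26 one stated above are illustrative, not the catalog's real values. The CVE IDs are ones named elsewhere on this page.

```python
"""Prioritize vulnerability-scan findings against a CISA KEV feed.

Added example, not CISA's code. Field names follow the public KEV JSON
catalog as I know them (assumption); all data below is constructed.
"""
import json
from datetime import date

# Constructed feed excerpt in the KEV JSON shape. Due dates are illustrative
# except 2024-03-26, which the article gives for CVE-2023-21237.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-21237", "vendorProject": "Android", "product": "Pixel",
         "vulnerabilityName": "Android Pixel Information Disclosure Vulnerability",
         "dateAdded": "2024-03-05", "dueDate": "2024-03-26",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-21412", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Internet Shortcut Files Security Feature Bypass",
         "dateAdded": "2024-02-13", "dueDate": "2024-03-05",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti",
         "product": "Connect Secure and Policy Secure",
         "vulnerabilityName": "Ivanti Connect Secure and Policy Secure Authentication Bypass",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-22",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: one row per (host, CVE).
FINDINGS = [
    {"host": "ws-01", "cve": "CVE-2024-21412"},
    {"host": "vpn-01", "cve": "CVE-2023-46805"},
    {"host": "mobile-17", "cve": "CVE-2023-21237"},
]


def load_kev(feed_json: str) -> dict:
    """Index catalog entries by CVE ID for O(1) lookup."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def prioritize(findings: list, kev: dict, today: str) -> list:
    """Keep only KEV-listed findings; order them overdue-first, then by days left."""
    ref = date.fromisoformat(today)
    rows = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            continue  # not in the catalog: handled by normal risk-based patching
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": finding["host"],
            "cve": finding["cve"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(),
            "days_left": (due - ref).days,
            "overdue": due < ref,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })
    # Overdue rows first (most overdue at the top), then soonest due date.
    rows.sort(key=lambda r: (not r["overdue"], r["days_left"]))
    return rows


if __name__ == "__main__":
    catalog = load_kev(KEV_FEED_JSON)
    for row in prioritize(FINDINGS, catalog, "2024-03-14"):
        state = "OVERDUE" if row["overdue"] else f'{row["days_left"]}d left'
        print(f'{row["host"]:10} {row["cve"]:15} {row["product"]:35} due {row["due"]} {state}')
```

Swap `KEV_FEED_JSON` for the real catalog download and `FINDINGS` for your scanner's export; the `requiredAction` text travels with each row so the ticket raised for the asset owner carries CISA's instruction verbatim.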

Source…

Dangerous Windows 10, 11, Server Zero-Day Exploited By Lazarus Hackers


The notorious and highly prolific North Korean Lazarus hacking group has been exploiting an admin-to-kernel privilege escalation flaw in Windows using an updated version of its FudModule rootkit.

What Is CVE-2024-21338 And Why Is It So Dangerous?

In a detailed analysis titled Lazarus and the FudModule Rootkit, Jan Vojtěšek of Avast Threat Labs explains how researchers found the exploit for this previously unknown zero-day vulnerability in appid.sys, the Windows AppLocker driver.

Although the vulnerability, tracked as CVE-2024-21338, was reported to Microsoft by Avast in August 2023 together with a proof-of-concept exploit, it was not patched until the February 13 Patch Tuesday updates. When those updates shipped, CVE-2024-21338 was not listed as a zero-day being exploited in the wild.

“From the attacker’s perspective, crossing from admin to kernel opens a whole new realm of possibilities,” Vojtěšek says. “With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes,) disable kernel-mode telemetry, turn off mitigations, and more.”

As for the FudModule rootkit, Vojtěšek says this represents “one of the most complex tools Lazarus holds in their arsenal.”

Microsoft Issued Fix As Part Of February Patch Tuesday

Microsoft has since published an updated security advisory that recognizes this as a zero-day vulnerability.

The flaw affects various versions of Windows 10, Windows 11 and Windows Server; users are advised to check the updated advisory and apply the patch if they have not already done so.

The Avast analysis says that, now that Microsoft has issued a patch for this vulnerability, Lazarus' offensive operations will undoubtedly be disrupted.

“While discovering an admin-to-kernel zero-day may not be as challenging as discovering a zero-day in a more attractive attack surface (such as standard user-to-kernel, or even sandbox-to-kernel),” Vojtěšek concludes, “we believe that finding…

Source…