Tag Archive for: Exploited

Update Chrome Now to Fix New Actively Exploited Vulnerability


Jan 17, 2024 | Newsroom | Browser Security / Vulnerability


Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw.

The issue, tracked as CVE-2024-0519, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash.


“By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be used to bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service,” according to MITRE’s Common Weakness Enumeration (CWE).

Additional details about the nature of the attacks and the threat actors that may be exploiting it have been withheld in an attempt to prevent further exploitation. The issue was reported anonymously on January 11, 2024.

“Out-of-bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” reads the description of the flaw in NIST’s National Vulnerability Database (NVD).


The development marks the first actively exploited zero-day to be patched by Google in Chrome in 2024. Last year, the tech giant resolved a total of 8 such actively exploited zero-days in the browser.

Users are recommended to upgrade to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.


Ivanti VPN vulnerabilities exploited by suspected espionage group UNC5221


New details have emerged surrounding two zero-day vulnerabilities impacting Ivanti Connect Secure VPN (formerly known as Pulse Secure) and Ivanti Policy Secure appliances. Details of these vulnerabilities have been published by cybersecurity firm Mandiant. The reported vulnerabilities have seen active exploitation in the wild, beginning as early as December 2023.

Threat actor UNC5221, a suspected espionage group currently being monitored by Mandiant, is believed to be behind the exploitation of these vulnerabilities. As highlighted by Mandiant Consulting CTO Charles Carmakal, these CVEs, when chained together, result in unauthenticated remote code execution.

UNC5221 reportedly employed multiple custom malware families to conduct post-exploitation espionage activity after successfully exploiting the zero-day vulnerabilities. This includes establishing footholds for continued access to the Connect Secure (CS) appliances.

According to Mandiant’s researchers, the group’s preparation for maintaining persistent access to the CS appliances suggests that these are not just opportunistic attacks. It would seem UNC5221 planned to maintain its presence on a subset of high-priority targets compromised after an eventual patch release.

Mandiant’s researchers added that, similar to UNC5221, they had previously noted multiple suspected APT actors resorting to appliance-specific malware to facilitate post-exploitation and evade detection. These cases, coupled with findings related to targeting, have led Mandiant to believe that this could be an espionage-motivated APT campaign.

While Mandiant continues to investigate these attacks in detail, early findings also note that UNC5221 primarily utilised compromised, out-of-support Cyberoam VPN appliances for its command and control. The compromised devices were domestic to the victims, likely further aiding the threat actor in evading detection.

Patches are currently being developed, with Ivanti customers advised to stay updated on release timelines. At present, Mandiant has not linked this activity to a previously known group. It also doesn’t currently have enough data to ascertain the origin of UNC5221.

The custom malware families used by…


Two zero-days in Ivanti products actively exploited by threat actor


Researchers suspect an espionage-focused threat group linked to China is behind the exploitation of a pair of newly discovered zero-day bugs in Ivanti VPN appliances.

Meanwhile, Volexity disclosed in a Dec. 10 blog its researchers uncovered an exploit chain the threat actor used after detecting suspicious lateral movement on the network of one of its customers. Ivanti confirmed the authentication bypass and command injection vulnerabilities on its website.

The vulnerabilities are an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) bug affecting fully-patched Ivanti Connect Secure (formerly known as Pulse Connect Secure) and Policy Secure appliances.

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” Ivanti said in a Jan. 10 advisory.

CVE-2023-46805 has an 8.2 CVSS rating and is described as an authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure that “allows a remote attacker to access restricted resources by bypassing control check.”

The second bug, CVE-2024-21887, has a 9.1 CVSS rating and is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that “allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.”

In-the-wild exploitation

In-the-wild exploitation of the bugs was observed by researchers at Volexity who said in a post that while they could not identify the group responsible, they believed it was a Chinese nation-state-level threat actor.

Ivanti said it had created a mitigation to be applied to the gateways as an initial response while patches for the bugs were developed. Patches would be released on a staggered schedule beginning the week of January 22.

“We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected,” the vendor said.

“We are aware of less than 10…
