Tag Archive for: Exploited

Two zero-days in Ivanti products actively exploited by threat actor


Researchers suspect an espionage-focused threat group linked to China is behind the exploitation of a pair of newly discovered zero-day bugs in Ivanti VPN appliances.

Volexity disclosed in a Jan. 10 blog post that its researchers had uncovered the exploit chain after detecting suspicious lateral movement on the network of one of its customers. Ivanti confirmed the authentication bypass and command injection vulnerabilities on its website the same day.

The vulnerabilities are an authentication bypass (CVE-2023-46805) and a command injection bug (CVE-2024-21887) affecting fully patched Ivanti Connect Secure (formerly known as Pulse Connect Secure) and Policy Secure appliances.

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” Ivanti said in a Jan. 10 advisory.

CVE-2023-46805 has an 8.2 CVSS rating and is described as an authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure that “allows a remote attacker to access restricted resources by bypassing control check.”

The second bug, CVE-2024-21887, has a 9.1 CVSS rating and is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that “allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.”

In-the-wild exploitation

In-the-wild exploitation of the bugs was observed by researchers at Volexity who said in a post that while they could not identify the group responsible, they believed it was a Chinese nation-state-level threat actor.

Ivanti said it had created a mitigation to be applied to the gateways as an initial response while patches for the bugs were developed. Patches would be released on a staggered schedule beginning the week of January 22.

“We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected,” the vendor said.

“We are aware of less than 10…

Source…

Alert: New Chrome Zero-Day Vulnerability Being Exploited


Google has shipped an emergency update for a high-severity Chrome zero-day vulnerability that it says is being actively exploited. The bug is in the WebRTC framework and, when exploited, can crash the browser or lead to arbitrary code execution.

In this article, we'll look at the details of the vulnerability and the countermeasures Google has taken to keep it from being exploited further.

Chrome Zero-Day Vulnerability Discovered


Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) are credited with discovering the vulnerability. Google has not published technical details of the bug or of the attacks using it, which is its usual practice until most users have updated. It has, however, acknowledged that:

“An exploit for CVE-2023-7024 exists in the wild.”

The Chrome zero-day vulnerability, identified as CVE-2023-7024, is described as a heap-based buffer overflow bug in the WebRTC framework. A heap-based buffer overflow lets attacker-controlled data be written past the end of a heap allocation, corrupting whatever lies next to it in memory and, in the worst case, turning a crash into the execution of arbitrary code outside the program's intended security policy.

One classic route is to overwrite a function pointer stored near the overflowed buffer so that it points at attacker-controlled code. Once the exploit yields arbitrary code execution in a browser process, other browser security mechanisms become the attacker's next target.
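As an added example (this is not code from the original article, from Chrome or from WebRTC), the following C program shows the generic mechanism the paragraph describes: a heap object whose data buffer is immediately followed by a callback pointer, a parser that copies a sender-supplied length into that buffer without checking it, and the hardened version with the bounds check. The struct frame layout, the function names and the packet bytes are all constructed for this demonstration and say nothing about the actual CVE-2023-7024 bug, whose details Google has not published.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy object, not WebRTC code: a fixed-size payload buffer
 * immediately followed by a callback pointer, so writing past the buffer
 * lands on the pointer. */
#define PAYLOAD_MAX 16

typedef void (*handler_fn)(void);

struct frame {
    uint8_t payload[PAYLOAD_MAX];
    handler_fn on_done;          /* the pointer a long "packet" corrupts */
};

static void benign_handler(void)   { puts("benign handler ran"); }
static void attacker_handler(void) { puts("attacker-chosen function ran"); }

/* Volatile read so the check reflects what is actually in memory,
 * not what the compiler assumes is still there. */
static handler_fn read_handler(const struct frame *f) {
    return *(volatile const handler_fn *)&f->on_done;
}

/* Vulnerable parser: copies `len` bytes, trusting the sender's length. */
struct frame *vuln_parse(const uint8_t *pkt, size_t len) {
    struct frame *f = calloc(1, sizeof *f);
    if (f == NULL)
        return NULL;
    f->on_done = benign_handler;
    uint8_t *dst = f->payload;
    for (size_t i = 0; i < len; i++)   /* BUG: len never checked against PAYLOAD_MAX */
        dst[i] = pkt[i];
    return f;
}

/* Hardened parser: rejects any packet that does not fit the buffer. */
struct frame *safe_parse(const uint8_t *pkt, size_t len) {
    if (len > PAYLOAD_MAX)
        return NULL;
    struct frame *f = calloc(1, sizeof *f);
    if (f == NULL)
        return NULL;
    f->on_done = benign_handler;
    memcpy(f->payload, pkt, len);
    return f;
}

/* Builds the constructed malicious packet: filler up to the pointer's
 * offset inside the struct, then the raw bytes of the pointer to install. */
size_t build_overflow_packet(uint8_t *out, size_t cap, handler_fn target) {
    size_t off  = offsetof(struct frame, on_done);
    size_t need = off + sizeof target;
    if (cap < need)
        return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return need;
}

/* Returns 1 if the vulnerable parser ends up with the hijacked callback. */
int vuln_is_hijacked(void) {
    uint8_t pkt[64];
    size_t n = build_overflow_packet(pkt, sizeof pkt, attacker_handler);
    struct frame *f = vuln_parse(pkt, n);
    int hijacked = (f != NULL && read_handler(f) == attacker_handler);
    free(f);
    return hijacked;
}

/* Returns 1 if the hardened parser refuses the same packet. */
int safe_rejects_overflow(void) {
    uint8_t pkt[64];
    size_t n = build_overflow_packet(pkt, sizeof pkt, attacker_handler);
    struct frame *f = safe_parse(pkt, n);
    int rejected = (f == NULL);
    free(f);
    return rejected;
}

/* Returns 1 if the hardened parser still accepts an in-bounds packet. */
int safe_accepts_small(void) {
    uint8_t pkt[PAYLOAD_MAX] = {0};
    struct frame *f = safe_parse(pkt, sizeof pkt);
    int ok = (f != NULL && read_handler(f) == benign_handler);
    free(f);
    return ok;
}

int main(void) {
    uint8_t pkt[64];
    size_t n = build_overflow_packet(pkt, sizeof pkt, attacker_handler);
    struct frame *f = vuln_parse(pkt, n);
    read_handler(f)();               /* runs attacker_handler, not benign_handler */
    free(f);
    printf("hardened parser rejects the packet: %d\n", safe_rejects_overflow());
    return 0;
}
```

Compile with `cc -o frame frame.c` and run it. The overflow here stays inside one struct so the program does not crash; a real browser exploit has to arrange the heap so that the corrupted neighbour is something useful and then defeat ASLR, control-flow integrity and the renderer sandbox, none of which this toy attempts. The fix is the same in both cases: validate the length against the destination size before the copy.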

Google Chrome is used across many platforms and by many high-value targets, which makes a Chrome zero-day a worthwhile investment for threat actors. A bug in the renderer process is typically the first link in an exploit chain, followed by a sandbox escape and, often, a privilege-escalation bug to gain full control of the host.


Chrome Security Updates


As far as countermeasures for the vulnerability are concerned, Google has stated that: “Access to bug details and links may be kept restricted until…

Source…

Apple Warns of Newly Exploited iOS 17 Kernel Zero-Day

Apple’s cat-and-mouse struggle with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.
The Cupertino device maker on Wednesday rushed out a new patch to cover a pair of serious vulnerabilities and warned that one of the issues has already been exploited as a zero-day in the wild.
In a barebones advisory, Apple said the exploited CVE-2023-42824 kernel vulnerability allows a local attacker to elevate privileges, suggesting it was used in an exploit chain in observed attacks.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,” the company said without providing additional details.
This is the 16th documented in-the-wild zero-day against Apple’s iOS, iPadOS and macOS-powered devices, according to data tracked by SecurityWeek. The majority of these attacks have been attributed to mercenary spyware vendors selling surveillance products.
The newest iOS 17.0.3 and iPadOS 17.0.3 updates also cover a buffer overflow vulnerability in WebRTC that exposes mobile devices to arbitrary code execution attacks. The issue was addressed by updating to libvpx 1.13.1, Apple said. 
Apple is encouraging oft-targeted users to enable Lockdown Mode to reduce exposure to mercenary spyware exploits.
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs,…

Source…