Tag Archive for: Exploited

Cisco Zero-Day Exploited to Implant Malicious Lua Backdoor on Thousands of Devices

/in


Oct 21, 2023NewsroomZero-Day / Vulnerability

Cisco Zero-Day

Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices.

Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 (CVSS score: 10.0) as part of an exploit chain.

“The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination,” Cisco said in an updated advisory published Friday. “This allowed the user to log in with normal user access.”

Cybersecurity

“The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system,” a shortcoming that has been assigned the identifier CVE-2023-20273.

A Cisco spokesperson told The Hacker News that a fix that covers both vulnerabilities has been identified and will be made available to customers starting October 22, 2023. In the interim, it’s recommended to disable the HTTP server feature.

While Cisco had previously mentioned that a now-patched security flaw in the same software (CVE-2021-1435) had been exploited to install the backdoor, the company assessed the vulnerability to be no longer associated with the activity in light of the discovery of the new zero-day.

“An unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “Specifically, these vulnerabilities allow the actor to create a privileged account that provides complete control over the device.”

Cybersecurity

Successful exploitation of the bugs could allow attackers to gain unfettered remote access to routers and switches, monitor network traffic, inject and redirect network traffic, and use it as a persistent beachhead to the network due to the lack of protection solutions for these devices.

The development comes as more 41,000 Cisco devices running the vulnerable IOS XE software are estimated to have been compromised by threat…

Source…

CISA Identifies Known Exploited Vulnerabilities Linked to Ransomware Campaigns

/in


The Cybersecurity and Infrastructure Security Agency has launched new resources to help organizations identify vulnerabilities and misconfigurations linked to ransomware campaigns.

The agency said Thursday it has added a “Known to be Used in Ransomware Campaigns” column to its catalog of known exploited vulnerabilities and a “Misconfigurations and Weaknesses Known to be Used in Ransomware Campaigns” table to its Stop Ransomware website.

The table features a short description of the misconfiguration and a column identifying the cyber performance goal action for each vulnerability.

With the new offerings, CISA aims to help critical infrastructure organizations boost their cyber resilience by providing mitigations against specific KEVs, misconfiguration and weaknesses targeted in ransomware campaigns.

Recently Patched TeamCity Vulnerability Exploited to Hack Servers

/in


In-the-wild exploitation of a critical vulnerability in JetBrains’ TeamCity continuous integration and continuous deployment (CI/CD) server started just days after the availability of a patch was announced.

The vulnerability, tracked as CVE-2023-42793, impacts the on-premises version of TeamCity and it allows an unauthenticated attacker with access to a targeted server to achieve remote code execution and gain administrative control of the system. 

JetBrains announced the release of TeamCity 2023.05.4, which patches the flaw, on September 21. 

Sonar, the code security firm whose researchers discovered the issue, released some limited information the same day, and published technical details roughly a week later after a proof-of-concept (PoC) exploit was made public.

Sonar warned in its initial blog post that in-the-wild exploitation would likely be observed soon due to how easily the flaw can be exploited.

Threat intelligence firm GreyNoise started seeing the first exploitation attempts on September 27, with a peak seen the following day. The company has seen attack attempts coming from 56 unique IP addresses as of October 1.

A different threat intelligence company, Prodaft, reported seeing “many popular ransomware groups” targeting CVE-2023-42793. 

Advertisement. Scroll to continue reading.

The Shadowserver Foundation, a non-profit cybersecurity organization, has scanned the internet for vulnerable TeamCity servers and identified nearly 1,300 unique IPs, with the highest percentage located in the United States, followed by Germany, Russia and China. 

Organizations using TeamCity should update their installation as soon as possible. For customers who cannot immediately install the update, JetBrains has provided a security patch plugin that can be used to mitigate the issue on servers running TeamCity 8.0 and later. TeamCity Cloud customers do not need to take any action.

Related: CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks

Related: Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks

Related: Progress Software Patches Critical Pre-Auth Flaws in WS_FTP Server Product 

Source…

Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones

/in


Apple announced on Thursday that its latest operating system updates patch three new zero-day vulnerabilities. Based on the previous work of the organizations credited for reporting the flaws, they have likely been exploited by a spyware vendor.

The zero-days are tracked as CVE-2023-41991, which allows a malicious app to bypass signature verification, CVE-2023-41992, a kernel flaw that allows a local attacker to elevate privileges, and CVE-2023-41993, a WebKit bug that can be exploited for arbitrary code execution by luring the targeted user to a malicious webpage. 

Apple patched some or all of these vulnerabilities in Safari, iOS and iPadOS (including versions 17 and 16), macOS (including Ventura and Monterey), and watchOS.

It’s worth noting that while each of these operating systems is impacted by the zero-days, Apple said it’s only aware of active exploitation targeting iOS versions before 16.7.

Apple has not shared any information about the attacks exploiting the new vulnerabilities. However, considering that they were reported to the tech giant by researchers at the University of Toronto’s Citizen Lab group and Google’s Threat Analysis Group, they have likely been exploited by a commercial spyware vendor to hack iPhones. 

Citizen Lab and Apple recently investigated attacks involving a zero-day identified as CVE-2023-41064. That security hole, part of a zero-click exploit named BlastPass, was used to  deliver the NSO Group’s notorious Pegasus spyware to iPhones.

In an attack investigated by Citizen Lab, the spyware was delivered to an employee at an international civil society organization based in Washington DC. 

Advertisement. Scroll to continue reading.

CVE-2023-41064 impacts the WebP image format. The affected library is also used in the Chrome and Firefox web browsers, and Google and Mozilla were also forced to release emergency updates to address the zero-day, which they track as CVE-2023-4863.

Related: Google Links More iOS, Android Zero-Day Exploits to Spyware Vendors

Related: US to Adopt New Restrictions on Using Commercial Spyware

Related: Details Emerge on Israeli Spyware Vendor QuaDream and Its iOS Malware 

Source…