Tag Archive for: Exploiting

Russian hackers exploiting ‘poorly maintained’ Cisco routers for malware, security agencies warn

/in


Pixabay


RESEARCH TRIANGLE PARK –  A group of Russian hackers known as APT28 also known as Fancy Bear is deploying malware in the West by exploiting what cybersecurity agencies in the U.S. and U.K.  call “poorly maintained Cisco routers.”

The group is described as a “highly skilled threat actor.”

Here is the joint warning announcement and explanation:

“The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.

“We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.”

To download the UK PDF version of this report:

To download the US PDF version of this report:

Earlier Activity

Previously attributed the following activity to APT28:

Related APT28 links

 

Source…

Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity

/in


Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity

Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned.

The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM’s proprietary FASP—short for Fast, Adaptive, and Secure Protocol—to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow that’s similar to email.

In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10.

On Tuesday, researchers from security firm Rapid7 said they recently responded to an incident in which a customer was breached using the vulnerability.

“Rapid7 is aware of at least one recent incident where a customer was compromised via CVE-2022-47986,” company researchers wrote. “In light of active exploitation and the fact that Aspera Faspex is typically installed on the network perimeter, we strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur.”

According to other researchers, the vulnerability is being exploited to install ransomware. Sentinel One researchers, for instance, said recently that a ransomware group known as IceFire was exploiting CVE-2022-47986 to install a newly minted Linux version of its file-encrypting malware. Previously, the…

Source…

Hackers Are Exploiting This Microsoft Outlook Privilege Escalation Security Flaw

/in


critical outlook privilege escalation vulnerability found patch now

Microsoft recently patched a zero-click privilege escalation vulnerability within Microsoft Outlook, tracked as CVE-2023-2339 and rated a 9.8/10 on the Common Vulnerability Scoring System (CVSS). Left unchecked, this vulnerability could allow a threat actor to capture sensitive information from any user account that receives the malicious email and impersonate that user.

The vulnerability lies in a feature of Microsoft Outlook which allows a custom sound file to be loaded for notifications. Specifically, the sound file does not have to be local on the machine but can reside on a remote file share accessible via a Universal Naming Convention (UNC) path.

An attacker can craft a special email, typically containing a malicious calendar or meeting invite, which also forces the victim’s computer to load a remotely hosted notification sound from an SMB share the attacker controls. The victim’s computer automatically tries to authenticate via New Technology LAN Manager (NTLM), exposing hashed credentials to attacker. The attacker can then either attempt to recover the credentials via cracking, or else use them in a replay attack to authenticate with other services. 

pwned 2 critical outlook privilege escalation vulnerability found patch now

Critically, this process requires no interaction from the victim. Outlook automatically initiates the compromised remote file share as soon as the malicious message arrives in the victim’s inbox.

To mitigate this, users or system administrators will need to install the necessary Microsoft Outlook security update or restrict NTLM’s use for authentication. Further, organizations could also block outbound SMB traffic over port 445. This prevents the remote file sharing authentication attempt from occurring over the Internet. Microsoft has also released an audit tool on GitHub to see if your organization has been affected.

TrustedSec reports that Russian military intelligence has exploited this vulnerability for about a year, so patch now to stay secure.

Source…

Hackers are mass infecting servers worldwide by exploiting a patched hole

/in


Photograph depicts a security scanner extracting virus from a string of binary code. Hand with the word

Getty Images

An explosion of cyberattacks is infecting servers around the world with crippling ransomware by exploiting a vulnerability that was patched two years ago, it was widely reported on Monday.

The hacks exploit a flaw in ESXi, a hypervisor VMware sells to cloud hosts and other large-scale enterprises to consolidate their hardware resources. ESXi is what’s known as a bare-metal, or Type 1, hypervisor, meaning it’s essentially its own operating system that runs directly on server hardware. By contrast, servers running the more familiar Type 2 class of hypervisors, such as VMware’s VirtualBox, run as apps on top of a host operating system. The Type 2 hypervisors then run virtual machines that host their own guest OSes such as Windows, Linux or, less commonly, macOS.

Enter ESXiArgs

Advisories published recently by computer emergency response teams (CERT) in France, Italy, and Austria report a “massive” campaign that began no later than Friday and has gained momentum since then. Citing results of a search on Census, CERT officials in Austria, said that as of Sunday, there were more than 3,200 infected servers, including eight in that country.

“Since ESXi servers provide a large number of systems as virtual machines (VM), a multiple of this number of affected individual systems can be expected,” the officials wrote.

The vulnerability being exploited to infect the servers is CVE-2021-21974, which stems from a heap-based buffer overflow in OpenSLP, an open network-discovery standard that’s incorporated into ESXi. When VMware patched the vulnerability in February 2021, the company warned it could be exploited by a malicious actor with access to the same network segment over port 427. The vulnerability had a severity rating of 8.8 out of a possible 10. Proof-of-concept exploit code and instructions for using it became available a few months later.

Over the weekend, French cloud host OVH said that it doesn’t have the ability to patch the vulnerable servers set up by its customers.

“ESXi OS can only be installed on bare metal servers,” wrote…

Source…