Tag Archive for: Exploits

FritzFrog Botnet Exploits Log4Shell – BankInfoSecurity

/in


Governance & Risk Management
,
Patch Management

Botnet Looks for Vulnerable Internal Network Machines

Prajeet Nair (@prajeetspeaks) •
February 2, 2024    

FritzFrog Botnet Exploits Log4Shell
Log4Shell strikes again. (Image: Shutterstock)

Delivering more proof that the Log4Shell vulnerability is endemic, Akamai researchers detected botnet malware updated to use the flaw as an infection vector, supplementing its usual remote login brute force technique.

See Also: OnDemand Panel | Securing Operational Excellence: Thwarting CISOs 5 Top Security Concerns

Akamai Security Intelligence Group observed the shift in the FritzFrog botnet, first documented in 2020.

Log4Shell, tracked as CVE-2021-44228, burst into public awareness in late 2021 when security researchers identified a flaw in the ubiquitous Apache Log4J 2 Java library. A panel of U.S. public and private sector security experts in mid-2022 warned that patching every vulnerable Log4j instance would likely take a decade “or longer” (see: Log4j Flaw Is ‘Endemic,’ Says Cyber Safety Review Board).

To spread their malware, FritzFrog operators exploit the fact that system administrators give lower priority to patching internal network machines. Internet-facing applications are an obvious priority for patching. But unpatched internal machines can still be a risk, the researchers said. FritzFrog looks for subnets and targets possible addresses within them.

“This means that even if the ‘high-profile’ internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation,” they said.

To trigger the Log4Shell vulnerability, FritzFrog forces an application to log data containing a…

Source…

FritzFrog Botnet Exploits Log4Shell – GovInfoSecurity

/in


Governance & Risk Management
,
Patch Management

Botnet Looks for Vulnerable Internal Network Machines

Prajeet Nair (@prajeetspeaks) •
February 2, 2024    

FritzFrog Botnet Exploits Log4Shell
Log4Shell strikes again. (Image: Shutterstock)

Delivering more proof that the Log4Shell vulnerability is endemic, Akamai researchers detected botnet malware updated to use the flaw as an infection vector, supplementing its usual remote login brute force technique.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

Akamai Security Intelligence Group observed the shift in the FritzFrog botnet, first documented in 2020.

Log4Shell, tracked as CVE-2021-44228, burst into public awareness in late 2021 when security researchers identified a flaw in the ubiquitous Apache Log4J 2 Java library. A panel of U.S. public and private sector security experts in mid-2022 warned that patching every vulnerable Log4j instance would likely take a decade “or longer” (see: Log4j Flaw Is ‘Endemic,’ Says Cyber Safety Review Board).

To spread their malware, FritzFrog operators exploit the fact that system administrators give lower priority to patching internal network machines. Internet-facing applications are an obvious priority for patching. But unpatched internal machines can still be a risk, the researchers said. FritzFrog looks for subnets and targets possible addresses within them.

“This means that even if the ‘high-profile’ internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation,” they said.

To trigger the Log4Shell vulnerability, FritzFrog forces an application to log data containing a malicious payload….

Source…

CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits

/in


Jan 20, 2024NewsroomNetwork Security / Threat Intelligence

CISA Issues Emergency Directive

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products.

The development arrives as the vulnerabilities – an authentication bypass (CVE-2023-46805) and a code injection bug (CVE-2024-21887) – have come under widespread exploitation by multiple threat actors. The flaws allow a malicious actor to craft malicious requests and execute arbitrary commands on the system.

The U.S. company acknowledged in an advisory that it has witnessed a “sharp increase in threat actor activity” starting on January 11, 2024, after the shortcomings were publicly disclosed.

Cybersecurity

“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems,” the agency said.

Ivanti, which is expected to release an update to address the flaws next week, has made available a temporary workaround through an XML file that can be imported into affected products to make necessary configuration changes.

CISA is urging organizations running ICS to apply the mitigation and run an External Integrity Checker Tool to identify signs of compromise, and if found, disconnect them from the networks and reset the device, followed by importing the XML file.

In addition, FCEB entities are urged to revoke and reissue any stored certificates, reset the admin enable password, store API keys, and reset the passwords of any local user defined on the gateway.

Cybersecurity firms Volexity and Mandiant have observed attacks weaponizing the twin flaws to deploy web shells and passive backdoors for persistent access to infected appliances. As many as 2,100 devices worldwide are estimated to have been compromised to date.

Cybersecurity

The initial attack wave identified in December 2023 has been attributed to a Chinese nation-state group that is being tracked as…

Source…

This is why we update… Data-thief malware exploits unpatched Windows PCs • The Register

/in


Criminals are exploiting a Windows Defender SmartScreen bypass vulnerability to infect PCs with Phemedrone Stealer, a malware strain that scans machines for sensitive information – passwords, cookies, authentication tokens, you name it – to grab and leak.

The malware abuses CVE-2023-36025, which Microsoft patched in November. Specifically, the flaw allows Phemedrone and other malicious software to sidestep protections in Windows that are supposed to help users avoid running hostile code. When Redmond issued a fix, it warned the bug had already been found by miscreants and exploited in the wild. 

Shortly after Microsoft plugged the hole, the patch was reverse-engineered to produce a proof-of-concept exploit. Now that everyone knows how to attack systems using this vulnerability, update your Windows machines to close off this avenue if you haven’t already.

In research published today, Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun detail the Phemedrone info-stealer, including how it works, how it uses CVE-2023-36025 to infect a PC, and how to detect its presence on a network.

We’re told the malware targets a ton of browsers and applications on victims’ PCs, lifting sensitive info from files of interest and sending the data to fraudsters to exploit. These targets include Chromium-based browsers as well as LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile, and Microsoft Authenticator. Phemedrone looks for things like passwords, cookies, and autofill information to exfiltrate; once this data is in the hands of the malware’s operators, it can be used to log into the victims’ online accounts and cause all sorts of damage and strife.

The code also steals files and other user data from several cryptocurrency wallets and messaging apps including Discord and Telegram, and login details for the Steam gaming platform.

In addition it gathers up a bunch of telemetry, including hardware specs, geolocation data, and operating system information, and takes screenshots, sending all of this off to the attackers via Telegram or to a remote command-and-control server.

Miscreants infect victims’ machines with Phemedrone by tricking marks…

Source…