Tag Archive for: Exploits

Mirai Botnet Exploits Zero-Day Bugs For DDoS Attacks

/in


InfectedSlurs, a Mirai botnet malware, has been exploiting two zero-day remote code execution (RCE) vulnerabilities. The malware targets routers and video recorders (NVR) devices, aiming to make them a part of its distributed denial of service (DDoS) swarm. Although the botnet was discovered in October 2023, it is believed that its initial activities date back to the latter half of 2022. In this blog, we’ll dive into how the botnet was discovered, how it functions, and more.

 

Mirai Botnet Detection Details


The botnet was discovered when Akamai’s Security Intelligence Response Team (SIRT) noticed malicious activity pertaining to the company’s honeypots. As of now, it is believed malicious activity was initiated to target a rarely used TCP port. The SIRT teams noticed fluctuations with regard to the frequency of the zero-day exploits

An analysis of the zero-day vulnerabilities, published by Akamai, reads, “The activity started out with a small burst, peaking at 20 attempts per day, and then thinned out to an average of two to three per day, with some days completely devoid of attempts.” It’s worth mentioning that vulnerable devices that fell prey to the botnet were unknown until November 9, 2023. 

Initially the probes were low-frequency and attempted authentication using a POST request. Upon acquiring the access, the botnet attempted a command injection exploitation. Researchers have also determined that the botnet used default admin credentials for installing Mirai variants. 

Upon further observation, it was identified that the wireless LAN routers, built for hotels and residential purposes, were also being targeted by the Mirai botnet. Commenting on the RCE flaw being exploited for unauthorized access, Akamai stated: “The SIRT did a quick check for CVEs known to impact this vendor’s NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild.” 


InfectedSlurs, JenX, and hailBot


The InfectedSlurs botnet is suspected to be knitted with other cybersecurity threats such as  JenX and hailBot. The botnet gets its name from the use of racial and offensive language in the command-and-control (C2)…

Source…

New research highlights difficulty of preventing Outlook security exploits

/in


Haifei Li, a principal vulnerability researcher at Check Point Software Technologies Ltd., examines the universe of Microsoft Outlook exploits in a new blog post this week that has lessons for users and security managers alike.

Li divides this collection into three parts: embedded malicious hyperlinks, malware-laced attachments and more specialized attack vectors. Li has investigated many of these cases personally. Li used the most recent versions of a Windows Outlook client and Exchange servers.

Outlook exploits — given its widespread use — continue to grab headlines, even some of the older ones that haven’t been diligently patched or where new variations come into play. This is the case for a recently uncovered case this past week in Bleeping Computer where Russian state-sponsored attackers leveraged a flaw patched in March.

The first category – malicious hyperlinks – forms the foundation of all phishing emails, not to mention other vectors such as SMS text messages. “For this attack vector, the attacker basically uses emails as a bridge to perform web-based attacks, whether they are social-engineering-based phishing attacks, browser exploits, or even highly technical browser zero-day exploits,” Li wrote. That means a user simply has to click on the link to launch a web browser, which is where the exploit actually begins.

The second category of attachments is also very familiar to users, and the success of the exploit depends on whether a user clicks once or more times on the attached file. Outlook does mark some files as unsafe or risky file types and Microsoft offers several suggestions on how to process them more securely.

Li describes several scenarios, depending on what file type is attached, its origins and various security features that Microsoft has to prevent malware infections. Li has a very thorough collection of use cases, differentiating among previewing the file and just clicking on it to run the associated application directly. This is the meat of Li’s post and can be useful for security managers to review and understand the various modalities.

The third category is where things get interesting. These types of attacks can happen when a…

Source…

WatchGuard reveals rise in remote access software exploits

/in


WatchGuard Technologies, a leading provider of unified cybersecurity, has released their latest Internet Security Report that reveals a rise in cyber actors exploiting remote access software, increases in the use of password-stealers and info-stealers, and an 89% expansion in endpoint ransomware attacks.

The report, compiled by WatchGuard Threat Lab researchers, also found a decline in malware arriving over encrypted connections. Additionally, the study shows that cyber threat actors are pivoting from script-based methods to other ‘living-off-the-land’ techniques to launch endpoint attacks.

According to Corey Nachreiner, the Chief Security Officer at WatchGuard, the continued evolution of attack methods necessitates heightened attention to recent tactics for businesses to reinforce their security strategies. He emphasised the importance of social engineering education in conjunction with a unified security approach incorporating layered defence strategies, all of which can be effectively managed by service providers.

The Internet Security Report for Q3 2023 highlighted several notable key points. For instance, cyber attackers increasingly use remote management tools and software to circumvent anti-malware detection. An example provided by the report notes a tech support scam resulting in the user downloading an unauthorised version of TeamViewer, allowing the attacker full remote access to the computer.

Q3 of 2023 also saw the variant ‘Medusa’ surge, driving a quarter-to-quarter increase of 89% in endpoint ransomware attacks. In response to heightened protections around PowerShell and other scripting, threat actors instead pivoted to utilising different ‘living-off-the-land’ techniques. Malware arrival via encrypted connections declined to 48%, yet total malware detections rose by 14%.

The report also reveals the increase of ‘commoditised malware’. A new malware family, Lazy.360502, emerged in the top ten list, proving to be a dual threat as it delivers an adware variant (2345explorer) as well as the Vidar password stealer. The increased use of this malware, supplied by a Chinese website, indicates a growing trend towards ‘password-stealer-as-a-service’.

Overall, the…

Source…

Apple Security Update Fixes Zero-Day Webkit Exploits

/in


Apple recommends users update to iOS 17.1.2, iPadOS 17.1.2 and macOS 14.1.2. Google’s Threat Analysis Group discovered these security bugs.

Apple has patched two zero-day vulnerabilities affecting iOS, iPadOS and macOS; users are advised to update to iOS 17.1.2, iPadOS 17.1.2 and macOS 14.1.2. The vulnerabilities were discovered by Google’s Threat Analysis group, which has been working on fixes for active Chrome vulnerabilities this week as well.

Jump to:

What are these Apple OS vulnerabilities?

“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” according to Apple’s post about the security updates on Nov. 30. This implies that attackers may be actively using the vulnerabilities.

Apple’s update said the problem originated in WebKit, the engine used for Apple’s browsers, where “processing web content may lead to arbitrary code execution.” The updates fix an out-of-bounds read through improved input validation and repair a memory corruption vulnerability using improved locking.

SEE: Attackers have launched eavesdropping attacks on Apple devices over the last year. (TechRepublic) 

The first vulnerability, the out-of-bounds read, is tracked as CVE-2023-42916. The update addressing it is available for:

  • iPhone XS and later.
  • iPad Pro 12.9-inch 2nd generation and later.
  • iPad Pro 10.5-inch.
  • iPad Pro 11-inch 1st generation and later.
  • iPad Air 3rd generation and later.
  • iPad 6th generation and later.
  • iPad mini 5th generation and later.

The second vulnerability, the memory corruption, is tracked as CVE-2023-42917. The update addressing it is available for:

  • iPhone XS and later.
  • iPad Pro 12.9-inch 2nd generation and later.
  • iPad Pro 10.5-inch.
  • iPad Pro 11-inch 1st generation and later.
  • iPad Air 3rd generation and later.
  • iPad 6th generation and later.
  • iPad mini 5th generation and later.

Information is sparse about the vulnerabilities, which Apple said were investigated by Clément Lecigne at Google’s Threat Analysis Group; the group’s stated mission is to “counter government-backed attacks.”

Remediation and protection against the WebKit exploits

Apple users should be sure they are…

Source…