Tag Archive for: patched

Russian GRU Hackers Exploit Critical Patched Vulnerabilities


Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Governance & Risk Management

TA422 Is Targeting Organizations in Europe and North America, Proofpoint Says

Russian military intelligence hackers are taking advantage of patched vulnerabilities. (Image: Shutterstock)

In the race between attackers and systems administrators that begins each time a vendor patches a zero-day flaw, a Russian military intelligence hacking unit is often the winner, new research shows.

Multiple studies suggest that organizations need weeks, if not months, to roll out patches, while attackers can produce a working exploit for a newly disclosed vulnerability in days or weeks.

One organization taking advantage of that disconnect is what Proofpoint dubs TA422 – also known as APT28, Fancy Bear and Forest Blizzard. The security firm in a Tuesday report said it has seen the threat actor “readily use patched vulnerabilities to target a variety of organizations in Europe and North America.” U.S. and British intelligence assess that Forest Blizzard is “almost certainly” part of the Russian General Staff Main Intelligence Directorate, better known as the GRU.

Among the n-days exploited by TA422 is CVE-2023-23397, a Microsoft Outlook elevation of privilege vulnerability that allows a remote, unauthenticated attacker to send a specially crafted email that leaks the targeted user’s hashed…

Source…

Recently Patched TeamCity Vulnerability Exploited to Hack Servers


In-the-wild exploitation of a critical vulnerability in JetBrains’ TeamCity continuous integration and continuous deployment (CI/CD) server started just days after the availability of a patch was announced.

The vulnerability, tracked as CVE-2023-42793, impacts the on-premises version of TeamCity and it allows an unauthenticated attacker with access to a targeted server to achieve remote code execution and gain administrative control of the system. 

JetBrains announced the release of TeamCity 2023.05.4, which patches the flaw, on September 21. 

Sonar, the code security firm whose researchers discovered the issue, released some limited information the same day, and published technical details roughly a week later after a proof-of-concept (PoC) exploit was made public.

Sonar warned in its initial blog post that in-the-wild exploitation would likely be observed soon due to how easily the flaw can be exploited.

Threat intelligence firm GreyNoise started seeing the first exploitation attempts on September 27, with a peak seen the following day. The company has seen attack attempts coming from 56 unique IP addresses as of October 1.

A different threat intelligence company, Prodaft, reported seeing “many popular ransomware groups” targeting CVE-2023-42793. 

The Shadowserver Foundation, a non-profit cybersecurity organization, has scanned the internet for vulnerable TeamCity servers and identified nearly 1,300 unique IPs, with the highest percentage located in the United States, followed by Germany, Russia and China. 

Organizations using TeamCity should update their installation as soon as possible. For customers who cannot immediately install the update, JetBrains has provided a security patch plugin that can be used to mitigate the issue on servers running TeamCity 8.0 and later. TeamCity Cloud customers do not need to take any action.

Related: CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks

Related: Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks

Related: Progress Software Patches Critical Pre-Auth Flaws in WS_FTP Server Product 

Source…

Hackers are mass infecting servers worldwide by exploiting a patched hole


An explosion of cyberattacks is infecting servers around the world with crippling ransomware by exploiting a vulnerability that was patched two years ago, it was widely reported on Monday.

The hacks exploit a flaw in ESXi, a hypervisor VMware sells to cloud hosts and other large-scale enterprises to consolidate their hardware resources. ESXi is what’s known as a bare-metal, or Type 1, hypervisor, meaning it is essentially its own operating system that runs directly on server hardware. By contrast, the more familiar Type 2 hypervisors, such as VMware Workstation or Oracle’s VirtualBox, run as applications on top of a host operating system. Either type then runs virtual machines that host their own guest OSes, such as Windows, Linux or, less commonly, macOS.

Enter ESXiArgs

Advisories published recently by computer emergency response teams (CERTs) in France, Italy and Austria report a “massive” campaign that began no later than Friday and has gained momentum since. Citing the results of a Censys search, CERT officials in Austria said that as of Sunday there were more than 3,200 infected servers, including eight in that country.

“Since ESXi servers provide a large number of systems as virtual machines (VM), a multiple of this number of affected individual systems can be expected,” the officials wrote.

The vulnerability being exploited to infect the servers is CVE-2021-21974, a heap-based buffer overflow in OpenSLP, an open-source implementation of the Service Location Protocol network-discovery standard that is incorporated into ESXi. When VMware patched the vulnerability in February 2021, the company warned it could be exploited by a malicious actor on the same network segment with access to port 427. The vulnerability carries a CVSS severity rating of 8.8 out of a possible 10. Proof-of-concept exploit code and instructions for using it became available a few months later.
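The article says only that the bug is reachable over port 427; the check an operator wants is which hosts still answer SLP there. The following is an added example, not the article’s or VMware’s code: a minimal SLPv2 client (RFC 2608 message layout) that sends a unicast service request to UDP 427 and parses the reply header and any SrvRply URL entries. The service type `service:VMwareInfrastructure`, the scope `DEFAULT` and the host names are assumptions, and the sample reply in the script is constructed, not captured. Run it only against hosts you are authorized to test.

```python
"""Probe hosts for an SLP daemon listening on UDP 427 (ESXi slpd / OpenSLP).
Added example, not the article's or VMware's code.  Assumes an SLPv2 daemon
that answers a unicast SrvRqst; service type and host names are assumptions."""
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST, FN_SRVRPLY = 1, 2
# fixed header: version(1) function(1) length(3) flags(2) ext-offset(3) xid(2) lang-len(2)
HEADER_FIXED = 14


def _slp_header(function: int, body_len: int, xid: int, lang: bytes) -> bytes:
    total = HEADER_FIXED + len(lang) + body_len       # length covers the whole message
    return (struct.pack("!BB", SLP_VERSION, function)
            + total.to_bytes(3, "big")
            + struct.pack("!H", 0)                    # flags: unicast, no overflow/fresh
            + (0).to_bytes(3, "big")                  # next extension offset
            + struct.pack("!HH", xid, len(lang)) + lang)


def _field(value: bytes) -> bytes:
    """SLP string: 16-bit length prefix followed by the bytes."""
    return struct.pack("!H", len(value)) + value


def build_srv_rqst(service_type: str, scope: str = "DEFAULT", xid: int = 1) -> bytes:
    # body order: PRList, service-type, scope-list, predicate, SLP SPI
    body = (_field(b"") + _field(service_type.encode()) + _field(scope.encode())
            + _field(b"") + _field(b""))
    return _slp_header(FN_SRVRQST, len(body), xid, b"en") + body


def build_srv_rply(urls, xid: int = 1, error: int = 0) -> bytes:
    """Build a SrvRply the way a daemon would; used here only to exercise the parser."""
    entries = b"".join(b"\x00"                         # reserved
                       + struct.pack("!H", 0xFFFF)      # lifetime
                       + _field(u.encode())            # URL
                       + b"\x00"                       # number of auth blocks
                       for u in urls)
    body = struct.pack("!HH", error, len(urls)) + entries
    return _slp_header(FN_SRVRPLY, len(body), xid, b"en") + body


def parse_header(data: bytes) -> dict:
    if len(data) < HEADER_FIXED or data[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    length = int.from_bytes(data[2:5], "big")
    xid, lang_len = struct.unpack("!HH", data[10:14])
    return {"version": data[0], "function": data[1], "length": length,
            "xid": xid, "body_offset": HEADER_FIXED + lang_len}


def parse_srv_rply(data: bytes):
    """Return (error_code, [url, ...]) from a SrvRply message."""
    hdr = parse_header(data)
    if hdr["function"] != FN_SRVRPLY:
        raise ValueError(f"function {hdr['function']} is not SrvRply")
    off = hdr["body_offset"]
    error, count = struct.unpack("!HH", data[off:off + 4])
    off += 4
    urls = []
    for _ in range(count):
        url_len = struct.unpack("!H", data[off + 3:off + 5])[0]   # skip reserved + lifetime
        urls.append(data[off + 5:off + 5 + url_len].decode())
        off += 5 + url_len
        n_auth, off = data[off], off + 1
        for _ in range(n_auth):                                   # each auth block carries its own length
            off += struct.unpack("!H", data[off + 2:off + 4])[0]
    return error, urls


def probe(host: str, timeout: float = 2.0):
    """Return (function_id, urls) if host answers on UDP 427, else None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_rqst("service:VMwareInfrastructure"), (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    hdr = parse_header(data)
    urls = parse_srv_rply(data)[1] if hdr["function"] == FN_SRVRPLY else []
    return hdr["function"], urls


if __name__ == "__main__":
    import sys
    # Constructed sample reply (not captured from a real host) to show what the parser returns.
    sample = build_srv_rply(["service:VMwareInfrastructure://esxi01.example.internal"], xid=7)
    print("sample reply parses to", parse_srv_rply(sample))
    for h in sys.argv[1:]:
        print(h, probe(h) or "no SLP reply (closed, filtered, or slpd disabled)")
```

A reply only shows that slpd is reachable, not what the host’s patch level is; a host that answers should either be patched or have SLP disabled using VMware’s published workaround (stopping slpd and turning off the CIMSLP firewall ruleset), which removes the attack surface for hosts that, like OVH’s customer-managed servers, cannot be patched by the provider.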

Over the weekend, French cloud host OVH said that it doesn’t have the ability to patch the vulnerable servers set up by its customers.

“ESXi OS can only be installed on bare metal servers,” wrote…

Source…

Android Security Flaws Not Patched by Google, Samsung


Google has warned that five security flaws affecting Android smartphones remain unpatched months after being brought to the attention of phone manufacturers. 

In a blog post, Google’s Project Zero said that the flaws it previously reported in June and July had not been resolved, leaving the users of smartphones belonging to Samsung, Xiaomi, Oppo, and Google itself at risk of hacking.

The issues reported earlier in the year were in ARM’s Mali graphics processing unit, or GPU. Mali GPUs are found in phones such as the Pixel 6.

According to a report in Tech Circle, although ARM fixed the issues by August, phone brands including Samsung and Google had not yet shipped fixes for any of the vulnerabilities.

Ian Beer, a researcher at Project Zero said the security flaws could lead to “kernel memory corruption”,  as well as “physical memory addresses being disclosed to unprivileged userspace”. This effectively means an attacker could exploit the security flaws to gain full access to a user’s device and “broad” access to a user’s data.

Beer notes that an attacker could gain access by forcing the kernel to keep reading and writing physical pages after they had been returned to the system.

According to Project Zero, none of the affected phone manufacturers have mentioned the issues in any “downstream security bulletins”, and none except Google has publicly said whether or how it would resolve them.

Speaking to Engadget, a Google spokesperson said: “The fix provided by ARM is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements.”

Many of the vulnerabilities researchers report are variants of previously known flaws. Earlier this year, Project Zero released a report that found half of the actively exploited zero-day vulnerabilities discovered in the first half of the year were variants of existing security flaws.

Source…