Tag Archive for: servers

Winter Vivern: Zero-Day XSS Exploit Targets Roundcube Servers


ESET Research has disclosed that the Winter Vivern group exploited a zero-day cross-site scripting (XSS) vulnerability in Roundcube Webmail servers. 

The new campaign, described in an advisory published today, targeted Roundcube Webmail servers of governmental entities and a think tank in Europe. ESET Research reported the vulnerability to the Roundcube team on October 12; Roundcube acknowledged it and released security updates on October 16.

Winter Vivern, a cyber-espionage group known for targeting governments in Europe and Central Asia, has been active since at least 2020. To infiltrate its targets, the group employs various methods, including malicious documents, phishing websites and a custom PowerShell backdoor. It is suspected of being linked to MoustachedBouncer, a Belarus-aligned group.


This is not the first time Winter Vivern has targeted Roundcube servers; in 2022, the group exploited CVE-2020-35730. Sednit, also known as APT28, has exploited the same vulnerability.

The newly exploited XSS vulnerability, CVE-2023-5631, can be triggered remotely by sending a specially crafted email message; the victim only has to view the message in Roundcube. Roundcube instances that were fully up to date at the time were still vulnerable because the server-side sanitizer script, rcube_washtml.php, did not properly sanitize an SVG document embedded in the HTML message, which is what the attackers exploited.

By sending this email, attackers could inject arbitrary JavaScript code into the page rendered in the victim's Roundcube session, ultimately enabling them to access and exfiltrate email messages. ESET warned that Winter Vivern’s ability to exploit a zero-day vulnerability in Roundcube represents a concerning development in the realm of cyber-espionage.
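The paragraphs above describe the ingredients of a stored XSS delivered by email: an HTML message carries an SVG document, the server-side sanitizer lets script-bearing constructs through, and the script runs in the victim's webmail session when the message is viewed. The following scanner is an added example, not code from ESET, Roundcube or the advisory, and it does not reproduce the CVE-2023-5631 payload or the exact sanitizer bypass. It shows what a mail gateway or triage script can check for before a webmail client renders a message: script elements, event-handler attributes and javascript: URLs, with inline SVG tracked separately because that is where the sanitizer in this case failed. The function names and the sample message are assumptions constructed for illustration.

```python
"""Flag script-bearing constructs in the HTML parts of an email message.

Added example, not ESET's or Roundcube's code. The CVE-2023-5631 payload is
not reproduced; the detector looks for the generic building blocks of an
SVG-based stored XSS. SAMPLE_MESSAGE is a constructed message, not a
captured one.
"""
import email
from email import policy
from html.parser import HTMLParser


class ScriptConstructFinder(HTMLParser):
    """Record <script>, on* attributes and javascript: URLs, noting SVG context."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0          # >0 while inside an <svg> element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "svg":
            self.svg_depth += 1
        where = "svg" if self.svg_depth else "html"
        if tag == "script":
            self.findings.append(f"{where}: <script> element")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"{where}: event handler {name} on <{tag}>")
            elif name in ("href", "xlink:href", "src") and value.startswith("javascript:"):
                self.findings.append(f"{where}: javascript: URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def scan_html(html: str) -> list:
    """Return the list of risky constructs found in one HTML document."""
    parser = ScriptConstructFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_message(raw: bytes) -> list:
    """Walk every text/html MIME part of a message and collect findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


# Constructed sample: inline SVG with a javascript: link and an event handler,
# plus an ordinary <img> with an onerror handler outside the SVG.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello</p>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <a xlink:href="javascript:alert(1)"><text>click</text></a>
  <rect width="1" height="1" onload="alert(2)"/>
</svg>
<img src="cid:logo" onerror="alert(3)">
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print("quarantine:", finding)
```

A real sanitizer has to do more than this (SVG can also reach script through `<use>`, `<foreignObject>`, `<set>`/`<animate>` on attributes, and CSS), so the check is a triage aid for mail flowing toward a webmail front end, not a replacement for the vendor patch.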

“Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online,” reads the advisory.

“Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and…

Source…

Rising Wave of Hacking Attempts Targeting Sensitive Data on NHIS Servers


The number of hacking attempts from abroad targeting the health insurance server, which contains personal, financial, and medical information, is on a steep rise. (Image courtesy of Yonhap)

SEOUL, Oct. 19 (Korea Bizwire) – The number of hacking attempts from abroad targeting the health insurance server, which contains personal, financial, and medical information, is on a steep rise.

According to data from the National Health Insurance Service (NHIS) on Wednesday, cyberattacks on NHIS servers have been on the rise since the NHIS implemented in-house security control in 2019. 

The number of cyberattack attempts detected by the NHIS over the past five years amounted to 1,781 in 2019, 3,684 in 2020, 3,489 in 2021, 8,429 in 2022, and 8,448 cases so far this year. 

At 98.3 percent, almost all of the cyberattack attempts originated from abroad. By country, China had the largest share, followed by the U.S., the Netherlands and Germany. No figures are compiled for North Korea, because traffic from North Korean IP addresses is blocked at the NHIS communication server before it reaches the systems that record attack attempts. 

Approximately 64.3 percent of the cyberattack attempts occurred outside official working hours. According to the NHIS, all detected attempts were blocked, and no data breach has occurred to date.

The NHIS handles personal information, including ID numbers, financial information such as cards and accounts, and medical information, including medical checkups and recuperation allowances for 57 million individuals. 

To cope with the increase in cyberattacks and advances in hacking techniques, the NHIS is working on several countermeasures, including expanding its dedicated security staff, deploying a multi-layered defense system, and keeping its internal network segregated from the Internet.

Kevin Lee ([email protected])


Source…

Recently Patched TeamCity Vulnerability Exploited to Hack Servers


In-the-wild exploitation of a critical vulnerability in JetBrains’ TeamCity continuous integration and continuous deployment (CI/CD) server started just days after the availability of a patch was announced.

The vulnerability, tracked as CVE-2023-42793, impacts the on-premises version of TeamCity. It allows an unauthenticated attacker with network access to a targeted server to achieve remote code execution and gain administrative control of the system. 

JetBrains announced the release of TeamCity 2023.05.4, which patches the flaw, on September 21. 

Sonar, the code security firm whose researchers discovered the issue, released some limited information the same day, and published technical details roughly a week later after a proof-of-concept (PoC) exploit was made public.

Sonar warned in its initial blog post that in-the-wild exploitation would likely be observed soon due to how easily the flaw can be exploited.

Threat intelligence firm GreyNoise started seeing the first exploitation attempts on September 27, with a peak seen the following day. The company has seen attack attempts coming from 56 unique IP addresses as of October 1.

A different threat intelligence company, Prodaft, reported seeing “many popular ransomware groups” targeting CVE-2023-42793. 


The Shadowserver Foundation, a non-profit cybersecurity organization, has scanned the internet for vulnerable TeamCity servers and identified nearly 1,300 unique IPs, with the highest percentage located in the United States, followed by Germany, Russia and China. 

Organizations using TeamCity should update their installation to 2023.05.4 or later as soon as possible. For customers who cannot immediately install the update, JetBrains has provided a security patch plugin that mitigates the issue on servers running TeamCity 8.0 and later. TeamCity Cloud customers do not need to take any action.


Source…

China accuses the US of hacking Huawei servers for over a decade


Tensions between the US and China have escalated further. Beijing has accused Washington of continuously hacking Huawei’s servers and conducting cyberattacks to steal other critical data since 2009. China’s Ministry of State Security has shared a post (spotted by Nikkei Asia) on its official WeChat account regarding this. The post that points out the US government’s efforts against the Chinese tech giant Huawei is titled: “Revealing key despicable methods by US intelligence agencies in cyberespionage and theft.”
How the US hacked Huawei
The post accuses the US of using “big, influential tech companies” to install backdoors in Huawei’s software, apps and equipment. According to the post, Washington was trying to steal vital data from countries including China and Russia.
“In 2009, the Office of Tailored Access Operations started to infiltrate servers at Huawei’s headquarters and continued conducting such surveillance operations,” the post read.
With the increase in geopolitical tensions, both the US and China have been expanding their global spying operations. In July, Beijing-linked hackers reportedly accessed the email account of the US ambassador to China. This operation is believed to have exposed hundreds of emails.
China hit with Second Date spyware
The post notes that China’s National Computer Virus Emergency Response Center has extracted a spyware sample called Second Date. The spyware was discovered while investigating a cyberattack on Northwestern Polytechnical University in Xi’an, which reportedly took place last year.
The ministry found that the Second Date is “cyberespionage malware developed by the US National Security Agency, which operates covertly in thousands of networks in many countries around the world.”

The Second Date spyware was extracted with the help of a company named Qihoo 360. Chinese state broadcaster CCTV reported that this company has previously released findings about US hacking activities against China. However, Qihoo 360 didn’t report the part about Huawei.
“The U.S. had obtained control over tens of thousands of devices and stolen a substantial amount of high-value data,” the ministry said.
China recently advised central and local governmental…

Source…