Tag Archive for: unpatched

Ransomware gang exploiting unpatched Veeam backup products


Researchers at WithSecure have issued an alert after uncovering evidence that a notorious cyber criminal gang is exploiting a recently disclosed vulnerability in Veeam Backup & Replication data backup and recovery software to access its victims’ networks.

Tracked as CVE-2023-27532, the Veeam vulnerability was first published on 7 March 2023. It enables an unauthenticated user who has accessed the backup infrastructure network perimeter to get their hands on encrypted credentials stored in the configuration database, which may ultimately lead to them gaining access to the backup infrastructure hosts.

It is classified as a high-severity bug and carries a CVSS v3 score of 7.5. It exists in the Veeam.Backup.Service.exe process of Veeam Backup & Replication, Veeam Cloud Connect, Veeam Cloud Connect for the Enterprise and Veeam Backup & Replication Community Edition.

“WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software,” wrote WithSecure analysts Neeraj Singh and Mohammad Kazem Hassan Nejad.

“Our research indicates with high confidence that the intrusion set used in these attacks is consistent with activities attributed to the FIN7 activity group. It is likely that initial access and execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532,” they explained.

FIN7 is a prolific and dangerous financially motivated operator that has deployed multiple strains of ransomware in its attacks – including BlackCat/ALPHV, BlackMatter, DarkSide and, at one time, REvil – after pivoting to extortion from payment card data theft about three years ago.

The group may have links to multiple recent high-profile cyber attacks, including the developing heist on…

Source…

Unpatched Samsung Chipset Vulnerabilities Open Android Users to RCE Attacks


A newly disclosed set of vulnerabilities in Samsung chipsets has exposed millions of Android mobile phone users to potential remote code execution (RCE) attacks, until their individual device vendors make patches available for the flaws.

Until then, the best bet for users who want to protect against the threat is to turn off Wi-Fi calling and Voice-over-LTE settings on their devices, according to the researchers from Google’s Project Zero who discovered the flaws.

In a blog post last week, the researchers said they had reported as many as 18 vulnerabilities to Samsung in the company’s Exynos chipsets, used in multiple mobile phone models from Samsung, Vivo, and Google. Affected devices include Samsung Galaxy S22, M33, M13, M12, A71, and A53, Vivo S16, S15, S6, X70, X60, and X30, and Google’s Pixel 6 and Pixel 7 series of devices.

Android Users Face Complete Compromise

Four of the vulnerabilities in the Samsung Exynos chipsets give attackers a way to completely compromise an affected device, with no user interaction needed and requiring only that the attacker know the victim’s phone number, Project Zero threat researcher Tim Willis wrote.

“Tests conducted by Project Zero confirm that those four vulnerabilities [CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498] allow an attacker to remotely compromise a phone at the baseband level,” Willis said. “With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.” 

The security researcher identified the remaining 14 vulnerabilities in Samsung Exynos chipsets as being somewhat less severe.

In an emailed statement, Samsung said it had identified six of the vulnerabilities as potentially impacting some of its Galaxy devices. The company described the six flaws as not being “severe” and said it had released patches for five of them in a March security update. Samsung will release a patch for the sixth flaw in April. The company did not respond to a Dark Reading request seeking information on whether it will release patches for all 18 vulnerabilities that Google disclosed. It’s also unclear whether, or…

Source…

Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking


A researcher has discovered two potentially serious vulnerabilities affecting Econolite traffic controllers. Exploitation of the security flaws can have serious real-world impact, but they remain unpatched. 

Offensive security researcher Rustam Amin informed the US Cybersecurity and Infrastructure Security Agency (CISA) that he had identified critical and high-severity vulnerabilities in Econolite EOS, traffic controller software developed for the Econolite Cobalt and other advanced transportation controllers (ATC).

The California-based vendor’s website says it has deployed more than 360 systems, 150,000 traffic cabinets, 120,000 traffic controllers, and over 160,000 sensors. In December 2022, the company reported reaching more than 10,000 installations of its EOS software. 

Amin discovered two types of vulnerabilities. One, rated ‘critical severity’ and tracked as CVE-2023-0452, has been described by CISA as an issue related to the use of a weak algorithm for hashing privileged user credentials. 

“A configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians,” CISA said in its advisory.

The second issue, tracked as CVE-2023-0452 and rated ‘high severity’, is an improper access control issue. An attacker can view log, database and configuration files that can contain username and password hashes for users, including administrators and technicians. 

These vulnerabilities can allow a remote, unauthenticated attacker to gain full control of traffic control functions. 
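The weak-algorithm issue above comes down to how the stored credentials are derived. The following added example (not code from Econolite, CISA or the researcher; the account names and passwords are constructed) contrasts the unsalted MD5 pattern CISA describes with a salted, iterated PBKDF2-HMAC-SHA256 hash, and shows the property a defender can check for in any credential store: with MD5, two accounts sharing a password produce identical stored values, and the digest can be compared against precomputed tables directly.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: two accounts that happen to share a password.
SAMPLE_ACCOUNTS: Dict[str, str] = {"admin": "password", "technician": "password"}


def weak_md5_hash(password: str) -> str:
    """The pattern CISA describes: an unsalted MD5 digest of the password.

    MD5 is fast and unsalted, so identical passwords yield identical
    digests and a leaked digest can be looked up in precomputed tables.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'iterations$salt$digest'.

    A fresh 16-byte random salt per account means equal passwords no longer
    produce equal stored values; the iteration count makes guessing slow.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the PBKDF2 digest from the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def has_duplicate_digests(accounts: Dict[str, str], hash_fn) -> bool:
    """Audit helper: True if any two accounts end up with the same stored hash.

    For an unsalted scheme this is True whenever passwords repeat; for a
    properly salted scheme it should be False even when passwords repeat.
    """
    digests = [hash_fn(pw) for pw in accounts.values()]
    return len(digests) != len(set(digests))


if __name__ == "__main__":
    print("MD5 collides across accounts:", has_duplicate_digests(SAMPLE_ACCOUNTS, weak_md5_hash))
    print("PBKDF2 collides across accounts:", has_duplicate_digests(SAMPLE_ACCOUNTS, strong_hash))
    stored = strong_hash("password")
    print("verify correct password:", verify_strong("password", stored))
    print("verify wrong password:", verify_strong("not-the-password", stored))
```

The audit helper is the useful part when reviewing a configuration file like the one CISA describes: a credential store in which distinct privileged accounts can share an identical stored value is, by construction, unsalted, and that alone is enough to flag it regardless of which fast digest was used.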

Amin conducted an internet search to see how many EOS systems are exposed to attacks from the web. He told SecurityWeek that he identified roughly 50 exposed controllers running older firmware. These systems are not affected by the flaws he discovered, but they are still not secure.

In addition, he discovered approximately 30 controllers running 2018-2020 versions of the EOS software and these systems are vulnerable to remote attacks.

He also found roughly 500 instances of associated devices that can be found in the affected controllers’ proximity, including routers and cameras, which…

Source…

Thousands of Citrix Servers Still Unpatched for Critical Vulnerabilities


Dec 29, 2022 | Ravie Lakshmanan | Server Security / Citrix

Thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months.

The issues in question are CVE-2022-27510 and CVE-2022-27518 (CVSS scores: 9.8), which were addressed by the virtualization services provider on November 8 and December 13, 2022, respectively.

While CVE-2022-27510 relates to an authentication bypass that could be exploited to gain unauthorized access to Gateway user capabilities, CVE-2022-27518 concerns a remote code execution bug that could enable the takeover of affected systems.

Citrix and the U.S. National Security Agency (NSA), earlier this month, warned that CVE-2022-27518 is being actively exploited in the wild by threat actors, including the China-linked APT5 state-sponsored group.

Now, according to a new analysis from NCC Group’s Fox-IT research team, thousands of internet-facing Citrix servers are still unpatched, making them an attractive target for hacking crews.

This includes over 3,500 Citrix ADC and Gateway servers running version 12.1-65.21 that are susceptible to CVE-2022-27518, as well as more than 500 servers running 12.1-63.22 that are vulnerable to both flaws.

A majority of the servers, amounting to no less than 5,000, are running 13.0-88.14, a version that’s immune to CVE-2022-27510 and CVE-2022-27518.

A country-wise breakdown shows that more than 40% of servers located in Denmark, the Netherlands, Austria, Germany, France, Singapore, Australia, the U.K., and the U.S. have been updated, with China faring the worst, where only 20% of nearly 550 servers have been patched.

Fox-IT said it was able to deduce the version information from an MD5-like hash value present in the HTTP response of the login URL (i.e., “ns_gui/vpn/index.html”) and map each hash to its respective version.

Source…