Tag Archive for: unpatched

How to Deal With Unpatched Vulnerabilities


Author: Carlos Arnal Cardenal, product marketing manager, WatchGuard Technologies

During the last few years, it seems as though not a day goes by without a headline shouting that some organization has experienced a data breach, putting the business, its customers, and its partners at risk. For managed security providers (MSPs) to keep their clients out of the news, it’s essential that they understand the most common causes of data breaches and what they can do to prevent and protect against threats such as the exploitation of unpatched vulnerabilities.

It’s worth bearing in mind that, according to the 2021 X-Force Threat Intelligence Index, scanning for and exploiting vulnerabilities was the top infection vector of 2020. The 2017 WannaCry ransomware attack was probably the clearest example of what can go wrong when patches aren’t applied; in this case a patch for the vulnerability exploited by the ransomware had existed for several months.

All of this shows that the importance of patch management has risen considerably.

It has become a critical security layer, because unpatched software is a complex and growing risk for companies. MSPs must be more proactive in keeping their customers’ environments up to date with all the latest third-party security patches and software updates in order to protect them.

IT administrators and staff often do not have enough time or resources to take care of patch and update management. Therefore, MSPs need to understand the importance of preventing vulnerability exploitation, but to achieve this, they have to address three major challenges:

Identify, prioritize and remediate

  • Vulnerability identification: Only a small number of attacks result from vulnerabilities that are unknown to all parties (zero-day attacks). In most cases, cybercriminals exploit known flaws. For this reason, MSPs must ensure that their clients are made aware of new vulnerabilities as soon as they appear, because the time between a vulnerability being discovered and attacks being executed has shrunk significantly.
  • Prioritizing mitigation: While it may seem straightforward, most organizations struggle to identify which patch updates to install first. In fact, according to Ponemon,…

Source…

Iran’s Lyceum threat group active against telcos, ISPs. Clop hits unpatched SolarWinds instances. Mercenaries. Patch Tuesday.


Attacks, Threats, and Vulnerabilities

Iranian cyber group targets Israel, Saudis, Africans – report (The Jerusalem Post | JPost.com) An Iranian hacker group called Lyceum has targeted Israel, Saudi Arabia, Morocco, Tunisia and others.

Exclusive: A Cyber Mercenary Is Hacking The Google And Telegram Accounts Of Presidential Candidates, Journalists And Doctors (Forbes) An unprecedented peek inside an underground hacker-for-hire operation reveals 3,500 targets, including Belarusian presidential candidates, Uzbek human rights activists and a cryptocurrency exchange.

Clop gang exploiting SolarWinds Serv-U flaw in ransomware attacks (BleepingComputer) The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt its devices.

TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access (NCC Group Research) NCC Group’s global Cyber Incident Response Team has observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, who is known for extortion attacks using the Clop ransomware. We believe exploiting such vulnerabilities is a recent initial access technique for TA505, deviating from the actor’s usual phishing-based approach.

Russian Cybercrime Group Exploits SolarWinds Serv-U Vulnerability (SecurityWeek) The Russia-linked ‘Evil Corp’ cybercrime group has been exploiting a vulnerability in SolarWinds Serv-U for initial infection.

Vulnerable smart contracts and fake blockchains: What do investors need to know? (Digital Shadows) Well, here we are again. Another blog on a topic that’s often spoken about but little understood: cryptocurrency. Cryptocurrency-related decentralized finance (DeFi) is seeing unprecedented interest from retail and institutional investors alike.

FBI: Scams Involving Cryptocurrency ATMs and QR Codes on the Rise (SecurityWeek) The Federal Bureau of Investigation (FBI) this week issued an alert on fraud schemes that direct victims to use cryptocurrency ATMs and Quick Response (QR) codes to…

Source…

Unpatched macOS Security Hole Allows for Remote Code Execution


Another day, another vulnerability. This time it affects macOS Big Sur as well as earlier versions of macOS. More concerning, the security hole remains unpatched, according to a report at Ars Technica. The vulnerability is a significant one, allowing code execution by a remote attacker.

Independent security researcher Park Minchan discovered the security flaw, which allows hackers to embed commands into shortcut files with the inetloc extension.

These inetloc files are internet shortcut files that typically contain innocuous server details and connection information. Users open them expecting a website to load, for example; they are not expecting the file to execute arbitrary code.

The vulnerability lies in how macOS reads the content of inetloc files. Instead of an HTTPS:// URL that opens in a web browser, attackers can substitute file:// and have macOS execute a file on the user’s computer.

Apple was aware of this flaw and blocked the addition of the file:// prefix in these internet shortcut files. Apple thought it had the bases covered, but the Cupertino giant forgot about case sensitivity.

Minchan discovered that while macOS blocked file://, it did not stop the capitalized version File://.

Ars tested this vulnerability and launched the calculator app from an inetloc file containing eight lines of code. Launching the calculator app is benign. Unfortunately, the flaw is much more permissive. A skilled hacker could easily open system folders and other folders that contain malicious code downloaded to the user’s machine.
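As an added illustration of the check the article describes (this is not Apple’s code nor code from the original post): a defender-side scanner for internet-shortcut files, showing why a case-sensitive deny-list on the URL scheme fails and how a case-insensitive allow-list closes the gap. The file layout (an XML property list whose URL key holds the target) and the sample path are assumptions.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample .inetloc contents. The format is assumed here to be an
# XML property list whose "URL" key holds the shortcut target; the path is a
# placeholder, not a real file.
SAMPLE_SHORTCUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>File:///some/local/path</string>
</dict>
</plist>
"""


def shortcut_url(data: bytes) -> str:
    """Extract the target URL from a property-list shortcut file."""
    return plistlib.loads(data)["URL"]


def naive_is_blocked(url: str) -> bool:
    """Deny-list check as the article describes it: an exact, case-sensitive prefix match."""
    return url.startswith("file://")


def hardened_is_allowed(url: str) -> bool:
    """Allow-list check. URL schemes are case-insensitive (RFC 3986 section 3.1),
    so the parsed scheme is normalised before it is compared."""
    scheme = urlsplit(url).scheme.lower()
    return scheme in {"http", "https"}


def classify(data: bytes) -> str:
    """Return 'allow' or 'block' for the raw contents of a shortcut file."""
    try:
        url = shortcut_url(data)
    except Exception:  # malformed plist or missing URL key: fail closed
        return "block"
    return "allow" if hardened_is_allowed(url) else "block"


if __name__ == "__main__":
    url = shortcut_url(SAMPLE_SHORTCUT)
    print(url, "naive blocked:", naive_is_blocked(url), "verdict:", classify(SAMPLE_SHORTCUT))
```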

Minchan reported the flaw to Apple using the company’s SSD Secure Disclosure program. Apple has not publicly commented on the vulnerability, but we would expect the company to issue a security patch in the future.

macOS users should be cautious when opening internet shortcut files, especially those sent via unsolicited emails. They also should apply updates as soon as they are released.

Source…

Unpatched Remote Hacking Flaw Disclosed in Fortinet’s FortiWeb WAF


Details have emerged about a new unpatched security vulnerability in Fortinet’s web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system.

“An OS command injection vulnerability in FortiWeb’s management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page,” cybersecurity firm Rapid7 said in an advisory published Tuesday. “This vulnerability appears to be related to CVE-2021-22123, which was addressed in FG-IR-20-120.”

Rapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with FortiWeb version 6.4.1.

The command injection flaw has yet to be assigned a CVE identifier, but it carries a severity rating of 8.7 on the CVSS scoring system. Successful exploitation allows authenticated attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.

“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,” Rapid7’s Tod Beardsley said. “They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ.”

Rapid7 also warns that while authentication is a prerequisite for achieving arbitrary command execution, the exploit could be chained with an authentication bypass flaw, such as CVE-2020-29015. In the interim, users are advised to block access to the FortiWeb device’s management interface from untrusted networks, including taking steps to prevent direct exposure to the internet.

Although there is no evidence that the new security issue has been exploited in the wild, it’s worth noting that unpatched Fortinet servers have been a lucrative target for financially motivated and state-sponsored threat actors alike.

Earlier this April, the Federal Bureau of Investigation (FBI) and the…

Source…