Tag Archive for: vulnerabilities

Ivanti VPN vulnerabilities exploited by suspected espionage group UNC5221

/in


New details have emerged surrounding two zero-day vulnerabilities impacting Ivanti Connect Secure VPN (formerly known as Pulse Secure) and Ivanti Policy Security appliances. These vulnerabilities have been published by cybersecurity firm Mandiant. The reported vulnerabilities have seen active exploitation in the wild, beginning as early as December 2023.

Threat actor UNC5221, a suspected espionage group currently being monitored by Mandiant, is believed to be behind the exploitation of these vulnerabilities. As highlighted by Mandiant Consulting CTO Charles Carmakal, these CVEs, when chained together, result in unauthenticated remote code execution.

UNC5221 reportedly employed multiple custom malware families to conduct post-exploitation espionage activity after successfully exploiting the zero-day vulnerabilities. This includes establishing footholds for continued access to the Connect Secure (CS) appliances.

According to Mandiant’s researchers, the group’s preparation for maintaining persistent access to the CS appliances suggests that these are not just opportunistic attacks. It would seem UNC5221 planned to maintain its presence on a subset of high-priority targets compromised after an eventual patch release.

Mandiant’s researchers added that, similar to UNC5221, they had previously noted multiple suspected APT actors resorting to appliance-specific malware to facilitate post-exploitation and evade detection. These cases, coupled with findings related to targeting, have led Mandiant to believe that this could be an espionage-motivated APT campaign.

While Mandiant continues to investigate these attacks in detail, early findings also note that UNC5221 primarily utilised compromised, out-of-support Cyberoam VPN appliances for its command and control. The compromised devices were domestic to the victims, likely further aiding the threat actor in evading detection.

Patches are currently being developed, with Ivanti customers advised to stay updated on release timelines. At present, Mandiant has not linked this activity to a previously known group. It also doesn’t currently have enough data to ascertain the origin of UNC5221.

The custom malware families used by…

Source…

Cyber Security Today, Jan. 10, 2024 – Vulnerabilities found in internet-connected factory torque wrenches

/in


Vulnerabilities found in internet-connected factory torque wrenches.

Welcome to Cyber Security Today. It’s Wednesday January 10th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

Anything that connects to an IT network can have software vulnerabilities. The latest example: WiFi connected pneumatic torque wrenches used by car manufacturers. According to researchers at Nozomi Networks, the vulnerabilities they found in a Bosch Rexroth wrench could let a hacker plant ransomware that would spread across a network. Or the holes could let an attacker alter a wrench’s tightening controls and affect the safety of products. A manufacturer using compromised devices could be extorted by a hacker, and sued by customers. The vulnerabilities are in the device’s Linux-based operating system. The wrench connects to a wireless network so it can be remotely programmed. The lesson: Makers of any internet-connected device have to continuously scrutinize their code for vulnerabilities.

Microsoft SQL database servers in the U.S., Europe and Latin America are being targeted by a threat actor. According to researchers at Securonix, the gang either sells access to compromised servers or plugs them with a strain of ransomware called Mimic. This particular gang has been ramming their way into servers through brute force attacks, which are preventable. Then they leverage a command to create a Windows shell, a command that is supposed to be disabled by default. Among the lessons from this attack: Don’t expose critical servers to the internet — and if you have to, protect them with security like a virtual private network. And IT should always be watching for the creation of new local users on servers and other endpoints.

An American judge has sentenced a Nigerian man to 10 years and one month in prison and ordered him to pay almost US$1.5 million in restitution for conspiring to launder money pulled from internet fraud schemes. The 33-year-old man worked directly with the Nigeria-based leader of an international criminal organization to defraud individuals and businesses across the U.S. He was convicted last August by a…

Source…

New Security Study Reveals AutoSpill Vulnerabilities in Android Password Managers

/in


A recent security study conductedresearchers at the International Institute of Information Technology (IIIT) has unveiled a new attack called AutoSpill, which targets Android password managers and can potentially lead to the theft of account credentials. The researchers discovered that most password managers for Android are vulnerable to this attack, even without the use of JavaScript injection.

The attack worksexploiting weaknesses in Android’s WebView framework, which is commonly usedAndroid apps to render web content. Password managers on Android rely on this framework to automatically fill in a user’s account credentials when logging into services like Apple, Facebook, Microsoft, or Google.

The AutoSpill attack is particularly concerning because it allows rogue apps to capture a user’s login credentials without leaving any trace of the compromise. This can lead to unauthorized access to sensitive accounts.

The researchers tested AutoSpill against several password managers on various Android versions and found that 1Password, LastPass, Enpass, Keeper, and Keepass2Android are all susceptible to the attack. However, Google Smart Lock and DashLane follow a different technical approach and are safe from AutoSpill unless JavaScript injection is used.

The AutoSpill vulnerability stems from Android’s failure to clearly define the responsibility for securely handling auto-filled data. This loophole can result in the leakage or capture of sensitive informationthe host app.

The researchers have reported their findings to the affected software vendors and Android’s security team. While the validity of the report has been acknowledged, no details regarding plans for fixing the issue have been shared yet.

In response to the disclosure, password management providers impactedAutoSpill, such as 1Password and LastPass, have assured their users that they are working on fixes to address the vulnerability. They emphasize the importance of user vigilance and explicit actions required for autofill functions.

Users are advised to exercise caution while installing apps and only download from trusted app stores like Google Play. Android developers are also encouraged to implement WebView best…

Source…

Russian GRU Hackers Exploit Critical Patched Vulnerabilities

/in


Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
,
Governance & Risk Management

TA422 Is Targeting Organizations in Europe and North America, Proofpoint Says

Prajeet Nair (@prajeetspeaks) •
December 5, 2023    

Russian GRU Hackers Exploit Critical Patched Vulnerabilities
Russian military intelligence hackers are taking advantage of patched vulnerabilities. (Image: Shutterstock)

In the race between hackers and systems administrators that begins each time a company patches a zero day flaw, a Russian military intelligence hacking unit is often the winner, new research discloses.

See Also: Live Webinar | Cutting Through the Hype: What Software Companies Really Need from ASPM

Multiple studies suggest that organizations require weeks, if not months, to roll out patches while hackers can rush out an exploit of a newly-disclosed vulnerability in days or weeks.

One organization taking advantage of that disconnect is what Proofpoint dubs TA422 – also known as APT28, Fancy Bear and Forest Blizzard. The security firm in a Tuesday report said it has seen the threat actor “readily use patched vulnerabilities to target a variety of organizations in Europe and North America.” U.S. and British intelligence assess that Forest Blizzard is “almost certainly” part of the Russian General Staff Main Intelligence Directorate, better known as the GRU.

Among the n-days exploited by TA422 is CVE-2023-23397, a Microsoft Outlook elevation of privilege vulnerability that allows a remote, unauthenticated attacker to send a specially crafted email that leaks the targeted user’s hashed…

Source…