Tag Archive for: zeroday

Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine


Apple has patched an actively exploited zero-day bug in its WebKit browser engine for Safari.

The bug, tracked as CVE-2024-23222, stems from a type confusion error: a flaw in which code handles an object as if it were of one type without validating (or incorrectly validating) that it actually is. When the assumed type and the real type have different memory layouts, the result is memory corruption or a memory disclosure that an attacker can build on.
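To make the type confusion point concrete, here is an added example that is not code from the article, from Apple or from WebKit. It uses a constructed tagged value in the style of a script engine's boxed values (the names, layout and accessors are this example's own). The unchecked accessors trust whatever the caller assumes the tag is; reading a string value through the integer accessor hands back the string's address, which is exactly the kind of leak that defeats ASLR, and reading an integer value as a string would dereference attacker-chosen bits. The hardened accessors validate the tag first.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a tiny tagged value in the style of a script engine's
   boxed values. The names and layout are this example's own, not WebKit's. */
typedef enum { T_INT = 0, T_STR = 1 } Tag;

typedef struct {
    Tag tag;
    union {
        int64_t     i;  /* meaningful only when tag == T_INT */
        const char *s;  /* meaningful only when tag == T_STR */
    } u;
} Value;

Value make_int(int64_t i) {
    Value v; memset(&v, 0, sizeof v);
    v.tag = T_INT; v.u.i = i;
    return v;
}

Value make_str(const char *s) {
    Value v; memset(&v, 0, sizeof v);
    v.tag = T_STR; v.u.s = s;
    return v;
}

/* VULNERABLE: assumes v holds an integer and never checks the tag.
   Handed a string Value, it returns the string's address as a number: the
   "addrof" primitive that turns a type confusion into an ASLR bypass. */
int64_t as_int_unchecked(const Value *v) {
    return v->u.i;
}

/* VULNERABLE in the other direction: assumes v holds a string. Handed an
   integer Value, strlen() would dereference attacker-chosen bits as a
   pointer ("fakeobj"), i.e. a crash or an arbitrary read, so below it is
   only ever called on a real string. */
size_t str_len_unchecked(const Value *v) {
    return strlen(v->u.s);
}

/* HARDENED: validate the tag before touching the union member. */
bool as_int_checked(const Value *v, int64_t *out) {
    if (v->tag != T_INT) return false;
    *out = v->u.i;
    return true;
}

bool str_len_checked(const Value *v, size_t *out) {
    if (v->tag != T_STR) return false;
    *out = strlen(v->u.s);
    return true;
}

/* True if viewing a string Value through the integer accessor leaks its pointer. */
bool confusion_leaks_pointer(void) {
    static const char secret[] = "hello";
    Value s = make_str(secret);
    int64_t leaked = as_int_unchecked(&s);
    return (uintptr_t)leaked == (uintptr_t)secret;
}

/* True if the checked accessors reject mismatched tags and accept matching ones. */
bool checked_accessors_enforce_tags(void) {
    Value s = make_str("hello");
    Value n = make_int(42);
    int64_t x = 0;
    size_t len = 0;
    return !as_int_checked(&s, &x)          /* a string is not an int */
        && !str_len_checked(&n, &len)       /* an int is not a string */
        && as_int_checked(&n, &x) && x == 42
        && str_len_checked(&s, &len) && len == 5;
}

int main(void) {
    Value s = make_str("hello");
    printf("unchecked: string seen as int = 0x%llx (its address)\n",
           (unsigned long long)as_int_unchecked(&s));
    printf("unchecked: strlen on the real string = %zu\n", str_len_unchecked(&s));
    printf("confusion leaks pointer: %s\n", confusion_leaks_pointer() ? "yes" : "no");
    printf("checked accessors enforce tags: %s\n",
           checked_accessors_enforce_tags() ? "yes" : "no");
    return 0;
}
```

The fix Apple describes for this class of bug, "additional validation checks", is the same shape as the checked accessors here: the type is verified at the point of use rather than assumed from how the object was created.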

Actively Exploited

Apple yesterday described the vulnerability as something an attacker could exploit to execute arbitrary code on affected systems. “Apple is aware of a report that this issue may have been exploited,” the company’s advisory noted, without offering any further details.

The company has released updated versions of iOS, iPadOS, macOS, and tvOS with additional validation checks to address the vulnerability.

CVE-2024-23222 is the first zero-day vulnerability that Apple has disclosed in WebKit in 2024. Last year, the company disclosed a total of 11 zero-day bugs in the engine, its most ever in a single calendar year. Since 2021, Apple has disclosed a total of 22 WebKit zero-day bugs, highlighting the growing interest in the engine from both researchers and attackers.

Apple's disclosure of the new WebKit zero-day also follows Google's disclosure last week of a zero-day in Chrome. It marks at least the third time in recent months that both vendors have disclosed zero-days in their respective browsers in close proximity to each other. The trend suggests that researchers and attackers are probing both engines with roughly equal intensity, likely because Chrome and Safari are the two most widely used browsers.

The Spying Threat

Apple has not disclosed the nature of the exploit activity targeting the newly disclosed zero-day bug. But researchers have reported commercial spyware vendors abusing some of Apple's earlier zero-days to drop surveillance software on the iPhones of targeted individuals.

In September 2023, the University of Toronto's Citizen Lab warned Apple about two zero-click zero-day vulnerabilities in iOS that a vendor of surveillance software had exploited to drop the Predator spyware tool on an iPhone belonging to an employee at a Washington, D.C.-based organization. The same month,…


CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits


Jan 20, 2024 | Newsroom | Network Security / Threat Intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products.

The development arrives as the vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection bug (CVE-2024-21887), have come under widespread exploitation by multiple threat actors. Chained together, the flaws allow an unauthenticated attacker to craft malicious requests and execute arbitrary commands on the appliance.

Ivanti acknowledged in an advisory that it has witnessed a "sharp increase in threat actor activity" starting on January 11, 2024, after the shortcomings were publicly disclosed.


“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems,” the agency said.

Ivanti, which is expected to release an update to address the flaws next week, has made available a temporary workaround through an XML file that can be imported into affected products to make necessary configuration changes.

CISA is urging organizations running ICS to apply the mitigation and run Ivanti's External Integrity Checker Tool to identify signs of compromise. If compromise is found, the device should be disconnected from the network and reset, and only then should the mitigation XML file be imported.

In addition, FCEB entities are urged to revoke and reissue any stored certificates and stored API keys, reset the admin enable password, and reset the passwords of any local user defined on the gateway.

Cybersecurity firms Volexity and Mandiant have observed attacks weaponizing the twin flaws to deploy web shells and passive backdoors for persistent access to infected appliances. As many as 2,100 devices worldwide are estimated to have been compromised to date.


The initial attack wave identified in December 2023 has been attributed to a Chinese nation-state group that is being tracked as…


Google Rolls Out Chrome Fix For First Chrome Zero-Day Exploit of 2024



Google has addressed the first Chrome zero-day vulnerability exploited in the wild in the new year with security updates. The vulnerability, identified as CVE-2024-0519, is a high-severity out-of-bounds memory access weakness in Chrome's V8 JavaScript engine. An attacker who exploits it can read data beyond the bounds of a buffer, exposing sensitive information or crashing the process.

What is a Zero Day Vulnerability?

A zero-day vulnerability is a security flaw in software or hardware that attackers discover and exploit before the vendor has a patch for it. The term refers to the vendor having had "zero days" to fix the flaw: users have no protection from the time attackers begin exploiting it until a fix is released and installed.

Attacks in the real world

In response to reports of the CVE-2024-0519 exploit being used in real-world attacks, Google released security updates for users in the Stable Desktop channel. The patched versions were made available globally for Windows (120.0.6099.224/225), Mac (120.0.6099.234), and Linux (120.0.6099.224) users within a week of the vulnerability being reported to Google. Although the update may take some time to reach all impacted users, it was immediately accessible for manual installation, and Chrome users can also rely on the browser’s automatic update feature.

The weakness is classified as an out-of-bounds read (CWE-125). As MITRE describes it, code that reads a variable amount of data and assumes a sentinel, such as a NUL byte at the end of a string, will stop the read can be made to read past the buffer when that sentinel is not present within it; the read continues into adjacent memory, which can lead to a segmentation fault or a buffer over-read. More generally, the product may modify an index or perform pointer arithmetic that references a memory location outside the buffer's boundaries, producing undefined or unexpected results. Beyond disclosing out-of-bounds memory, an out-of-bounds read such as CVE-2024-0519 can leak addresses and so bypass protection mechanisms like ASLR, making it easier for attackers to achieve code execution through another weakness.
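The sentinel failure described above, as an added example that is not code from the article, from Google or from V8. The memory layout is constructed for the example: a fixed-width 8-byte name field that the (hypothetical) format never NUL-terminates, followed immediately by bytes the caller must not see. The unchecked copy relies on finding a NUL and so reads straight through the field boundary; the hardened copy bounds the read by the field's declared length. In a real target the adjacent bytes could just as well be a heap pointer, which is how an over-read becomes an ASLR leak.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout for this example: a 16-byte region whose first
   8 bytes are a fixed-width "name" field that is NOT NUL-terminated,
   followed immediately by bytes the caller must never see. */
#define NAME_LEN 8
static const char region[16] = {
    'u', 's', 'e', 'r', 'n', 'a', 'm', 'e',   /* name field, no terminator */
    'S', 'E', 'C', 'R', 'E', 'T', '!', '\0'   /* adjacent data, then a NUL */
};

/* VULNERABLE (CWE-125): assumes the field ends with a NUL sentinel and reads
   until it finds one. The first NUL lies outside the field, so the scan and
   the copy run past the 8-byte boundary into neighbouring memory. Capping n
   by out_cap protects the destination buffer but not the source read. */
size_t copy_name_unchecked(const char *field, char *out, size_t out_cap) {
    size_t n = strlen(field);          /* scans beyond the field */
    if (n >= out_cap) n = out_cap - 1;
    memcpy(out, field, n);
    out[n] = '\0';
    return n;
}

/* HARDENED: bound the read by the field's declared length, never by a
   sentinel that may not be there. Stops at a NUL or at field_len, whichever
   comes first. */
size_t copy_name_bounded(const char *field, size_t field_len,
                         char *out, size_t out_cap) {
    size_t n = 0;
    while (n < field_len && field[n] != '\0') n++;
    if (n >= out_cap) n = out_cap - 1;
    memcpy(out, field, n);
    out[n] = '\0';
    return n;
}

/* True if the unchecked copy pulled in bytes from beyond the name field. */
bool unchecked_read_leaks_adjacent_bytes(void) {
    char out[32];
    size_t n = copy_name_unchecked(region, out, sizeof out);
    return n > NAME_LEN && strcmp(out, "usernameSECRET!") == 0;
}

/* True if the bounded copy returned exactly the 8-byte field. */
bool bounded_read_stays_in_field(void) {
    char out[32];
    size_t n = copy_name_bounded(region, NAME_LEN, out, sizeof out);
    return n == NAME_LEN && strcmp(out, "username") == 0;
}

int main(void) {
    char out[32];
    size_t n = copy_name_unchecked(region, out, sizeof out);
    printf("unchecked: read %zu bytes -> \"%s\"\n", n, out);
    n = copy_name_bounded(region, NAME_LEN, out, sizeof out);
    printf("bounded:   read %zu bytes -> \"%s\"\n", n, out);
    return 0;
}
```

The example keeps the whole region inside one array so that the over-read is deterministic and does not itself crash; in a real engine the bytes past the boundary belong to whatever object happens to be adjacent, which is why the same bug can yield either a crash or a useful leak depending on heap layout.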

Google has not provided detailed information about the specific incidents where CVE-2024-0519 exploits were used. The company stated that access to bug details and…


China suspected to be behind Ivanti zero-day exploits


Ivanti is working on a patch for two high-impact vulnerabilities that allow attackers to take control of affected systems.

Attackers have been exploiting two zero-day vulnerabilities in products from security software provider Ivanti. CISA urged admins to take note of the flaws and added the vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, to its Known Exploited Vulnerabilities catalog, which requires federal agencies to remediate them.

“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system. In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance,” researchers at Volexity said.

However, Ivanti has yet to release a patch for the affected systems. For the time being, the company issued a workaround via its blog.

“We have seen evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT,” reads Ivanti’s blog.

The zero-days are an authentication bypass and a command-injection vulnerability that, chained together, allow attackers to perform a wide array of attacks, including remote code execution and full system takeover. According to Ivanti, the company is aware of "less than ten customers" who were impacted by the vulnerabilities.

Ivanti claims to have more than 40,000 customers in total.

Researchers believe that the affected systems may have been exploited as early as December 3, 2023. The group behind the exploits is tracked as UTA0178 and is suspected to be a Chinese nation-state-level threat actor.

There's little insight into the attacker's motives. However, researchers observed the threat actor carrying out reconnaissance and system exploration tasks.

“This primarily consisted of looking through user files, configuration files, and testing access to systems. The primary notable activity beyond that was deployment of webshells to multiple systems,” Volexity researchers said.
