Tag Archive for: zerodays

Two zero-days in Ivanti products actively exploited by threat actor


Researchers suspect an espionage-focused threat group linked to China is behind the exploitation of a pair of newly discovered zero-day bugs in Ivanti VPN appliances.

Meanwhile, Volexity disclosed in a Dec. 10 blog its researchers uncovered an exploit chain the threat actor used after detecting suspicious lateral movement on the network of one of its customers. Ivanti confirmed the authentication bypass and command injection vulnerabilities on its website.

The vulnerabilities are an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) bug affecting fully patched Ivanti Connect Secure (formerly known as Pulse Connect Secure) and Policy Secure appliances.

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” Ivanti said in a Jan. 10 advisory.

CVE-2023-46805 has an 8.2 CVSS rating and is described as an authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure that “allows a remote attacker to access restricted resources by bypassing control check.”

The second bug, CVE-2024-21887, has a 9.1 CVSS rating and is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that “allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.”

In-the-wild exploitation

In-the-wild exploitation of the bugs was observed by researchers at Volexity who said in a post that while they could not identify the group responsible, they believed it was a Chinese nation-state-level threat actor.

Ivanti said it had created a mitigation to be applied to the gateways as an initial response while patches for the bugs were developed. Patches would be released on a staggered schedule beginning the week of January 22.

“We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected,” the vendor said.

“We are aware of less than 10…

Source…

InfectedSlurs Botnet Resurrects Mirai With Zero-Days


The Akamai Security Incident Response Team (SIRT) has detected increased activity targeting a rarely used TCP port across its global honeypots.

The investigation conducted in late October 2023 revealed a specific HTTP exploit path, identifying two zero-day exploits being actively leveraged in the wild.

The first exploit targeted network video recorders (NVRs) used in CCTV and security camera devices, while the second affected outlet-based wireless LAN routers for hotels and residential applications.

Further analysis found that the NVR devices used default administrative credentials, commonly documented by the manufacturer. The vendor is working on a fix scheduled for release in December 2023. The router vendor is also planning a release for the affected model, withholding details until the patch is ready.

The Akamai SIRT identified the campaign as originating from a Mirai botnet activity cluster, primarily using the older JenX Mirai malware variant. Notably, the command-and-control (C2) domains displayed offensive language and racial epithets. The malware samples associated with the campaign showed similarities with the original Mirai botnet.

The researchers shared indicators of compromise, including Snort and YARA rules, SHA256SUMs of malware samples and C2 domains. The SIRT is collaborating with CISA/US-CERT and JPCERT to notify impacted vendors.

Mitigation recommendations include checking and changing default credentials on Internet of Things (IoT) devices, isolating vulnerable devices and implementing DDoS security controls.

“Threats such as botnets and ransomware rely on default passwords that are often widely known and easily accessible for propagation,” reads the advisory. “The more difficult it is for a threat to move around, the less chance there is of unauthorized access and potential security breaches.”

The Akamai blog post concludes by emphasizing the importance of honeypots in cybersecurity and the need for organizations to stay informed about emerging threats. The SIRT plans to publish a follow-up blog post with additional details once vendors and CERTs complete the…

Source…

Cisco patches IOS XE zero-days used to hack over 50,000 devices


Cisco has released a patch to fix two high-severity flaws that were being abused in the wild to take over vulnerable endpoints.

The first fixed version is 17.9.4a, and IT admins are urged to apply it immediately and secure their premises. The patch can be found in the company’s Software Download Center.

Source…

Zero-days for hacking WhatsApp are now worth millions of dollars


Thanks to improvements in security mechanisms and mitigations, hacking cell phones — both running iOS and Android — has become an expensive endeavor. That’s why hacking techniques for apps like WhatsApp are now worth millions of dollars, TechCrunch has learned.

Last week, a Russian company that buys zero-days — flaws in software that are unknown to the developer of the affected product — offered $20 million for chains of bugs that would allow their customers, which the company said are “Russian private and government organizations only,” to remotely compromise phones running iOS and Android. That price is in part likely caused by the fact that there aren’t many researchers willing to work with Russia while the invasion of Ukraine continues, and that Russian government customers are likely willing to pay a premium under the current circumstances.

But even in the markets outside of Russia, including just for bugs in specific apps, prices have gone up.

Leaked documents seen by TechCrunch show that, as of 2021, a zero-day allowing its user to compromise a target’s WhatsApp on Android and read the content of messages can cost between $1.7 and $8 million.

“They’ve shot up,” said a security researcher who has knowledge of the market, and asked to remain anonymous as they weren’t authorized to speak to the press.

WhatsApp has been a popular target for government hackers, the kind of groups that are more likely to use zero-days. In 2019, researchers caught customers of the controversial spyware maker NSO Group using a zero-day to target WhatsApp users. Soon after, WhatsApp sued the Israeli surveillance tech vendor, accusing it of abusing its platform to facilitate its customers using the zero-day against more than a thousand WhatsApp users.

In 2021, according to one of the leaked documents, a company was selling a “zero click RCE” in WhatsApp for around $1.7 million. RCE is cybersecurity lingo for remote code execution, a type of flaw that allows malicious hackers to remotely run code on the target’s device. Or in this case, inside WhatsApp, allowing them to monitor, read and exfiltrate messages. “Zero click” refers to the fact that the exploit…

Source…