Tuesday, January 21, 2025
Home Blog Page 37

Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild

microsoft

A 0-day vulnerability in Microsoft Support Diagnostic Tool is being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Assigned CVE-2022-30190, successful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

Why is this Significant?

This is significant because the vulnerability is a 0-day vulnerability in Microsoft Support Diagnostic Tool that allows remote code execution and is being exploited in the wild.

What is CVE-2022-30190?

The vulnerability is a remote code execution vulnerability that was named “Follina” by security researcher Kevin Beaumont. The name was derived from the malicious sample’s reference to “0438”, which is the area code of Follina, Italy. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application, such as Word. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

A malicious Word file that is widely discussed online abuses the remote template feature in Microsoft Word to retrieve a remote HTML file. The retrieved HTML file uses the “ms-msdt” MSProtocol URI scheme to launch MSDT, which in turn executes the embedded PowerShell payload. Note that ms-msdt refers to the “Microsoft Support Diagnostic Tool”, a legitimate Microsoft tool that collects system information and sends it to Microsoft for troubleshooting.

What is concerning is that the vulnerability reportedly can be exploited even if macros, one of the most prevalent ways to deliver malware via Microsoft Office files, are disabled. Also, if the document is saved in RTF form, merely previewing it in the Windows Explorer preview pane can trigger the exploit.
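The two artefacts described above (a document carrying an external template link, and an HTML page that hands MSDT an ms-msdt: URI) can be checked for statically. The following is an added example, not code from FortiGuard or Microsoft: it opens a .docx as the zip it is, walks the relationship parts for an external attachedTemplate target, and flags HTML that invokes ms-msdt: with the IT_BrowseForFile=$( ... ) PowerShell subexpression trick. The sample document and HTML are constructed inline for the test and carry a harmless payload; the URL 203.0.113.10 is a documentation address, not a real indicator.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type Word follows to fetch an attached (remote) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_templates(docx_bytes: bytes) -> list:
    """Return the external targets of every attachedTemplate relationship.

    A .docx is a zip; the template link normally lives in
    word/_rels/settings.xml.rels, but every .rels part under word/ is
    checked so a relocated relationship is not missed.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    targets.append(rel.get("Target"))
    return targets


def scan_html(html: str) -> dict:
    """Flag HTML that launches MSDT through the ms-msdt: URI scheme."""
    return {
        "uses_msdt": "ms-msdt:" in html.lower(),
        # diagnostic pack requested via /id, e.g. PCWDiagnostic in the Follina samples
        "diagnostic_packs": re.findall(r"ms-msdt:/id\s+(\w+)", html, re.IGNORECASE),
        # IT_BrowseForFile=$( ... ) smuggles a PowerShell subexpression into MSDT
        "powershell_subexpression": bool(
            re.search(r"IT_BrowseForFile\s*=\s*\$\(", html, re.IGNORECASE)),
    }


def build_sample_docx(template_target=None) -> bytes:
    """Constructed minimal .docx for testing; not a real malicious sample."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if template_target:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                    % (ATTACHED_TEMPLATE, template_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


# Constructed second-stage HTML with the same shape as the public samples but a harmless payload.
SAMPLE_HTML = """<script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Write-Host harmless)\\"";
</script>"""

if __name__ == "__main__":
    print(external_templates(build_sample_docx("http://203.0.113.10/template.html")))
    print(scan_html(SAMPLE_HTML))
```

An external attachedTemplate target is not malicious on its own (corporate templates use it), so treat the docx finding as a triage signal and the ms-msdt: finding in the fetched HTML as the high-confidence one.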

How Widespread is this?

While attacks leveraging the vulnerability do not yet appear to be widespread, more are expected because Proof-of-Concept code is available and a patch has not yet been released.

Does the Vulnerability Have CVE Number?

CVE-2022-30190 has been assigned to the vulnerability.

Has Microsoft Released an Advisory?

Yes. See the Appendix for a link to “Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability”.

Has Microsoft Released a Patch?

No, Microsoft has not released a patch yet.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against the known samples that are associated with CVE-2022-30190:

MSWord/Agent.2E52!tr.dldr
MSOffice/Agent.DIT!tr
HTML/CVE_2022_30190.A!tr
MSIL/Agent.2E52!exploit
W32/Agent.2E52!exploit
LNK/Agent.2E52!exploit
Data/Agent.2E52!exploit
MSWord/CVE20170199.A!exploit
Riskware/RemoteShell

Regarding IPS coverage, the following signature will detect the retrieval of remote HTML files that contain the MSDT command:

MS.Office.MSHTML.Remote.Code.Execution

Known network IOCs for CVE-2022-30190 are blocked by the WebFiltering client.

FortiEDR will provide protection from exploitation of this vulnerability and subsequent post-exploitation activity. See the Appendix for a link to “Technical Tip: How FortiEDR protects against CVE-2022-30190 ‘Follina’ Microsoft Office protocol vulnerability” for more information.

The FortiGuard Content Disarm and Reconstruction (CDR) service can detect the attack in real time and prevent it by disarming the “oleobject” data in Microsoft Office files.

FortiGuard Labs is currently investigating for additional coverage against CVE-2022-30190. This Threat Signal will be updated when additional information becomes available.

Any Suggested Mitigation?

Microsoft released an official blog on CVE-2022-30190 that includes mitigation information. See the Appendix for a link to “Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability”.

Appendix

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (Microsoft)

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability (Microsoft)

CVE-2022-30190 (MITRE)

Follina — a Microsoft Office code execution vulnerability (DoublePulsar)

Microsoft Releases Workaround Guidance for MSDT “Follina” Vulnerability (US-CERT)

MS.Office.MSDT.Remote.Code.Execution (Fortinet)

Technical Tip: How FortiEDR protects against CVE-2022-30190 ‘Follina’ Microsoft Office protocol vulnerability (Fortinet)

Technical Tip: Using FortiAnalyzer to detect Follina Microsoft Office RCE vulnerability | CVE-2022-30190 (Fortinet)


Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Unpatched Critical Atlassian Confluence Zero-Day RCE Flaw Actively Exploited

vulnerability

Atlassian warned of an actively exploited critical unpatched remote code execution flaw (CVE-2022-26134) in Confluence Server and Data Center products.

Atlassian is warning of a critical unpatched remote code execution vulnerability affecting all Confluence Server and Data Center supported versions, tracked as CVE-2022-26134, that is being actively exploited in attacks in the wild.

“Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available.” reads the advisory published by the company.

The issue was reported by security firm Volexity. Atlassian said security fixes for supported versions of Confluence would be available within 24 hours (estimated by end of day June 3 PDT).

Until fixes are available, Atlassian urges customers to restrict Confluence Server and Data Center instances from the internet, or to disable them.

Volexity researchers discovered the issue during an investigation into an attack that took place over the Memorial Day weekend.

The attackers targeted two Internet-facing web servers running Atlassian Confluence Server. Volexity determined that the threat actors achieved remote code execution by triggering a zero-day vulnerability that affected fully up-to-date versions of Confluence Server.

“After successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. This is an ever-popular web server implant with source code available on GitHub. BEHINDER provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike. As previously noted, this method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.” reads the analysis published by Volexity. “Once BEHINDER was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: CHINA CHOPPER and a custom file upload shell.”

This isn’t the first time that flaws in Atlassian Confluence have been exploited in attacks in the wild.

In September 2021, Trend Micro researchers spotted crypto-mining campaigns that were actively exploiting a recently disclosed critical remote code execution vulnerability in Atlassian Confluence deployments across Windows and Linux.

At the end of August 2021, Atlassian released security patches to address the critical CVE-2021-26084 flaw that affects the Confluence enterprise collaboration product.

The flaw is an OGNL injection issue that can be exploited by an authenticated attacker (and, in some configurations, an unauthenticated one) to execute arbitrary code on affected Confluence Server and Data Center instances.


CISA adds CVE-2022-30525 flaw in Zyxel Firewalls to its Known Exploited Vulnerabilities Catalog


The US Cybersecurity and Infrastructure Security Agency (CISA) adds the critical CVE-2022-30525 RCE flaw in Zyxel firewalls to its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency added the recently disclosed remote code execution bug, tracked as CVE-2022-30525, affecting Zyxel firewalls, to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend that private organizations also review the Catalog and address the vulnerabilities in their infrastructure.

Last week, Zyxel addressed the critical CVE-2022-30525 (CVSS score: 9.8) affecting Zyxel firewall devices, which enables unauthenticated remote attackers to gain arbitrary code execution as the “nobody” user.

The vulnerability was discovered by Rapid7, which reported it on April 13. Zyxel silently addressed the flaw by releasing security updates on April 28, 2022; Rapid7 pointed out that this choice leaves defenders in the dark and only benefits attackers.

“The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the nobody user.” reads the report published by Rapid7.

Below is the list of vulnerable products and related patches (firmware ranges are inclusive):

Affected model                      Affected firmware version              Patch availability
USG FLEX 100(W), 200, 500, 700      ZLD V5.00 through ZLD V5.21 Patch 1    ZLD V5.30
USG FLEX 50(W) / USG20(W)-VPN       ZLD V5.10 through ZLD V5.21 Patch 1    ZLD V5.30
ATP series                          ZLD V5.10 through ZLD V5.21 Patch 1    ZLD V5.30
VPN series                          ZLD V4.60 through ZLD V5.21 Patch 1    ZLD V5.30

According to Rapid7, the Shodan search engine tracks more than 15,000 internet-facing vulnerable systems. The researchers also developed a Metasploit module for this issue and published a video PoC of the attack.

“Apply the vendor patch as soon as possible. If possible, enable automatic firmware updates. Disable WAN access to the administrative web interface of the system.” concludes the report.

Researchers at the Shadowserver Foundation reported observing exploitation attempts against CVE-2022-30525 starting on May 13th. They claim that at least 20,800 potentially affected Zyxel firewalls (by unique IP) are exposed online, most of them in the EU, led by France (4.5K) and Italy (4.4K), followed by the US (2.4K).

CISA also added the CVE-2022-22947 code injection vulnerability in Spring Cloud Gateway to the catalog. A remote attacker could send specially crafted requests to vulnerable systems to gain arbitrary code execution. Last week, Microsoft experts reported that the Sysrv-K botnet is exploiting this issue to take over vulnerable web servers.

Both issues have to be addressed by federal agencies by June 6.
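BOD 22-01 turns the catalog into a deadline list, so the practical step for a defender is to join scanner output against the KEV feed and compute what is due when. The block below is an added example, not CISA tooling: it indexes a constructed excerpt in the shape of CISA's KEV JSON feed (the two entries mirror the CVEs and the June 6 due date on this page; the live feed is not fetched), matches a constructed asset inventory against it, and reports days remaining per finding. Asset names and the inventory format are assumptions of this example.

```python
import json
from datetime import date

# Constructed excerpt with the field names of CISA's known_exploited_vulnerabilities.json.
# The two entries mirror this page; the live catalog is not fetched here.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-30525", "vendorProject": "Zyxel", "product": "Multiple Firewalls",
     "dateAdded": "2022-05-16", "dueDate": "2022-06-06",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-22947", "vendorProject": "VMware", "product": "Spring Cloud Gateway",
     "dateAdded": "2022-05-16", "dueDate": "2022-06-06",
     "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed asset inventory: CVEs a scanner reported per host (hypothetical host names).
INVENTORY = [
    {"name": "fw-edge-01", "cves": ["CVE-2022-30525"]},
    # the second CVE is not in the excerpt above, so no BOD deadline applies to it here
    {"name": "gw-api-01", "cves": ["CVE-2022-22947", "CVE-2022-26413"]},
]


def load_kev(kev_json: str) -> dict:
    """Index the catalog by CVE ID so inventory lookups are constant-time."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def triage(kev: dict, inventory: list, today: date) -> list:
    """Return the inventory findings present in KEV with their BOD 22-01 deadline status,
    ordered by due date so the most urgent items come first."""
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not (yet) catalogued: still track it, but no federal deadline
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset["name"],
                "cve": cve,
                "product": f"{entry['vendorProject']} {entry['product']}",
                "action": entry["requiredAction"],
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "overdue": today > due,
            })
    findings.sort(key=lambda f: (f["due"], f["asset"]))
    return findings


if __name__ == "__main__":
    for finding in triage(load_kev(KEV_JSON), INVENTORY, date.today()):
        print(finding)
```

Run against the real feed by replacing KEV_JSON with the downloaded catalog; the schema and the lookup logic stay the same.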


Over 200 Apps on Play Store Caught Spying on Android Users Using Facestealer

databreach

More than 200 Android apps masquerading as fitness, photo editing, and puzzle apps have been observed distributing spyware called Facestealer to siphon user credentials and other valuable information.

“Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants,” Trend Micro analysts Cifer Fang, Ford Quin, and Zhengyu Dong said in a new report. “Since its discovery, the spyware has continuously beleaguered Google Play.”

Facestealer, first documented by Doctor Web in July 2021, refers to a group of fraudulent apps that invade the official app marketplace for Android with the goal of plundering sensitive data such as Facebook login credentials.

Of the 200 apps, 42 are VPN services, followed by camera (20) and photo-editing (13) apps. In addition to harvesting credentials, the apps are also designed to collect Facebook cookies and personally identifiable information associated with a victim’s account.

Additionally, Trend Micro disclosed that it uncovered over 40 rogue cryptocurrency miner apps that target users interested in virtual coins with malware designed to trick users into watching ads and paying for subscription services.

Some of the fake crypto apps, such as Cryptomining Farm Your own Coin, take it one step further by also attempting to steal private keys and mnemonic phrases (or seed phrases) that are used to recover access to a cryptocurrency wallet.

To avoid falling victim to such scam apps, it’s recommended that users check negative reviews, verify the legitimacy of the developers, and avoid downloading apps from third-party app stores.

New study analyzes malicious Android apps installed in the wild

The findings come as researchers from NortonLifeLock and Boston University published what they called the “largest on-device study” of potentially harmful apps (PHAs) on Android, based on 8.8 million PHAs installed on over 11.7 million devices between 2019 and 2020.

“PHAs persist on Google Play for 77 days on average and 34 days on third-party marketplaces,” the study noted, pointing out the delay between when PHAs are identified and when they are removed, adding 3,553 apps exhibit inter-market migration after being taken down.

On top of that, the research also shows that PHAs linger for a much longer period on average when users switch devices and automatically install the apps when restoring from a backup.

As many as 14,000 PHAs are said to have been transferred to 35,500 new Samsung devices by using the Samsung Smart Switch mobile app, with the apps lasting on the phones for a period of approximately 93 days.

“The Android security model severely limits what mobile security products can do when detecting a malicious app, allowing PHAs to persist for many days on victim devices,” the academics said. “The current warning system employed by mobile security programs is not effective in convincing users to promptly uninstall PHAs.”


Killnet hackers announce Russian cyber attacks on UK for standing up to Putin’s war


Hacker group Killnet has announced global cyber attacks against a number of countries, including the UK, for standing up to Vladimir Putin’s war in Ukraine.

The other countries being targeted by the Russia-linked group are the US, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland and Ukraine. The hacktivists claimed to have disrupted the infrastructure of Italy’s State Police anti-cyber-crime arm after it thwarted hacking attempts on the Eurovision Song Contest. In the early hours of Monday morning, Killnet announced that the Italian State Police’s claims about having disrupted cyber attacks over the weekend were false.

In the same announcement, Killnet also “declared war” on the 10 countries listed above, including the “deceitful police of Italy”.

It claimed it was responsible for the seemingly offline website of the police’s cyber department.

On Sunday, Italian State Police confirmed they were able to “neutralise and repel the attacks”.

They said: “Various computer attacks of a DDoS nature were directed at network infrastructure during the voting operations and the singing performance and were mitigated in collaboration with the ICT Rai and Eurovision TV management.

“Identified by the Cnaipic of the Postal Police, numerous ‘PC-zombies’ were used for the cyber attack.”

The Eurovision song contest was held in Italy over the weekend, which saw Kalush Orchestra from Ukraine win the annual competition.

Authorities said the DDoS attacks were stopped during the contest’s grand final and during the final voting stages.

State Police also confirmed they had scoured the hacking groups’ associated Telegram channels in search of any intelligence that leads to the prevention of other incidents and the identification of the hackers’ location.


Brazilian e-commerce firm Americanas reports multimillion-dollar loss following cyberattack

CyberSecurity

The company’s transactional platforms were unavailable for a week following the incident in February.

Brazilian e-commerce conglomerate Americanas.com reported a multimillion-dollar loss in sales in its financial results on Friday after a major cyberattack earlier this year.

The company lost 923 million Brazilian reais ($183 million) in sales after two attacks that took place between February 19 and 20 and rendered its e-commerce operation unavailable. According to the company, physical stores continued to operate and the logistics arm of the company continued to deliver orders placed after the event.

“In order to add strength to our internal team and security partner companies in the resolution and investigation of this incident, we called on world-renowned experts with experience in situations like these,” the company said in its financial statement. 

According to Americanas, the operations started to be gradually restored on February 23 and activities fully resumed on the following day. “There is no evidence of other damages, beyond the fact that our e-commerce operations were suspended,” the firm noted.

Despite the impact caused by the incident, the company reported a 22% increase in total sales compared to the same period last year. According to the firm’s results, digital sales increased 20% in the first quarter of the year as the pace of sales resumed in the weeks following the incident. The company noted that if the cyberattack hadn’t happened, sales growth would have reached 30%.

The authors of the Americanas attack are understood to be the Lapsus$ Group — the group responsible for a major ransomware attack against Brazil’s Ministry of Health in December 2021 that resulted in the unavailability of the COVID-19 vaccination data of millions of citizens.

According to analyst firm IDC, overall IT security spending is expected to reach nearly $1 billion in Brazil this year, an increase of 10% in relation to 2020. The research company predicts that 2022 will see firms dealing with an increasing number of cyberattacks, a trend that has gathered pace since the start of the COVID-19 pandemic.


Avast, AVG Release Security Updates for Decade-Old Vulnerability


SentinelOne disclosed two high-severity vulnerabilities – tracked as CVE-2022-26522 and CVE-2022-26523 – that went undiscovered for years and affect the “Anti Rootkit” driver in security products from Avast and AVG. 

The two anti-virus companies joined forces in 2016 when Avast bought AVG for about $1.3 billion. NortonLifeLock announced in 2021 that it reached an agreement to merge with the Czech antivirus maker in a stock-based deal that could be worth between $8.1 billion to $8.6 billion.

On December 20, SentinelOne notified Avast of the two vulnerabilities that could lead to privilege escalation “by running code in the kernel from a non-administrator user.” 

“According to Avast, the vulnerable feature was introduced in Avast 12.1. Given the longevity of this flaw, we estimate that millions of users were likely exposed,” SentinelOne explained. Avast 12.1 was released in early 2012.

“While we haven’t seen any indicators that these vulnerabilities have been exploited in the wild up till now, with dozens of millions of users affected, it is possible that attackers will seek out those that do not take the appropriate action.”

Avast acknowledged the SentinelOne report in January. In a statement to The Record, Avast said a fix for the vulnerabilities shipped in version 22.1, released in February.

“Avast and AVG users were automatically updated and are protected against any risk of exploitation, although we have not seen the vulnerabilities abused in the wild,” a spokesperson for the company said. 

SentinelOne noted that while many users get automatic updates, those “using air gapped or on premise installations are advised to apply the patch as soon as possible.”

The security company explained that the vulnerabilities could be exploitable in contexts beyond just local privilege escalation, adding that they could be used as part of a second stage browser attack or to perform a sandbox escape. 

“As we have noted with similar flaws in other products recently, such vulnerabilities have the potential to allow complete take over of a device, even without privileges, due to the ability to execute code in kernel mode. Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products,” they said. 


Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability – CVE-2022-30525

vulnerability

Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution.

“A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device,” the company said in an advisory published Thursday.

Cybersecurity firm Rapid7, which discovered and reported the flaw on April 13, 2022, said that the weakness could permit a remote unauthenticated adversary to execute code as the “nobody” user on impacted appliances.

Tracked as CVE-2022-30525 (CVSS score: 9.8), the flaw impacts the following products, with patches released in version ZLD V5.30 –

  • USG FLEX 100(W), 200, 500, 700
  • USG FLEX 50(W) / USG20(W)-VPN
  • ATP series, and
  • VPN series

Rapid7 noted that there are at least 16,213 vulnerable Zyxel devices exposed to the internet, making it a lucrative attack vector for threat actors to stage potential exploitation attempts.

The cybersecurity firm also pointed out that Zyxel silently issued fixes to address the issue on April 28, 2022 without publishing an associated Common Vulnerabilities and Exposures (CVE) identifier or a security advisory. Zyxel, in its alert, blamed this on a “miscommunication during the disclosure coordination process.”

“Silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues,” Rapid7 researcher Jake Baines said.

The advisory comes as Zyxel addressed three different issues, including a command injection (CVE-2022-26413), a buffer overflow (CVE-2022-26414), and a local privilege escalation (CVE-2022-0556) flaw, in its VMG3312-T20A wireless router and AP Configurator that could lead to arbitrary code execution.


Codenotary adds Vulnerability Scanning to Further Secure Open-Source Supply Chains

Cybersecurity

Codenotary announced the addition of the free background vulnerability scanning service combined with a free and open source Community Attestation Service (CAS) code signing and attestation service to further secure open source supply chains.

Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. The addition of a free vulnerability service to CAS allows cloud native and open source projects to better secure their software. The service scans assets (based on the hashes uploaded) for known security vulnerabilities and raises alerts if problematic packages are found in the stack. CAS can also be used to “untrust” any problematic artifacts.

“This is especially unique – a totally free code integrity service that integrates automated, continuous and self-updating vulnerability scanning, delivering alerts when it finds issues,” said Dennis Zimmer, co-founder and chief technology officer, Codenotary. “Users of open source software – and that is pretty much everyone – have a free and easy way to ensure the security of their software supply chain which addresses a big and growing problem”

Codenotary is the primary maintainer of immudb, the first and only open source enterprise-class immutable database with data permanence at scale for demanding applications — up to billions of transactions per day. Codenotary uses immudb to underpin its notarization and verification product. There have been more than 12 million downloads of immudb.

Anyone can start using CAS today to ensure their open source software is secured for themselves and their users.

Codenotary provides tools for cataloging and trusting components of the software development lifecycle which help attest to the origin and safety of the code. The company further enhances this core functionality by providing an additional tamper-proof layer which processes and stores millions of transactions per second, on-premises or as a cloud service, and with cryptographic verification.

It gives developers a way to attach a Software Bill of Materials (SBOM) for development artifacts that include source code, builds, repositories, and more, plus Docker and Kubernetes container images for their software.


Critical Gems Takeover Bug Reported in RubyGems Package Manager


The maintainers of the RubyGems package manager have addressed a critical security flaw that could have been abused to remove gems and replace them with rogue versions under specific circumstances.

“Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so,” RubyGems said in a security advisory published on May 6, 2022.

RubyGems, like npm for JavaScript and pip for Python, is a package manager and a gem hosting service for the Ruby programming language, offering a repository of more than 171,500 libraries.

In a nutshell, the flaw in question, tracked as CVE-2022-29176, enabled anyone to pull certain gems and upload different files with the same name, same version number, and different platforms.

For this to happen, however, the target gem needed to have one or more dashes in its name, the word before the first dash had to be the name of an attacker-controlled gem, and the target gem had to have been created within the past 30 days or not updated for over 100 days.

“For example, the gem ‘something-provider’ could have been taken over by the owner of the gem ‘something,'” the project owners explained.
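The conditions just described amount to an authorization check that accepts the wrong principal. The block below is an added example, not RubyGems.org code: it models the pre-fix rule as the advisory describes it (an owner of the prefix gem passes when the target is under 30 days old or idle for over 100 days) next to the hardened rule (only an owner of the exact gem may yank), and walks a constructed registry snapshot to list which gems a non-owner could have yanked. Gem names, owners and timestamps are constructed for the example; the 30-day and 100-day thresholds are the ones on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Gem:
    name: str
    owners: frozenset
    created_at: datetime
    updated_at: datetime


def pre_fix_can_yank(user: str, gem: Gem, registry: dict, now: datetime) -> bool:
    """Model of the gap described in the advisory (not RubyGems.org's actual code):
    besides real owners, an owner of the gem named by the part before the first dash
    is let through when the target is under 30 days old or untouched for over 100 days."""
    if user in gem.owners:
        return True
    if "-" not in gem.name:
        return False
    parent = registry.get(gem.name.split("-", 1)[0])
    if parent is None or user not in parent.owners:
        return False
    fresh = now - gem.created_at < timedelta(days=30)
    stale = now - gem.updated_at > timedelta(days=100)
    return fresh or stale


def fixed_can_yank(user: str, gem: Gem) -> bool:
    """Hardened rule: authorization is decided by ownership of this exact gem only."""
    return user in gem.owners


def exposed_gems(registry: dict, now: datetime) -> dict:
    """Map each gem to the non-owners who could yank it under the pre-fix rule."""
    exposed = {}
    for gem in registry.values():
        parent = registry.get(gem.name.split("-", 1)[0]) if "-" in gem.name else None
        if parent is None:
            continue
        attackers = {u for u in parent.owners - gem.owners
                     if pre_fix_can_yank(u, gem, registry, now)}
        if attackers:
            exposed[gem.name] = attackers
    return exposed


# Constructed registry snapshot (hypothetical gems, owners and ages).
NOW = datetime(2022, 5, 6)


def _gem(name, owners, age_days, idle_days):
    return Gem(name, frozenset(owners),
               NOW - timedelta(days=age_days), NOW - timedelta(days=idle_days))


REGISTRY = {g.name: g for g in [
    _gem("something", {"attacker"}, 400, 2),          # prefix gem controlled by the attacker
    _gem("something-provider", {"victim"}, 10, 10),   # created < 30 days ago: exposed
    _gem("something-stale", {"victim"}, 400, 150),    # no update for > 100 days: exposed
    _gem("something-active", {"victim"}, 400, 5),     # maintained: not exposed
    _gem("other-provider", {"victim"}, 10, 10),       # no "other" gem exists: not exposed
    _gem("legit", {"victim"}, 10, 10),                # no dash: not exposed
]}

if __name__ == "__main__":
    print(exposed_gems(REGISTRY, NOW))
```

The takeover the advisory describes follows from a successful yank: once the legitimate file is gone, the attacker can push a gem with the same name and version for a different platform. The fixed rule removes the prefix-gem path entirely rather than tightening the age thresholds, which is the right shape of fix for an authorization bug.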

The project maintainers said that there is no evidence that the vulnerability has been exploited in the wild, adding it didn’t receive any support emails from gem owners alerting them to the removal of the libraries without authorization.

“An audit of gem changes for the last 18 months did not find any examples of this vulnerability being used in a malicious way,” the maintainers said. “A deeper audit for any possible use of this exploit is ongoing.”

The disclosure comes as npm addressed several flaws in its platform that could have been weaponized to facilitate account takeover attacks and publish malicious packages.

Chief among them is a supply chain threat called package planting that enables malicious actors to pass off rogue libraries as legitimate simply by assigning them to trusted, popular maintainers without their knowledge.
