Monday, January 20, 2025

Moodle SQL injection vulnerability: in e-learning platform could enable database takeover


A security vulnerability in the e-learning platform Moodle could allow an attacker to take over a database and potentially obtain sensitive information, researchers have warned.

Moodle is an open source educational resource that enables institutions to create online learning materials for students.

Researchers have found that the platform is vulnerable to a second-order SQL injection flaw, which could enable an attacker to take control of the database server.

Teachers are able to create custom badges for their pupils, which they can earn through completing tasks such as courses or essays.

When creating these badges, an attacker with teacher status can store a malicious SQL fragment in the database as part of the badge criteria.

Later, that stored data is fetched from the database and injected, unsanitized, into another query. When the badge is enabled for access by students, the injected SQL is executed.

In a blog post, researcher ‘dugisec’ explained how the attack works.

Caveats

It’s important to note that in order to perform this attack, a malicious actor will have to be logged in as a teacher.

However, the impact of the authenticated bug could be damaging. The researcher who found the vulnerability said it can also be used in a stored XSS attack.

They wrote: “In order to exploit this, a new badge has to be created for each SQL query that the attacker wants to run. This is because once a badge has been created, the criteria cannot be updated.”

The researcher added: “I also would not be surprised if there are more SQLis of this nature in Moodle. As a bonus this bug can be used for stored XSS as well.”

The researcher noted that this bug appears to have been reported in a GitHub post from 2013.

The report reads: “In order to get our SQL query into the database it’s necessary to create a badge and add some criteria. It is when adding the criteria that the sql-to-be-executed-2nd-order is inserted into the database.

“Finally, when the badge is enabled the injected SQL is executed.”


What is an SQL Injection Vulnerability?

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
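As an added illustration (not Moodle’s code, and not from the researcher’s post), the following Python/SQLite script reproduces the second-order pattern described above: a badge criteria value is stored safely, then read back and used in a second query, once spliced into the SQL text and once bound as a parameter. The table layout, function names and sample criteria values are constructed for this example.

```python
"""Second-order SQL injection in miniature (constructed example, not Moodle code).

Stage 1 stores a badge criteria value with a parameterized INSERT, which is
safe on its own. Stage 2 later reads the value back and uses it in another
query; if that second query splices the stored text into SQL, the quoting
done at stage 1 gives no protection at all."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed schema: a users table and a table of badge criteria.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE badge_criteria (badge_id INTEGER, param TEXT);
        INSERT INTO user VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
    """)
    return conn


def store_criteria(conn: sqlite3.Connection, badge_id: int, param: str) -> None:
    # Stage 1: parameterized, so any quotes in `param` are stored verbatim
    # as data. Nothing is executed here, which is why this stage looks fine.
    conn.execute("INSERT INTO badge_criteria VALUES (?, ?)", (badge_id, param))


def load_criteria(conn: sqlite3.Connection, badge_id: int) -> str:
    row = conn.execute(
        "SELECT param FROM badge_criteria WHERE badge_id = ?", (badge_id,)
    ).fetchone()
    return row[0]


def award_unsafe(conn: sqlite3.Connection, badge_id: int) -> list[str]:
    # Stage 2 (vulnerable): the value is trusted because it "came from the
    # database" and is formatted straight into the SQL text.
    param = load_criteria(conn, badge_id)
    sql = f"SELECT username FROM user WHERE username = '{param}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def award_safe(conn: sqlite3.Connection, badge_id: int) -> list[str]:
    # Stage 2 (hardened): identical logic, but the stored value is bound as a
    # parameter and can only ever be compared as a string.
    param = load_criteria(conn, badge_id)
    sql = "SELECT username FROM user WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (param,))]


def demo(param: str) -> tuple[list[str], list[str]]:
    """Store `param` as badge criteria, then run both stage-2 variants."""
    conn = build_db()
    store_criteria(conn, 1, param)
    return award_unsafe(conn, 1), award_safe(conn, 1)


if __name__ == "__main__":
    print("benign criteria:", demo("alice"))
    print("hostile criteria:", demo("x' OR '1'='1"))
```

The fix is the same one that applies to first-order injection: bind every value at the point of use, regardless of whether it arrived from a form or from your own database.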

Go to Cybersecurity Knowledge Base

Go to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Ragnar Locker Ransomware Breached 52+ Orgs Across 10 Critical Infrastructure Sectors


The US FBI warns that the Ragnar Locker ransomware gang has breached the networks of at least 52 organizations from multiple US critical infrastructure sectors.

The US Federal Bureau of Investigation (FBI) and CISA published a flash alert to warn that the Ragnar Locker ransomware gang has breached the networks of at least 52 organizations across 10 critical infrastructure sectors. The ransomware operation has been active since late December 2019; the FBI first became aware of the threat in April 2020, and this is the second time it has shared IoCs related to the RagnarLocker operation. “As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors,” reads the FBI’s flash alert. “RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention.”

The flash alert provides details on attack infrastructure, Bitcoin addresses used by the gang to receive the payments of the ransom from the victims, and email addresses used by the gang’s operators.

The flash alert includes a series of mitigations to neutralize such attacks:

  • Back up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Use multi-factor authentication with strong passwords, including for remote access services.
  • Keep computers, devices, and applications patched and up-to-date.
  • Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network segmentation.

Users who identify any suspicious activity within their enterprise or have related information are recommended to contact their local FBI Cyber Squad immediately, following the procedures outlined in the Reporting Notice section of the flash alert.


Google is acquiring security intelligence firm Mandiant for $5.4B


At a time when cyber security is top of mind for many firms, Google announced it was paying $5.4 billion to acquire security intelligence company Mandiant, giving it access to security data gathering capabilities, as well as a team of hundreds of security consultants. The company will become part of Google Cloud upon closing.

Google Cloud head Thomas Kurian pointed out that companies were facing unprecedented security threats, especially as the war in Ukraine rages, and Mandiant gives the company a platform of security services to add to the Google Cloud platform.

“This is an opportunity to deliver an end-to-end security operations suite and extend one of the best consulting organizations in the world. Together we can make a profound impact in securing the cloud, accelerating the adoption of cloud computing and ultimately make the world safer,” Kurian said in a statement.

The company plans to pay Mandiant $23 a share, representing a 57% premium over the 10-day weighted stock price average. The stock is up almost 18% over the last year and spiked in the last couple of days as rumors began to surface about a possible deal.

Patrick Moorhead, founder and principal analyst at Moor Insights & Strategy says that the deal should improve and expand Google’s existing strong security stance. “Google Cloud has always had a good reputation for security offerings inside of its own cloud. The Mandiant acquisition opens the aperture to any cloud or on premise configuration,” Moorhead told me.

Gartner analyst Neil MacDonald, who watches the cloud security space carefully, agrees, pointing out that, combined with the acquisition of Siemplify earlier this year, Google is building a strong security business. “After Google’s recent acquisition of Siemplify for security orchestration automation and response (SOAR), the Mandiant acquisition is another clear signal that Google is serious about growing revenue in its security division – which is a part of the Google Cloud business unit,” MacDonald explained.

He added that the acquisition should enhance the company’s security argument, especially for potential customers who may still worry about securing workloads in the cloud. “By improving its security capabilities and brand awareness as a security vendor, Google also benefits by helping to remove security as an inhibitor to the adoption of GCP,” he said.

Mandiant launched in 2004 and raised $70 million along the way, according to Crunchbase data. The company was sold to FireEye in 2013 for $1 billion. Last year the two companies split with FireEye being sold to a private equity consortium led by Symphony Technology Group for $1.2 billion.

At the time, company founder Kevin Mandia, who had become FireEye CEO, said the deal was designed to unlock the value of Mandiant as a stand-alone business. It certainly fetched a much heftier price than FireEye did.

Mandia took the position of many an acquired company, saying that the deal gave his company access to the scale and resources of Google Cloud. “Together, we will deliver our expertise and intelligence at scale via the Mandiant Advantage SaaS platform, as part of the Google Cloud security portfolio,” he said in a statement announcing the deal.

Before it gets to the finish line, the transaction will have to run the regulatory gauntlet and garner Mandiant stockholder approval. The companies are predicting a close date some time later this year.


Report: 70% of Breached Passwords Are Still in Use


SpyCloud announced a report that examines trends related to exposed data. Researchers identified 1.7 billion exposed credentials, a 15% increase from 2020, and 13.8 billion recaptured Personally Identifiable Information (PII) records obtained from breaches in 2021.

Through its analysis of this data, it was found that despite increasingly sophisticated and targeted cyberattacks, consumers continue to engage in poor cyber practices regarding passwords, including the use of similar passwords for multiple accounts, weak or common passwords and passwords containing easy-to-guess words or phrases connected to pop culture.

“Reused passwords have been the leading vector in cyberattacks in recent years, and the threat of digital identity exposure is a growing problem,” said David Endler, Chief Product Officer of SpyCloud. “The findings of our annual report show that users are still not taking password security as seriously as they should. The threat of account takeover is not enacting wholesale improvements to consumer cyber hygiene, and that’s an alarming thought given the frequency of digital identity fraud.”

The average consumer owns hundreds of online accounts, each with a unique login, and the unfortunate result is an increase in consumer password reuse. SpyCloud’s report found that 64% of users with multiple compromised passwords reused similar passwords for multiple accounts, making them ripe for account takeovers and password spraying attacks. This represents a 4-point jump from the 2021 report.

The year over year increase in password reuse reflects the ease with which attackers can use one stolen password to compromise multiple accounts. More than 82% of the reused passwords analyzed consisted of an exact match to a previous password, and 70% of users tied to breaches last year and in years prior are still using an exposed password. Since 2016, SpyCloud has recaptured more than 25 billion total exposed accounts with passwords.

Strong correlation between current events and chosen passwords

In addition to reusing passwords for multiple accounts, the report identified a strong correlation between current events and chosen passwords. Report data showed passwords tied to numerous TV shows and movies in 2021, as well as pop and sports culture, including Britney Spears, the COVID-19 pandemic and the Major League Baseball World Series champions, the Atlanta Braves.

“The pandemic left many consumers with a longing for connection to society. In the same way consumers latched on to at-home entertainment via streaming services and sporting events, many reflected their hobbies in passwords from the previous year,” Endler said.

“The best defense to safeguard your company, customers and employees is to protect users from themselves by preventing them from selecting previously exposed passwords upon account creation or account password change, and monitoring for third party exposed credentials and resetting them as quickly as possible after an exposure.”

Compromised credentials – while a growing issue – are not the only threat outlined in this year’s report. Over the last 18 months SpyCloud researchers have increased their focus on bot logs from malware-infected devices, which not only expose a user’s browser-saved passwords but also detail browser fingerprints, web session cookies and other data that can allow criminals to impersonate a user’s online session and bypass two-factor authentication. This hard-to-detect fraud, compounded with poor password hygiene, can be a worrisome combination for even the most mature security postures.

Many organizations and consumers think they’re protected from identity fraud through reliance on a dark web monitoring service. Unfortunately, it can take upwards of a year before compromised credentials make it to the dark web to be found by those services. By the time an organization or user receives an exposure notification, the damage is likely already done.

SpyCloud’s unique combination of human intelligence, technology and breadth of recaptured data allows organizations and users to proactively stop fraud transactions before they occur.

Additional findings

1,706,963,639 total exposed credentials were analyzed from 755 breach sources.

  • The average breach contained 6,736,241 credentials.
  • The government sector was heavily represented in 2021.
  • SpyCloud found 611 breaches containing .gov email addresses – 81% of the overall total breach sources recaptured by SpyCloud.
  • In total, the team found 561,753 credential pairs (email addresses and plaintext passwords) from government agencies internationally.

In addition to the more common types of data such as names, dates of birth, and national identification numbers or driver’s licenses, the exposure report uncovered vehicle makes and models, number of children, smoker status, marital status, estimated income, job title and even Reddit handles, specifically:

  • 2.6 billion names
  • 990 million addresses
  • 393 million dates of birth
  • 1.6 billion phone numbers
  • 1.2 billion social media handles

12 notable recaptured data breaches of 2021:

  • The March 2021 Park Mobile app breach (26 million records)
  • The April 2021 Facebook user profiles scrape (501 million records)
  • The April 2021 BigBasket breach (20 million records)
  • The August 2021 T-Mobile breach (54 million records)
  • The September 2021 Epik breach (15 million records)


Anonymous Cyber War on Russia Continues, TV Channels Broadcast Ukraine War Footage and More


The popular hacker collective Anonymous continues to target Russian entities. A few hours ago the group hacked into the most popular Russian streaming services to broadcast war footage from Ukraine and show Russians the atrocity of the invasion ordered by Putin.

Many Russian citizens are unaware that their army is attacking the Ukrainian population and that many children are dying.

The collective says it wants peace and wants to hit only Putin, not Russian citizens, and to stop the military invasion of Ukraine. The group is also aware that its operations could create conditions that third-party attackers could abuse.

Activists were also able to broadcast troll faces on Russian military radio.

The huge wave of attacks is creating problems for Russia, which fears massive cyberattacks by nation-state actors and is preparing to disconnect from the global Internet. Disconnection would also allow Russia to apply massive censorship, limiting the Russian people’s access to information.

Stay tuned for more …


Malwarebytes 4.5 Unquoted Service Path Vulnerability


A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges of the application.

# Exploit Title: Malwarebytes 4.5 - Unquoted Service Path
# Exploit Author: Hejap Zairy
# Vendor Homepage: https://www.malwarebytes.com/
# Software Link: https://www.malwarebytes.com/mwb-download/
# Version: 4.5.0
# Tested: Windows 10 Pro x64 es

C:\Users\Hejap>sc qc MBAMService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MBAMService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Malwarebytes Service
        DEPENDENCIES       : RPCSS
                           : WINMGMT
        SERVICE_START_NAME : LocalSystem

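As an added defensive check (not part of the advisory above), this Python script parses `sc qc` output like that shown and lists the executable candidates Windows would try for an unquoted service path containing spaces; an auditor then verifies that none of those intermediate locations is writable by standard users. The function names are constructed for this example, and treating everything after the first `.exe` token as arguments is a heuristic, since an offline audit cannot consult the disk.

```python
"""Audit helper for unquoted service paths (constructed example, not from the advisory).

When a service's BINARY_PATH_NAME is unquoted and contains spaces, Windows
resolves the executable by trying each space-delimited prefix in turn
(with .exe appended) before reaching the real binary. Listing those
candidates lets a defender check that none of the intermediate locations
is writable by standard users."""
import re

# `sc qc` output as quoted in the advisory above (embedded copy for offline use).
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MBAMService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Malwarebytes Service
        DEPENDENCIES       : RPCSS
                           : WINMGMT
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(output: str) -> dict:
    """Pull SERVICE_NAME and BINARY_PATH_NAME out of `sc qc` text."""
    name = re.search(r"SERVICE_NAME:\s*(\S+)", output)
    path = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", output)
    if not name or not path:
        raise ValueError("not sc qc output")
    return {"service": name.group(1), "image_path": path.group(1).strip()}


def candidate_paths(image_path: str) -> list[str]:
    """Executables Windows would try, in order, for the given ImagePath.

    A quoted path has exactly one candidate. For an unquoted path, every
    space-delimited prefix is a candidate until the first token ending in
    .exe, which is taken as the real binary; anything after it is treated
    as arguments (a heuristic, since an offline audit cannot check disk)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:end] if end != -1 else s[1:]]
    tokens = s.split(" ")
    candidates = []
    for i in range(len(tokens)):
        prefix = " ".join(tokens[: i + 1])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def audit_service(sc_output: str) -> dict:
    """Flag a service whose path yields more than one executable candidate."""
    info = parse_sc_qc(sc_output)
    cands = candidate_paths(info["image_path"])
    info["candidates"] = cands
    info["unquoted_path_with_spaces"] = len(cands) > 1
    return info


if __name__ == "__main__":
    result = audit_service(SC_QC_OUTPUT)
    for c in result["candidates"]:
        print("would try:", c)
    print("unquoted service path:", result["unquoted_path_with_spaces"])
```

The remediation is to quote the path in the service configuration (the same check returns a single candidate for a quoted path) and to confirm that the directories along the path are not writable by non-administrators.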


CISA Adds Another 95 Flaws to its Actively Exploited Vulnerabilities Catalog


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week added 95 more security flaws to its Known Exploited Vulnerabilities Catalog, taking the total number of actively exploited vulnerabilities to 478.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” the agency said in an advisory published on March 3, 2022.

Of the 95 newly added bugs, 38 relate to Cisco vulnerabilities, 27 for Microsoft, 16 for Adobe, seven impact Oracle, and one each corresponding to Apache Tomcat, ChakraCore, Exim, Mozilla Firefox, Linux Kernel, Siemens SIMATIC CP, and Treck TCP/IP stack.

Included in the list are five issues discovered in Cisco RV routers, which CISA notes are being exploited in real-world attacks. The flaws, which came to light early last month, allow for the execution of arbitrary code with root privileges.

Three of the vulnerabilities – CVE-2022-20699, CVE-2022-20700, and CVE-2022-20708 – are rated 10 out of 10 on the CVSS rating scale, enabling an attacker to inject malicious commands, elevate privileges to root, and run arbitrary code on vulnerable systems.

CVE-2022-20701 (CVSS score: 9.0) and CVE-2022-20703 (CVSS score: 9.3) are no different in that they could allow an adversary to “execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service,” CISA added.

Cisco, for its part, previously acknowledged that it’s “aware that proof-of-concept exploit code is available for several of the vulnerabilities.” Further details about the nature of the attacks, or about the threat actors that may be weaponizing the flaws, are not yet known.

To reduce the significant risk of the vulnerabilities and prevent them from being used as a vector for potential cyber-attacks, federal agencies in the U.S. are mandated to apply the patches by March 17, 2022.

The development comes shortly after Cisco released patches for critical security vulnerabilities affecting Expressway Series and Cisco TelePresence Video Communication Server (VCS) this week that could be exploited by a malicious party to gain elevated privileges and execute arbitrary code.


Anonymous #OpRussia Thousands of Sites Hacked, Data Leaks and More


Anonymous and its affiliates continue to target Russia and Belarus, including the Russian disinformation machine.

Anonymous announced that it had hacked more than 2,500 websites linked to the Russian and Belarusian governments, state-owned media outlets spreading disinformation, Russian private organizations, banks, hospitals and airports. The attacks were conducted as part of #OpRussia, launched by the collective after the violent and illegitimate invasion of Ukraine.

The popular collective, along with white hat hackers and researchers who responded to the call to arms against Russia, also targeted prominent cybercrime gangs that announced their support for Moscow. Pro-Ukraine hackers leaked thousands of internal chats from the Conti ransomware group along with the source code for their malware.

A few hours ago, the Anonymous-linked group ATW announced that it had breached and leaked the database of the Russian energy giant Gazprom.

Anonymous also leaked the database of the Russian Government website [http://gov.ru], which includes subdomains and back-end IPs for every server, and that of the website of the Ministry of Economic Development of Russia.

The list of targeted entities is long; it includes the official website of the Government of the Republic of Crimea (http://rk.gov.ru) and the website of the Russian Space Agency “Roscosmos”.

One of the most clamorous leaks announced is related to documents allegedly stolen from Russian troops that show Moscow’s planning for this war. The war plan was approved on 18th January, and the initial plan was to occupy Ukraine by March 6.

“Anonymous publicly spread on its social network channels the alleged invasion plans by Moscow in Ukraine. According to the hackers, the attack was reportedly approved on January 18th, 2022 and included a blitzkrieg from February 20th to March 6th.” reported Avionews. “The activists have also made available to everyone geographical maps and strategic files written in Cyrillic language and belonging to the Black Sea Fleet of the Russian Navy. At the moment it has not been possible to verify the authenticity of the published documents, therefore the reliability of the source remains difficult to verify.” 

Anonymous also attempted to support military operations on the field by hacking into IP cameras that were used to monitor the movements of Ukrainians.

“#Russian IP cameras were put in place to monitor #Ukrainian movements. We made sure to lock the Russians out of their own little spying devices by changing their default passwords and knocking their stuff offline” was the message published by the collective on Twitter.

Anonymous will continue to support Ukraine against the invaders …. stay tuned!



Firefox Vulnerability: Exploited in The Wild – Update Now!


Mozilla has published Firefox 97.0.2, an “out-of-band” update that closes two bugs that are officially listed as critical.


Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs, which means, in simple terms, that the crooks got there first:

We have had reports of attacks in the wild abusing [these] flaw[s].

Access to information about the bugs is still restricted to Mozilla insiders, presumably to make it harder for attackers to get at the technical details of how to exploit these security holes.

Assuming that the existing zero-day exploits are not widely known (these days, true zero-days are often jealously guarded by their discoverers because they’re considered both scarce and valuable), temporarily limiting access to the source code changes does provide some protection against copycat attacks.

As we’ve mentioned many times before on Naked Security, finding and exploiting a zero-day hole when you know where to start looking, and what to start looking for, is very much easier than discovering such a bug from scratch.

The bugs are listed as:

  • CVE-2022-26485. Use-after-free in XSLT parameter processing. This bug has apparently already been exploited for remote code execution (RCE), implying that attackers with no existing privileges or accounts on your computer could trick you into running malware code of their choice simply by luring you to an innocent-looking but booby-trapped website.
  • CVE-2022-26486. Use-after-free in WebGPU IPC Framework. This bug has apparently already been exploited for what’s known as a sandbox escape. This sort of security hole can typically be abused on its own (for example, to give an attacker access to files that are supposed to be off limits), or in combination with an RCE bug to allow implanted malware to escape from the security confines imposed by your browser, thus making an already bad situation even worse.

Use-after-free bugs occur when one part of a program signals its intention to stop using a chunk of memory that was allocated to it…

…but carries on using it anyway, thus potentially trampling on data that other parts of the program are now relying on.

In the best case, a use-after-free bug typically leads to corrupted data or to a program crash, either of which can be considered a security problem in its own right.

In the worst case, a use-after-free leads to remote code execution, where the data that’s trampled on is wilfully modified by the attackers to trick the program into running untrusted code from outside.


What to do?

Go to the About Firefox dialog to check your current version.

If you are out of date then Firefox will offer to fetch the update and then present a [Restart Firefox] button; click the button, or exit and restart the browser, to deploy the update.

The version numbers you want are: Firefox 97.0.2 (if you are using the regular release), or Firefox 91.6.1 ESR (if you are using the extended support release), or Firefox 97.3.0 for Android.

If you’re on Android, check for updates via the Play Store.

If you’re a Linux user where Firefox is managed by your distro, check your distro creator.

Note that if you are not yet on the latest major version (97.0 for regular Firefox, or 91.6 for the Extended Support Release), you may need to complete the update in multiple stages, so be sure to re-visit the About Firefox dialog after each update has been installed, to make sure you have finished all needed update-and-restart cycles.


Malware Using NVIDIA’s Recently Stolen Code Signing Certificates


Threat actors are using stolen NVIDIA code signing certificates to sign malware so that it appears trustworthy and to allow malicious drivers to be loaded in Windows.

This week, NVIDIA confirmed that they suffered a cyberattack that allowed threat actors to steal employee credentials and proprietary data.

The extortion group, known as Lapsus$, states that they stole 1TB of data during the attack and began leaking the data online after NVIDIA refused to negotiate with them.


The leak includes two stolen code-signing certificates used by NVIDIA developers to sign their drivers and executables.

What is a code signing certificate?

A code-signing certificate allows developers to digitally sign executables and drivers so that Windows and end users can verify who published the file and whether it has been tampered with by a third party.

To increase security in Windows, Microsoft also requires kernel-mode drivers to be code signed before the operating system will load them.

NVIDIA certificates used to sign malware

After Lapsus$ leaked NVIDIA’s code-signing certificates, security researchers quickly found that the certificates were being used to sign malware and other tools used by threat actors.

According to samples uploaded to the VirusTotal malware scanning service, the stolen certificates were used to sign various malware and hacking tools, such as Cobalt Strike beacons, Mimikatz, backdoors, and remote access trojans.

For example, one threat actor used the certificate to sign a Quasar remote access trojan [VirusTotal], while someone else used the certificate to sign a Windows driver [VirusTotal].

Some of the files were likely uploaded to VirusTotal by security researchers but others appear to be used by threat actors for malware campaigns [12].

While both stolen NVIDIA certificates are expired, Windows will still allow a driver signed with the certificates to be loaded in the operating system.

Therefore, using these stolen certificates, threat actors gain the advantage of making their programs look like legitimate NVIDIA programs and allowing malicious drivers to be loaded by Windows.

To prevent known vulnerable drivers from being loaded in Windows, David Weston, director of enterprise and OS security at Microsoft, tweeted that admins can configure Windows Defender Application Control policies to control what NVIDIA drivers can be loaded.

However, using WDAC is not an easy task, especially for non-IT Windows users.

Due to the potential for abuse, it is hoped that the stolen certificates will be added to Microsoft’s certificate revocation list in the future to prevent malicious drivers from loading in Windows.

However, doing so will cause legitimate NVIDIA drivers to be blocked as well, so we will likely not see this happening soon.
