Forums

Am vazut Twitter-ul plin despre asta, doar ca pare atat de simplu incat intrebarea e: de ce nu s-a facut mai demult?  

Asa e 

Mi s-a parut interesant articolul + video-ul, de aceea am postat. Imi dau seama ca nu este usor un astfel de atac .... cum zici si tu.

Cred ca este cainele lui @Zatarra .... a facut iar prostii. 

CVSS score mic.  

http://breached.io/      Ce vrea sa fie acel animal?  

Dap, interesant dar de citit partea asta. E la fel de "eficient" ca Evil Twin, doar ca aici cred ca se poate face conexiunea automat.  Oricum in practica MiTM nu e asa de util, majoritatea clientilor valideaza certificatele. Sunt desigur exceptii urate care pot duce la probleme serioase, dar un atac cap-coada e destul de greu de pus la punct. 

Researchers have discovered a new security vulnerability stemming from a design flaw in the IEEE 802.11 Wi-Fi standard that tricks victims into connecting to a less secure wireless network and eavesdrop on their network traffic.   The SSID Confusion attack, tracked as CVE-2023-52424, impacts all operating systems and Wi-Fi clients, including home and mesh networks that are based on WEP, WPA3, 802.11X/EAP, and AMPE protocols.   The method "involves downgrading victims to a less secure network by spoofing a trusted network name (SSID) so they can intercept their traffic or carry out further attacks," TopVPN said, which collaborated with KU Leuven professor and researcher Mathy Vanhoef.   "A successful SSID Confusion attack also causes any VPN with the functionality to auto-disable on trusted networks to turn itself off, leaving the victim's traffic exposed."   The issue underpinning the attack is the fact that the Wi-Fi standard does not require the network name (SSID or the service set identifier) to always be authenticated and that security measures are only required when a device opts to join a particular network.   The net effect of this behavior is that an attacker could deceive a client into connecting to an untrusted Wi-Fi network than the one it intended to connect to by staging an adversary-in-the-middle (AitM) attack.   "In our attack, when the victim wants to connect to the network TrustedNet, we trick it into connecting to a different network WrongNet that uses similar credentials," researchers Héloïse Gollier and Vanhoef outlined. "As a result, the victim's client will think, and show the user, that it is connected to TrustedNet, while in reality it is connected to WrongNet."   In other words, even though passwords or other credentials are mutually verified when connecting to a protected Wi-Fi network, there is no guarantee that the user is connecting to the network they want to.       There are certain prerequisites to pulling off the downgrade attack - The victim wants to connect to a trusted Wi-Fi network There is a rogue network available with the same authentication credentials as the first The attacker is within range to perform an AitM between the victim and the trusted network   Proposed mitigations to counter SSID Confusion include an update to the 802.11 Wi-Fi standard by incorporating the SSID as part of the 4-way handshake when connecting to protected networks, as well as improvements to beacon protection that allow a "client [to] store a reference beacon containing the network's SSID and verify its authenticity during the 4-way handshake."   Beacons refer to management frames that a wireless access point transmits periodically to announce its presence. It contains information such as the SSID, beacon interval, and the network's capabilities, among others.   "Networks can mitigate the attack by avoiding credential reuse across SSIDs," the researchers said. "Enterprise networks should use distinct RADIUS server CommonNames, while home networks should use a unique password per SSID."   The findings come nearly three months after two authentication bypass flaws were disclosed in open-source Wi-Fi software such as wpa_supplicant and Intel's iNet Wireless Daemon (IWD) that could deceive users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.   Last August, Vanhoef also revealed that the Windows client for Cloudflare WARP could be tricked into leaking all DNS requests, effectively allowing an adversary to spoof DNS responses and intercept nearly all traffic.   Source: https://thehackernews.com/2024/05/new-wi-fi-vulnerability-enabling.html

Security researchers have disclosed almost a dozen security flaws impacting the GE HealthCare Vivid Ultrasound product family that could be exploited by malicious actors to tamper with patient data and even install ransomware under certain circumstances.   "The impacts enabled by these flaws are manifold: from the implant of ransomware on the ultrasound machine to the access and manipulation of patient data stored on the vulnerable devices," operational technology (OT) security vendor Nozomi Networks said in a technical report.   The security issues impact the Vivid T9 ultrasound system and its pre-installed Common Service Desktop web application, which is exposed on the localhost interface of the device and allows users to perform administrative actions.   They also affect another software program called EchoPAC that's installed on a doctor's Windows workstation to help them access multi-dimensional echo, vascular, and abdominal ultrasound images.   That being said, successful exploitation of the flaws requires a threat actor to first gain access to the hospital environment and physically interact with the device, after which they can be exploited to achieve arbitrary code execution with administrative privileges. In a hypothetical attack scenario, a malicious actor could lock out the Vivid T9 systems by implanting a ransomware payload and even exfiltrate or tamper with patient data.   The most severe of the vulnerabilities is CVE-2024-27107 (CVSS score: 9.6), which concerns the use of hard-coded credentials. Other identified shortcomings relate to command injection (CVE-2024-1628), execution with unnecessary privileges (CVE-2024-27110 and CVE-2020-6977), path traversal (CVE-2024-1630 and CVE-2024-1629), and protection mechanism failure (CVE-2020-6977).   The exploit chain devised by Nozomi Networks takes advantage of CVE-2020-6977 to get local access to the device and then weaponizes CVE-2024-1628 to attain code execution.   "However, to speed up the process, [...] an attacker may also abuse the exposed USB port and attach a malicious thumb drive that, by emulating the keyboard and mouse, automatically performs all necessary steps at faster-than-human speed," the company said.   Alternatively, an adversary could obtain access to a hospital's internal network using stolen VPN credentials gathered via other means (e.g., phishing or data leak), scan for vulnerable installations of EchoPAC, and then exploit CVE-2024-27107 to gain unfettered access to the patient's database, effectively compromising its confidentially, integrity, and availability.     GE HealthCare, in a set of advisories, said "existing mitigations and controls" reduce the risks posed by these flaws to acceptable levels.   "In the unlikely event a malicious actor with physical access could render the device unusable, there would be clear indicators of this to the intended user of the device," it noted. "The vulnerability can only be exploited by someone with direct, physical access to the device."   The disclosure comes weeks after security flaws were also uncovered in the Merge DICOM Toolkit for Windows (CVE-2024-23912, CVE-2024-23913, and CVE-2024-23914) that could used to trigger a denial-of-service (DoS) condition on the DICOM service. The issues have been addressed in version v5.18 [PDF] of the library.   It also follows the discovery of a maximum-severity security flaw in the Siemens SIMATIC Energy Manager (EnMPro) product (CVE-2022-23450, CVSS score: 10.0) that could be exploited by a remote attacker to execute arbitrary code with SYSTEM privileges by sending maliciously crafted objects.   "An attacker successfully exploiting this vulnerability could remotely execute code and gain complete control over an EnMPro server," Claroty security researcher Noam Moshe said.   Users are highly recommended to update to version V7.3 Update 1 or later as all versions prior to it contain the insecure deserialization vulnerability.   Security weaknesses have also been unearthed in the ThroughTek Kalay Platform integrated within Internet of Things (IoT) devices (from CVE-2023-6321 through CVE-2023-6324) that allows an attacker to escalate privileges, execute commands as root, and establish a connection with a victim device.   "When chained together, these vulnerabilities facilitate unauthorized root access from within the local network, as well as remote code execution to completely subvert the victim device," Romanian cybersecurity company Bitdefender said. "Remote code execution is only possible after the device has been probed from the local network."   The vulnerabilities, patched as of April 2024 following responsible disclosure in October 2023, have been found to impact baby monitors, and indoor security cameras from vendors like Owlet, Roku, and Wyze, permitting threat actors to daisy-chain them in order to execute arbitrary commands on the devices.   "The ramifications of these vulnerabilities extend far beyond the realm of theoretical exploits, as they directly impact on the privacy and safety of users relying on devices powered by ThroughTek Kalay," the company added.   Source: https://thehackernews.com/2024/05/researchers-uncover-11-security-flaws.html

Law enforcement agencies have officially seized control of the notorious BreachForums platform, an online bazaar known for peddling stolen data, for the second time within a year.   The website ("breachforums[.]st") has been replaced by a seizure banner stating the clearnet cybercrime forum is under the control of the U.S. Federal Bureau of Investigation (FBI).   The operation is the result of a collaborative effort from authorities in Australia, Iceland, New Zealand, Switzerland, the U.K., the U.S., and Ukraine.   The FBI has also taken control of the Telegram channel operated by Baphomet, who became the administrator of the forum following the arrest of his predecessor Conor Brian Fitzpatrick (aka pompompurin) in March last year.   It's worth noting a prior iteration of BreachForums, hosted at breached.vc/.to/.co and managed by pompompurin, was seized by law enforcement in late June 2023.   "This Telegram chat is under the control of the FBI," a message posted on the channel reads. "The BreachForums website has been taken down by the FBI and DOJ with assistance from international partners."     "We are reviewing the site's backend data. If you have information to report about cyber criminal activity on BreachForums, please contact us: https://t.me/fbi_breachforums breachforums@fbi.gov breachforums.ic3.gov."   It's currently not clear if Baphomet and his other fellow administrator ShinyHunters have been arrested, although the seizure banner depicts the profile pictures associated with both of them as behind bars.   "From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc and run by ShinyHunters) was operating as a clearnet marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services," the agencies said.   BreachForums emerged in March 2022 following the law enforcement dismantling of RaidForums and the arrest of its owner "Omnipotent." Following its shutdown in 2023, it resurfaced again after Baphomet teamed up with ShinyHunters to launch a new site under the same name.   Source: https://thehackernews.com/2024/05/fbi-seizes-breachforums-again-urges.html