akkiliON last won the day on October 25

akkiliON had the most liked content!


  1. Virtualization services provider VMware has alerted customers to the existence of a proof-of-concept (PoC) exploit for a recently patched security flaw in Aria Operations for Logs. Tracked as CVE-2023-34051 (CVSS score: 8.1), the high-severity vulnerability relates to a case of authentication bypass that could lead to remote code execution. "An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution," VMware noted in an advisory on October 19, 2023. James Horseman from Horizon3.ai and the Randori Attack Team have been credited with discovering and reporting the flaw. Horizon3.ai has since made available a PoC for the vulnerability, prompting VMware to revise its advisory this week. It's worth noting that CVE-2023-34051 is a patch bypass for a set of critical flaws that were addressed by VMware earlier this January that could expose users to remote code execution attacks. "This patch bypass would not be very difficult for an attacker to find," Horseman said. "This attack highlights the importance of defense in depth. A defender can't always trust that an official patch fully mitigates a vulnerability." The disclosure comes as Citrix released an advisory of its own, urging customers to apply fixes for CVE-2023-4966 (CVSS score: 9.4), a critical security vulnerability affecting NetScaler ADC and NetScaler Gateway that has come under active exploitation in the wild. "We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability," the company said this week, corroborating a report from Google-owned Mandiant. The exploitation efforts are also likely to ramp up in the coming days given the availability of a PoC exploit, dubbed Citrix Bleed. "Here we saw an interesting example of a vulnerability caused by not fully understanding snprintf," Assetnote researcher Dylan Pindur said. 
"Even though snprintf is recommended as the secure version of sprintf it is still important to be careful. A buffer overflow was avoided by using snprintf but the subsequent buffer over-read was still an issue." The active exploitation of CVE-2023-4966 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies in the U.S. to apply the latest patches by November 8, 2023. The latest developments also follow the release of updates for three critical remote code execution vulnerabilities in SolarWinds Access Rights Manager (CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187, CVSS scores: 9.8) that remote attackers could use to run code with SYSTEM privileges. Source: https://thehackernews.com/2023/10/alert-poc-exploits-released-for-citrix.html
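The snprintf point in the post above, shown as an added example (not Citrix's code and not the actual NetScaler routine): C's snprintf never writes more than size-1 bytes plus a NUL, but it returns the length the whole formatted string would have had, so code that uses that return value as "bytes now in the buffer" copies adjacent memory into the response. The buffer layout, the 32-byte size and the "session cookie" bytes are constructed for the model.

```python
"""Model of the snprintf return-value mistake behind a session-token over-read.
Added example; not Citrix's code. The memory layout, buffer size and the
cookie bytes are constructed so the over-read is visible."""

BUF_OFF, BUF_SIZE = 0, 32          # response buffer lives at mem[0:32] in this model


def snprintf_model(mem: bytearray, off: int, size: int, text: bytes) -> int:
    """snprintf(mem+off, size, "%s", text): truncating write, FULL-length return."""
    written = min(len(text), size - 1)
    mem[off:off + written] = text[:written]
    mem[off + written] = 0          # the terminating NUL always fits
    return len(text)                # what C returns: not the number of bytes written


def make_memory() -> bytearray:
    """Constructed process memory: the response buffer followed by unrelated live
    data (a session cookie) that must never be copied into a response."""
    mem = bytearray(128)
    cookie = b"NSC_AAAC=c0ffee5e55i0n1d0000000000000000;"   # constructed value
    mem[BUF_OFF + BUF_SIZE:BUF_OFF + BUF_SIZE + len(cookie)] = cookie
    return mem


def respond_vulnerable(mem: bytearray, client_value: bytes) -> bytes:
    """Bug: uses snprintf's return value as the number of bytes to send."""
    n = snprintf_model(mem, BUF_OFF, BUF_SIZE, client_value)
    return bytes(mem[BUF_OFF:BUF_OFF + n])       # reads past the buffer when n >= BUF_SIZE


def respond_fixed(mem: bytearray, client_value: bytes) -> bytes:
    """Treats a return value >= size as truncation and refuses to build the response."""
    n = snprintf_model(mem, BUF_OFF, BUF_SIZE, client_value)
    if n >= BUF_SIZE:
        raise ValueError("formatted value did not fit; refusing to build response")
    return bytes(mem[BUF_OFF:BUF_OFF + n])


def leaks_cookie(response: bytes) -> bool:
    """Detection helper: did the cookie bytes end up in what we would send?"""
    return b"NSC_AAAC=" in response


if __name__ == "__main__":
    oversized = b"A" * 96            # attacker-controlled header value, longer than the buffer
    r = respond_vulnerable(make_memory(), oversized)
    print(len(r), "bytes returned, cookie leaked:", leaks_cookie(r))
    try:
        respond_fixed(make_memory(), oversized)
    except ValueError as err:
        print("fixed:", err)
```

The fix is deliberately a hard failure rather than a clamp to size-1: a truncated value is a protocol error, and silently sending a shortened response hides the same bug class that the return-value check is meant to surface.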
  2. The threat actor known as Winter Vivern has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023, to harvest email messages from victims' accounts. "Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET security researcher Matthieu Faou said in a new report published today. "Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs-of-concept are available online." Winter Vivern, also known as TA473 and UAC-0114, is an adversarial collective whose objectives align with that of Belarus and Russia. Over the past few months, it has been attributed to attacks against Ukraine and Poland, as well as government entities across Europe and India. The group is also assessed to have exploited another Roundcube flaw previously (CVE-2020-35730), making it the second nation-state group after APT28 to target the open-source webmail software. The new security vulnerability in question is CVE-2023-5631 (CVSS score: 5.4), a stored cross-site scripting flaw that could allow a remote attacker to load arbitrary JavaScript code. A fix was released on October 14, 2023. Attack chains mounted by the group commence with a phishing message that incorporates a Base64-encoded payload in the HTML source code that, in turn, decodes to a JavaScript injection from a remote server by weaponizing the XSS flaw. "In summary, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user's browser window," Faou explained. "No manual interaction other than viewing the message in a web browser is required." The second-stage JavaScript (checkupdate.js) is a loader that facilitates the execution of a final JavaScript payload that allows the threat actor to exfiltrate email messages to a command-and-control (C2) server. 
"Despite the low sophistication of the group's toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities," Faou said. Source: https://thehackernews.com/2023/10/nation-state-hackers-exploiting-zero.html
  3. Blog: https://msrc.microsoft.com/blog/2023/08/congratulations-to-the-msrc-2023-most-valuable-security-researchers/ Leaderboard (2023 MVR): https://msrc.microsoft.com/leaderboard There are two more people on the list and they are RST members: @Zatarra @adiivascu. Cheers:
  4. Microsoft on Friday said a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by a malicious actor known as Storm-0558 using a Microsoft account (MSA) consumer signing key to breach two dozen organizations. "Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com," the tech giant said in a deeper analysis of the campaign. "The method by which the actor acquired the key is a matter of ongoing investigation." "Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected." It's not immediately clear if the token validation issue was exploited as a "zero-day vulnerability" or if Microsoft was already aware of the problem before it came under in-the-wild abuse. The attacks singled out approximately 25 organizations, including government entities and associated consumer accounts, to gain unauthorized email access and exfiltrate mailbox data. No other environment is said to have been impacted. The company was tipped off about the incident after the U.S. State Department detected anomalous email activity related to Exchange Online data access. Storm-0558 is suspected to be a China-based threat actor conducting malicious cyber activities that are consistent with espionage, although China has refuted the allegations. Primary targets of the hacking crew include U.S. and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests, as well as media companies, think tanks, and telecommunications equipment and service providers. It's said to have been active since at least August 2021, orchestrating credential harvesting, phishing campaigns, and OAuth token attacks aimed at Microsoft accounts to pursue its goals. 
"Storm-0558 operates with a high degree of technical tradecraft and operational security," Microsoft said, describing it as technically adept, well-resourced, and having an acute understanding of various authentication techniques and applications. "The actors are keenly aware of the target's environment, logging policies, authentication requirements, policies, and procedures." Initial access to target networks is realized through phishing and exploitation of security flaws in public-facing applications, leading to the deployment of the China Chopper web shell for backdoor access and a tool called Cigril to facilitate credential theft. Also employed by Storm-0558 are PowerShell and Python scripts to extract email data such as attachments, folder information, and entire conversations using Outlook Web Access (OWA) API calls. Microsoft said since the discovery of the campaign on June 16, 2023, it has "identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer, and coordinated with multiple government entities." It also noted it mitigated the issue "on customers' behalf" effective June 26, 2023. The exact scope of the breach remains unclear, but it's the latest example of a China-based threat actor conducting cyberattacks seeking sensitive information and pulling off a stealthy intelligence coup without attracting any attention for at least a month before it was uncovered in June 2023. The disclosure comes as Microsoft has faced criticism for its handling of the hack and for gating forensic capabilities behind additional licensing barriers, thereby preventing customers from accessing detailed audit logs that could have otherwise helped analyze the incident. "Charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags," U.S. Senator Ron Wyden was quoted as saying. 
The development also arrives as the U.K.'s Intelligence and Security Committee of Parliament (ISC) published a detailed Report on China, calling out its "highly effective cyber espionage capability" and its ability to penetrate a diverse range of foreign government and private sector IT systems. Source: https://thehackernews.com/2023/07/microsoft-bug-allowed-hackers-to-breach.html
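The validation error described in the post above, modelled as an added example (not Microsoft's code): a verifier that selects the signing key by `kid` alone accepts an enterprise token signed with a key that was only ever meant for consumer tokens. HMAC-SHA256 stands in for the RSA signatures real Azure AD tokens carry; the key ids, secrets, issuers and audiences are constructed, and the `for_issuers` field is the scoping metadata the fixed verifier enforces.

```python
"""Model of key-scope validation for signed tokens. Added example; not
Microsoft's code. HS256 replaces RS256 and every identifier is constructed."""
import base64
import hashlib
import hmac
import json

# Constructed key store. Each key records which issuer(s) it may sign for.
KEYS = {
    "msa-2016-key": {"secret": b"consumer-signing-secret",
                     "for_issuers": {"https://login.live.com"}},
    "aad-contoso-key": {"secret": b"enterprise-signing-secret",
                        "for_issuers": {"https://login.microsoftonline.com/contoso/v2.0"}},
}


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(kid: str, claims: dict) -> str:
    """Mints a JWS-style token. Anyone holding the key's secret can call this,
    which is the situation after a signing key has been acquired by an attacker."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64u_dec(h)), json.loads(_b64u_dec(p)), h + "." + p, _b64u_dec(s)


def _verify(token: str, expected_issuer: str, expected_audience: str, now: int,
            enforce_key_scope: bool):
    header, claims, signing_input, sig = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        return None
    if claims.get("exp", 0) <= now:
        return None
    # The missing check: a signature can be cryptographically valid under a key
    # the verifier knows, yet that key was never authorised to sign for this issuer.
    if enforce_key_scope and expected_issuer not in key["for_issuers"]:
        return None
    return claims


def verify_vulnerable(token, expected_issuer, expected_audience, now):
    """Trusts any known key whose kid appears in the header."""
    return _verify(token, expected_issuer, expected_audience, now, enforce_key_scope=False)


def verify_fixed(token, expected_issuer, expected_audience, now):
    """Additionally requires the key to be scoped to the token's issuer."""
    return _verify(token, expected_issuer, expected_audience, now, enforce_key_scope=True)


if __name__ == "__main__":
    NOW = 1_690_000_000
    AAD = "https://login.microsoftonline.com/contoso/v2.0"
    AUD = "https://outlook.office365.com"
    # Attacker holds the consumer key and mints an enterprise token with it.
    forged = sign("msa-2016-key", {"iss": AAD, "aud": AUD, "sub": "victim", "exp": NOW + 3600})
    print("vulnerable accepts forged token:", verify_vulnerable(forged, AAD, AUD, NOW) is not None)
    print("fixed accepts forged token:", verify_fixed(forged, AAD, AUD, NOW) is not None)
```

The check that matters is the last one in `_verify`: signature validity, issuer, audience and expiry are all satisfied by the forged token, so only binding each key to the issuers it may sign for distinguishes it from a legitimate one.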
  5. With generative artificial intelligence (AI) becoming all the rage these days, it's perhaps not surprising that the technology has been repurposed by malicious actors to their own advantage, enabling avenues for accelerated cybercrime. According to findings from SlashNext, a new generative AI cybercrime tool called WormGPT has been advertised on underground forums as a way for adversaries to launch sophisticated phishing and business email compromise (BEC) attacks. "This tool presents itself as a blackhat alternative to GPT models, designed specifically for malicious activities," security researcher Daniel Kelley said. "Cybercriminals can use such technology to automate the creation of highly convincing fake emails, personalized to the recipient, thus increasing the chances of success for the attack." The author of the software has described it as the "biggest enemy of the well-known ChatGPT" that "lets you do all sorts of illegal stuff." In the hands of a bad actor, tools like WormGPT could be a powerful weapon, especially as OpenAI ChatGPT and Google Bard are increasingly taking steps to combat the abuse of large language models (LLMs) to fabricate convincing phishing emails and generate malicious code. "Bard's anti-abuse restrictors in the realm of cybersecurity are significantly lower compared to those of ChatGPT," Check Point said in a report this week. "Consequently, it is much easier to generate malicious content using Bard's capabilities." Earlier this February, the Israeli cybersecurity firm disclosed how cybercriminals are working around ChatGPT's restrictions by taking advantage of its API, not to mention trade stolen premium accounts and sell brute-force software to hack into ChatGPT accounts by using huge lists of email addresses and passwords. 
The fact that WormGPT operates without any ethical boundaries underscores the threat posed by generative AI, even permitting novice cybercriminals to launch attacks swiftly and at scale without having the technical wherewithal to do so. Making matters worse, threat actors are promoting "jailbreaks" for ChatGPT, engineering specialized prompts and inputs that are designed to manipulate the tool into generating output that could involve disclosing sensitive information, producing inappropriate content, and executing harmful code. "Generative AI can create emails with impeccable grammar, making them seem legitimate and reducing the likelihood of being flagged as suspicious," Kelley said. "The use of generative AI democratizes the execution of sophisticated BEC attacks. Even attackers with limited skills can use this technology, making it an accessible tool for a broader spectrum of cybercriminals." The disclosure comes as researchers from Mithril Security "surgically" modified an existing open-source AI model known as GPT-J-6B to make it spread disinformation and uploaded it to a public repository like Hugging Face such that it could then be integrated into other applications, leading to what's called an LLM supply chain poisoning. The success of the technique, dubbed PoisonGPT, banks on the prerequisite that the lobotomized model is uploaded using a name that impersonates a known company, in this case, a typosquatted version of EleutherAI, the company behind GPT-J. Source: https://thehackernews.com/2023/07/wormgpt-new-ai-tool-allows.html
  6. Yes, that's right. They are going to present this at Defcon and at Black Hat USA (BHUSA). My reaction when I saw this article too.
  7. In what's an ingenious side-channel attack, a group of academics has found that it's possible to recover secret keys from a device by analyzing video footage of its power LED. "Cryptographic computations performed by the CPU change the power consumption of the device which affects the brightness of the device's power LED," researchers from the Ben-Gurion University of the Negev and Cornell University said in a study. By taking advantage of this observation, it's possible for threat actors to leverage video camera devices such as an iPhone 13 or an internet-connected surveillance camera to extract the cryptographic keys from a smart card reader. Specifically, video-based cryptanalysis is accomplished by obtaining video footage of rapid changes in an LED's brightness and exploiting the video camera's rolling shutter effect to capture the physical emanations. "This is caused by the fact that the power LED is connected directly to the power line of the electrical circuit which lacks effective means (e.g., filters, voltage stabilizers) of decoupling the correlation with the power consumption," the researchers said. In a simulated test, it was found that the method allowed for the recovery of a 256-bit ECDSA key from a smart card by analyzing video footage of the power LED flickers via a hijacked internet-connected security camera. A second experiment allowed for the extraction of a 378-bit SIKE key from a Samsung Galaxy S8 handset by training the camera of an iPhone 13 on the power LED of Logitech Z120 speakers connected to a USB hub that's also used to charge the phone. What makes the attack notable is that the modus operandi is non-intrusive, either banking on physical proximity or over the internet, to steal the cryptographic keys. That said, there are a few limitations to reliably pull off the scheme. It requires the camera to be placed 16 meters away from the smart card reader and in a manner such that it has a direct line of sight view of the power LED. 
Then there's the condition that the signatures are recorded for a duration of 65 minutes. It also presupposes that there exists a side-channel based on power consumption that leaks sensitive information which could be used for cryptanalysis, making such attacks an exception rather than a norm. To counter such attacks, it's recommended that LED manufacturers integrate a capacitor to reduce fluctuations in power consumption or, alternatively, cover the power LED with black tape on the consumer side to prevent leakage. Ben Nassi, the lead researcher behind the attack technique, has previously devised similar approaches in the past – Lamphone and Glowworm – that employ overhead hanging bulbs and a device's power indicator LED to eavesdrop on conversations. Then last year, the researchers demonstrated what's called the "little seal bug" attack that utilizes an optical side-channel associated with lightweight reflective objects to recover the content of a conversation. Source: https://thehackernews.com/2023/06/researchers-find-way-to-recover.html
  8. Europol on Tuesday announced that the takedown of EncroChat in July 2020 led to 6,558 arrests worldwide and the seizure of €900 million in illicit criminal proceeds. The law enforcement agency said that a subsequent joint investigation initiated by French and Dutch authorities intercepted and analyzed over 115 million conversations that took place over the encrypted messaging platform between no less than 60,000 users. Now almost three years later, the information obtained from digital correspondence has resulted in:
  • Arrests of 6,558 suspects, including 197 high-value targets
  • 7,134 years of imprisonment of convicted criminals
  • Confiscation of €739.7 million in cash
  • Freeze of €154.1 million in assets or bank accounts
  • Seizure of 30.5 million pills of chemical drugs
  • Seizure of 103.5 tonnes of cocaine, 163.4 tonnes of cannabis, and 3.3 tonnes of heroin
  • Seizure of 971 vehicles, 83 boats, and 40 planes
  • Seizure of 271 estates or homes, and
  • Seizure of 923 weapons, as well as 21,750 rounds of ammunition and 68 explosives
  EncroChat was an encrypted phone network that was used by organized crime groups to plot drug deals, money laundering, extortion, and even murders. "User hotspots were particularly present in source and destination countries for cocaine and cannabis trade, as well as in money laundering centers," Europol said at the time. The mobile devices were marketed as offering "perfect anonymity" to users, allowing them to operate with impunity through features like automatic deletion of messages and options to automatically erase them from a distance by the reseller. "EncroChat sold crypto telephones for around EUR 1,000 each, on an international scale," Europol said. "It also offered subscriptions with worldwide coverage, at a cost of EUR 1,500 for a six-month period, with 24/7 support." 
Unbeknownst to the users, the platform was infiltrated by French and Dutch law enforcement in early 2020, offering valuable insight into the groups and their modus operandi. The company's servers, which were operating from France, were taken down. The illegal use of encrypted communications has since led to the dismantling of another service called Sky ECC in March 2021. In June 2021, U.S. and Australian officials disclosed that they ran an encrypted chat service called ANoM (aka AN0M) for nearly three years to intercept 27 million messages exchanged between criminal gang members globally. Source: https://thehackernews.com/2023/06/encrochat-bust-leads-to-6558-criminals.html
  9. A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites. "This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met," Defiant's Wordfence said in an advisory. Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system. It impacts all versions of the plugin up to and including version 5.14.2. The problem, at its core, is a case of authentication bypass that arises as a result of insufficient encryption protections that are applied when customers are notified when they have abandoned their shopping carts on e-commerce sites without completing the purchase. Specifically, the encryption key is hard-coded in the plugin, thereby allowing malicious actors to login as a user with an abandoned cart. "However, there is a chance that by exploiting the authentication bypass vulnerability, an attacker can gain access to an administrative user account, or another higher-level user account if they have been testing the abandoned cart functionality," security researcher István Márton said. Following responsible disclosure on May 30, 2023, the vulnerability was addressed by the plugin developer, Tyche Softwares, on June 6, 2023, with version 5.15.0. The current version of Abandoned Cart Lite for WooCommerce is 5.15.2. The disclosure comes as Wordfence revealed another authentication bypass flaw impacting StylemixThemes' "Booking Calendar | Appointment Booking | BookIt" plugin (CVE-2023-2834, CVSS score: 9.8) that has over 10,000 WordPress installs. "This is due to insufficient verification on the user being supplied during booking an appointment through the plugin," Márton explained. 
"This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email." The flaw, affecting versions 2.3.7 and earlier, has been addressed in version 2.3.8, which was released on June 13, 2023. Source: https://thehackernews.com/2023/06/critical-flaw-found-in-wordpress-plugin.html
  10. Millions of software repositories on GitHub are likely vulnerable to an attack called RepoJacking, a new study has revealed. This includes repositories from organizations such as Google, Lyft, and several others, Massachusetts-based cloud-native security firm Aqua said in a Wednesday report. The supply chain vulnerability, also known as dependency repository hijacking, is a class of attacks that makes it possible to take over retired organizations or user names and publish trojanized versions of repositories to run malicious code. "When a repository owner changes their username, a link is created between the old name and the new name for anyone who downloads dependencies from the old repository," researchers Ilay Goldman and Yakir Kadkoda said. "However, it is possible for anyone to create the old username and break this link." Alternatively, a similar scenario could arise when a repository ownership is transferred to another user and the original account is deleted, thus allowing a bad actor to create an account with the old username. Aqua said a threat actor could leverage websites like GHTorrent to extract GitHub metadata associated with any public commits and pull requests to compile a list of unique repositories. An analysis of a subset of 1.25 million repositories for the month of June 2019 revealed that as many as 36,983 repositories were vulnerable to RepoJacking, denoting a 2.95% success rate. With GitHub containing more than 330 million repositories, the findings suggest that millions of repositories could be vulnerable to a similar attack. One such repository is google/mathsteps, which was previously under the ownership of Socratic (socraticorg/mathsteps), a company that was acquired by Google in 2018. "When you access https://github.com/socraticorg/mathsteps, you are being redirected to https://github.com/google/mathsteps so eventually the user will fetch Google's repository," the researchers said. 
"However, because the socraticorg organization was available, an attacker could open the socraticorg/mathsteps repository and users following Google's instructions will clone the attacker's repository instead. And because of the npm install this will lead to arbitrary code execution on the users." This is not the first time such concerns have been raised. In October 2022, GitHub moved to close a security loophole that could have been exploited to create malicious repositories and mount supply chain attacks by circumventing popular repository namespace retirement. To mitigate such risks, it's recommended that users periodically inspect their code for links that may be retrieving resources from external GitHub repositories. "If you change your organization name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it," the researchers said. Source: https://thehackernews.com/2023/06/alert-million-of-github-repositories.html
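The periodic inspection the post above recommends, as an added example (not Aqua's tooling): pull every github.com owner/repo reference out of dependency manifests and flag the ones whose owner name has moved, because those references only keep working through GitHub's redirect and an attacker who registers the old name takes them over. The manifests and the redirect table are constructed (the socraticorg to google case is the one the post names); the live resolver that follows GitHub's 301 is included for real use but is not exercised by the offline checks.

```python
"""RepoJacking audit of dependency manifests. Added example; not Aqua's code.
Sample manifests and the offline redirect table are constructed."""
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

Ref = Tuple[str, str]   # (owner, repo)

# Matches https/git/ssh forms: github.com/owner/repo, github.com:owner/repo.git, ...
_GH_REF = re.compile(
    r"github\.com[/:]([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?(?=[/\s\"'#@)]|$)"
)

# Constructed manifests of the kinds a project would contain.
SAMPLE_MANIFESTS: Dict[str, str] = {
    "package.json": '{"dependencies": {"mathsteps": "git+https://github.com/socraticorg/mathsteps.git", '
                    '"left-pad": "^1.3.0"}}',
    "requirements.txt": "requests==2.31.0\ngit+https://github.com/example-oldname/tool.git@v2.0#egg=tool\n",
    "go.mod": "module example.com/app\n\nrequire github.com/google/go-cmp v0.5.9\n",
}

# Offline stand-in for "where does GitHub send this name today?".
REDIRECTS: Dict[Ref, Ref] = {
    ("socraticorg", "mathsteps"): ("google", "mathsteps"),     # case named in the article
    ("example-oldname", "tool"): ("example-newname", "tool"),  # constructed
}


def find_github_refs(text: str) -> Set[Ref]:
    """Extracts (owner, repo) pairs from any manifest text."""
    return {(owner, repo) for owner, repo in _GH_REF.findall(text)}


def resolve_offline(owner: str, repo: str) -> Optional[Ref]:
    return REDIRECTS.get((owner, repo), (owner, repo))


def resolve_via_http(owner: str, repo: str) -> Optional[Ref]:
    """Live variant: GitHub answers a moved repository with a 301 whose Location
    carries the new owner/name; a name that resolves to nothing returns None."""
    import urllib.error
    import urllib.request

    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None   # surface the 301 as an HTTPError instead of following it

    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(f"https://github.com/{owner}/{repo}", method="HEAD")
    try:
        opener.open(req, timeout=10)
        return owner, repo
    except urllib.error.HTTPError as err:
        location = err.headers.get("Location", "")
        if err.code in (301, 302) and location:
            parts = location.rstrip("/").split("/")
            return parts[-2], parts[-1]
        if err.code == 404:
            return None
        raise


def audit(refs: Set[Ref], resolve: Callable[[str, str], Optional[Ref]]) -> List[dict]:
    """Flags references whose owner name no longer points where the manifest says."""
    findings = []
    for owner, repo in sorted(refs):
        target = resolve(owner, repo)
        if target is None:
            findings.append({"ref": f"{owner}/{repo}", "issue": "missing",
                             "detail": "not found on GitHub; check whether the owner name is free to register"})
        elif target != (owner, repo):
            findings.append({"ref": f"{owner}/{repo}", "issue": "redirected",
                             "detail": f"now {target[0]}/{target[1]}; old owner '{owner}' may be claimable"})
    return findings


def audit_manifests(manifests: Dict[str, str], resolve=resolve_offline) -> List[dict]:
    refs: Set[Ref] = set()
    for text in manifests.values():
        refs |= find_github_refs(text)
    return audit(refs, resolve)


if __name__ == "__main__":
    for finding in audit_manifests(SAMPLE_MANIFESTS):
        print(f"{finding['issue']:<10} {finding['ref']}: {finding['detail']}")
```

Swap `resolve_via_http` in for `resolve_offline` to run it against a real tree; a "redirected" finding is the signal to either re-point the manifest at the current owner or, if you control the old name, re-register it as the placeholder the post recommends.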
  11. Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild. This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the campaign is not known.
  • CVE-2023-32434 - An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.
  • CVE-2023-32435 - A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.
  The iPhone maker said it's aware that the two issues "may have been actively exploited against versions of iOS released before iOS 15.7," crediting Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin for reporting them. The advisory comes as the Russian cybersecurity vendor dissected the spyware implant used in the zero-click attack campaign targeting iOS devices via iMessages carrying an attachment embedded with an exploit for a remote code execution (RCE) vulnerability. The exploit code is also engineered to download additional components to obtain root privileges on the target device, after which the backdoor is deployed in memory and the initial iMessage is deleted to conceal the infection trail. The sophisticated implant, called TriangleDB, operates solely in the memory, leaving no traces of the activity following a device reboot. It also comes with diverse data collection and tracking capabilities. This includes "interacting with the device's file system (including file creation, modification, exfiltration, and removal), managing processes (listing and termination), extracting keychain items to gather victim credentials, and monitoring the victim's geolocation, among others." 
Kaspersky has also released a utility called "triangle_check" that organizations can use to scan iOS device backups and hunt for any signs of compromise on their devices. Also patched by Apple is a third zero-day CVE-2023-32439, which has been reported anonymously and could result in arbitrary code execution when processing malicious web content. The actively exploited flaw, described as a type confusion issue, has been addressed with improved checks. The updates are available for the following platforms:
  • iOS 16.5.1 and iPadOS 16.5.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • iOS 15.7.7 and iPadOS 15.7.7 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
  • macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8
  • watchOS 9.5.2 - Apple Watch Series 4 and later
  • watchOS 8.8.1 - Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE, and
  • Safari 16.5.1 - Macs running macOS Monterey
  With the latest round of fixes, Apple has resolved a total of nine zero-day flaws in its products since the start of the year. In February, the company plugged a WebKit flaw (CVE-2023-23529) that could lead to remote code execution. In April, it released updates to resolve two bugs (CVE-2023-28205 and CVE-2023-28206) that allowed for code execution with elevated privileges. Subsequently, in May, it shipped patches for three more vulnerabilities in WebKit (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) that could permit a threat actor to escape sandbox protection, access sensitive data, and execute arbitrary code. Source: https://thehackernews.com/2023/06/zero-day-alert-apple-releases-patches.html
  12. A security shortcoming in Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process could have been exploited to achieve full account takeover, researchers said. California-based identity and access management service Descope, which discovered and reported the issue in April 2023, dubbed it nOAuth. "nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications," Omer Cohen, chief security officer at Descope, said. The misconfiguration has to do with how a malicious actor can modify email attributes under "Contact Information" in the Azure AD account and exploit the "Log in with Microsoft" feature to hijack a victim account. To pull off the attack, all an adversary has to do is to create and access an Azure AD admin account and modify their email address to that of a victim and take advantage of the single sign-on scheme on a vulnerable app or website. "If the app merges user accounts without validation, the attacker now has full control over the victim's account, even if the victim doesn't have a Microsoft account," Cohen explained. Successful exploitation grants the adversary an "open field" to set up persistence, exfiltrate data, and carry out other post-exploitation activities based on the nature of the app. This stems from the fact that an email address is both mutable and unverified in Azure AD, prompting Microsoft to issue a warning not to use email claims for authorization purposes. The tech giant characterized the issue as an "insecure anti-pattern used in Azure AD (AAD) applications" where the use of the email claim from access tokens for authorization can lead to an escalation of privilege. "An attacker can falsify the email claim in tokens issued to applications," it noted. "Additionally, the threat of data leakage exists if applications use such claims for email lookup." 
It also said it identified and notified several multi-tenant applications with users that utilize an email address with an unverified domain owner. Source: https://thehackernews.com/2023/06/critical-noauth-flaw-in-microsoft-azure.html
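The nOAuth anti-pattern from the post above and its fix, as an added example (not Descope's or Microsoft's code): a relying app that links a "Log in with Microsoft" identity to a local account by the `email` claim is taken over by any tenant admin who sets their own account's email attribute to the victim's address, while an app that keys the federated identity on `(iss, sub)` (equivalently tenant id plus object id for Azure AD) and refuses to merge on email alone is not. The ID token claim sets, issuers and local user table are constructed.

```python
"""Account linking by email claim (vulnerable) versus by issuer+subject (fixed).
Added example; not Descope's or Microsoft's code. All claim values are constructed."""
from typing import Dict, Optional, Tuple

# Claims as they would arrive from a multi-tenant "Log in with Microsoft" flow.
ALICE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/example-tenant/v2.0",
    "tid": "example-tenant", "oid": "alice-oid", "sub": "alice-sub",
    "email": "alice@example.com",
}
ATTACKER_CLAIMS = {
    "iss": "https://login.microsoftonline.com/attacker-tenant/v2.0",
    "tid": "attacker-tenant", "oid": "attacker-oid", "sub": "attacker-sub",
    "email": "alice@example.com",   # attacker edited this attribute in their own tenant
    "preferred_username": "mallory@attacker-tenant.onmicrosoft.com",
}
NEW_USER_CLAIMS = {
    "iss": "https://login.microsoftonline.com/other-tenant/v2.0",
    "tid": "other-tenant", "oid": "carol-oid", "sub": "carol-sub",
    "email": "carol@other.example",
}


def make_app() -> Tuple[Dict[int, dict], Dict[Tuple[str, str], int]]:
    """Fresh relying-app state: local users by id, and federated identities
    already bound to local accounts, keyed by (iss, sub)."""
    users = {1: {"id": 1, "email": "alice@example.com", "role": "admin"}}
    links = {(ALICE_CLAIMS["iss"], ALICE_CLAIMS["sub"]): 1}
    return users, links


def _find_by_email(users: Dict[int, dict], email: str) -> Optional[dict]:
    return next((u for u in users.values() if u["email"] == email), None)


def _create(users: Dict[int, dict], email: str) -> dict:
    user = {"id": max(users) + 1, "email": email, "role": "user"}
    users[user["id"]] = user
    return user


def login_vulnerable(claims: dict, users, links) -> Tuple[str, Optional[dict]]:
    """Merges on the email claim, which the token's home tenant can set to anything."""
    user = _find_by_email(users, claims["email"]) or _create(users, claims["email"])
    return "ok", user


def login_fixed(claims: dict, users, links) -> Tuple[str, Optional[dict]]:
    """Identity key is (iss, sub). An unknown identity presenting an existing
    user's email is never merged; it is sent to an ownership proof instead."""
    key = (claims["iss"], claims["sub"])
    if key in links:
        return "ok", users[links[key]]
    email = claims.get("email", "")
    if _find_by_email(users, email) is not None:
        return "verification_required", None   # e.g. magic link to that mailbox
    user = _create(users, email)
    links[key] = user["id"]
    return "ok", user


if __name__ == "__main__":
    users, links = make_app()
    print("vulnerable:", login_vulnerable(ATTACKER_CLAIMS, users, links))
    users, links = make_app()
    print("fixed:     ", login_fixed(ATTACKER_CLAIMS, users, links))
```

Note that `login_fixed` still stores the email for display and contact, which is fine; what it never does is use that claim as the lookup key, which is the "insecure anti-pattern" the post quotes Microsoft on.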
  13. Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models. Of the nine security flaws, two are rated Critical and six are rated High in severity. One vulnerability is currently awaiting analysis. The list of impacted products is GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400. Topping the list of fixes are CVE-2018-1160 and CVE-2022-26376, both of which are rated 9.8 out of a maximum of 10 on the CVSS scoring system. CVE-2018-1160 concerns a nearly five-year-old out-of-bounds write bug in Netatalk versions before 3.1.12 that could allow a remote unauthenticated attacker to achieve arbitrary code execution. CVE-2022-26376 has been described as a memory corruption vulnerability in the Asuswrt firmware that could be triggered by means of a specially-crafted HTTP request. The seven other flaws are as follows:
  • CVE-2022-35401 (CVSS score: 8.1) - An authentication bypass vulnerability that could permit an attacker to send malicious HTTP requests to gain full administrative access to the device.
  • CVE-2022-38105 (CVSS score: 7.5) - An information disclosure vulnerability that could be exploited to access sensitive information by sending specially-crafted network packets.
  • CVE-2022-38393 (CVSS score: 7.5) - A denial-of-service (DoS) vulnerability that could be triggered by sending a specially-crafted network packet.
  • CVE-2022-46871 (CVSS score: 8.8) - The use of an out-of-date libusrsctp library that could open targeted devices to other attacks.
  • CVE-2023-28702 (CVSS score: 8.8) - A command injection flaw that could be exploited by a local attacker to execute arbitrary system commands, disrupt system, or terminate service.
  • CVE-2023-28703 (CVSS score: 7.2) - A stack-based buffer overflow vulnerability that could be exploited by an attacker with admin privileges to execute arbitrary system commands, disrupt system, or terminate service.
  • CVE-2023-31195 (CVSS score: N/A) - An adversary-in-the-middle (AitM) flaw that could lead to a hijack of a user's session.
  ASUS is recommending that users apply the latest updates as soon as possible to mitigate security risks. As a workaround, it's advising users to disable services accessible from the WAN side to avoid potential unwanted intrusions. "These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, [and] port trigger," the company said, urging customers to periodically audit their equipment as well as set up separate passwords for the wireless network and the router-administration page. Source: https://thehackernews.com/2023/06/asus-releases-patches-to-fix-critical.html
  14. Over 100,000 compromised OpenAI ChatGPT account credentials have found their way onto illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials. The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News. "The number of available logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023," the Singapore-headquartered company said. "The Asia-Pacific region has experienced the highest concentration of ChatGPT credentials being offered for sale over the past year." Other countries with the highest number of compromised ChatGPT credentials include Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh.

A further analysis has revealed that the majority of logs containing ChatGPT accounts have been breached by the notorious Raccoon info stealer, followed by Vidar and RedLine. Information stealers have become popular among cybercriminals for their ability to hijack passwords, cookies, credit cards, and other information from browsers, and cryptocurrency wallet extensions. "Logs containing compromised information harvested by info stealers are actively traded on dark web marketplaces," Group-IB said. "Additional information about logs available on such markets includes the lists of domains found in the log as well as the information about the IP address of the compromised host." Typically offered on a subscription-based pricing model, they have not only lowered the bar for cybercrime, but also serve as a conduit for launching follow-on attacks using the siphoned credentials.

"Many enterprises are integrating ChatGPT into their operational flow," Dmitry Shestakov, head of threat intelligence at Group-IB, said. "Employees enter classified correspondences or use the bot to optimize proprietary code. Given that ChatGPT's standard configuration retains all conversations, this could inadvertently offer a trove of sensitive intelligence to threat actors if they obtain account credentials." To mitigate such risks, it's recommended that users follow appropriate password hygiene practices and secure their accounts with two-factor authentication (2FA) to prevent account takeover attacks.

The development comes amid an ongoing malware campaign that's leveraging fake OnlyFans pages and adult content lures to deliver a remote access trojan and an information stealer called DCRat (or DarkCrystal RAT), a modified version of AsyncRAT. "In observed instances, victims were lured into downloading ZIP files containing a VBScript loader which is executed manually," eSentire researchers said, noting the activity has been underway since January 2023. "File naming convention suggests the victims were lured using explicit photos or OnlyFans content for various adult film actresses."

It also follows the discovery of a new VBScript variant of a malware called GuLoader (aka CloudEyE) that employs tax-themed decoys to launch PowerShell scripts capable of retrieving and injecting Remcos RAT into a legitimate Windows process. "GuLoader is a highly evasive malware loader commonly used to deliver info-stealers and Remote Administration Tools (RATs)," the Canadian cybersecurity company said in a report published earlier this month. "GuLoader leverages user-initiated scripts or shortcut files to execute multiple rounds of highly obfuscated commands and encrypted shellcode. The result is a memory-resident malware payload operating inside a legitimate Windows process."

Source: https://thehackernews.com/2023/06/over-100000-stolen-chatgpt-account.html
  15. A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions. First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis. "The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants," InQuest and Zscaler researchers said in an analysis published last week.

Mystic Stealer, like many other crimeware solutions that are offered for sale, focuses on pilfering data and is implemented in the C programming language. The control panel has been developed using Python. Updates to the malware in May 2023 incorporate a loader component that allows it to retrieve and execute next-stage payloads fetched from a command-and-control (C2) server, making it a more formidable threat. C2 communications are achieved using a custom binary protocol over TCP. As many as 50 operational C2 servers have been identified to date. The control panel, for its part, serves as the interface for buyers of the stealer to access data logs and other configurations.

Cybersecurity firm Cyfirma, which published a concurrent analysis of Mystic, said, "the author of the product openly invites suggestions for additional improvements in the stealer" through a dedicated Telegram channel, indicating active efforts to court the cybercriminal community. "It seems clear that the developer of Mystic Stealer is looking to produce a stealer on par with the current trends of the malware space while attempting to focus on anti-analysis and defense evasion," the researchers said.

The findings come as infostealers have emerged as a hot commodity in the underground economy, often serving as the precursor by facilitating the collection of credentials to enable initial access into target environments. Put differently, stealers are used as a foundation by other cybercriminals to launch financially motivated campaigns that employ ransomware and data extortion elements. The spike in popularity notwithstanding, off-the-shelf stealer malware is not only being marketed at affordable prices to appeal to a wider audience, but is also evolving to become more lethal, packing in advanced techniques to fly under the radar. The ever-evolving and volatile nature of the stealer universe is best exemplified by the steady introduction of new strains such as Album Stealer, Bandit Stealer, Devopt, Fractureiser, and Rhadamanthys in recent months. In a further sign of threat actors' attempts to evade detection, information stealers and remote access trojans have been observed packaged within crypters like AceCryptor, ScrubCrypt (aka BatCloak), and Snip3.

The development also comes as HP Wolf Security detailed a March 2023 ChromeLoader campaign codenamed Shampoo that's engineered to install a malicious extension in Google Chrome and steal sensitive data, redirect searches, and inject ads into a victim's browser session. "Users encountered the malware mainly from downloading illegal content, such as movies (Cocaine Bear.vbs), video games, or other," security researcher Jack Royer said. "These websites trick victims into running a malicious VBScript on their PCs that triggers the infection chain." The VBScript then proceeds to launch PowerShell code capable of terminating all existing Chrome windows and opening a new session with the unpacked rogue extension using the "--load-extension" command line argument.

It also follows the discovery of a new modular malware trojan christened Pikabot that has the ability to execute arbitrary commands and inject payloads that are provided by a C2 server, such as Cobalt Strike. The implant, active since early 2023, has been found to share resemblances with QBot with regard to distribution methods, campaigns, and malware behaviors, although there is no conclusive evidence connecting the two families. "Pikabot is a new malware family that implements an extensive set of anti-analysis techniques and offers common backdoor capabilities to load shellcode and execute arbitrary second-stage binaries," Zscaler said.

Source: https://thehackernews.com/2023/06/new-mystic-stealer-malware-targets-40.html
Alternative: https://www.zscaler.com/blogs/security-research/mystic-stealer
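The Chrome launch pattern the Shampoo write-up describes (a script host starting a fresh Chrome session with "--load-extension") can be turned into a simple process-creation detection. The following is an added example, not code from the post or from HP Wolf Security; the event fields, the script-host and user-writable path lists, and the sample events are assumptions constructed for illustration.

```python
# Added example (not code from the post or from HP Wolf Security): flags the launch pattern
# described above, a script host starting Chrome with --load-extension pointing at an unpacked
# extension. Event fields and sample events are constructed for illustration.
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
SIDELOAD_FLAGS = ("--load-extension", "--disable-extensions-except")  # real Chromium switches
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)

@dataclass
class ProcEvent:
    image: str         # new process name, e.g. chrome.exe
    parent_image: str  # parent process name, e.g. powershell.exe
    cmdline: str       # full command line as logged (Sysmon event 1 / Security 4688 style)

def loaded_extensions(cmdline):
    """Paths passed via --load-extension=..., quotes stripped, comma-separated lists split."""
    paths = []
    for m in EXT_RE.finditer(cmdline):
        paths += [p for p in (m.group(1) or m.group(2)).split(",") if p]
    return paths

def assess(ev):
    """Reasons the event matches the sideloaded-extension pattern; empty list means no match."""
    reasons = []
    if ev.image.lower() not in BROWSERS:
        return reasons
    cmd = ev.cmdline.lower()
    flags = [f for f in SIDELOAD_FLAGS if f in cmd]
    if not flags:
        return reasons
    reasons.append("browser started with " + ", ".join(flags))
    if ev.parent_image.lower() in SCRIPT_HOSTS:
        reasons.append("parent is a script host: " + ev.parent_image.lower())
    for path in loaded_extensions(ev.cmdline):
        if any(d in path.lower() + "\\" for d in USER_WRITABLE):
            reasons.append("unpacked extension in user-writable path: " + path)
    return reasons

CHROME = r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcEvent("chrome.exe", "powershell.exe",
              CHROME + r'--load-extension="C:\Users\victim\AppData\Local\Temp\ext1" --restore-last-session'),
    ProcEvent("chrome.exe", "explorer.exe", CHROME + "--profile-directory=Default"),
    ProcEvent("chrome.exe", "code.exe", CHROME + r"--load-extension=C:\dev\myext"),  # developer test
]
```

The third sample shows the expected false-positive class (a developer loading an unpacked extension from a project folder): it yields one weak reason, whereas the script-host launch from a Temp directory yields three, so alerting can be keyed on the count rather than on the flag alone.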