akkiliON

Posts posted by akkiliON

  1. 1 hour ago, Rares.M said:

    I know they do, but I'm not receiving the email with the reset link

    The following possibilities exist:

    1. The password reset mechanism isn't working.

    2. Or someone has access to your account and changed your email address, which is why you no longer receive the password reset link.

    3. The last possibility: the account no longer exists.

    Try creating an account to test the "forgot password?" mechanism.

    If you don't receive any link at your email address, it's clearly something wrong on their site. If you do receive the link, then it's a problem with your account.

    The last way to recover your account is to get in touch with support. Only they can still help you. Good luck :)

     

  2. 1 hour ago, Nytro said:

    Yep, interesting, but read this part. It's just as "efficient" as Evil Twin, except here I think the connection can be made automatically.

    Anyway, in practice MiTM isn't that useful, most clients validate certificates. There are of course ugly exceptions that can lead to serious problems, but an end-to-end attack is quite hard to put together.

    I found the article + video interesting, that's why I posted it. I realize such an attack isn't easy .... as you say too.

  3. New Wi-Fi Vulnerability
     

    Researchers have discovered a new security vulnerability stemming from a design flaw in the IEEE 802.11 Wi-Fi standard that tricks victims into connecting to a less secure wireless network and allows eavesdropping on their network traffic.

     

    The SSID Confusion attack, tracked as CVE-2023-52424, impacts all operating systems and Wi-Fi clients, including home and mesh networks that are based on WEP, WPA3, 802.11X/EAP, and AMPE protocols.

     

    The method "involves downgrading victims to a less secure network by spoofing a trusted network name (SSID) so they can intercept their traffic or carry out further attacks," said TopVPN, which collaborated with KU Leuven professor and researcher Mathy Vanhoef.

     

    "A successful SSID Confusion attack also causes any VPN with the functionality to auto-disable on trusted networks to turn itself off, leaving the victim's traffic exposed."

     

    The issue underpinning the attack is the fact that the Wi-Fi standard does not require the network name (SSID or the service set identifier) to always be authenticated and that security measures are only required when a device opts to join a particular network.

     

    The net effect of this behavior is that an attacker could deceive a client into connecting to an untrusted Wi-Fi network other than the one it intended to connect to by staging an adversary-in-the-middle (AitM) attack.

     

    "In our attack, when the victim wants to connect to the network TrustedNet, we trick it into connecting to a different network WrongNet that uses similar credentials," researchers Héloïse Gollier and Vanhoef outlined. "As a result, the victim's client will think, and show the user, that it is connected to TrustedNet, while in reality it is connected to WrongNet."

     

    In other words, even though passwords or other credentials are mutually verified when connecting to a protected Wi-Fi network, there is no guarantee that the user is connecting to the network they want to.

     

     
     

    There are certain prerequisites to pulling off the downgrade attack -

    • The victim wants to connect to a trusted Wi-Fi network
    • There is a rogue network available with the same authentication credentials as the first
    • The attacker is within range to perform an AitM between the victim and the trusted network

     

    Proposed mitigations to counter SSID Confusion include an update to the 802.11 Wi-Fi standard by incorporating the SSID as part of the 4-way handshake when connecting to protected networks, as well as improvements to beacon protection that allow a "client [to] store a reference beacon containing the network's SSID and verify its authenticity during the 4-way handshake."

     

    Beacons refer to management frames that a wireless access point transmits periodically to announce its presence. They contain information such as the SSID, beacon interval, and the network's capabilities, among others.

     

    "Networks can mitigate the attack by avoiding credential reuse across SSIDs," the researchers said. "Enterprise networks should use distinct RADIUS server CommonNames, while home networks should use a unique password per SSID."

     

    The findings come nearly three months after two authentication bypass flaws were disclosed in open-source Wi-Fi software such as wpa_supplicant and Intel's iNet Wireless Daemon (IWD) that could deceive users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.

     

    Last August, Vanhoef also revealed that the Windows client for Cloudflare WARP could be tricked into leaking all DNS requests, effectively allowing an adversary to spoof DNS responses and intercept nearly all traffic.

     

    Source: https://thehackernews.com/2024/05/new-wi-fi-vulnerability-enabling.html

    • Upvote 1
  4. GE HealthCare Ultrasound Machines
     
     

    Security researchers have disclosed almost a dozen security flaws impacting the GE HealthCare Vivid Ultrasound product family that could be exploited by malicious actors to tamper with patient data and even install ransomware under certain circumstances.

     

    "The impacts enabled by these flaws are manifold: from the implant of ransomware on the ultrasound machine to the access and manipulation of patient data stored on the vulnerable devices," operational technology (OT) security vendor Nozomi Networks said in a technical report.

     

    The security issues impact the Vivid T9 ultrasound system and its pre-installed Common Service Desktop web application, which is exposed on the localhost interface of the device and allows users to perform administrative actions.

     

    They also affect another software program called EchoPAC that's installed on a doctor's Windows workstation to help them access multi-dimensional echo, vascular, and abdominal ultrasound images.

     

    That being said, successful exploitation of the flaws requires a threat actor to first gain access to the hospital environment and physically interact with the device, after which they can be exploited to achieve arbitrary code execution with administrative privileges.

    In a hypothetical attack scenario, a malicious actor could lock out the Vivid T9 systems by implanting a ransomware payload and even exfiltrate or tamper with patient data.

     

    The most severe of the vulnerabilities is CVE-2024-27107 (CVSS score: 9.6), which concerns the use of hard-coded credentials. Other identified shortcomings relate to command injection (CVE-2024-1628), execution with unnecessary privileges (CVE-2024-27110 and CVE-2020-6977), path traversal (CVE-2024-1630 and CVE-2024-1629), and protection mechanism failure (CVE-2020-6977).

     

    The exploit chain devised by Nozomi Networks takes advantage of CVE-2020-6977 to get local access to the device and then weaponizes CVE-2024-1628 to attain code execution.

     

    "However, to speed up the process, [...] an attacker may also abuse the exposed USB port and attach a malicious thumb drive that, by emulating the keyboard and mouse, automatically performs all necessary steps at faster-than-human speed," the company said.

     

    Alternatively, an adversary could obtain access to a hospital's internal network using stolen VPN credentials gathered via other means (e.g., phishing or data leak), scan for vulnerable installations of EchoPAC, and then exploit CVE-2024-27107 to gain unfettered access to the patient's database, effectively compromising its confidentiality, integrity, and availability.

     


    GE HealthCare, in a set of advisories, said "existing mitigations and controls" reduce the risks posed by these flaws to acceptable levels.

     

    "In the unlikely event a malicious actor with physical access could render the device unusable, there would be clear indicators of this to the intended user of the device," it noted. "The vulnerability can only be exploited by someone with direct, physical access to the device."

     

    The disclosure comes weeks after security flaws were also uncovered in the Merge DICOM Toolkit for Windows (CVE-2024-23912, CVE-2024-23913, and CVE-2024-23914) that could be used to trigger a denial-of-service (DoS) condition on the DICOM service. The issues have been addressed in version v5.18 [PDF] of the library.

     

    It also follows the discovery of a maximum-severity security flaw in the Siemens SIMATIC Energy Manager (EnMPro) product (CVE-2022-23450, CVSS score: 10.0) that could be exploited by a remote attacker to execute arbitrary code with SYSTEM privileges by sending maliciously crafted objects.

     

    "An attacker successfully exploiting this vulnerability could remotely execute code and gain complete control over an EnMPro server," Claroty security researcher Noam Moshe said.

     

    Users are highly recommended to update to version V7.3 Update 1 or later as all versions prior to it contain the insecure deserialization vulnerability.

     

    Security weaknesses have also been unearthed in the ThroughTek Kalay Platform integrated within Internet of Things (IoT) devices (from CVE-2023-6321 through CVE-2023-6324) that allow an attacker to escalate privileges, execute commands as root, and establish a connection with a victim device.

     

    "When chained together, these vulnerabilities facilitate unauthorized root access from within the local network, as well as remote code execution to completely subvert the victim device," Romanian cybersecurity company Bitdefender said. "Remote code execution is only possible after the device has been probed from the local network."

     

    The vulnerabilities, patched as of April 2024 following responsible disclosure in October 2023, have been found to impact baby monitors, and indoor security cameras from vendors like Owlet, Roku, and Wyze, permitting threat actors to daisy-chain them in order to execute arbitrary commands on the devices.

     

    "The ramifications of these vulnerabilities extend far beyond the realm of theoretical exploits, as they directly impact the privacy and safety of users relying on devices powered by ThroughTek Kalay," the company added.

     

    Source: https://thehackernews.com/2024/05/researchers-uncover-11-security-flaws.html

  5. BreachForums
     

    Law enforcement agencies have officially seized control of the notorious BreachForums platform, an online bazaar known for peddling stolen data, for the second time within a year.

     

    The website ("breachforums[.]st") has been replaced by a seizure banner stating the clearnet cybercrime forum is under the control of the U.S. Federal Bureau of Investigation (FBI).

     

    The operation is the result of a collaborative effort from authorities in Australia, Iceland, New Zealand, Switzerland, the U.K., the U.S., and Ukraine.

     

    The FBI has also taken control of the Telegram channel operated by Baphomet, who became the administrator of the forum following the arrest of his predecessor Conor Brian Fitzpatrick (aka pompompurin) in March last year.

     

    It's worth noting a prior iteration of BreachForums, hosted at breached.vc/.to/.co and managed by pompompurin, was seized by law enforcement in late June 2023.

     

    "This Telegram chat is under the control of the FBI," a message posted on the channel reads. "The BreachForums website has been taken down by the FBI and DOJ with assistance from international partners."

     


    "We are reviewing the site's backend data. If you have information to report about cyber criminal activity on BreachForums, please contact us: https://t.me/fbi_breachforums breachforums@fbi.gov breachforums.ic3.gov."

     

    It's currently not clear if Baphomet and his other fellow administrator ShinyHunters have been arrested, although the seizure banner depicts the profile pictures associated with both of them as behind bars.

     

    "From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc and run by ShinyHunters) was operating as a clearnet marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services," the agencies said.

     

    BreachForums emerged in March 2022 following the law enforcement dismantling of RaidForums and the arrest of its owner "Omnipotent." Following its shutdown in 2023, it resurfaced again after Baphomet teamed up with ShinyHunters to launch a new site under the same name.

     

    Source: https://thehackernews.com/2024/05/fbi-seizes-breachforums-again-urges.html

    • Upvote 1
  6. LockBit
     

    The U.K. National Crime Agency (NCA) has unmasked the administrator and developer of the LockBit ransomware operation, revealing it to be a 31-year-old Russian national named Dmitry Yuryevich Khoroshev.

     

    In addition, Khoroshev has been sanctioned by the U.K. Foreign, Commonwealth and Development Office (FCD), the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), and the Australian Department of Foreign Affairs.

     

    Europol, in a press statement, said authorities are in possession of over 2,500 decryption keys and are continuing to contact LockBit victims to offer support.

     

    Khoroshev, who went by the monikers LockBitSupp and putinkrab, has also become the subject of asset freezes and travel bans, with the U.S. Department of State offering a reward of up to $10 million for information leading to his arrest and/or conviction.

     

    Previously, the agency had announced reward offers of up to $15 million seeking information leading to the identity and location of key leaders of the LockBit ransomware variant group as well as information leading to the arrests and/or convictions of the group's members.

     

    Concurrently, an indictment unsealed by the Department of Justice (DoJ) has charged Khoroshev on 26 counts, including one count of conspiracy to commit fraud, extortion, and related activity in connection with computers; one count of conspiracy to commit wire fraud; eight counts of intentional damage to a protected computer; eight counts of extortion in relation to confidential information from a protected computer; and eight counts of extortion in relation to damage to a protected computer.

     

    In all, the charges carry a maximum penalty of 185 years in prison. Each of the charges further carries a monetary penalty that's the greatest of $250,000, pecuniary gain to the offender, or pecuniary harm to the victim.

     

    With the latest indictment, a total of six members affiliated with the LockBit conspiracy have been charged, including Mikhail Vasiliev, Mikhail Matveev, Ruslan Magomedovich Astamirov, Artur Sungatov and Ivan Gennadievich Kondratiev.

     

    "Today's announcement puts another huge nail in the LockBit coffin and our investigation into them continues," NCA Director General Graeme Biggar said. "We are also now targeting affiliates who have used LockBit services to inflict devastating ransomware attacks on schools, hospitals and major companies around the world."

     

    LockBit, which was one of the most prolific ransomware-as-a-service (RaaS) groups, was dismantled as part of a coordinated operation dubbed Cronos earlier this February. It's estimated to have targeted over 2,500 victims worldwide and received more than $500 million in ransom payments.

     

    "LockBit ransomware has been used against Australian, U.K. and U.S. businesses, comprising 18% of total reported Australian ransomware incidents in 2022-23 and 119 reported victims in Australia," Penny Wong, Minister for Foreign Affairs of Australia, said.

    Under the RaaS business model, LockBit licenses its ransomware software to affiliates in exchange for an 80% cut of the paid ransoms.

     

    The e-crime group is also known for its double extortion tactics, where sensitive data is exfiltrated from victim networks before encrypting the computer systems and demanding ransom payments.

     

    Khoroshev, who started LockBit around September 2019, is believed to have netted at least $100 million in disbursements as part of the scheme over the past four years.

     

    In an interesting twist, the indictment has also accused Khoroshev and his co-conspirators of deploying LockBit against multiple Russian victims, stating the defendant demanded identification documents from the recruited affiliates, and even got in touch with law enforcement after the takedown to offer information regarding the identity of his RaaS competitors.

     

    "The true impact of LockBit's criminality was previously unknown, but data obtained from their systems showed that between June 2022 and February 2024, more than 7,000 attacks were built using their services," the NCA said. "The top five countries hit were the U.S., U.K., France, Germany and China."

    LockBit's attempts to resurface after the law enforcement action have been unsuccessful at best, prompting it to post old and fake victims on its new data leak site.

     

    "LockBit have created a new leak site on which they have inflated apparent activity by publishing victims targeted prior to the NCA taking control of its services in February, as well as taking credit for attacks perpetrated using other ransomware strains," the agency noted. "The group has attempted to rebuild over the last two months, however [...] they are currently running at limited capacity and the global threat from LockBit has significantly reduced."

     

    The RaaS scheme is estimated to have encompassed 194 affiliates until February 24, out of which 148 built attacks and 119 engaged in ransom negotiations with victims.

     

    "Of the 119 who began negotiations, there are 39 who appear not to have ever received a ransom payment," the NCA noted. "Seventy-five did not engage in any negotiation, so also appear not to have received any ransom payments."

     

    The number of active LockBit affiliates has since dropped to 69, the NCA said, adding LockBit did not routinely delete stolen data once a ransom was paid and that it uncovered numerous instances where the decryptor provided to victims failed to work as expected.

     

    "As a core LockBit group leader and developer of the LockBit ransomware, Khoroshev has performed a variety of operational and administrative roles for the cybercrime group, and has benefited financially from the LockBit ransomware attacks," the U.S. Treasury Department said.

     

    "Khoroshev has facilitated the upgrading of the LockBit infrastructure, recruited new developers for the ransomware, and managed LockBit affiliates. He is also responsible for LockBit's efforts to continue operations after their disruption by the U.S. and its allies earlier this year."

     

    (The story was updated after publication to include additional information related to Khoroshev's indictment.)

     

    • Upvote 4
  7. Lethal Injection: How We Hacked Microsoft's AI Chat Bot

    We have discovered multiple security vulnerabilities in the Azure Health Bot service, a patient-facing chatbot that handles medical information. The vulnerabilities, if exploited, could allow access to sensitive infrastructure and confidential medical data. 

     

    All vulnerabilities have been fixed quickly following our report to Microsoft. Microsoft has not detected any sign of abuse of these vulnerabilities. We want to thank the people from Microsoft for their cooperation in remediating these issues: Dhawal, Kirupa, Gaurav, Madeline, and the engineering team behind the service.

     

    The first vulnerability allowed access to authentication credentials belonging to the customers. With continued research, we’ve found vulnerabilities allowing us to take control of a backend server of the service. That server is shared across multiple customers and has access to several databases that contain information belonging to multiple tenants.

     

    Vulnerabilities Reported

     

    • Multiple sandbox escapes, unrestricted code execution as root on the bot backend
    • Unrestricted access to authentication secrets & integration auth providers
    • Unrestricted memory read in the bot backend, exposing sensitive secrets & cross tenant data
    • Unrestricted deletion of other tenants' public resources

    The Discovery

    The initial research started at the Azure Health Bot management portal website. Skimming through the features available, we saw that it’s possible to connect your bot to remote data sources, and also provide authentication details.

     

    Since customers would likely connect their bot to 3rd party data, such as patient databases, appointment calendars, and so forth, it’s a very interesting target for an attacker. It’s unlikely to imagine a scenario where the customers wouldn’t want to connect the bot to their data.

     

    After fiddling with this feature, we noticed something interesting in the request that retrieves our data connection details and auth secrets. This is what a regular request looks like:

     

    https://portal-eastus.healthbot.microsoft.com/v4/test-301x6x6/integration/data-connections/1679070537717/

     

    In this URL, “test-301x6x6” is our unique health bot instance ID, and “1679070537717” is the ID of the unique data connection we created. 

     

    The response to this request was the following JSON:

     

    {
      "odata.metadata": "https://hbstenant2steausprod.table.core.windows.net/$metadata#test301x6x6/@Element",
      "etag": "W/\"datetime'2023-03-17T17%3A08%3A44.7784337Z'\"",
      "partitionKey": "DataConnection",
      "rowKey": "1679070537717",
      "timestamp": "2023-03-17T17:08:44.7784337Z",
      "type": "custom",
      "name": "test data connection",
      "description": "desc",
      "base_url": "https://website.com/a",
      "auth_provider": "",
      "static_parameters": "[{\"type\":\"header\",\"key\":\"Test\",\"value\":\"true\"}]"
    }

     

    People familiar with Azure will recognize this as an Azure Table API response. And it makes sense, the service stores our connection data in the Azure Table service, and it pulls that data directly from there.

     

    Our intuition was to start toying with the ID number of our data connection. We believe that the data connections of all customers are in the same table, and if we can query whatever ID we want from the table, we can view the data connections of other customers.

    Per the Azure Table API documentation, here's what a request to retrieve data from a table looks like:

     

    https://myaccount.table.core.windows.net/tableName(PartitionKey='<partition-key>',RowKey='<row-key>')

     

    So here we have 3 variables we must fill: 

    • table name
    • partition key
    • row key

     

    We have all the required variables since the previous Table API response discloses all that information. Our guess was that this was the URL the backend server uses to get the information behind the scenes:

     

    https://hbstenant2steausprod.table.core.windows.net/test301x6x6(PartitionKey='DataConnection',RowKey='1679070537717')

     

     

    Here you can see:

     

    1. hbstenant2steausprod - the account name Microsoft used for storing the data.
    2. test301x6x6 - our Azure health bot instance ID. This is not a secret.
    3. (PartitionKey='DataConnection',RowKey='1679070537717'): Pulling DataConnection with the ID from the request.
       

    The input in our control is the ID. The idea was to send an ID that would allow us to “break out” of our tenant and read other tenants' data. How do we do that?

     

    Since it’s all appended to a URL, the idea was to leverage URL traversal to cancel out the prepended information added by the server, and then add our own:

     

    GET /v4/test-301x6x6/integration/data-connections/%2F..%2FotherTenant(PartitionKey='DataConnection',RowKey='1679126391688/

     

     

    As you can see, we encoded the slashes (%2F) which were injected into the URL, effectively turning the request into:

     

    https://hbstenant2steausprod.table.core.windows.net/test301x6x6(PartitionKey='DataConnection',RowKey='1679070537717/../otherTenant(PartitionKey='DataConnection',RowKey='1679126391688')

     

     

    And voila! This request successfully returned the connection data of the other tenant.

     


    Hacking The Bot Backend - 3 ways to pwn the Node.js vm2 sandbox 

    Exploring further into the service, we saw that you can execute your JavaScript code in an isolated environment. This feature lets you process data coming from the chat as part of the conversation with the end customer.

     

    We started by doing simple JS recon inside the sandbox - looking at global variables, we figured we were running inside a vm2 sandbox, a popular Node.js sandboxing library that has since been discontinued due to multiple, unrelated security flaws. 

    The goal was simple: to be able to execute shell commands and try to find a way to access cross-tenant data. 

     

    How do you usually execute shell commands with Node.js? Simple, you import the child_process module and call exec/execSync:

     

    require('child_process').execSync('id')

     

    But you didn’t think it’d be that easy, did you? In general, require inside the vm2 sandbox is a patched version that doesn’t let you import anything harmful. However, Microsoft wanted to provide a few standard modules to make your life easier. So what we have is a custom require function, which has a very specific whitelist of boring modules. 

     

    But we wanted to understand what’s going on under the hood. Lucky for us, Javascript lets you view the source code of any function. You call .toString() on the function, and voila, you get the source code:

     

    (packageName) => {
    	// Do binary search in the allow list of packages
    	if (packagesAllowedList && _.indexOf(packagesAllowedList, packageName, true) < 0) {
    		throw new Error(`**Usage of the '${packageName}' package is not allowed. Please contact your system administrator**`);
    	}
    	return require(packageName);
    }

     

    Looks pretty harmless at first glance. It’s a simple check if the required module is in the whitelisted array, and if it is, the original Node.js require function will be called.

     

    Well, if you look closer, they called _.indexOf() instead of the native array indexOf function for some reason. And _.indexOf() is a function from the underscore module. Which is whitelisted. Can you see where we’re going with this?

     

    Bypassing the whitelist and achieving remote code execution is no problem when you can just override the indexOf function, which is conveniently already present as a global; you don't even need to import it.

     

    underscore.indexOf=function(){ return 10; }; // Always return 10 - bypass the if condition
    require('child_process').execSync('id') // Code executed!

     

    And then: (screenshot of the command running on the backend, not reproduced here)

    Since that backend is shared, we were running as root inside a server that processed the chats of other customers. All research was done in the “debug” environment and was done carefully to not expose any sensitive information. 

     

    Microsoft quickly patched the bug within 24 hours, but we’re not done with this sandbox yet.

    Underscore strikes again

    After Microsoft patched the require() flaw, we dove deeper into understanding the mechanics of the vm2 sandbox. We knew that the modules that are whitelisted are part of the unisolated Node.js root context; the idea was to look into each module individually and try to find interesting functionalities that can be abused.

     

    We spent a few hours reading the documentation and code of all whitelisted modules; most of them were just boring data parsing libraries that didn't help. But then something in Underscore.js caught our attention:

     

    (screenshot of the Underscore.js template() documentation, not reproduced here)

     

    Hmm, a function that compiles JavaScript templates, with an arbitrary code execution feature. We’re sensing a pattern here.

    To understand why it’s interesting, you need to understand a simple concept of how the vm2 sandboxing works.

     

    In simple terms, they create a “bridge” between the sandbox and the host, and everything you execute inside the sandbox goes through proxy functions which restrict what you can do to a very limited set of features.

     

    For example, if we try to access the Node.js global “process” variable from within the sandbox, the variable won’t be found as it’s not part of the sandboxed context. 

     

    However, when you pass down functions from the root context to the sandbox, the code is already “compiled”. It’s usually pretty dangerous since code inside the sandbox can tamper with the modules and cause unexpected behavior outside the sandbox.

     

    Back to the template function, since the underscore module was passed down from outside the sandbox, the code will be compiled in the non-sandboxed context, therefore, we can achieve code execution simply:

     

    let foo = underscore.template("<% print(this.process.mainModule.require('child_process').execSync('id')) %>")

     

    Microsoft quickly patched this as well, and we move on to the final flaw.

    A Distant Memory

    This time we had to think a little bit “outside the box” since we were running out of interesting features in the whitelisted modules. We looked into the “buffer” module which is a built-in Node.js module.

     

    The thing that caught our attention was “Buffer.allocUnsafe”. This function lets you allocate an uninitialized memory buffer. To explain what it means in simple terms, let's compare Buffer.alloc and Buffer.allocUnsafe:

     

    • Buffer.alloc: will provide a memory buffer that is zeroed out. If we try to read from the allocated buffer, we’ll get a bunch of zeroes.
    • Buffer.allocUnsafe: faster than alloc, will provide a memory buffer that hasn’t been zeroed out. That means that if the memory allocated was previously used for an HTTP request for example, we will be able to see the HTTP request by reading from the newly allocated buffer.

     

    This is pretty dangerous since if we can use allocUnsafe inside the sandbox, we might be able to access sensitive info from the memory of the application. The vm2 developers were aware of this and restricted the use of Buffer.allocUnsafe.

     

    Since the entire buffer module was whitelisted, we had access to SlowBuffer, which is the same as allocUnsafe. This one was not restricted by the sandbox, since it’s not supposed to be there by default: 

     

    buffer = require('buffer')
    p = new buffer.SlowBuffer(10024)
    p.toString() // returns “dirty” uninitialized memory previously used in other areas of the app

     

    Running this code a few times yielded interesting data from the application, for example, a few JWT secrets for internal Azure identities, Kubernetes API calls, cross-tenant data, and more.

     

    After that, Microsoft made multiple important security changes:

     

    • They changed the service architecture to run a completely separate ACI instance per customer, making any future sandbox breach irrelevant.
    • They changed the sandboxing from vm2 to the isolated-vm library, which uses V8 isolates, a much better and more secure solution.

    Final Words

    This marks the first publication from Breachproof. We aim to publish a lot more quality research that has real impact. Much more is coming.

     

    If you're a company dealing with sensitive data and need help securing it - feel free to contact us.

     

    Authored by Yanir Tsarimi

     

    Bounty: $203,000

    Source: https://www.breachproof.net/blog/lethal-injection-how-we-hacked-microsoft-ai-chat-bot

    • Upvote 6
  8. Citrix and VMware Vulnerabilities
     

    Virtualization services provider VMware has alerted customers to the existence of a proof-of-concept (PoC) exploit for a recently patched security flaw in Aria Operations for Logs.

     

    Tracked as CVE-2023-34051 (CVSS score: 8.1), the high-severity vulnerability relates to a case of authentication bypass that could lead to remote code execution.

     

    "An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution," VMware noted in an advisory on October 19, 2023.

     

    James Horseman from Horizon3.ai and the Randori Attack Team have been credited with discovering and reporting the flaw.

    Horizon3.ai has since made available a PoC for the vulnerability, prompting VMware to revise its advisory this week.

     

    It's worth noting that CVE-2023-34051 is a patch bypass for a set of critical flaws that were addressed by VMware earlier this January that could expose users to remote code execution attacks.

     

    "This patch bypass would not be very difficult for an attacker to find," Horseman said. "This attack highlights the importance of defense in depth. A defender can't always trust that an official patch fully mitigates a vulnerability."

     

    The disclosure comes as Citrix released an advisory of its own, urging customers to apply fixes for CVE-2023-4966 (CVSS score: 9.4), a critical security vulnerability affecting NetScaler ADC and NetScaler Gateway that has come under active exploitation in the wild.

     

    "We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability," the company said this week, corroborating a report from Google-owned Mandiant.

     

    The exploitation efforts are also likely to ramp up in the coming days given the availability of a PoC exploit, dubbed Citrix Bleed.

     

    "Here we saw an interesting example of a vulnerability caused by not fully understanding snprintf," Assetnote researcher Dylan Pindur said.

     

    "Even though snprintf is recommended as the secure version of sprintf it is still important to be careful. A buffer overflow was avoided by using snprintf but the subsequent buffer over-read was still an issue."

     

    The active exploitation of CVE-2023-4966 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies in the U.S. to apply the latest patches by November 8, 2023.

     

    The latest developments also follow the release of updates for three critical remote code execution vulnerabilities in SolarWinds Access Rights Manager (CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187, CVSS scores: 9.8) that remote attackers could use to run code with SYSTEM privileges.

     

    Source: https://thehackernews.com/2023/10/alert-poc-exploits-released-for-citrix.html

    • Upvote 1
  9. Roundcube Webmail Software

    The threat actor known as Winter Vivern has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023, to harvest email messages from victims' accounts.

     

    "Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET security researcher Matthieu Faou said in a new report published today. "Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs-of-concept are available online."

     

    Winter Vivern, also known as TA473 and UAC-0114, is an adversarial collective whose objectives align with that of Belarus and Russia. Over the past few months, it has been attributed to attacks against Ukraine and Poland, as well as government entities across Europe and India.

     

    The group is also assessed to have previously exploited another flaw in Roundcube (CVE-2020-35730), making it the second nation-state group after APT28 to target the open-source webmail software.

     


    The new security vulnerability in question is CVE-2023-5631 (CVSS score: 5.4), a stored cross-site scripting flaw that could allow a remote attacker to load arbitrary JavaScript code. A fix was released on October 14, 2023.

     

    Attack chains mounted by the group commence with a phishing message that incorporates a Base64-encoded payload in the HTML source code that, in turn, decodes to a JavaScript injection from a remote server by weaponizing the XSS flaw.

     

    "In summary, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user's browser window," Faou explained. "No manual interaction other than viewing the message in a web browser is required."

     

    The second-stage JavaScript (checkupdate.js) is a loader that facilitates the execution of a final JavaScript payload that allows the threat actor to exfiltrate email messages to a command-and-control (C2) server.

     

    "Despite the low sophistication of the group's toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities," Faou said.

     

    Source: https://thehackernews.com/2023/10/nation-state-hackers-exploiting-zero.html

    • Upvote 1
  10.  

    Blog: https://msrc.microsoft.com/blog/2023/08/congratulations-to-the-msrc-2023-most-valuable-security-researchers/

     

    Quote

     

    Our 2023 Top 100 MVRs will receive an MSRC swag box and digital badges to share their accomplishments on social media and professional portfolios. Researchers will be receiving an email from msrcmvr@microsoft.com in the coming month to claim their swag and badges.

     

     

     

    Leaderboard (2023 MVR): https://msrc.microsoft.com/leaderboard

     

    There are two more people on the list who are RST members: @Zatarra @adiivascu.

     

    Greetings to you.

     

     

    • Thanks 3
    • Haha 2
    • Upvote 6
  11. Microsoft
     

    Microsoft on Friday said a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by a malicious actor known as Storm-0558 using a Microsoft account (MSA) consumer signing key to breach two dozen organizations.

     

    "Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com," the tech giant said in a deeper analysis of the campaign. "The method by which the actor acquired the key is a matter of ongoing investigation."

     

    "Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected."

     

    It's not immediately clear if the token validation issue was exploited as a "zero-day vulnerability" or if Microsoft was already aware of the problem before it came under in-the-wild abuse.

     

    The attacks singled out approximately 25 organizations, including government entities and associated consumer accounts, to gain unauthorized email access and exfiltrate mailbox data. No other environment is said to have been impacted.

     

    The company was tipped off about the incident after the U.S. State Department detected anomalous email activity related to Exchange Online data access. Storm-0558 is suspected to be a China-based threat actor conducting malicious cyber activities that are consistent with espionage, although China has refuted the allegations.

     

    Primary targets of the hacking crew include U.S. and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests, as well as media companies, think tanks, and telecommunications equipment and service providers.

     

    It's said to have been active since at least August 2021, orchestrating credential harvesting, phishing campaigns, and OAuth token attacks aimed at Microsoft accounts to pursue its goals.

     

    "Storm-0558 operates with a high degree of technical tradecraft and operational security," Microsoft said, describing it as technically adept, well-resourced, and having an acute understanding of various authentication techniques and applications.

     


    "The actors are keenly aware of the target's environment, logging policies, authentication requirements, policies, and procedures."

    Initial access to target networks is realized through phishing and exploitation of security flaws in public-facing applications, leading to the deployment of the China Chopper web shell for backdoor access and a tool called Cigril to facilitate credential theft.

     

    Also employed by Storm-0558 are PowerShell and Python scripts to extract email data such as attachments, folder information, and entire conversations using Outlook Web Access (OWA) API calls.

     

    Microsoft said since the discovery of the campaign on June 16, 2023, it has "identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer, and coordinated with multiple government entities." It also noted it mitigated the issue "on customers' behalf" effective June 26, 2023.

     

    The exact scope of the breach remains unclear, but it's the latest example of a China-based threat actor conducting cyberattacks seeking sensitive information and pulling off a stealthy intelligence coup without attracting any attention for at least a month before it was uncovered in June 2023.

     

    The disclosure comes as Microsoft has faced criticism for its handling of the hack and for gating forensic capabilities behind additional licensing barriers, thereby preventing customers from accessing detailed audit logs that could have otherwise helped analyze the incident.

     

    "Charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags," U.S. Senator Ron Wyden was quoted as saying.

     

    The development also arrives as the U.K.'s Intelligence and Security Committee of Parliament (ISC) published a detailed Report on China, calling out its "highly effective cyber espionage capability" and its ability to penetrate a diverse range of foreign government and private sector IT systems.

     

    Source: https://thehackernews.com/2023/07/microsoft-bug-allowed-hackers-to-breach.html

    • Upvote 1
  12. WormGPT
     

    With generative artificial intelligence (AI) becoming all the rage these days, it's perhaps not surprising that the technology has been repurposed by malicious actors to their own advantage, enabling avenues for accelerated cybercrime.

     

    According to findings from SlashNext, a new generative AI cybercrime tool called WormGPT has been advertised on underground forums as a way for adversaries to launch sophisticated phishing and business email compromise (BEC) attacks.

     

    "This tool presents itself as a blackhat alternative to GPT models, designed specifically for malicious activities," security researcher Daniel Kelley said. "Cybercriminals can use such technology to automate the creation of highly convincing fake emails, personalized to the recipient, thus increasing the chances of success for the attack."

     

    The author of the software has described it as the "biggest enemy of the well-known ChatGPT" that "lets you do all sorts of illegal stuff."

     

    In the hands of a bad actor, tools like WormGPT could be a powerful weapon, especially as OpenAI ChatGPT and Google Bard are increasingly taking steps to combat the abuse of large language models (LLMs) to fabricate convincing phishing emails and generate malicious code.

     

    "Bard's anti-abuse restrictors in the realm of cybersecurity are significantly lower compared to those of ChatGPT," Check Point said in a report this week. "Consequently, it is much easier to generate malicious content using Bard's capabilities."

     


    Earlier this February, the Israeli cybersecurity firm disclosed how cybercriminals are working around ChatGPT's restrictions by taking advantage of its API, not to mention trade stolen premium accounts and sell brute-force software to hack into ChatGPT accounts by using huge lists of email addresses and passwords.

     

    The fact that WormGPT operates without any ethical boundaries underscores the threat posed by generative AI, even permitting novice cybercriminals to launch attacks swiftly and at scale without having the technical wherewithal to do so.

     

    Making matters worse, threat actors are promoting "jailbreaks" for ChatGPT, engineering specialized prompts and inputs that are designed to manipulate the tool into generating output that could involve disclosing sensitive information, producing inappropriate content, and executing harmful code.

     

    "Generative AI can create emails with impeccable grammar, making them seem legitimate and reducing the likelihood of being flagged as suspicious," Kelley said.

     

    "The use of generative AI democratizes the execution of sophisticated BEC attacks. Even attackers with limited skills can use this technology, making it an accessible tool for a broader spectrum of cybercriminals."

     

    The disclosure comes as researchers from Mithril Security "surgically" modified an existing open-source AI model known as GPT-J-6B to make it spread disinformation and uploaded it to a public repository like Hugging Face such that it could then be integrated into other applications, leading to what's called an LLM supply chain poisoning.

     

    The success of the technique, dubbed PoisonGPT, banks on the prerequisite that the lobotomized model is uploaded using a name that impersonates a known company, in this case, a typosquatted version of EleutherAI, the company behind GPT-J.

     

    Source: https://thehackernews.com/2023/07/wormgpt-new-ai-tool-allows.html

    • Upvote 1
  13. LED Flickers
     

    In what's an ingenious side-channel attack, a group of academics has found that it's possible to recover secret keys from a device by analyzing video footage of its power LED.

     

    "Cryptographic computations performed by the CPU change the power consumption of the device which affects the brightness of the device's power LED," researchers from the Ben-Gurion University of the Negev and Cornell University said in a study.

     

    By taking advantage of this observation, it's possible for threat actors to leverage video camera devices such as an iPhone 13 or an internet-connected surveillance camera to extract the cryptographic keys from a smart card reader.

     

    Specifically, video-based cryptanalysis is accomplished by obtaining video footage of rapid changes in an LED's brightness and exploiting the video camera's rolling shutter effect to capture the physical emanations.

     

    "This is caused by the fact that the power LED is connected directly to the power line of the electrical circuit which lacks effective means (e.g., filters, voltage stabilizers) of decoupling the correlation with the power consumption," the researchers said.

     

    In a simulated test, it was found that the method allowed for the recovery of a 256-bit ECDSA key from a smart card by analyzing video footage of the power LED flickers via a hijacked internet-connected security camera.

     

    A second experiment allowed for the extraction of a 378-bit SIKE key from a Samsung Galaxy S8 handset by training the camera of an iPhone 13 on the power LED of Logitech Z120 speakers connected to a USB hub that's also used to charge the phone.

     

     

    What makes the attack notable is that the modus operandi is non-intrusive, either banking on physical proximity or over the internet, to steal the cryptographic keys.

     

    That said, there are a few limitations to reliably pull off the scheme. It requires the camera to be placed 16 meters away from the smart card reader and in a manner such that it has a direct line of sight view of the power LED. Then there's the condition that the signatures are recorded for a duration of 65 minutes.

     

    It also presupposes that there exists a side-channel based on power consumption that leaks sensitive information which could be used for cryptanalysis, making such attacks an exception rather than a norm.

     

    To counter such attacks, it's recommended that LED manufacturers integrate a capacitor to reduce fluctuations in power consumption or, alternatively, cover the power LED with black tape on the consumer side to prevent leakage.

     

    Ben Nassi, the lead researcher behind the attack technique, has previously devised similar approaches in the past – Lamphone and Glowworm – that employ overhead hanging bulbs and a device's power indicator LED to eavesdrop on conversations.

     

    Then last year, the researchers demonstrated what's called the "little seal bug" attack that utilizes an optical side-channel associated with lightweight reflective objects to recover the content of a conversation.

     

    Source: https://thehackernews.com/2023/06/researchers-find-way-to-recover.html

    • Upvote 1
  14. EncroChat
     

    Europol on Tuesday announced that the takedown of EncroChat in July 2020 led to 6,558 arrests worldwide and the seizure of €900 million in illicit criminal proceeds.

     

    The law enforcement agency said that a subsequent joint investigation initiated by French and Dutch authorities intercepted and analyzed over 115 million conversations that took place over the encrypted messaging platform between no less than 60,000 users.

     

    Now almost three years later, the information obtained from digital correspondence has resulted in -

     

    • Arrests of 6,558 suspects, including 197 high-value targets
    • 7,134 years of imprisonment of convicted criminals
    • Confiscation of €739.7 million in cash
    • Freeze of €154.1 million in assets or bank accounts
    • Seizure of 30.5 million pills of chemical drugs
    • Seizure of 103.5 tonnes of cocaine, 163.4 tonnes of cannabis, and 3.3 tonnes of heroin
    • Seizure of 971 vehicles, 83 boats, and 40 planes
    • Seizure of 271 estates or homes, and
    • Seizure of 923 weapons, as well as 21,750 rounds of ammunition and 68 explosives

    EncroChat was an encrypted phone network that was used by organized crime groups to plot drug deals, money laundering, extortion, and even murders. "User hotspots were particularly present in source and destination countries for cocaine and cannabis trade, as well as in money laundering centers," Europol said at the time.

     

    The mobile devices were marketed as offering "perfect anonymity" to users, allowing them to operate with impunity through features like automatic deletion of messages and options to automatically erase them from a distance by the reseller.

     

    "EncroChat sold crypto telephones for around EUR 1,000 each, on an international scale," Europol said. "It also offered subscriptions with worldwide coverage, at a cost of EUR 1,500 for a six-month period, with 24/7 support."

     

    Unbeknownst to the users, the platform was infiltrated by French and Dutch law enforcement in early 2020, offering valuable insight into the groups and their modus operandi. The company's servers, which were operating from France, were taken down.

     

    The illegal use of encrypted communications has since led to the dismantling of another service called Sky ECC in March 2021. In June 2021, U.S. and Australian officials disclosed that they ran an encrypted chat service called ANoM (aka AN0M) for nearly three years to intercept 27 million messages exchanged between criminal gang members globally.

     

    Source: https://thehackernews.com/2023/06/encrochat-bust-leads-to-6558-criminals.html

    • Upvote 1
  15. WordPress vulnerability
     

    A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites.

     

    "This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met," Defiant's Wordfence said in an advisory.

     

    Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system. It impacts all versions of the plugin up to and including version 5.14.2.

     

    The problem, at its core, is a case of authentication bypass that arises as a result of insufficient encryption protections that are applied when customers are notified when they have abandoned their shopping carts on e-commerce sites without completing the purchase.

     

    Specifically, the encryption key is hard-coded in the plugin, thereby allowing malicious actors to login as a user with an abandoned cart.

     

    "However, there is a chance that by exploiting the authentication bypass vulnerability, an attacker can gain access to an administrative user account, or another higher-level user account if they have been testing the abandoned cart functionality," security researcher István Márton said.

     

    Following responsible disclosure on May 30, 2023, the vulnerability was addressed by the plugin developer, Tyche Softwares, on June 6, 2023, with version 5.15.0. The current version of Abandoned Cart Lite for WooCommerce is 5.15.2.

     

    The disclosure comes as Wordfence revealed another authentication bypass flaw impacting StylemixThemes' "Booking Calendar | Appointment Booking | BookIt" plugin (CVE-2023-2834, CVSS score: 9.8) that has over 10,000 WordPress installs.

     

    "This is due to insufficient verification on the user being supplied during booking an appointment through the plugin," Márton explained. "This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email."

     

    The flaw, affecting versions 2.3.7 and earlier, has been addressed in version 2.3.8, which was released on June 13, 2023.

     

    Source: https://thehackernews.com/2023/06/critical-flaw-found-in-wordpress-plugin.html

    • Upvote 1
  16. RepoJacking Attack
     

    Millions of software repositories on GitHub are likely vulnerable to an attack called RepoJacking, a new study has revealed.

    This includes repositories from organizations such as Google, Lyft, and several others, Massachusetts-based cloud-native security firm Aqua said in a Wednesday report.

     

    The supply chain vulnerability, also known as dependency repository hijacking, is a class of attacks that makes it possible to take over retired organizations or user names and publish trojanized versions of repositories to run malicious code.

     

    "When a repository owner changes their username, a link is created between the old name and the new name for anyone who downloads dependencies from the old repository," researchers Ilay Goldman and Yakir Kadkoda said. "However, it is possible for anyone to create the old username and break this link."

     

    Alternatively, a similar scenario could arise when a repository ownership is transferred to another user and the original account is deleted, thus allowing a bad actor to create an account with the old username.

     

    Aqua said a threat actor could leverage websites like GHTorrent to extract GitHub metadata associated with any public commits and pull requests to compile a list of unique repositories.

     


    An analysis of a subset of 1.25 million repositories for the month of June 2019 revealed that as many as 36,983 repositories were vulnerable to RepoJacking, denoting a 2.95% success rate.

     

    With GitHub containing more than 330 million repositories, the findings suggest that millions of repositories could be vulnerable to a similar attack.

     

    One such repository is google/mathsteps, which was previously under the ownership of Socratic (socraticorg/mathsteps), a company that was acquired by Google in 2018.

     

    "When you access https://github.com/socraticorg/mathsteps, you are being redirected to https://github.com/google/mathsteps so eventually the user will fetch Google's repository," the researchers said.

     

    "However, because the socraticorg organization was available, an attacker could open the socraticorg/mathsteps repository and users following Google's instructions will clone the attacker's repository instead. And because of the npm install this will lead to arbitrary code execution on the users."

     


    This is not the first time such concerns have been raised. In October 2022, GitHub moved to close a security loophole that could have been exploited to create malicious repositories and mount supply chain attacks by circumventing popular repository namespace retirement.

     

    To mitigate such risks, it's recommended that users periodically inspect their code for links that may be retrieving resources from external GitHub repositories.

     

    "If you change your organization name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it," the researchers said.

     

    Source: https://thehackernews.com/2023/06/alert-million-of-github-repositories.html

  17. iOS, macOS, and Safari
     

    Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild.

     

    This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the campaign is not known.

     

    • CVE-2023-32434 - An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.
    • CVE-2023-32435 - A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.

    The iPhone maker said it's aware that the two issues "may have been actively exploited against versions of iOS released before iOS 15.7," crediting Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin for reporting them.

     

    The advisory comes as the Russian cybersecurity vendor dissected the spyware implant used in the zero-click attack campaign targeting iOS devices via iMessages carrying an attachment embedded with an exploit for a remote code execution (RCE) vulnerability.

     

    The exploit code is also engineered to download additional components to obtain root privileges on the target device, after which the backdoor is deployed in memory and the initial iMessage is deleted to conceal the infection trail.

     

    The sophisticated implant, called TriangleDB, operates solely in the memory, leaving no traces of the activity following a device reboot. It also comes with diverse data collection and tracking capabilities.

     

    This includes "interacting with the device's file system (including file creation, modification, exfiltration, and removal), managing processes (listing and termination), extracting keychain items to gather victim credentials, and monitoring the victim's geolocation, among others."

     

    Kaspersky has also released a utility called "triangle_check" that organizations can use to scan iOS device backups and hunt for any signs of compromise on their devices.

     

    Also patched by Apple is a third zero-day CVE-2023-32439, which has been reported anonymously and could result in arbitrary code execution when processing malicious web content.

     

    The actively exploited flaw, described as a type confusion issue, has been addressed with improved checks. The updates are available for the following platforms -

     

     

    With the latest round of fixes, Apple has resolved a total of nine zero-day flaws in its products since the start of the year.

     

    In February, the company plugged a WebKit flaw (CVE-2023-23529) that could lead to remote code execution. In April, it released updates to resolve two bugs (CVE-2023-28205 and CVE-2023-28206) that allowed for code execution with elevated privileges.

     

    Subsequently, in May, it shipped patches for three more vulnerabilities in WebKit (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) that could permit a threat actor to escape sandbox protection, access sensitive data, and execute arbitrary code.

     

    • Upvote 1
  18. Microsoft Azure AD OAuth
     

    A security shortcoming in Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process could have been exploited to achieve full account takeover, researchers said.

     

    California-based identity and access management service Descope, which discovered and reported the issue in April 2023, dubbed it nOAuth.

     

    "nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications," Omer Cohen, chief security officer at Descope, said.

     

    The misconfiguration has to do with how a malicious actor can modify email attributes under "Contact Information" in the Azure AD account and exploit the "Log in with Microsoft" feature to hijack a victim account.

     

    To pull off the attack, all an adversary has to do is to create and access an Azure AD admin account and modify their email address to that of a victim and take advantage of the single sign-on scheme on a vulnerable app or website.

     

    "If the app merges user accounts without validation, the attacker now has full control over the victim's account, even if the victim doesn't have a Microsoft account," Cohen explained.

     

    Successful exploitation grants the adversary an "open field" to set up persistence, exfiltrate data, and carry out other post-exploitation activities based on the nature of the app.

     

     

    This stems from the fact that an email address is both mutable and unverified in Azure AD, prompting Microsoft to issue a warning not to use email claims for authorization purposes.

     

    The tech giant characterized the issue as an "insecure anti-pattern used in Azure AD (AAD) applications" where the use of the email claim from access tokens for authorization can lead to an escalation of privilege.

     

    "An attacker can falsify the email claim in tokens issued to applications," it noted. "Additionally, the threat of data leakage exists if applications use such claims for email lookup."

     

    It also said it identified and notified several multi-tenant applications with users that utilize an email address with an unverified domain owner.

     

    Source: https://thehackernews.com/2023/06/critical-noauth-flaw-in-microsoft-azure.html

    • Upvote 1
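    To make the anti-pattern concrete, here is a small added example of the account-linking step of a multi-tenant "Log in with Microsoft" app. It is illustrative code written for this post, not code from The Hacker News, Descope or Microsoft. It assumes the app has already verified the token's signature, issuer and audience and is now deciding which local account the claims map to. The claim names `tid`, `oid`, `sub` and `email` are the standard Azure AD token claims; every value, user record and identifier in the block is a constructed placeholder.

```python
# Added example (not from the article, Descope or Microsoft): a toy
# "Log in with Microsoft" account-linking step for a multi-tenant app.
# login_vulnerable() merges on the email claim (the nOAuth anti-pattern);
# login_hardened() ignores email and keys on the immutable (tid, oid) pair.
# Claim names tid/oid/sub/email are standard Azure AD claims; all values
# below are constructed placeholders.


def fresh_store():
    """Constructed local user store. The victim signed up with a password
    and has never linked a Microsoft identity (ms_id is None)."""
    return {
        "victim@example.com": {
            "email": "victim@example.com",
            "role": "owner",
            "ms_id": None,  # (tenant id, object id) once a link exists
        }
    }


# Constructed claims of an ID token issued to the app from the attacker's own
# tenant. Signature, issuer and audience are assumed already verified; the
# point is what the app does with the claims afterwards. The `email` value is
# whatever was typed into "Contact Information" in that tenant: it is mutable
# and not verified by Azure AD.
ATTACKER_CLAIMS = {
    "tid": "11111111-attacker-tenant",
    "oid": "22222222-attacker-user-object",
    "sub": "33333333-attacker-pairwise-subject",
    "email": "victim@example.com",
    "preferred_username": "attacker@attacker-tenant.example",
}


def login_vulnerable(claims, users):
    """nOAuth anti-pattern: look the user up by the email claim and merge.
    Returns the account the caller will be treated as."""
    email = claims.get("email")
    if email in users:
        account = users[email]
        # Silently links the foreign identity to the victim's account.
        account["ms_id"] = (claims["tid"], claims["oid"])
        return account
    users[email] = {
        "email": email,
        "role": "member",
        "ms_id": (claims["tid"], claims["oid"]),
    }
    return users[email]


def login_hardened(claims, users):
    """Link only on (tid, oid). The email claim is never used for lookup, so
    an unverified email cannot select somebody else's account.
    Returns the account the caller will be treated as."""
    key = (claims["tid"], claims["oid"])
    for account in users.values():
        if account["ms_id"] == key:
            return account
    # First sign-in from this identity: create a separate, low-privilege
    # account. Any merge with an existing password account has to go through
    # an explicit flow in which the user proves control of that existing
    # login; it never happens implicitly here.
    new_key = f"ms:{key[0]}:{key[1]}"
    users[new_key] = {
        "email": claims.get("email"),
        "role": "member",
        "ms_id": key,
        "email_verified": False,  # the claim was never verified by the IdP
    }
    return users[new_key]


if __name__ == "__main__":
    v = login_vulnerable(ATTACKER_CLAIMS, fresh_store())
    h = login_hardened(ATTACKER_CLAIMS, fresh_store())
    print("vulnerable grants role:", v["role"])  # owner  (victim's account)
    print("hardened grants role: ", h["role"])   # member (fresh account)
```

    Running the block shows the difference in one line each: the email-keyed lookup hands the attacker's token the victim's "owner" account, while the identifier-keyed lookup leaves the victim's record untouched and creates an unrelated "member" account. The same rule applies to lookups in general, which is the data-leakage half of Microsoft's warning: an email claim can identify a sender's display address, but it is not proof that the caller controls that mailbox.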
  19. Asus Router Hacking
     

    Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models.

     

    Of the nine security flaws, two are rated Critical and six are rated High in severity. One vulnerability is currently awaiting analysis.

    The list of impacted products is GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.

     

    Topping the list of fixes are CVE-2018-1160 and CVE-2022-26376, both of which are rated 9.8 out of a maximum of 10 on the CVSS scoring system.

     

    CVE-2018-1160 concerns a nearly five-year-old out-of-bounds write bug in Netatalk versions before 3.1.12 that could allow a remote unauthenticated attacker to achieve arbitrary code execution.

     

    CVE-2022-26376 has been described as a memory corruption vulnerability in the Asuswrt firmware that could be triggered by means of a specially-crafted HTTP request.

     

    The seven other flaws are as follows -

    • CVE-2022-35401 (CVSS score: 8.1) - An authentication bypass vulnerability that could permit an attacker to send malicious HTTP requests to gain full administrative access to the device.
    • CVE-2022-38105 (CVSS score: 7.5) - An information disclosure vulnerability that could be exploited to access sensitive information by sending specially-crafted network packets.
    • CVE-2022-38393 (CVSS score: 7.5) - A denial-of-service (DoS) vulnerability that could be triggered by sending a specially-crafted network packet.
    • CVE-2022-46871 (CVSS score: 8.8) - The use of an out-of-date libusrsctp library that could open targeted devices to other attacks.
    • CVE-2023-28702 (CVSS score: 8.8) - A command injection flaw that could be exploited by a local attacker to execute arbitrary system commands, disrupt system, or terminate service.
    • CVE-2023-28703 (CVSS score: 7.2) - A stack-based buffer overflow vulnerability that could be exploited by an attacker with admin privileges to execute arbitrary system commands, disrupt system, or terminate service.
    • CVE-2023-31195 (CVSS score: N/A) - An adversary-in-the-middle (AitM) flaw that could lead to a hijack of a user's session.

     

    ASUS is recommending that users apply the latest updates as soon as possible to mitigate security risks. As a workaround, it's advising users to disable services accessible from the WAN side to avoid potential unwanted intrusions.

     

    "These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, [and] port trigger," the company said, urging customers to periodically audit their equipment as well as set up separate passwords for the wireless network and the router-administration page.

     

    Source: https://thehackernews.com/2023/06/asus-releases-patches-to-fix-critical.html

    • Upvote 1
  20. ChatGPT
     

    Over 100,000 compromised OpenAI ChatGPT account credentials have found their way onto illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials.

    The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News.

     

    "The number of available logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023," the Singapore-headquartered company said. "The Asia-Pacific region has experienced the highest concentration of ChatGPT credentials being offered for sale over the past year."

     

    Other countries with the highest numbers of compromised ChatGPT credentials include Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh.

     

    A further analysis has revealed that the majority of logs containing ChatGPT accounts have been breached by the notorious Raccoon info stealer, followed by Vidar and RedLine.

     

    Information stealers have become popular among cybercriminals for their ability to hijack passwords, cookies, credit cards, and other information from browsers, and cryptocurrency wallet extensions.

     

    "Logs containing compromised information harvested by info stealers are actively traded on dark web marketplaces," Group-IB said.

    "Additional information about logs available on such markets includes the lists of domains found in the log as well as the information about the IP address of the compromised host."

     

    Typically offered based on a subscription-based pricing model, they have not only lowered the bar for cybercrime, but also serve as a conduit for launching follow-on attacks using the siphoned credentials.

     

    "Many enterprises are integrating ChatGPT into their operational flow," Dmitry Shestakov, head of threat intelligence at Group-IB, said.

     

    ChatGPT
     

    "Employees enter classified correspondences or use the bot to optimize proprietary code. Given that ChatGPT's standard configuration retains all conversations, this could inadvertently offer a trove of sensitive intelligence to threat actors if they obtain account credentials."

     

    To mitigate such risks, it's recommended that users follow appropriate password hygiene practices and secure their accounts with two-factor authentication (2FA) to prevent account takeover attacks.

     

    The development comes amid an ongoing malware campaign that's leveraging fake OnlyFans pages and adult content lures to deliver a remote access trojan and an information stealer called DCRat (or DarkCrystal RAT), a modified version of AsyncRAT.

     

    "In observed instances, victims were lured into downloading ZIP files containing a VBScript loader which is executed manually," eSentire researchers said, noting the activity has been underway since January 2023.

     

    "File naming convention suggests the victims were lured using explicit photos or OnlyFans content for various adult film actresses."

     

    It also follows the discovery of a new VBScript variant of a malware called GuLoader (aka CloudEyE) that employs tax-themed decoys to launch PowerShell scripts capable of retrieving and injecting Remcos RAT into a legitimate Windows process.

     

    "GuLoader is a highly evasive malware loader commonly used to deliver info-stealers and Remote Administration Tools (RATs)," the Canadian cybersecurity company said in a report published earlier this month.

     

    "GuLoader leverages user-initiated scripts or shortcut files to execute multiple rounds of highly obfuscated commands and encrypted shellcode. The result is a memory-resident malware payload operating inside a legitimate Windows process."

     

    Source: https://thehackernews.com/2023/06/over-100000-stolen-chatgpt-account.html

    • Upvote 1