Search the Community

Exploiting vulnerability with 9.8 severity rating isn't particularly hard. More than 4,400 Internet-exposed servers are running versions of the Sophos Firewall that’s vulnerable to a critical exploit that allows hackers to execute malicious code, a researcher has warned. CVE-2022-3236 is a code-injection vulnerability allowing remote code execution in the User Portal and Webadmin of Sophos Firewalls. It carries a severity rating of 9.8 out of 10. When Sophos disclosed the vulnerability last September, the company warned it had been exploited in the wild as a zero-day. The security company urged customers to install a hotfix and, later on, a full-blown patch to prevent infection. According to recently published research, more than 4,400 servers running the Sophos firewall remain vulnerable. That accounts for about 6 percent of all Sophos firewalls, security firm VulnCheck said, citing figures from a search on Shodan. The researcher said he was able to create a working exploit for the vulnerability based on technical descriptions in this advisory from the Zero Day Initiative. The research's implicit warning: Should exploit code become public, there’s no shortage of servers that could be infected. Baines urged Sophos firewall users to ensure they’re patched. He also advised users of vulnerable servers to check for two indicators of possible compromise. The first is the log file located at: /logs/csc.log, and the second is /log/validationError.log. When either contains the_discriminator field in a login request, there likely was an attempt, successful or otherwise, to exploit the vulnerability, he said. The silver lining in the research is that mass exploitation isn’t likely because of a CAPTCHA that must be completed during authentication by web clients. In a statement, Sophos officials wrote: "Sophos took immediate steps to remediate this issue with an automated hotfix sent out in September 2022. We also alerted users who don't receive automatic hotfixes to apply the update themselves. The remaining 6% of the Internet-facing versions that Baines is guestimating in his article are running old, unsupported version of the software. This is a good opportunity to remind these users, as well as all users of any type of outdated software, to follow best security practices and upgrade to the most recent version available, like Sophos does on a regular basis with its customers." Via arstechnica.com

A patch was released in October, but not all servers have installed it. Malicious hackers have begun exploiting a critical vulnerability in unpatched versions of the Control Web Panel, a widely used interface for web hosting. “This is an unauthenticated RCE,” members of the Shadowserver group wrote on Twitter, using the abbreviation for remote code exploit. “Exploitation is trivial and a PoC published.” PoC refers to a proof-of-concept code that exploits the vulnerability. The vulnerability is tracked as CVE-2022-44877. It was discovered by Numan Türle of Gais Cyber Security and patched in October in version 0.9.8.1147. Advisories didn’t go public until earlier this month, however, making it likely some users still aren’t aware of the threat. Figures provided by Security firm GreyNoise show that attacks began on January 7 and have slowly ticked up since then, with the most recent round continuing through Wednesday. The company said the exploits are coming from four separate IP addresses located in the US, Netherlands, and Thailand. Shadowserver shows that there are roughly 38,000 IP addresses running Control Web Panel, with the highest concentration in Europe, followed by North America and Asia. The severity rating for CVE-2022-44877 is 9.8 out of a possible 10. “Bash commands can be run because double quotes are used to log incorrect entries to the system,” the advisory for the vulnerability stated. As a result, unauthenticated hackers can execute malicious commands during the login process. The following video demonstrates the flow of the exploit. Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877 The vulnerability resides in the /login/index.php component and resulted from CWP using a faulty structure when logging incorrect entries, according to the Daily Swig. The structure is: echo "incorrect entry, IP address, HTTP_REQUEST_URI" >> /blabla/wrong.log. “Since the request URI comes from the user, and as you can see it is within double quotes, it is possible to run commands such as $(blabla), which is a bash feature,” Türle told the publication. Given the ease and severity of exploitation and the availability of working exploit code, organizations using Control Web Panel should ensure they’re running version 0.9.8.1147 or higher. Via arstechnica.com

People who use WordPress should check their sites for unpatched plugins. Malware that exploits unpatched vulnerabilities in 30 different WordPress plugins has infected hundreds if not thousands of sites and may have been in active use for years, according to a writeup published last week. The Linux-based malware installs a backdoor that causes infected sites to redirect visitors to malicious sites, researchers from security firm Dr.Web said. It’s also able to disable event logging, go into standby mode, and shut itself down. It gets installed by exploiting already-patched vulnerabilities in plugins that website owners use to add functionality like live chat or metrics-reporting to the core WordPress content management system. Searches such as this one indicate that more than 1,300 sites contain the JavaScript that powers the backdoor. It’s possible that some of those sites have removed the malicious code since the last scan. Still, it provides an indication of the reach of the malware. The plugins exploited include: WP Live Chat Support Plugin WordPress – Yuzo Related Posts Yellow Pencil Visual Theme Customizer Plugin Easysmtp WP GDPR Compliance Plugin Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972) Thim Core Google Code Inserter Total Donations Plugin Post Custom Templates Lite WP Quick Booking Manager Facebook Live Chat by Zotabox Blog Designer WordPress Plugin WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233) WP-Matomo Integration (WP-Piwik) WordPress ND Shortcodes For Visual Composer WP Live Chat Coming Soon Page and Maintenance Mode Hybrid Brizy WordPress Plugin FV Flowplayer Video Player WooCommerce WordPress Coming Soon Page WordPress theme OneTone Simple Fields WordPress Plugin WordPress Delucks SEO plugin Poll, Survey, Form & Quiz Maker by OpinionStage Social Metrics Tracker WPeMatico RSS Feed Fetcher Rich Reviews plugin “If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server,” the Dr.Web writeup explained. “With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first—regardless of the original contents of the page. At this point, whenever users click anywhere on the infected page, they will be transferred to the website the attackers need users to go to.” The JavaScript contains links to a variety of malicious domains, including: lobbydesires[.]com letsmakeparty3[.]ga deliverygoodstrategies[.]com gabriellalovecats[.]com css[.]digestcolect[.]com clon[.]collectfasttracks[.]com Count[.]trackstatisticsss[.]com The screenshot below shows how the JavaScript appears in the page source of the infected site: The researchers found two versions of the backdoor: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. They said the malware may have been in use for three years. WordPress plugins have long been a common means for infecting sites. While the security of the main application is fairly robust, many plugins are riddled with vulnerabilities that can lead to infection. Criminals use infected sites to redirect visitors to sites used for phishing, ad fraud, and distributing malware. People running WordPress sites should ensure that they’re using the most current versions of the main software as well as any plugins. They should prioritize updating any of the plugins listed above. Source

Leave it to mathematicians to muck up what looked like an impressive new algorithm. In the US government's ongoing campaign to protect data in the age of quantum computers, a new and powerful attack that used a single traditional computer to completely break a fourth-round candidate highlights the risks involved in standardizing the next generation of encryption algorithms. Last month, the US Department of Commerce's National Institute of Standards and Technology, or NIST, selected four post-quantum computing encryption algorithms to replace algorithms like RSA, Diffie-Hellman, and elliptic curve Diffie-Hellman, which are unable to withstand attacks from a quantum computer. In the same move, NIST advanced four additional algorithms as potential replacements pending further testing in hopes one or more of them may also be suitable encryption alternatives in a post-quantum world. The new attack breaks SIKE, which is one of the latter four additional algorithms. The attack has no impact on the four PQC algorithms selected by NIST as approved standards, all of which rely on completely different mathematical techniques than SIKE. Getting totally SIKEd SIKE—short for Supersingular Isogeny Key Encapsulation—is now likely out of the running thanks to research that was published over the weekend by researchers from the Computer Security and Industrial Cryptography group at KU Leuven. The paper, titled An Efficient Key Recovery Attack on SIDH (Preliminary Version), described a technique that uses complex mathematics and a single traditional PC to recover the encryption keys protecting the SIKE-protected transactions. The entire process requires only about an hour’s time. The feat makes the researchers, Wouter Castryck and Thomas Decru eligible for a $50,000 reward from NIST. The advent of public key encryption in the 1970s was a major breakthrough because it allowed parties who had never met to securely trade encrypted material that couldn’t be broken by an adversary. Public key encryption relies on asymmetric keys, with one private key used to decrypt messages and a separate public key for encrypting. Users make their public key widely available. As long as their private key remains secret, the scheme remains secure. In practice, public key cryptography can often be unwieldy, so many systems rely on key encapsulation mechanisms, which allow parties who have never met before to jointly agree on a symmetric key over a public medium such as the Internet. In contrast to symmetric-key algorithms, key encapsulation mechanisms in use today are easily broken by quantum computers. SIKE, before the new attack, was thought to avoid such vulnerabilities by using a complex mathematical construction known as a supersingular isogeny graph. The cornerstone of SIKE is a protocol called SIDH, short for Supersingular Isogeny Diffie-Hellman. The research paper published over the weekend shows how SIDH is vulnerable to a theorem known as “glue-and-split” developed by mathematician Ernst Kani in 1997, as well as tools devised by fellow mathematicians Everett W. Howe, Franck Leprévost, and Bjorn Poonen in 2000. The new technique builds on what’s known as the “GPST adaptive attack,” described in a 2016 paper. The math behind the latest attack is guaranteed to be impenetrable to most non-mathematicians. Here’s about as close as you’re going to get: “The attack exploits the fact that SIDH has auxiliary points and that the degree of the secret isogeny is known,” Steven Galbraith, a University of Auckland mathematics professor and the “G” in the GPST adaptive attack, explained in a short writeup on the new attack. “The auxiliary points in SIDH have always been an annoyance and a potential weakness, and they have been exploited for fault attacks, the GPST adaptive attack, torsion point attacks, etc. He continued: Let E_0 be the base curve and let P_0, Q_0 \in E_0 have order 2^a. Let E, P, Q be given such that there exists an isogeny \phi of degree 3^b with \phi : E_0 \to E, \phi(P_0) = P, and \phi(Q_0) = Q. A key aspect of SIDH is that one does not compute \phi directly, but as a composition of isogenies of degree 3. In other words, there is a sequence of curves E_0 \to E_1 \to E_2 \to \cdots \to E connected by 3-isogenies. Essentially, like in GPST, the attack determines the intermediate curves E_i and hence eventually determines the private key. At step i the attack does a brute-force search of all possible E_i \to E_{i+1}, and the magic ingredient is a gadget that shows which one is correct. (The above is over-simplified, the isogenies E_i \to E_{i+1} in the attack are not of degree 3 but of degree a small power of 3.) More important than understanding the math, Jonathan Katz, an IEEE Member and professor in the department of computer science at the University of Maryland, wrote in an email: “the attack is entirely classical, and does not require quantum computers at all.” Lessons learned SIKE is the second NIST-designated PQC candidate to be invalidated this year. In February, IBM post-doc researcher Ward Beullens published research that broke Rainbow, a cryptographic signature scheme with its security, according to Cryptomathic, “relying on the hardness of the problem of solving a large system of multivariate quadratic equations over a finite field.” NIST’s PQC replacement campaign has been running for five years. Here’s a brief history: 1st round (2017)—69 candidates 2nd round (2019)—26 surviving candidates 3rd round (2020)—7 finalists, 8 alternates 4th round (2022)—3 finalists and 1 alternate selected as standards. SIKE and three additional alternates advanced to a fourth round. Rainbow fell during Round 3. SIKE had made it until Round 4. Katz continued: I asked Jao, the SIKE co-inventor, why the weakness had come to light only now, in a relatively later stage of its development. His answer was insightful. He said: The version of SIKE submitted to NIST used a single step to generate the key. A possible variant of SIKE could be constructed to take two steps. Jao said that it’s possible that this latter variant might not be susceptible to the math causing this breakage. For now, though, SIKE is dead, at least in the current running. The schedule for the remaining three candidates is currently unknown. Source: arstechnica.com

Windows and Adobe Reader exploits said to target orgs in Europe and Central America. Microsoft said on Wednesday that an Austria-based company named DSIRF used multiple Windows and Adobe Reader zero-days to hack organizations located in Europe and Central America. Multiple news outlets have published articles like this one, which cited marketing materials and other evidence linking DSIRF to Subzero, a malicious toolset for “automated exfiltration of sensitive/private data” and “tailored access operations [including] identification, tracking and infiltration of threats.” Members of the Microsoft Threat Intelligence Center, or MSTIC, said they have found Subzero malware infections spread through a variety of methods, including the exploitation of what at the time were Windows and Adobe Reader zero-days, meaning the attackers knew of the vulnerabilities before Microsoft and Adobe did. Targets of the attacks observed to date include law firms, banks, and strategic consultancies in countries such as Austria, the UK, and Panama, although those aren’t necessarily the countries in which the DSIRF customers who paid for the attack resided. An email sent to DSIRF seeking comment wasn’t returned. Wednesday’s post is the latest to take aim at the scourge of mercenary spyware sold by private companies. Israel-based NSO Group is the best-known example of a for-profit company selling pricey exploits that often compromise the devices belonging to journalists, attorneys, and activists. Another Israel-based mercenary named Candiru was profiled by Microsoft and University of Toronto’s Citizen Lab last year and was recently caught orchestrating phishing campaigns on behalf of customers that could bypass two-factor authentication. Also on Wednesday, the US House of Representatives Permanent Select Committee on Intelligence held a hearing on the proliferation of foreign commercial spyware. One of the speakers was the daughter of a former hotel manager in Rwanda who was imprisoned after saving hundreds of lives and speaking out about the genocide that had taken place. She recounted the experience of having her phone hacked with NSO spyware the same day she met with the Belgian foreign affairs minister. Referring to DSIRF using the work KNOTWEED, Microsoft researchers wrote: Wednesday’s post also provides detailed indicators of compromise that readers can use to determine if they have been targeted by DSIRF. Microsoft used the term PSOA—short for private-sector offensive actor—to describe cyber mercenaries like DSIRF. The company said most PSOAs operate under one or both of two models. The first, access-as-a-service, sells full end-to-end hacking tools to customers for use in their own operations. In the other model, hack-for-hire, the PSOA carries out the targeted operations itself. Source: arstechnica.com