Exploit Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Apache OFBiz RCE Vulnerability Discovered, Patch Now
https://gridinsoft.com/blogs/apache-ofbiz-rce-vulnerability/
Tue, 06 Aug 2024 13:14:57 +0000

A vulnerability, CVE-2024-38856, has been discovered in Apache OFBiz that allows unauthenticated remote code execution. A patch is already available, and the developer strongly recommends installing it, as hackers will not hesitate to exploit the issue now that it has been disclosed. Given the flaw's high CVSS score, little further motivation should be needed.

Critical Apache OFBiz Flaw Allows Unauthorized Code Execution

Cybersecurity researchers have discovered a critical zero-day vulnerability in Apache OFBiz. The authorization flaw, identified as CVE-2024-38856, has a CVSS score of 9.8 and affects versions up to 18.12.14. Successful exploitation allows attackers to execute arbitrary code on vulnerable systems without authentication.

Image: CVE-2024-38856 exploit request in version 18.12.14 (Source: SonicWall)

Apache OFBiz is an open-source framework for enterprise resource planning (ERP). It includes web applications that cover common business needs such as accounting, human resources, inventory management, customer relationship management, marketing, and more. Companies like United Airlines, Atlassian JIRA, HP Development Company, and Upwork Global Inc., among approximately 170 others, use this software. Organizations running it have been advised to address this critical vulnerability promptly.

CVE-2024-38856 Overview

During analysis, researchers observed that, under certain conditions, an attacker could gain control of the system and execute screen rendering code without proper authentication. The issue stemmed from certain parts of the system failing to verify authentication correctly, which allowed unauthorized access to specific system components. This happens because the application performs no authentication check for the command itself and relies on endpoint configuration instead.

This, in fact, is not the first vulnerability in Apache OFBiz in recent months. The previous vulnerability, CVE-2023-51467, also had a CVSS score of 9.8. It was related to the login function and resulted from an incomplete fix of a previous critical vulnerability, CVE-2023-49070. The latter was a flaw that also allowed for RCE, potentially leading to complete server control and theft of sensitive data.

RCE/ACE vulnerabilities rightly rank among the most dangerous flaws. Since they can provide both initial access and lateral movement, they are valuable to any adversary at any stage of an attack. And given where CVE-2024-38856 sits, in an ERP system, its successful exploitation could expose large amounts of sensitive internal data.

Apache OFBiz Flaw Patched

Unlike the vulnerabilities mentioned above, which attackers actively attempted to exploit, there have been no reports of CVE-2024-38856 being exploited in the wild at the time of writing. However, there is a clear tendency for hackers to start exploiting such flaws soon after disclosure. That happened with some of the previous vulnerabilities in Apache products, and I have no doubt that this will happen to this one, too.

Regardless, the Apache OFBiz team released a patch for CVE-2024-38856 within 24 hours of the disclosure. Companies that use OFBiz should update to version 18.12.15, which addresses the vulnerability. Unfortunately, no workaround is available, so applying the update is the only remediation.

Docker Engine Authentication Bypass Vulnerability Exploited
https://gridinsoft.com/blogs/docker-engine-authentication-bypass/
Thu, 25 Jul 2024 18:18:11 +0000

Attackers are actively exploiting a critical vulnerability in the Docker Engine that may allow for authentication bypass in a chained attack. The vulnerability lets attackers bypass AuthZ authorization plugins, effectively neutralizing any access control built on them. For this and several other reasons, the flaw received the maximum possible severity score (10.0).

Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins

Docker has reported a critical vulnerability in several versions of Docker Engine. It enables threat actors to bypass authorization plugins (AuthZ) under specific conditions. The vulnerability in question is CVE-2024-41110, rated CVSS 10.0.

Image: Vulnerability-affected versions

The “predecessor” of this flaw in fact appeared back in 2018 and was patched in January 2019. However, in April 2024 the flaw resurfaced in current versions of the software. The developers explain that this happened because the fix was never carried forward to newer versions of the program.

In summary, CVE-2024-41110 allows attackers to send a specially crafted API request with a Content-Length of 0, tricking the Docker daemon into bypassing the AuthZ plugin. Typically, API requests contain a body that the authorization plugin checks to make access control decisions. When the Content-Length is set to 0, the plugin receives the request without a body, preventing proper validation and potentially leading to the approval of unauthorized actions, including privilege escalation.
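As an added illustration of the mechanism described above (example code written for this article, not Docker's code and not the real AuthZ plugin protocol), the Python below models a plugin whose allow/deny decision depends on the request body, shows how a request with Content-Length: 0 slips past logic that only inspects a body when one arrives, and shows the fail-closed check that refuses to decide without one. The endpoint list, the JSON fields inspected and the sample requests are constructed for the example.

```python
import json
import re
from dataclasses import dataclass, field


# Constructed stand-in for the request an authorization plugin is asked to
# approve: method, URI, headers and raw body. Field names are this example's
# own, not the plugin protocol's.
@dataclass
class ApiRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# Endpoints where the allow/deny decision depends on the JSON body
# (constructed policy scope for the example).
BODY_CHECKED_PATHS = ("/containers/create",)


def strip_api_version(uri: str) -> str:
    """'/v1.45/containers/create?name=x' -> '/containers/create'."""
    path = uri.split("?", 1)[0]
    return re.sub(r"^/v\d+\.\d+", "", path)


def needs_body_check(req: ApiRequest) -> bool:
    return req.method == "POST" and strip_api_version(req.uri) in BODY_CHECKED_PATHS


def body_policy(body: bytes):
    """Deny privileged containers and bind mounts of the host root."""
    try:
        spec = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    host_cfg = spec.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        return False, "privileged container"
    for bind in host_cfg.get("Binds", []):
        if bind.split(":", 1)[0] == "/":
            return False, "host root bind mount"
    return True, "ok"


def authz_naive(req: ApiRequest):
    """Weak plugin logic: only inspects a body if one was delivered."""
    if needs_body_check(req) and req.body:
        return body_policy(req.body)
    return True, "nothing to inspect"  # a zero-length body is waved through


def authz_fail_closed(req: ApiRequest):
    """Hardened logic: a body-checked endpoint with no body is denied."""
    if not needs_body_check(req):
        return True, "endpoint not body-checked"
    declared = req.headers.get("Content-Length", "0")
    if declared == "0" or not req.body:
        return False, "policy needs the body but none was supplied"
    return body_policy(req.body)


# Constructed sample container specs.
PRIVILEGED = json.dumps({"Image": "alpine", "HostConfig": {"Privileged": True}}).encode()
BENIGN = json.dumps({"Image": "alpine", "HostConfig": {}}).encode()


def demo():
    """Run both plugin variants over constructed requests; returns {name: (naive, hardened)}."""
    cases = {
        "benign_create": ApiRequest("POST", "/v1.45/containers/create",
                                    {"Content-Length": str(len(BENIGN))}, BENIGN),
        "privileged_create": ApiRequest("POST", "/v1.45/containers/create",
                                        {"Content-Length": str(len(PRIVILEGED))}, PRIVILEGED),
        # Same endpoint, but Content-Length: 0, so the plugin never sees a body.
        "empty_body_create": ApiRequest("POST", "/v1.45/containers/create",
                                        {"Content-Length": "0"}, b""),
        "list_containers": ApiRequest("GET", "/v1.45/containers/json"),
    }
    return {name: (authz_naive(r)[0], authz_fail_closed(r)[0]) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in demo().items():
        n = "allow" if naive else "deny"
        h = "allow" if hardened else "deny"
        print(f"{name:20} naive={n:5} hardened={h}")
```

The `empty_body_create` case is the one the CVE describes: the naive variant allows it, the fail-closed variant denies it.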

That explains the maximum CVSS score. Authentication bypass vulnerabilities are as dangerous as RCE/ACE ones and serve similar purposes: adversaries can use them to gain initial access or to move laterally. At the very least, attackers can access data stored in Docker and exfiltrate it.

Risk Group & Vulnerability Patches

As for the potential risks, the affected versions include Docker Engine v19.03.x and later versions that use authorization plugins for access control decisions. Deployments that do not run any authorization plugin are not exposed to this attack vector. Additionally, there is a limited risk for Docker Desktop users up to version 4.32.0; however, for this to be exploited, the threat actor must have local access to the host machine, or the Docker daemon must be insecurely exposed via TCP.

Conversely, Docker Engine versions, Docker's commercial products and internal infrastructure that do not rely on authorization plugins for access control decisions, as well as all versions of Mirantis Container Runtime, are not vulnerable.

Docker's developers have released an update (docker-ce v27.1.1) that fixes the flaw and strongly recommend that users update Docker Engine. If the update cannot be applied for some reason, the developers recommend at least disabling AuthZ plugins until it can be.

Two Android Zero-Day Flaws in Google Pixel Exploited
https://gridinsoft.com/blogs/android-zero-day-flaws-google-pixel/
Fri, 05 Apr 2024 16:04:37 +0000

Google has disclosed that two Android zero-day security vulnerabilities have been detected in its Pixel smartphones. A patch is already available, as Google states it has fixed the flaws in the latest Pixel Update Bulletin. Worse, the flaws are already being exploited in targeted attacks.

Two Android Zero-Day Flaws Exploited in Targeted Attacks

In a recent announcement, Google reported the detection of two zero-day security vulnerabilities in its Pixel smartphones. The first, CVE-2024-29745 (CVSS 7.2), is an information disclosure flaw in the bootloader component that could compromise data confidentiality. The other, CVE-2024-29748, is a privilege escalation flaw in the firmware component that can allow unauthorized access to and control over the device.

Image: Detailed explanation of the new zero-days from GrapheneOS developers

According to Google’s advisory, these vulnerabilities were fixed on April 2, 2024. The original discovery, though, happened back in early January 2024 and was made by GrapheneOS developers. The good news is that they are subject to limited, targeted exploitation, which means the risk of widespread exploitation is relatively low. Nonetheless, Google urges all Pixel smartphone users to update their devices to the latest software version as soon as possible.

Android Zero-Day Vulnerabilities Exploited in the Wild

Although Google has not provided specifics on the attacks, GrapheneOS developers have indicated active exploitation of these flaws. In addition, CISA has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog as currently exploited. CVE-2024-29745 is linked to a vulnerability in the fastboot firmware, which supports various device states such as unlocking, flashing, and locking. Threat actors can exploit this flaw to access the device’s memory without privileges or user interaction.

On the other hand, CVE-2024-29748 presents a different risk. This flaw allows an attacker to interrupt a factory reset triggered by apps that use the device admin API. As a result, attackers were able to stop the device from completing the factory reset, although this requires physical interaction with the device. Although Google has addressed part of the issue, GrapheneOS has pointed out that the reset can still be stopped by cutting power to the device. As a result, GrapheneOS is working on a more comprehensive solution. This includes a stronger duress PIN/password feature and a secure “panic wipe” action that can be executed without requiring a reboot.

Safety Recommendations

As the digital landscape evolves, so does the sophistication of cyber threats. To mitigate these risks, users should manually verify if their devices have the latest software version. Staying informed about security updates and best practices is crucial in safeguarding digital assets against emerging threats. Google’s disclosure serves as a reminder of the ongoing battle for cybersecurity and the need for continuous improvement in defense mechanisms to protect personal information.

Critical Vulnerability Uncovered in Apple iOS and macOS Exploited
https://gridinsoft.com/blogs/critical-vulnerability-ios-macos/
Fri, 02 Feb 2024 09:08:08 +0000

The Cybersecurity and Infrastructure Security Agency has identified a security flaw in Apple operating systems, particularly iOS and macOS. It has been added to the agency’s Known Exploited Vulnerabilities catalog. The vulnerability can allow attackers to bypass Pointer Authentication and gain unauthorized read and write access to the system.

Critical Apple Operating Systems Vulnerabilities Exploited

The U.S. CISA has added to the agency’s Known Exploited Vulnerabilities catalog a critical vulnerability in Apple’s iOS and macOS, discovered by Apple’s security team. The flaw has been designated CVE-2022-48618 and has a rather high severity rating of CVSS 7.8. Upon successful exploitation, attackers could potentially bypass security measures and gain unauthorized access to sensitive information. CISA is urging all users to take immediate action to secure their devices.

Apple has not revealed much information about CVE-2022-48618 and its active exploitation in the wild. However, the Cybersecurity and Infrastructure Security Agency has directed all U.S. federal agencies to fix this flaw by February 21, per the binding operational directive (BOD 22-01) issued in November 2021.

CVE-2022-48618 Vulnerability Impact

Discovered within the kernel component of Apple’s software, this vulnerability threatens the integrity of devices by enabling adversaries to manipulate memory functions and execute arbitrary code. Successful exploitation leads to compromising personal data and undermining critical infrastructure security that relies on these technologies.

This flaw is being actively exploited and affects a wide range of devices, including older and newer models such as iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. Additionally, it impacts Macs running macOS Ventura, Apple TV 4K, Apple TV 4K (2nd generation and later), Apple TV HD, and Apple Watch Series 4 and later. Thus, the systems affected by CVE-2022-48618 are:

macOS Ventura up to version 13.1
watchOS before version 9.2
iOS and iPadOS before version 16.2
tvOS before version 16.2

Apple’s Response

In response to the discovery, Apple promptly issued patches to rectify the vulnerability, embedding enhanced security checks within the latest software updates. These updates, which include iOS 16.2 and macOS Ventura 13.1, aim to fortify devices against potential exploits. However, the delayed disclosure of the vulnerability raises questions about the timing and transparency of security communications. Though that is more of an “industry standard” than an omission unique to Apple.

Apple fixed a similar flaw in the kernel (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6, which shipped on July 20, 2022. That flaw allowed an app with arbitrary kernel read and write capability to bypass Pointer Authentication. It was a logic issue, which Apple addressed with improved state management.

Panda Security Driver Vulnerabilities Uncovered in APT Simulation
https://gridinsoft.com/blogs/panda-security-driver-vulnerabilities/
Mon, 29 Jan 2024 19:50:08 +0000

Security researchers have discovered critical vulnerabilities in a Panda Security driver. This chain of flaws lets attackers abuse a legitimate driver to disable EDR products. Despite their relatively low CVSS scores, they may be rather effective in real-world attacks.

Panda Security Driver Vulnerabilities Uncovered

Researchers have unearthed three critical vulnerabilities in a widely deployed security driver. The driver in question is pskmad_64.sys, which belongs to Panda Security. Although the vulnerabilities were discovered in July 2023, the company provided a patch only in January 2024.

Further analysis showed that the flaws were first found during a penetration testing engagement: the red team developed exploits for them and used them during the simulated attack. They have since been assigned the identifiers CVE-2023-6330, CVE-2023-6331 and CVE-2023-6332 respectively.

Analysis of the Flaws

The first vulnerability, CVE-2023-6330, has a CVSS score of 6.4 and is registry-related. Because the driver did not correctly validate the contents of certain registry values, an attacker could place malicious content into those values, which could result in a memory overflow. The minimum impact of this vulnerability is a denial of service.

The second vulnerability, CVE-2023-6331, also has a CVSS score of 6.4, but Panda rates it as high. It is caused by a lack of bounds checking when data is moved via memmove into a non-paged memory pool. An attacker can send a maliciously crafted packet to the driver using an IRP request with IOCTL code 0xB3702C08. This overflows the non-paged pool, resulting in an out-of-bounds write. The minimum impact is a denial of service.

The third vulnerability, CVE-2023-6332, has a CVSS score of 4.1 and consists of insufficient request validation in the kernel driver. That is, an attacker can issue a specially crafted read request that reads directly from kernel memory, causing sensitive data to be leaked. Although at first glance all these vulnerabilities seem harmless, in combination with other vulnerabilities they can cause more serious damage.

Antivirus Drivers Exploitation – A New Trend?

The story around the vulnerable Panda Security driver is strikingly similar to the recent news about a tactic employed by Kasseika ransomware. In a bring-your-own-vulnerable-driver (BYOVD) attack, the latter exploited a flawed driver of the VirIT Agent System security solution. This approach allowed the hackers to list all the processes running in the environment and suspend the ones related to security tools.

Overall, the idea of using vulnerable drivers in cyberattacks is not new. Though targeting specifically antivirus/antimalware software drivers appears to be a new trend. Such drivers have deeper system integration, leading to more comprehensive control over the system in case of a successful exploitation. Moreover, security tools themselves usually consider these drivers safe and legit, meaning that attackers can stay under the radar even having their “main weapon” deployed directly on the disk.

How to stay protected?

To stay safe, keeping your software and security systems up to date is crucial. Conducting routine system audits and implementing robust security protocols can also help protect against potential exploits. In addition, there are more detailed recommendations that address the current vulnerabilities.

Confluence RCE Vulnerability Under Massive Exploitation
https://gridinsoft.com/blogs/confluence-rce-vulnerability-exploited/
Wed, 24 Jan 2024 09:13:09 +0000

Researchers are seeing attempts to exploit a critical vulnerability in outdated Atlassian Confluence servers. The flaw allows attackers to execute code remotely, with most attempts coming from Russian IP addresses. As is typical for remote code execution vulnerabilities, this one received a high severity rating on the CVSS scale.

RCE Vulnerability in Confluence Exploited in the Wild

According to Shadowserver, a threat monitoring service, their systems detected thousands of attempts to exploit CVE-2023-22527, which was given a maximum CVSS score of 10. The vulnerability allows attackers to achieve a remote code execution (RCE) in a low-complexity attack without authentication. These attacks came from over 600 unique IP addresses, with over 39,000 exploitation attempts recorded.

A total of 22,674 attacker IP addresses were recorded as being from Russia. Other common attacker locations are Singapore, Hong Kong, the U.S., China, India, Brazil, Taiwan, Japan, and Ecuador. The security flaw affects outdated Confluence 8 versions released before Dec. 5th, 2023, and Confluence 8.4.5, which no longer receives backported fixes. Confluence 7.19.x Long-Term Support (LTS) versions and Atlassian Cloud instances aren’t impacted.

Details of the Vulnerability

The CVE-2023-22527 vulnerability involves insecure user input being included in a specially crafted template. Using it, hackers gain the ability to execute arbitrary code remotely on the server hosting Confluence without any authentication. Attackers can manipulate templates to include malicious code, which runs when the server processes the template.

In addition, successfully exploiting this vulnerability could allow an adversary to cause data destruction on the affected instance. Confidentiality is not impacted, as an attacker cannot exfiltrate any instance data. However, the consequences of exploitation can still include gaining control over the server, accessing sensitive information, disrupting operations, or launching further attacks.

Mitigation and Recommendations

The company addressed the vulnerability with the release of versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only). Atlassian recommends that customers install the latest version, so if you are on an out-of-date version, you must patch it immediately. The developers insist that every affected installation be updated to the newest version available.

If your organization is running an outdated Confluence instance, it is necessary to consider it potentially compromised. It is highly recommended to immediately patch and review the systems thoroughly to detect any signs of exploitation. Security experts also suggest taking additional measures such as threat hunting, log review, monitoring, and auditing for the affected systems.

In addition, we recommend using EDR and XDR solutions. Both systems offer real-time monitoring, threat intelligence integration, automated response, and behavioral analysis, providing essential security against vulnerabilities.

2 Citrix RCE Under Active Exploitation, CISA Notifies
https://gridinsoft.com/blogs/2-citrix-rce-exploited-cisa-updates/
Fri, 19 Jan 2024 11:37:19 +0000

CISA has given a timeframe of one to three weeks to fix three vulnerabilities related to Citrix NetScaler and Google Chrome. These zero-day vulnerabilities were actively used in cyber attacks.

2 Citrix RCEs Exploited In The Wild, CISA Urges to Update

On Wednesday, January 17, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding three actively exploited vulnerabilities. The two Citrix flaws involved are CVE-2023-6548 and CVE-2023-6549. The agency immediately added these vulnerabilities to its Known Exploited Vulnerabilities Catalog and demanded that U.S. federal agencies patch them as soon as possible.

The first has a CVSS score of 5.5 and affects the NetScaler ADC and Gateway management interfaces; its remediation deadline is January 24. Of the other two vulnerabilities, one can cause a denial of service condition on specific configurations, namely Gateway appliances configured as VPN, ICA Proxy, CVPN or RDP Proxy services, or as AAA virtual servers. It has a CVSS score of 8.2, higher than the first one, yet CISA has given three weeks to fix these two vulnerabilities.

So why would CISA prioritize fixing a vulnerability with a lower CVSS score? Because ease of exploitation matters: while exploiting some maximum-CVSS vulnerabilities requires conditions close to those of a laboratory, other issues take far less effort. It is no wonder CISA so strongly recommends fixing this vulnerability first and foremost.

Citrix RCE Vulnerability Details

CVE-2023-6548 is a medium-severity (CVSS score of 5.5) Remote Code Execution (RCE) vulnerability that affects Citrix NetScaler ADC and Gateway appliances. It allows an authenticated attacker with low-level privileges to execute code on the management interface of the affected devices via NSIP, SNIP, or CLIP.

Next, CVE-2023-6549 is a Denial of Service (DoS) vulnerability. It was also found in Citrix NetScaler ADC and has a CVSS score of 8.2. Threat actors can exploit it under specific configurations of vulnerable appliances; as mentioned, VPN, ICA Proxy, CVPN, RDP Proxy services, or an AAA virtual server are at risk. The vulnerability can disrupt services by overwhelming the system, leading to a denial of service condition.

Citrix Responds to New Vulnerabilities

Citrix promptly published an advisory and recommended that customers immediately apply updates for affected versions. Customers using Citrix-managed cloud services or Adaptive Authentication are not required to take action. In addition, the company strongly recommended that network traffic to the appliance’s management interface be separated, either physically or logically, from regular network traffic, and that the management interface not be exposed to the internet, as outlined in their secure deployment guide.

New Google Chrome 0-day Vulnerability Exploited, Update Now
https://gridinsoft.com/blogs/new-google-chrome-0-day-vulnerability/
Tue, 16 Jan 2024 20:34:57 +0000

In its most recent release notes, Google reports a new 0-day vulnerability that is already being exploited in the wild. The update fixes the issue, but the very fact that it is being exploited means the update should be installed as soon as possible. It appears to be the first 0-day exploit in the Chrome browser in 2024.

New Chrome 0-day Vulnerability Fixed

On January 16, Google released an update for its Chrome browser that contains fixes for 3 vulnerabilities. Among them is CVE-2024-0519, which was reported by an anonymous user. The company acknowledges that an exploit for this flaw exists in the wild.

Image: An excerpt from Google’s patch note for the latest Chrome update

The key issue of the vulnerability lies in improper memory access control in the V8 JavaScript engine used in Chrome. The issue falls under the CWE-119 designation. V8 relies on direct memory addressing, and without proper handling a reference can point to a wrong memory location. This gives attackers the ability to both read from and write to arbitrary memory areas, causing data leaks and arbitrary code execution.

Besides the most serious issue, 2 high-severity vulnerabilities are fixed in the same update. Both also affect the V8 JavaScript engine and are related to a lack of memory write validation and to type confusion. The latter can actually lead to effects similar to CVE-2024-0519, so it should be treated with the same seriousness. The good news about these two is that there is no known real-world exploitation.

Google Releases Fix to the Newest 0-day Exploit

The severity of the issue obviously calls for an urgent response from the developer. Fortunately, Google never hesitates to patch such bugs. However, because updates are rolled out gradually, the patch may not reach all users simultaneously. Here is the list of OS-specific versions that contain the fix.

OS        Version with fix
Windows   120.0.6099.224 (225)
macOS     120.0.6099.234
Linux     120.0.6099.224

To check whether you have the updated version of the browser, or to check for updates, go to Settings → About Chrome. This opens a page that checks for available updates each time you open it.
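For anyone auditing more than one machine, the version table above can be turned into an automated check. The following is an added example, not code from the Gridinsoft post or from Google: it compares a reported Chrome version numerically against the fixed build for each OS, and treats the Windows entry “224(225)” as a floor of .224 since both builds carry the fix.

```python
# Added example: check an installed Chrome version against the fixed builds
# listed in the post for CVE-2024-0519. Not from Gridinsoft or Google.
from typing import Tuple

# Minimum fixed build per OS, copied from the table in the post.
# Windows lists 224(225): both are fixed builds, so .224 is the floor.
FIXED_VERSIONS = {
    "windows": "120.0.6099.224",
    "macos": "120.0.6099.234",
    "linux": "120.0.6099.224",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '120.0.6099.224' into (120, 0, 6099, 224) for numeric comparison.

    A plain string comparison would wrongly rank '120.0.6099.99' above
    '120.0.6099.224', so each dotted component is compared as an integer.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(os_name: str, installed: str) -> bool:
    """True if the installed build is at or above the fixed build for that OS."""
    key = os_name.lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for OS {os_name!r}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[key])


if __name__ == "__main__":
    # Constructed sample inventory, as a fleet-management tool might report it.
    inventory = [
        ("Windows", "120.0.6099.217"),
        ("Windows", "120.0.6099.225"),
        ("macOS", "120.0.6099.234"),
        ("Linux", "120.0.6099.199"),
    ]
    for os_name, ver in inventory:
        state = "patched" if is_patched(os_name, ver) else "VULNERABLE, update now"
        print(f"{os_name:8} {ver:16} {state}")
```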


Being the most popular web browser is not just about privileges, as you can see. Such a humongous user base means increased (if not maxed out) attention from adversaries, who treat such vulnerabilities as nothing short of a gift. For ordinary users, the best way to counteract this is to keep an eye on the latest updates, specifically on what issues they fix.


Windows SmartScreen Vulnerability Exploited to Spread Phemedrone Stealer https://gridinsoft.com/blogs/windows-smartscreen-vulnerability-phemedrone-stealer/ https://gridinsoft.com/blogs/windows-smartscreen-vulnerability-phemedrone-stealer/#respond Fri, 12 Jan 2024 21:58:53 +0000 https://gridinsoft.com/blogs/?p=19010 The malicious campaign exploits the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen to spread Phemedrone Stealer. It utilizes intricate evasion techniques to bypass traditional security measures and target sensitive user information. Phemedrone Stealer Campaign Exploits CVE-2023-36025 Trend Micro researchers uncovered a malware campaign exploiting the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen. This campaign involves… Continue reading Windows SmartScreen Vulnerability Exploited to Spread Phemedrone Stealer

The post Windows SmartScreen Vulnerability Exploited to Spread Phemedrone Stealer appeared first on Gridinsoft Blog.

The malicious campaign exploits the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen to spread Phemedrone Stealer. It utilizes intricate evasion techniques to bypass traditional security measures and target sensitive user information.

Phemedrone Stealer Campaign Exploits CVE-2023-36025

Trend Micro researchers uncovered a malware campaign exploiting the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen. This campaign involves the Phemedrone Stealer, which can extract a wide range of sensitive data. Its infection chain begins with cloud-hosted malicious URL files, often disguised using URL shorteners. Upon execution, these files exploit CVE-2023-36025 to initiate the malware download.

The campaign itself is concentrated on social media. Hackers spread URL files that look like innocent link shortcuts. Opening one triggers a request to a GitHub repository that returns the shellcode needed to download and run the payload. Fraud targeting such places is nothing new, but the use of URL files is what makes this trick effective: they act as a lockpick for user trust, spam filters and system protection all at once.

CVE-2023-36025: A Gateway for Cybercriminals

In a nutshell, CVE-2023-36025 is a critical vulnerability that affects Microsoft Windows Defender SmartScreen. It allows attackers to bypass security warnings and checks by manipulating Internet Shortcut (.url) files. Despite Microsoft’s patch released on November 14, 2023, cybercriminals have actively exploited the vulnerability, leading to its inclusion in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list.

In the Phemedrone campaign, the attackers apply an advanced evasion tactic, using a control panel item (.cpl) file to bypass Windows Defender SmartScreen. By default, SmartScreen should show a warning once you open the URL shortcut, but the specially crafted file circumvents the protection and runs the malicious download in the background. Further down the chain, a couple of other known Windows weaknesses are abused, particularly the Windows Control Panel binary.

Detailed Analysis

Attackers spread Phemedrone Stealer malware using cloud hosting and URL shorteners. They exploit CVE-2023-36025 by tricking users into opening .url files. They evade Windows Defender SmartScreen using a .cpl file and the MITRE ATT&CK technique T1218.002. The malware executes a DLL loader that calls Windows PowerShell to download a loader from GitHub. The second-stage loader, Donut, can execute various types of files in memory and targets multiple applications and services to steal sensitive information.

[Image: Phemedrone Stealer’s infection chain]

The malware collects system information and compresses it into a ZIP file using the MemoryStream and ZipStorage classes. It then validates the Telegram API token and sends the compressed data to the attacker via the SendMessage and SendZip methods. The SendZip method submits the compressed data as a document to the Telegram API in an HTTP POST request.

Mitigation and Recommendations

In light of this threat, where attackers exploit vulnerabilities faster than developers can fix them, we have a few recommendations:

  • Regularly update your OS, apps, and security solution. This action is crucial as developers continuously address security vulnerabilities through patches. Although the process may seem tedious, it is a necessary and proactive measure to ensure that your operating system, applications, and security solutions are equipped with the latest defenses against evolving cyber threats.
  • Be cautious with Internet Shortcut (.url) files. Exercise caution, especially when dealing with Internet Shortcut files, particularly those received from unverified sources. These files can serve as gateways for malware, making it essential to pay attention to the legitimacy of URLs before opening them to mitigate the risk of infection.
  • Implement advanced security solutions. This measure detects and neutralizes malware if it infiltrates your device. Robust security software with real-time monitoring and threat detection capabilities adds an extra layer of protection, helping identify and promptly respond to potential threats.
  • Stay informed about the risks of phishing and social engineering. These tactics often serve as the initial vectors for malware campaigns. Educate yourself and your team on recognizing phishing attempts, avoiding suspicious links, and verifying the authenticity of communications to minimize the likelihood of falling victim to such cyber threats.


Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild https://gridinsoft.com/blogs/ivanti-connect-secure-0day-exploited/ https://gridinsoft.com/blogs/ivanti-connect-secure-0day-exploited/#respond Fri, 12 Jan 2024 10:15:08 +0000 https://gridinsoft.com/blogs/?p=18979 Ivanti issued an alert about its Connect Secure VPN appliances. Advanced threat actors are exploiting two zero-day vulnerabilities in cyberattacks, possibly including state-sponsored groups. That is yet another vulnerability in Ivanti software. Ivanti Connect Secure Zero-Day Exploited Ivanti, a prominent software company, recently issued a critical alert concerning its Connect Secure VPN appliances. These devices… Continue reading Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild

The post Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild appeared first on Gridinsoft Blog.

Ivanti issued an alert about its Connect Secure VPN appliances. Advanced threat actors, possibly including state-sponsored groups, are exploiting two zero-day vulnerabilities in cyberattacks. That is yet another vulnerability in Ivanti software.

Ivanti Connect Secure Zero-Day Exploited

Ivanti, a prominent software company, recently issued a critical alert concerning its Connect Secure VPN appliances. These devices are susceptible to zero-day vulnerabilities currently being exploited in sophisticated cyberattacks. Experts attribute these attacks to suspected Chinese state-backed hackers.

Ivanti has confirmed that the vulnerabilities in question allow attackers to gain unauthorized access and execute arbitrary code on affected devices. Given how widely Ivanti Connect Secure appliances are used in business environments to provide secure remote access to corporate networks, this is of heightened concern.

Details of the ICS 0-Day Vulnerability

The exploited vulnerabilities are CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (CVSS 9.1). They can be combined into an exploit chain to take over susceptible instances over the Internet. These flaws may lead to severe consequences, including remote code execution (RCE) and unauthorized access to sensitive data. That explains the 8+ scores: the two flaws are at their worst in combination.

The first vulnerability concerns authentication bypass in the web component, which allows remote attackers to access restricted resources without proper control checks. The second vulnerability is related to command injection in the web components, which allows authenticated administrators to execute arbitrary commands on the appliance by sending specially crafted requests.

Patches Not Yet Available

Although it has identified fewer than ten customers that have been affected, Ivanti has advised all of its customers to run the external Integrity Checker Tool (ICT) as a precautionary measure. The company has also added new functionality to the external ICT, which will be incorporated into the internal ICT. Customers should ensure they have both tools’ latest versions.

As for fixes, Ivanti plans to release patches for these vulnerabilities during the week of January 22. However, they will be rolled out on a staggered schedule according to the product version. In the meantime, the company has released a series of mitigation steps that customers should follow immediately to safeguard their systems. Organizations are strongly advised to follow these mitigation steps, as the situation is still evolving.

How to Protect against 0-day vulnerabilities?

Since a zero-day vulnerability is one that attackers learn about before the software developers do, there is no guaranteed solution. However, some measures significantly reduce the risks, and I will list them below:

  • Use corporate-grade protection solutions like EDR/XDR. This approach to anti-malware software focuses on protecting the organization’s endpoints as a whole rather than individual devices in isolation. EDR and XDR solutions collect a vast amount of data about endpoint activity, including file operations, network traffic, and user behavior, and employ machine learning and AI to detect and respond to threats. By analyzing this data, they can identify anomalous patterns that indicate a zero-day attack.
  • Apply Zero Trust. Zero trust is a cybersecurity model that grants access on a least-privilege basis and continuously verifies users and devices. This reduces the attack surface and makes vulnerabilities harder to exploit.
  • Perform regular pentesting. Penetration testing is a simulated attack on an organization’s IT infrastructure to identify and assess vulnerabilities that attackers could exploit. This can help organizations identify zero-day vulnerabilities that other security tools may not detect.

