Patch Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Fri, 31 May 2024 01:00:10 +0000

Federal Agency Hacked With ColdFusion Vulnerability
https://gridinsoft.com/blogs/federal-agency-hacked-with-coldfusion/
Fri, 08 Dec 2023 10:11:54 +0000

The post Federal Agency Hacked With ColdFusion Vulnerability appeared first on Gridinsoft Blog.

A vulnerability in Adobe’s ColdFusion allowed hackers to breach two public-facing servers at a federal agency. The Cybersecurity and Infrastructure Security Agency (CISA) published a report explaining how it happened.

ColdFusion Vulnerability Exploited to Infiltrate Federal Agency Servers

CISA recently reported that Adobe’s ColdFusion, an application development tool, continues to pose a serious threat to organizations. Even though Adobe patched the CVE-2023-26360 vulnerability in March, CISA disclosed that two public-facing web servers at an undisclosed federal government agency were breached this summer.

The attackers exploited the CVE-2023-26360 vulnerability in the ColdFusion software, which enabled them to penetrate the systems. They deployed malware, including a remote access trojan (RAT), and accessed data through a web shell interface. The problem is that the affected servers ran outdated and vulnerable ColdFusion versions. Although Adobe released patches in March, only some users installed them. As a result, the missing updates left an opening for intruders to gain initial access.

Image: CISA report on the ColdFusion exploitation

Fixed But Still Works

The CVE-2023-26360 flaw in ColdFusion allows arbitrary code execution without user action. Adobe released the patch that fixes the issue back in March 2023. However, as some users do not see the need to install this hotfix, threat actors have persistently exploited the vulnerability on unpatched systems. The flaw affects ColdFusion 2018 Update 15 and earlier, as well as 2021 Update 5 and earlier, including unsupported versions.

Both incidents occurred in June. In the first breach, hackers accessed the web server through a vulnerable IP address, exploiting the ColdFusion flaw. They attempted lateral movement, viewed information about user accounts, and performed reconnaissance. In addition, they dropped malicious artifacts, including a RAT that uses a JavaScript loader. Nevertheless, the attack was thwarted before any data was exfiltrated.

In the second incident, the attackers checked the web server’s operating system and ColdFusion version, then inserted malicious code to extract usernames, passwords, and data source URLs. Evidence suggests the activity amounted to network reconnaissance and mapping rather than confirmed data theft. The malicious code hints at what the threat actors intended to do next with the compromised credentials.

Nice try, but please try again later

According to experts, although the attackers managed to penetrate the target network, they could not do much damage. Actions encompassed reconnaissance, user account reviews, malware distribution, data exfiltration attempts, and code planting to extract credentials. Eight artifacts were left behind alongside a modified publicly available web shell for remote access.

Although the assets were later quarantined, they exposed password information that could have enabled deeper pivoting into the network. However, no data theft or movement to other systems was confirmed. It is unclear whether one or several actors were behind the linked events. One thing is certain, though: even when vendors fix vulnerabilities quickly, users’ negligence in applying patches lets even low-skilled actors run malicious code without any interaction from the target.

Older Vulnerabilities Cause More and More Concerns

Aside from some extreme cases, software developers rarely neglect to patch serious vulnerabilities. Large companies, however, are the ones that definitely pay less attention to applying those patches than they should. As this story shows, the same applies even to government organizations, and that is what creates concern.

As time goes on, hackers find more and more ways to exploit the same vulnerabilities. While some of them get patched by all parties or rendered ineffective, others remain relevant and, worse, exploitable. After the initial discovery of a vulnerability, a boom in its exploitation is to be expected. This is especially true for programs generally used by large corporations, a category most government organizations fall into.

Leaving such vulnerabilities unpatched is effectively an invitation for a hacker to pay your network a visit. In today’s turbulent and uneven times, such decisions border on recklessness, if not outright sabotage.

Can Zero-Day Attacks Be Prevented With Patches?
https://gridinsoft.com/blogs/zero-day-patching-effective-or-not/
Thu, 07 Sep 2023 15:05:31 +0000

In recent years, zero-day exploits and attacks have become prominent emerging threats. These attacks take advantage of unknown vulnerabilities within software, which makes them almost impossible to detect and prevent. Zero-day attacks can have dire consequences, allowing attackers to take control of systems, steal data, or install malware.

What is a Zero-Day attack?

A zero-day attack exploits a vulnerability that has not yet been detected by the vendor or the public. It can be used for malware deployment and can target any application as a potential attack surface. This makes it difficult to build any reliable baseline of trusted software and poses a significant challenge for cybersecurity analysts. However, for those who work in this industry, the challenge is exciting.

Image: Zero-day vulnerability lifecycle

Attackers can exploit an undocumented flaw in a program or operating system to execute their own code. The exploits most commonly used by cybercriminals are those that provide remote code execution and privilege escalation, which allow them to do whatever they want in the infected environment. As these attacks require advanced tooling, they are usually aimed at corporations, since those possess more valuable data.

Since the only person who knows about the flaw is the criminal who discovered it, exploiting it without triggering any alarms or drawing attention is relatively easy. Even some EDR solutions can make mistakes by overlooking actions from trusted programs without considering that such activities could be malicious. That is why using an endpoint protection application that can prevent zero-day attacks is advisable.

Identifying and Addressing Zero-Day Exploits and Attacks

Detecting and mitigating zero-day exploits and attacks can be challenging since there are no known vulnerabilities or signatures to identify them. Nevertheless, there are strategies that can be utilized to identify and eliminate these attacks.

  • Monitor network traffic and system logs to identify any suspicious activity that could indicate a zero-day attack.
  • Educate users on common attack methods, such as phishing and social engineering, to reduce the likelihood of a successful zero-day attack.
  • Stay updated with software, system updates, and patches to minimize vulnerabilities that could be exploited in a zero-day attack.
  • Implement intrusion detection and prevention systems to help detect and block zero-day exploits and attacks before they can cause damage.

Patches May Be Ineffective, and Here Is Why

Organizations have been struggling with patch management for a long time. One of the reasons is the overwhelming number of patches they need to handle. In 2021, over 20,000 vulnerabilities were fixed, making it increasingly challenging to keep up with all the updates.

Image: Timeline of a zero-day vulnerability

Even if staying up to date with patches were easy, many users tend to ignore them, thinking they can afford to update their software a few days or weeks after the release. However, this practice poses significant risks that many users are unaware of. Furthermore, patch management is often given little attention in security awareness training, despite the Department of Homeland Security recommending that critical patches be applied within 15 days of release.

However, determining which patches are critical can be a dilemma for many security teams. These teams have procedures in place to ensure that patches are tested internally before deployment, as they can sometimes be buggy or ineffective and cause more harm than good. IT teams also follow procedures to track patch deployments and to ensure that no device or system is left unpatched.

How to Protect Against Zero-Days?

It is crucial to understand that the threat landscape is always changing, and new zero-day vulnerabilities emerge frequently. To stay informed about the latest developments and the types of zero-day vulnerabilities seen each year, it is recommended to follow reliable cybersecurity sources and keep up with current events in this industry.

Moreover, in today’s cybersecurity landscape, Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions are gaining significance. They work best when combined with the zero-trust model of protection.

Implementing updates promptly to improve cybersecurity and reduce risks by addressing known vulnerabilities is essential. By integrating EDR and XDR solutions that feature zero-trust architecture, organizations can detect, respond to, and mitigate security threats more efficiently, whether they involve known vulnerabilities or zero-day exploits. These technologies create a strong security posture prioritizing continuous monitoring, verification, and adaptive responses to evolving cyber threats. This helps to maintain a secure environment.

GitLab Releases Patch to Critical Vulnerability
https://gridinsoft.com/blogs/gitlab-critical-vulnerability/
Fri, 26 May 2023 20:13:34 +0000

GitLab, one of the most famous code repositories in the world, faces a critical security issue in its latest update. Aside from advanced functionality, the 16.0 release brought an extremely severe vulnerability. Experts have already given it a CVSS score of 10.0, the highest possible.

What is GitLab?

GitLab is an open-source repository and collaborative software development platform. This DevOps package lets development teams build, secure and deploy software while managing their code remotely. It has around 30 million registered users, including one million paying customers. As you may imagine, even a slight issue or vulnerability in the product will have a terrifying scale, and that is what happened.

GitLab Vulnerability Scores Highest CVSS Rating

The company recently discovered a critical path traversal vulnerability, CVE-2023-2825, with the maximum CVSS score of 10.0. This vulnerability allows unauthenticated attackers to read arbitrary files on the server under certain conditions. Attackers can read sensitive data from vulnerable endpoints. This data may include proprietary software code, user credentials, tokens, files, and other personal information.

The vulnerability was discovered by cybersecurity researcher “pwnie” and affects version 16.0.0 of GitLab Community Edition (CE) and Enterprise Edition (EE). He said that to exploit the vulnerability, there must be an attachment in a public project nested in at least five groups. However, the good news is that this structure is only found in some GitLab projects. Moreover, version 16.0 is the most recent GitLab CE/EE release, so it has simply not been in circulation long enough to become a major issue.

Mitigation

GitLab released a security update to address this vulnerability immediately after its discovery, highlighting its quick response to such security threats. To protect their systems, users of GitLab CE or EE version 16.0.0 are strongly encouraged to install the most recent update or roll back.

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.” – GitLab.

To update your GitLab installation, follow GitLab’s official upgrade instructions.

Aside from the official guidelines, you may apply a number of other measures. They are reactive, but they will most likely do their job for other issues that do not receive a fix as fast.

For example, I recommend using software that supports the Zero Trust model. In short, Zero Trust is a security strategy, not a product or service: an approach built on a few principles, namely explicit verification, least privilege access, and the assumption that a breach has already occurred. Applied consistently, it helps prevent unauthorized access.

In addition, you can follow cyber news and keep up with the latest developments. That way, you gain valuable insights into new products, emerging threats, and cybersecurity trends. Cyber news sources provide information about new vulnerabilities, data breaches, malware attacks, and hacking incidents. This lets you stay proactive and better equipped to protect yourself and your digital assets. By keeping up with these reports, you can learn from real-world examples and understand the tactics and techniques employed by cybercriminals. Forewarned is forearmed.

Google analysts noticed that software vendors began to fix Zero-day vulnerabilities faster
https://gridinsoft.com/blogs/manufacturers-began-to-fix-zero-day-vulnerabilities-faster/
Tue, 15 Feb 2022 21:58:56 +0000

Google Project Zero specialists presented a report according to which software vendors began to fix 0-day vulnerabilities faster. For example, last year organizations needed less time than in previous years to fix 0-day vulnerabilities discovered by experts.

On average, companies took 52 days to fix bugs, while three years ago they needed an average of 80 days. Thus, almost all vendors fixed the vulnerabilities within the industry standard of 90 days.

According to statistics collected for 2019-2021, based on 376 zero-day vulnerabilities discovered by Google Project Zero experts, 26% of the problems related to Microsoft products, 23% to Apple and 16% to Google. That is, the three software giants accounted for 65% of all detected problems, which, according to the experts, reflects the complexity and volume of their software products, which inevitably have blind spots that even numerous security engineers miss.


Overall, the report named Linux, Mozilla, and Google as the best in terms of timely release of patches, while Oracle, Microsoft, and Samsung were named as the worst.

Recall that we previously wrote about a 0-day vulnerability that remained unpatched for two years due to Microsoft bug bounty issues.

In the highly competitive field of mobile OS, iOS and Android go hand in hand: the former has an average bug fix time of 70 days, while the latter has 72 days.


In the browser category, Chrome outperforms all competitors with an average bug fix period of 29.9 days, while Firefox comes in second with 37.8 days. Apple, in third place, took twice as long to fix bugs in WebKit, taking an average of 72.7 days.

Google Project Zero experts explain:

“In this analysis, WebKit is the black sheep with the longest time it takes to release patches, at 73 days. Patch release time [for WebKit] is somewhere in between Chrome and Firefox. Unfortunately, this leaves a lot of time for opportunistic attackers to find a patch and exploit for the problem before the fix is available to users.”


You might also be interested in reading that, according to Google, a quarter of all 0-day vulnerabilities are new variations of old problems.


Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware
https://gridinsoft.com/blogs/microsoft-patches-windows-appx-installer-vulnerability/
Wed, 15 Dec 2021 21:13:40 +0000

The last Patch Tuesday of this year, in December, brought fixes for six 0-day vulnerabilities in Microsoft products, including a bug in the Windows AppX Installer that the Emotet malware uses to spread.

Microsoft patched 67 vulnerabilities in its products this month, seven of which are classified as critical and 60 as important. Separately, Microsoft fixed 16 bugs in Microsoft Edge, for a total of 83 bugs.

Interestingly, according to ZDI data, the latest set of fixes increased the total number of bugs fixed in 2021 to 887, which is almost 30% less than in 2020.

One of the major fixes this month is the patch for CVE-2021-43890 (CVSS 7.1). This vulnerability in the Windows AppX Installer is reportedly already under attack. Microsoft says the bug can be exploited remotely by low-privilege attackers without user interaction. In particular, the problem is already being used to distribute various malicious programs, including the Emotet, TrickBot and BazarLoader malware.

“An attacker could create a malicious attachment for use in phishing campaigns. The attacker would then have to convince the user to open that attachment. Users whose accounts are configured with fewer rights in the system may be affected to a lesser extent than users who work with administrator rights,” the company warns.

Bleeping Computer reports that Emotet malware has recently been spreading using malicious Windows App Installer packages disguised as Adobe PDF files. While Microsoft does not directly link CVE-2021-43890 to this campaign, the details the experts have shared with the community are entirely consistent with the tactics used in the recent Emotet attacks.

Five other zero-day vulnerabilities that were patched in December were not seen in hacker attacks:

  • CVE-2021-43240 (CVSS: 7.8) – privilege escalation in NTFS Set Short Name;
  • CVE-2021-43883 (CVSS: 7.8) – Windows Installer privilege escalation;
  • CVE-2021-41333 (CVSS: 7.8) – Windows Print Spooler privilege escalation;
  • CVE-2021-43893 (CVSS: 7.5) – privilege escalation in Windows Encrypting File System (EFS);
  • CVE-2021-43880 (CVSS: 5.5) – Windows Mobile Device Management privilege escalation.

Let me remind you that we also wrote that Emotet now installs Cobalt Strike beacons.

Unofficial fixes released for 0-day issue in Windows Mobile Device Management Service
https://gridinsoft.com/blogs/unofficial-fixes-released-for-0-day-issue-in-windows/
Tue, 30 Nov 2021 21:42:50 +0000

Unofficial fixes have been released for a 0-day issue in the Windows Mobile Device Management Service (Access Work or School). The problem is present on devices running Windows 10 version 1809 and later.

The bug is a bypass of the information disclosure patch (CVE-2021-24084) released by Microsoft engineers in February this year. This month, cybersecurity researcher Abdelhamid Naseri, who initially discovered the problem, noticed that the vulnerability was not fully fixed and can be used to gain administrator rights.

“As we learn from HiveNightmare and SeriousSAM, arbitrary file expansion can be improved to a local vulnerability if you know what files to take and what to do with them,” 0patch co-founder Mitya Kolsek explains.

0patch confirms that by using the method described in researcher Raj Chandel’s blog, combined with the bug discovered by Abdelhamid Naseri, it is possible to run code as a local administrator.

While Microsoft has likely already taken notice of the researchers’ reports, the company has yet to fix the bug, meaning that systems running Windows 10 (even with the latest security updates from November 2021) are still vulnerable to attacks.

Fortunately, two specific conditions must be met to exploit the vulnerability. First, system protection must be enabled on drive C and at least one restore point must exist. Second, at least one local administrator account must be enabled on the computer, or the credentials of at least one member of the Administrators group must be cached.

While Microsoft prepares patches, 0patch has already released unofficial free updates for all vulnerable versions of Windows 10 (Windows 10 21H2 is also supported by 0patch). Let me remind you that 0patch is a platform designed for exactly such situations: it provides fixes for zero-days and other unpatched vulnerabilities, supports products that their vendors no longer maintain, custom software, and so on.

The fixes are already available and apply to the following Windows versions:

  • Windows 10 v21H1 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v20H2 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v2004 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v1909 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v1903 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v1809 (32-bit and 64-bit) with May 2021 updates.

Experts point out that the bug does not affect Windows Server, since the problematic functionality (Access Work or School) simply does not exist there, nor does it affect Windows 10 version 1803 and earlier, where Access Work or School works differently.

New feature in Exchange Server will apply fixes automatically
https://gridinsoft.com/blogs/new-feature-in-exchange-server-will-apply-fixes/
Tue, 28 Sep 2021 21:46:35 +0000

Microsoft has added a new feature to Exchange Server that will automatically take action to remediate high-risk vulnerabilities (most likely already exploited by hackers).

This should protect Exchange servers from attacks and give administrators more time to install full patches when Microsoft releases them. The reason is that zero-day vulnerabilities in Microsoft Exchange have recently been exploited on a regular basis by state-backed hackers as well as by financially motivated groups.

For example, I recently wrote about the US and UK accusing China of attacks on Microsoft Exchange servers. Moreover, Sophos experts have discovered the Epsilon Red ransomware, which exploits vulnerabilities in Microsoft Exchange servers to attack other machines on the network.

The new functionality is called Microsoft Exchange Emergency Mitigation (EM) and is based on the Exchange On-premises Mitigation Tool (EOMT), released in March this year to help identify and fix ProxyLogon problems.

EM runs as a Windows service on Exchange Mailbox servers and will be automatically installed on Exchange Server 2016 and Exchange Server 2019 mailbox servers after the September 2021 cumulative update (or newer) is deployed. Administrators can disable EM if they don’t want Microsoft to automatically apply security measures to their servers.

The new functionality will detect Exchange servers that are vulnerable to one or more known issues and automatically apply temporary mitigation measures to them (until administrators can apply full patches).

So far EM offers three types of protection:

  • a custom rule that blocks certain patterns of malicious HTTP requests that could compromise the Exchange server;
  • disabling the vulnerable service on the Exchange server;
  • disabling the vulnerable application pool on the Exchange server.

“The new service will not replace the installation of security updates on Exchange Server, but it is the fastest and easiest way to mitigate the highest risks to Internet-connected on-premises Exchange servers before installing the appropriate patches,” the developers write.

Let me also remind you that I wrote about hackers attacking Microsoft Exchange servers on behalf of Brian Krebs.

Microsoft releases unscheduled patch for PrintNightmare vulnerability
https://gridinsoft.com/blogs/microsoft-patch-for-printnightmare/
Wed, 07 Jul 2021 21:42:45 +0000

Microsoft has prepared an emergency patch for a critical PrintNightmare bug that was recently discovered in Windows Print Spooler (spoolsv.exe).

The PrintNightmare issue caused much confusion, as Microsoft initially combined two vulnerabilities under one identifier (CVE-2021-1675). But the official patch released in June only fixed part of the problem, leaving a critical RCE bug unpatched.

Because of this, at the end of June, a group of Chinese researchers accidentally published their PoC exploit for this vulnerability, believing that the problem had already been fixed.

The exploit code was quickly removed from GitHub, but it still leaked online, and the information security community discovered that a dangerous RCE vulnerability in Windows Print Spooler was still relevant.

As a result, to clear up the confusion, Microsoft assigned the second bug a separate identifier, CVE-2021-34527, and confirmed that the problem allows remote execution of arbitrary code with SYSTEM privileges, letting an attacker install programs, view, modify or delete data, and create new accounts with full user rights.

The company has now published unscheduled patches for PrintNightmare, but the fixes are still incomplete as the vulnerability can still be exploited locally to gain SYSTEM privileges.

"The Microsoft fix released for recent #PrintNightmare vulnerability addresses the remote vector – however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016, 2019, 10 & 11(?)", the Hacker Fantastic account reported on Twitter.

Updates are available for the following OSs:

The patches for Windows 10 1607, Windows Server 2016 and Windows Server 2012 are not yet ready, but, according to Microsoft, will be released soon.

Let me remind you that I also wrote about the unofficial patch published for the PrintNightmare vulnerability.

Unofficial patch published for PrintNightmare vulnerability
Gridinsoft Blog, Mon, 05 Jul 2021 16:12:31 +0000
https://gridinsoft.com/blogs/patch-published-for-printnightmare/
Last week I talked about a PoC exploit for the dangerous vulnerability CVE-2021-34527 in Windows Print Spooler (spoolsv.exe), which researchers named PrintNightmare, and now an unofficial patch for this problem has been published.

When the exploit was published, researchers found that the patch released in June did not completely fix the problem. Moreover, the publication of the exploit left many researchers confused, and some suggested that PrintNightmare is a standalone zero-day vulnerability that needs its own fix.

For example, Mitja Kolsek, head of Acros Security and co-founder of 0patch, wrote about this on Twitter.

"Before this gets too confusing: PrintNightmare is NOT the same as CVE-2021-1675. CVE-2021-1675: Fixed in June updates. PrintNightmare: 0day", Mitja Kolsek wrote on his Twitter.

The problem affects all versions of Windows, possibly even XP and Vista, and allows remote execution of arbitrary code with SYSTEM privileges, so an attacker can install programs, view, modify or delete data, and create new accounts with full user rights.

There is no patch for this vulnerability yet, and Microsoft has reported that the problem is already being exploited in the wild, although the company did not specify whether by cybercriminals or by information security researchers.

Microsoft engineers offered administrators several workarounds. The first is to disable the Print Spooler service entirely, which blocks both local and remote printing. The second is to disable inbound remote printing through Group Policy, which blocks the main attack vector: in this case, "the system will no longer function as a print server, but local printing from directly connected devices will still be possible."
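To make those two workarounds concrete, here is an added PowerShell example; it is not part of the original post and not Microsoft's own script. It audits a host's Print Spooler exposure and then applies either option. The registry path HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers and the values RegisterSpoolerRemoteRpcEndPoint (the setting behind the "Allow Print Spooler to accept client connections" policy) and PointAndPrint\NoWarningNoElevationOnInstall are Microsoft's published policy locations; the function names, the report layout, and the conservative choice to treat a not-configured policy as exposed are this example's own assumptions. The Point and Print check is included because, as the tweet above notes, the local variants on newer Windows depend on that configuration.

```powershell
# Added example: audit and mitigate Print Spooler exposure for PrintNightmare.
# Run from an elevated PowerShell on the host being checked.

$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrint  = "$PrintersPolicy\PointAndPrint"

function Get-SpoolerExposure {
    # Report the three things that matter here: whether spoolsv.exe is running and
    # enabled, whether it accepts remote RPC clients, and whether Point and Print
    # is configured to install drivers without an elevation prompt.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $remoteRpc = (Get-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
                    -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $pp = Get-ItemProperty -Path $PointAndPrint -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SpoolerStatus        = $svc.Status
        SpoolerStartType     = $svc.StartType
        # 1 = policy Enabled (accept client connections), 2 = policy Disabled,
        # $null = not configured. Assumption of this example: anything other than
        # an explicit 2 on a running spooler is reported as exposed.
        RemoteRpcEndPoint    = $remoteRpc
        AcceptsRemoteClients = ($svc.Status -eq 'Running' -and $remoteRpc -ne 2)
        # Point and Print: a value of 1 lets non-admins install printer drivers
        # without a warning or elevation prompt; $null means not configured.
        PnPNoElevation       = $pp.NoWarningNoElevationOnInstall
        PnPUpdatePrompt      = $pp.UpdatePromptSettings
    }
}

function Disable-PrintSpooler {
    # Workaround 1: stop and disable the service. Blocks local and remote printing.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Disable-RemotePrinting {
    # Workaround 2: the Group Policy "Allow Print Spooler to accept client
    # connections" set to Disabled, written to its registry-backed value.
    # Local printing keeps working; the host stops acting as a print server.
    New-Item -Path $PrintersPolicy -Force | Out-Null
    Set-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    # The spooler reads this value at start-up, so restart it to apply the change.
    Restart-Service -Name Spooler -Force
}

# Usage: audit first, then pick the workaround that matches the host's role.
$before = Get-SpoolerExposure
$before | Format-List

if ($before.AcceptsRemoteClients) {
    # Hosts that never need to share printers (e.g. domain controllers) are better
    # served by Disable-PrintSpooler; here the less disruptive option is applied.
    Disable-RemotePrinting
    Get-SpoolerExposure | Format-List
}
```

Because the policy value is written directly to the registry, a domain Group Policy that sets the same value will overwrite it at the next refresh; on domain-joined machines, set the policy centrally instead and use the audit function only to verify it took effect.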

Now a third option has appeared: the experts involved in the development of the 0patch solution have prepared temporary patches (or micro-patches) for this problem. Let me remind you that 0patch is a platform designed just for such situations, that is, fixing 0-day and other unpatched vulnerabilities, to support products that are no longer supported by manufacturers, custom software, and so on.

Micropatches are available for Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2, as well as Windows 10 v20H2, Windows 10 v2004, and Windows 10 v1909.

The post Unofficial patch published for PrintNightmare vulnerability appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/patch-published-for-printnightmare/feed/ 0 5672