Cybersecurity Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Wed, 18 Sep 2024 23:40:38 +0000

Temu Allegedly Hacked, Data Put on Sale On The Darknet
https://gridinsoft.com/blogs/temu-hacked-data-sold-on-darknet/
Wed, 18 Sep 2024 22:47:31 +0000

The post Temu Allegedly Hacked, Data Put on Sale On The Darknet appeared first on Gridinsoft Blog.
Chinese retailer Temu allegedly suffered a huge data breach. Hackers have put a database supposedly leaked from the company up for sale on the Darknet; it is said to contain 87 million records with customer information. The company, however, flatly denies being hacked or experiencing a data leak, which suggests the data may simply have been scraped from other sources.

Temu Hacked, Hackers Sell Leaked Data

On Monday, September 16, a hacker using the nickname smokinthashit published a post on the BreachForums hacker forum offering what they claim is Temu’s user database. The attacker says it contains 87 million records, including usernames, identifiers, IP addresses, full names, birth dates, phone numbers, shipping addresses, and hashed passwords. As proof, the attacker published samples of the allegedly stolen data.

Image: Threat actor’s post on BreachForums (Source: BleepingComputer)

Temu is a Chinese shopping platform that operates in most countries around the world, offering a variety of goods at relatively low prices. Despite the numerous jokes about the quality of Temu goods, the price-to-quality ratio keeps the service very popular among buyers. It is not surprising that such a claim by cybercriminals caused a fuss among users of the service.

Temu’s response

Security researchers contacted Temu representatives for comment. The company categorically denied any data leak, saying it examined the samples published by the attackers and found no matches with its databases. The platform’s representatives also stressed that they take user data privacy seriously: the app holds MASA certification, undergoes independent security validations, runs a HackerOne bug bounty program, and complies with the PCI DSS payment security standard.

Temu’s security team has conducted a comprehensive investigation into the alleged data breach and can confirm that the claims are categorically false; the data being circulated is not from our systems. Not a single line of data matches our transaction records. We take any attempt to tarnish our reputation or harm our users extremely seriously and reserve the right to pursue legal action against those responsible for spreading false information and attempting to profit from such malicious activities. At Temu, the security and privacy of our users are paramount. We follow industry-leading practices for data protection and cybersecurity, ensuring that consumers can shop with peace of mind on our platform.
– Temu representative

For their part, the attackers went on to insist that they had indeed hacked Temu, claiming they still had access to the company’s internal dashboards and knew of vulnerabilities in its code. However, they provided no evidence to support these claims. In any case, as a precaution, users of the service are advised to enable two-factor authentication and change their passwords. In addition, against the backdrop of the incident, an increase in phishing attempts themed around Temu and online shopping is to be expected.

May Users be in Danger?

Although hackers rarely make such claims without any proof, there is no reason to believe them this time. Judging by the responses from Temu’s representatives and the attackers’ own statements, this appears to be a database compiled through web scraping from various sources rather than a fresh breach. If the breach were confirmed, however, it would mean that sensitive information such as actual shipping addresses, bank card details, and purchase history had leaked online. Either way, taking preventive measures like changing your password and enabling 2FA is always a good idea.

Critical VMWare vCenter Server RCE Vulnerability Fixed
https://gridinsoft.com/blogs/vmware-vcenter-server-rce-vulnerability/
Wed, 18 Sep 2024 14:06:14 +0000

On Tuesday, September 17, Broadcom released a security update that fixes a critical remote code execution flaw in VMWare vCenter Server. Disclosed upon the patch release, the flaw carries a CVSS score of 9.8, reflecting how severe the consequences of exploitation can be. The company offers no mitigation other than installing the latest security update.

VMWare vCenter Server RCE Vulnerability Disclosed

With the latest update for vCenter Server, Broadcom, the parent company of VMWare, released fixes for two vulnerabilities in the software. The more severe of the two, CVE-2024-38812, is a remote code execution flaw in the local implementation of a remote procedure call (RPC) protocol. More specifically, the vulnerability is classified as CWE-122, a heap-based buffer overflow.

Image: Official Broadcom notification about the flaw

By sending a specially crafted network packet, adversaries can overflow the program’s heap memory and, in turn, make it execute code of their choosing. Such a flaw can circumvent both the program’s own security policies and, in quite a few cases, stand-alone security solutions: since vCenter Server is a well-known and trusted piece of software, security vendors do not scrutinize it too thoroughly. Another VMWare product, the Cloud Foundation suite, has the same flaw.

A vulnerability in virtualization software like vCenter can hit hard, especially when the virtualized environments are connected directly to the rest of the enterprise network. Even when everything is set up correctly, spyware or a backdoor can make quite a mess of the infected virtual machine. What is worse, though, is the possibility of lateral movement and deployment of other malicious programs using that same malware. Sooner or later, attackers will find their way into the “mainland” network, should the vulnerability remain unpatched.

Another Flaw of vCenter Server

The heap overflow RCE is not the only weakness Broadcom has fixed in this update. Another, slightly less severe flaw, tracked as CVE-2024-38813, allows attackers to escalate privileges to root level. As with the previous flaw, all it takes is a specially crafted network packet sent to the vCenter environment. This accounts for its high CVSS score of 7.5, even though the flaw’s other properties are less severe.

As the virtualized environment has little to no connection to the actual hardware, root-level privileges won’t grant any more access than the VM settings allow. So unlike the RCE flaw, adversaries will not be able to use this vulnerability for initial access or lateral movement. At the same time, it may be quite useful as an auxiliary tool: high privileges come in handy in almost any attack scenario.

Mitigation and Patches

As mentioned in the introduction, Broadcom offers no fix for the vulnerabilities other than installing the update. That is unfortunate, as updating all of the virtualized infrastructure may turn out to be a rather tedious task. But given how deep both vulnerabilities sit, there is not much one can do on their own, except cutting the environment off from external network connections.

List of vulnerable and fixed software versions

| Software | Vulnerable versions | Fixed in |
|---|---|---|
| vCenter Server | all 8.0 and 7.0 | 8.0 U3b, 7.0 U3s |
| VMware Cloud Foundation | all 4.x and 5.x | Async patch to 8.0 U3b / 7.0 U3s |

Chase Bank Glitch: Fast Earning Scheme Explained
https://gridinsoft.com/blogs/chase-bank-glitch-explained/
Wed, 04 Sep 2024 11:33:54 +0000

Chase Bank Glitch is a recent viral campaign spreading across social media, in particular TikTok and Instagram. In it, authors share an alleged way to abuse a glitch in Chase Bank ATMs to get a huge amount of money. But, as it later turned out, this “glitch” is nothing more than check fraud, and people are getting into serious trouble by following the advice.

What is Chase Bank Glitch?

Chase Bank Glitch is the name given to an issue that was present for a short time on September 1, 2024. It allowed people to deposit checks of any amount, even if the corresponding account did not have enough money, and then withdraw that money. This is what eventually caused such a fuss on TikTok: creators made dozens of videos showing how they managed to get thousands of dollars literally out of thin air.

Image: People lining up next to Chase Bank offices to use the “infinite money” glitch

The reason for such a bug is, obviously, improper check validation in the software of Chase Bank ATMs. That is a notable oversight for such a huge bank, but bugs can happen in any software from any company. And Chase Bank handled it well, closing the loophole in less than a day.

This still did not stop people from trying to follow the instructions from the viral videos, even after the trick had stopped working. But the biggest problem befell those who managed to pull off the trick while it was possible and withdrew large sums. The system retroactively recognized the flawed deposit transactions and deducted the corresponding sums from the accounts. As a result, quite a few tricksters now complain about a huge debt on their bank accounts. Free money is never free!

Image: Deductions of the fraudulently deposited sums that happened after Chase Bank fixed the issue

Chase Bank Warns About Check Fraud Responsibility

While the glitch itself was not that much of an issue, the fact that people abused it is. Chase Bank made it quite clear that such manipulations with checks, regardless of why they work, fall under the textbook definition of check fraud. And that, in turn, is a clear-cut crime, with legal consequences for all the participants.

The main consequence, though, is the aforementioned deduction of the fraudulently accrued sums. I suspect the overall amount of cash people managed to get this way is not worth starting legal action over, so the bank decided to punish the abusers directly with monetary penalties. And, in fairness, it is not even a penalty – just taking back what never belonged to these people.

As a bottom line, I would like to remind you that money is never free. If you get a big sum of money, someone must lose it or willingly give it to you. In the case of this glitch, the bank is the one who loses money. Rest assured that any bank, especially one as big as Chase, will never let such manipulations slide, so never try abusing any issues in their systems. People are lucky to end up with only their bank accounts in debt, as this could have had much, much worse consequences.

Critical RCE Vulnerability in GiveWP WordPress Plugin
https://gridinsoft.com/blogs/critical-rce-vulnerability-givewp-plugin/
Wed, 21 Aug 2024 16:28:57 +0000

A critical vulnerability has been discovered in the GiveWP WordPress plugin that leaves thousands of websites exposed. The vulnerability is highly severe and allows taking control of the entire affected website without any authentication. A fix is already available, so users should update as soon as possible.

Critical RCE vulnerability affects thousands of WordPress sites

A cybersecurity researcher has recently discovered a critical vulnerability tracked as CVE-2024-5932. It has a CVSS score of 10.0 (the maximum possible) and exposes more than 100,000 WordPress sites using GiveWP plugin version 3.14.1 and earlier. The issue is a PHP Object Injection (POI) vulnerability in the GiveWP plugin, which is widely used by donation and fundraising platforms. It is exploited through deserialization of untrusted data, in particular via the ‘give_title’ parameter: attackers can inject a maliciously crafted PHP object, and when combined with an existing object-oriented programming (OOP) chain in the plugin, this leads to full remote code execution (RCE).

Image: CVE-2024-5932 vulnerability (from X)

In addition to remote code execution, this vulnerability allows unauthorized file deletion without any authentication. In practice, this may let attackers gain full control over the affected WordPress site by deleting critical files from the server. Given the plugin’s role in managing financial transactions and sensitive donor information, the consequences of such an exploit are exceptionally serious.

Detection And Response

A security researcher nicknamed villu164 discovered the vulnerability on May 26, 2024, and reported it through the Wordfence Bug Bounty Program. On June 13, 2024, Wordfence notified the plugin developer of the vulnerability but received no response. On July 6, 2024, the company informed the WordPress.org team. A month later, on August 7, 2024, the developer released a fully patched version, 3.14.2. Fortunately, there are currently no reports or evidence that the vulnerability has been exploited in the wild. But as usually happens, exploitation attempts will inevitably follow the public disclosure of the flaw.

As described on its official website, GiveWP is the highest-rated, most downloaded, and best-supported donation plugin for WordPress. With GiveWP, users accept gifts for charity or other purposes through customizable donation forms. The plugin also lets you view donor data and fundraising reports, manage donors, and integrate with various third-party gateways and services. In other words, the site handles money and the people behind it. It is no surprise that the flaw scored 10/10 on the CVSS scale – both the ease of exploitation and the amount of data it can expose are nothing to mess around with.

Recommendations

To protect their WordPress sites, administrators should update the plugin to 3.14.2. Since no workaround is available, websites running older versions remain highly vulnerable to exploitation, especially now that the vulnerability has been made public.

Still, a proactive approach to picking plugins is a must. Even well-known plugins may be vulnerable, let alone no-name plugins that were posted two years ago and never updated since. Tricks like typosquatting and supply chain attacks apply here as well, so stay up to date on the latest WP security news.

Google Pixel Devices Shipped with Vulnerable App
https://gridinsoft.com/blogs/google-pixel-shipped-vulnerable-app/
Fri, 16 Aug 2024 18:41:04 +0000

Recent research has uncovered a vulnerable app in the Android firmware of a great many Google Pixel smartphones. Devices shipped worldwide since September 2017 may be susceptible to malware deployment by malicious actors. The issue is linked to a pre-installed app called “Showcase.apk”, which is primarily used on showroom devices.

Google Pixel Phones Contain a Vulnerable Pre-Installed App

According to a recent report, Google Pixel devices shipped globally since September 2017 contain a severe vulnerability lurking in a pre-installed app. The application in question, Showcase.apk, can potentially expose millions of users to significant security risks. Researchers at iVerify discovered that the app has excessive system privileges, which enable it to remotely execute code and install arbitrary packages on the device.

Experts from other companies, including Palantir Technologies and Trail of Bits, state that the app poses considerable security risks for several reasons. First, it downloads a configuration file over an unprotected HTTP connection, leaving the file open to tampering; this could allow attackers to execute code at the system level. The configuration file is downloaded from a single U.S.-based domain hosted on AWS, which further exacerbates the problem. Also, the app is granted excessive privileges, which could have negative implications in certain scenarios, as discussed further below.

Potential Exploitation Risks

The said APK file installs Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), a program developed by Smith Micro, a company specializing in enterprise software. In short, this app is designed to switch devices into showroom mode: it puts phones into demo mode and disables certain features to prevent tampering or locking. The app requires nearly three dozen different permissions, including access to location and external storage. While the program itself is not inherently malicious – many companies use similar functionality – its implementation is where the problems lie.

The main issue is that the app’s use of an unencrypted HTTP connection makes it vulnerable to man-in-the-middle (MitM) attacks. This could allow attackers to eavesdrop on the transferred data and inject their own network packets on the fly, which obviously opens the door to installing malicious code or spyware on the attacked device.

The good news is that the app is not enabled by default, meaning there is no attack surface unless it is activated. Despite the potential for abuse, there is currently no evidence that this vulnerability has been exploited in the wild. On the other hand, the app’s deep integration into the system firmware means users cannot uninstall it, and it could be activated if a threat actor gains physical access to the device and enables developer mode. Another case where the phone may be vulnerable out of the box is when one purchases a former showroom device – large retailers often sell them at a nice discount, sometimes at the price of a used smartphone.

Google’s Response

Google responded to the research findings by stating that the vulnerability is not related to the Android platform or Pixel devices but rather to a package specifically developed for Verizon demo devices in stores. Additionally, Google emphasized that exploiting this app would require both physical access to the device and the user’s password. The company also noted that the app is not present on the latest Pixel 9 series devices and confirmed that it will be removed from all supported Pixel devices in a future software update. Showroom devices may need this software (or its equivalents) installed manually.

Critical Windows TCP/IP Vulnerability Uncovered, Patch Now
https://gridinsoft.com/blogs/critical-windows-tcp-ip-vulnerability/
Thu, 15 Aug 2024 19:16:11 +0000

A critical vulnerability has been discovered in the Windows TCP/IP stack that allows unauthenticated remote code execution (RCE). It can be exploited remotely by sending specially crafted IPv6 packets to the target system. Successful exploitation could allow an attacker to execute arbitrary code on the target system. The flaw affects all supported versions of Windows and Windows Server.

Windows TCP/IP RCE Vulnerability Impacts All Systems with IPv6 Enabled

Researcher XiaoWei from Kunlun Lab has reported the discovery of a critical remote code execution vulnerability in the Windows TCP/IP stack. The vulnerability, identified as CVE-2024-38063, carries a CVSS score of 9.8 and can be exploited without user interaction (zero-click). While details are scarce at the time of writing, it is known that an attacker can send IPv6 packets containing specially crafted payloads to the target system. CVE-2024-38063 affects all supported versions of Windows 10, 11, and Windows Server. It should be explicitly noted that the issue affects only IPv6 users, as it is impossible to send the said crafted v6 packets to an IPv4 address.

“Considering its harm, I will not disclose more details in the short term… The bug triggers before firewall handling the packet”.

Still, what the research does reveal is that CVE-2024-38063 is a buffer overflow. As a result, it allows an attacker to execute arbitrary code with SYSTEM privileges on the target system, which could result in full control over the compromised machine. I expect more details to surface as time goes on and the patch reaches more systems, so the researcher can release the information with less risk.

The impact of such a vulnerability could have been tremendous had Microsoft ignored it or missed it altogether. These days, IPv6 is not that widespread, but experts around the world consider it the future of the Internet. Now imagine hackers being able to deploy malware to any device, at any time, without any user interaction. This is what could have happened had the flaw surfaced a decade later, after global IPv6 adoption.

Microsoft’s Response and Mitigation

Microsoft noted that this is not the first vulnerability of this kind, and attackers have actively exploited previous ones. The company anticipates that attackers will eventually develop exploits to take advantage of this vulnerability. Fortunately, Microsoft already offers a fix in the form of its latest, August 2024 Patch Tuesday update. Additionally, organizations are advised to monitor network activity and implement network segmentation. These measures are intended to limit lateral movement of the threat in the event of a system compromise.

Microsoft also suggested a temporary workaround involving the disabling of the IPv6 protocol. However, the issue lies in the fact that IPv6 is enabled by default on most systems, and some Windows components rely on it. Disabling IPv6 could, therefore, disrupt the functionality of other Windows components.

EDRKillShifter Malware: New EDR Killer Tool in Ransomware Actors’ Toolkit
https://gridinsoft.com/blogs/edrkillshifter-tool/
Thu, 15 Aug 2024 14:18:41 +0000

Recent research uncovers a new anti-EDR utility in the arsenal of malware actors, nicknamed EDRKillShifter. Its main known user at the moment is the RansomHub ransomware gang. However, other threat actors are likely to adopt this tool too, as similar utilities are immensely popular among cybercriminals nowadays.

EDRKillShifter Used in Ransomware Attacks

The research team at Sophos did a tremendous job analyzing the new toolkit. Being an element of targeted ransomware attacks, EDRKillShifter employs a lot of detection evasion techniques, as it is meant to be used among the first attack steps. It is also worth noting that the tool is written in Golang, which appears to be a new trend among malware creators. This helps with detection evasion too, thanks to the obfuscation utilities available for this language.

Image: EDRKillShifter scheme

One of the notable users of this anti-EDR tool is the RansomHub ransomware gang. Having appeared in late February 2024, it quickly gained traction, attacking companies in Europe and the US. Nowadays, they are among the most active ransomware groups, claiming attacks on over 80 companies. Similar tools are also used by the LockBit ransomware group, namely the AuKill malware.

The execution of EDRKillShifter happens in three stages. The first one requires direct interaction from the adversaries: they must type the correct password when running the malware from the command line. Further steps happen automatically: the toolkit decrypts its resources and loads itself into system memory. After that, the main course of the attack kicks in.

The key trick this toolkit pulls is loading a vulnerable driver (the bring-your-own-vulnerable-driver, or BYOVD, technique), which eventually does the main job of disabling EDRs. For this purpose, cybercriminals opt for a legitimate driver that has a known vulnerability. The driver’s valid signature and its recognition by the system allow the threat actors to do the trick right under the nose of a still-working security solution. The driver lets EDRKillShifter methodically go through all the processes running in the environment, disabling the ones that match its hardcoded list.

How effective is EDRKillShifter?

Anti-EDR tools show rather high efficiency in cyberattacks, and their growing popularity among threat actors confirms this. Disabling the security tool effectively frees adversaries to do anything they want next. EDRKillShifter is also rather hard to detect by itself, due to the obfuscation and BYOVD tactics it uses. Researchers also note that the list of EDR solutions the toolkit may target is easy to expand: since it is a hardcoded list, hackers simply add new entries or substitute old ones – it is as easy as it sounds.

Fair enough, it is not the final payload, but it is what makes deploying one possible. Security analysts agree that such attack vectors will expand in the future, with even more tricks and possibilities. Fortunately, BYOVD is not a new tactic, and security vendors already have ways to detect its abuse.

Darknet Infrastructure of EDR Killer Tools

One more noteworthy thing about EDRKillShifter is the infrastructure built around this and similar toolkits. Obfuscation services and loaders for malware payloads have always been a profitable Darknet business, and this applies to this anti-EDR solution too: the loader that executes the first attack stage appears to be made by a different threat actor, and the obfuscation is likely done by a third party as well.

From a certain point of view, this may look like an unnecessary complication and extra cost for the attack. On the other hand, having a whole bunch of components made by different cybercriminals makes the attack harder to detect and trace. And that is worth much more than the fees the ransomware actors pay for all these services.

Critical SAP Auth Bypass and SSRF Flaws Fixed, Update Now
https://gridinsoft.com/blogs/critical-sap-auth-bypass-ssrf-vulnerabilities-fixed/
Wed, 14 Aug 2024 14:30:31 +0000

The post Critical SAP Auth Bypass and SSRF Flaws Fixed, Update Now appeared first on Gridinsoft Blog.

]]>
SAP, the developer of business management software, released a huge security update that fixes numerous vulnerabilities in their software. Among them are severe authentication bypass and server-side request forgery vulnerabilities rated at CVSS 9.8 and 9.1 respectively. The company urges installing updates as soon as possible, as the mentioned flaws affect a substantial number of customers.

SAP Uncovers Auth Bypass and Request Forgery Vulnerabilities

In their latest update, released on August 13, 2024, SAP disclosed fixes for 17 security flaws, 6 of which are considered critical. Only two of them, however, drew most of the security researchers' attention: CVE-2024-41730 and CVE-2024-29415. And for a good reason: both have CVSS ratings of 9+ and may lead to painful consequences if exploited by adversaries.

Update notes for the August 2024 security update from SAP

The first one, CVE-2024-41730, is an authentication bypass vulnerability that allows adversaries to extract logon tokens for the SAP Business Intelligence Platform. It has one requirement to work: the system must have Single Sign On (SSO) enabled for Enterprise authentication. Since that setting is commonly enabled, it is not much of an obstacle. And holding a valid auth token for the application effectively means taking it over, with the potential for data leaks and/or malware deployment.

The CVE-2024-29415 flaw, if successfully exploited, may cause server-side request forgery (SSRF). The affected software fails to classify some IP addresses correctly, treating localhost (127.0.0.1) and similar non-routable addresses as globally routable. In simple words, an attacker can make the server connect to an arbitrary IP address, bypassing its current security configuration. Such a trick can result in massive data leaks and infrastructure exposure. It is also worth noting that the flaw likely stems from an incorrect fix of the previous, similar vulnerability, CVE-2023-42282.
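To illustrate the bug class described above, here is an added example (not SAP's code or the vulnerable component): a naive string-prefix check that lets loopback aliases through, beside a parse-then-classify check that rejects non-canonical spellings and unwraps IPv4-mapped IPv6 addresses before deciding. The prefix list and sample hosts are constructed for illustration.

```python
"""Constructed example: two ways to decide whether a requested host is
globally routable before a server opens an outbound connection."""
import ipaddress

# Naive check modelled on the bug class: compares text prefixes, so only
# canonical spellings of loopback/private ranges are caught (constructed).
BLOCKED_PREFIXES = ("127.0.0.1", "10.", "192.168.", "::1")


def naive_is_public(host: str) -> bool:
    """Returns True (allow) for anything not matching a known prefix."""
    return not host.startswith(BLOCKED_PREFIXES)


def strict_is_public(host: str) -> bool:
    """Parse first, classify second; reject whatever cannot be parsed."""
    text = host.strip()
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        # '127.1', '0x7f.0.0.1', hostnames: not an IP literal, so never
        # assume public; callers must resolve and re-check the result.
        return False
    if isinstance(addr, ipaddress.IPv4Address) and str(addr) != text:
        # Leading-zero or shorthand octets (e.g. '0177.0.0.1') change
        # meaning between parsers; insist on the canonical spelling.
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        # '::ffff:127.0.0.1' must be judged by the embedded IPv4 address.
        addr = addr.ipv4_mapped
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    return addr.is_global


# Constructed hosts: localhost aliases plus real private/public addresses.
SAMPLE_HOSTS = ["127.0.0.1", "127.1", "::ffff:127.0.0.1", "0177.0.0.1",
                "localhost", "10.0.0.1", "::1", "8.8.8.8", "2606:4700::1"]


def compare(hosts=SAMPLE_HOSTS):
    """Returns {host: (naive_verdict, strict_verdict)} for each input."""
    return {h: (naive_is_public(h), strict_is_public(h)) for h in hosts}


if __name__ == "__main__":
    for host, (naive, strict) in compare().items():
        print(f"{host:>20}  naive={naive!s:5}  strict={strict}")
```

Every host where the two verdicts differ is one the naive check would have let reach an internal address.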

List of critical flaws that SAP fixed in the August 2024 patch

Vulnerability       CVSS severity score
CVE-2024-41730      9.8
CVE-2024-29415      9.1
CVE-2024-42374      8.2
CVE-2023-30533      7.8
CVE-2024-34688      7.5
CVE-2024-33003      7.4

SAP Critical Vulnerabilities – Patches Available

Fortunately for the massive customer base of SAP products, the fixes are available right away. The company likely acknowledged the vulnerabilities quite some time ago but did not disclose them publicly before having a proper fix. The list of software and versions that contain the fix is exceptionally long, so if you use SAP products, check for updates and install them right away.

Obviously, with such a large number of fixes, the company does not offer any mitigation instructions. One might suggest disabling SSO for Enterprise authentication, but that is a less than favorable option. And overall, mitigations are only good when a proper solution is absent; in this case it is already there.

1Password Vulnerability for MacOS Causes Credentials Leak
https://gridinsoft.com/blogs/1password-vulnerability-macos/
Fri, 09 Aug 2024 12:06:08 +0000

A critical vulnerability was discovered in 1Password that allows attackers to steal vault items by bypassing the app’s security measures. It affects only the macOS version of the program, and touches every single version of the app. A patch is now available, and users are strongly advised to update as soon as possible.

1Password Vulnerability Let Attackers Exfiltrate Vault Items

1Password developers reported a critical vulnerability found in the Mac version of the app. This vulnerability, identified as CVE-2024-42219, was discovered by Robinhood’s Red Team during an independent security assessment of 1Password for Mac. It allows a malicious process running locally on a computer to bypass protections for inter-process communication. This issue affects all app versions up to 8.10.36.

On macOS, 1Password uses the system-native XPC interface for inter-process communication. XPC allows enforcing additional protections called the hardened runtime, which allows enforcing that processes you communicate with have additional protections from process tampering. This prevents certain local attacks from being possible.
(1Password Support)

Vulnerabilities in password managers are always a massive source of headache for both developers and users. The recent events around the LastPass password manager, which led to a huge leak of login credentials, are the perfect example of what may happen if such a case is not managed properly. Fortunately, 1Password acknowledged the issue well before any real-world exploitation was reported.

Technical Details

The CVE-2024-42219 vulnerability is related to bypassing inter-process communication (IPC) protections in 1Password for Mac across all versions up to 8.10.36. If a malicious process is running locally on the computer, it can circumvent these protections. This allows attackers to steal vault items and obtain the credentials necessary for logging into 1Password, such as the account unlock key and the SRP-x (Secure Remote Password) values. 1Password Vaults are secure containers for storing and organizing items that allow users to share specific information with selected individuals. Essentially, they are mini password managers within the main application.

However, certain conditions are required to exploit this vulnerability: the attacker needs to convince the user to execute malicious software on their computer. During the attack, the absence of specific macOS checks for inter-process communication can be exploited. This allows the attacker to spoof or hijack trusted 1Password integrations, such as the browser extension or command-line interface. Fortunately, there have been no reports of this vulnerability being exploited in the wild.

1Password’s Response

1Password promptly released an update to patch this vulnerability as soon as they were notified. Details about the issue were disclosed on relevant news platforms after the patch was released, which upset some users who expected to see it in the changelog. However, it’s clear that the company maintained informational silence to ensure user safety.

1Password strongly recommends that all users update their app to version 8.10.36 as soon as possible to mitigate potential risks. The company also expressed gratitude to Robinhood’s team for responsibly disclosing the vulnerability and for their close collaboration, which ensured timely protection for users.

Windows COM Vulnerability Exploited by Chinese Hackers
https://gridinsoft.com/blogs/windows-com-vulnerability-exploited/
Wed, 07 Aug 2024 15:02:10 +0000

A vulnerability in Windows COM, first discovered in 2018, has become the target of attacks once again. A Chinese hacker group, likely affiliated with the Ministry of State Security of the People’s Republic of China, has exploited this vulnerability in an attack on a research center in Taiwan. Microsoft offers a non-obvious solution to this problem.

Chinese Cybercriminals Are Exploiting A Vulnerability In Windows 10

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2018-0824 vulnerability to its catalog of exploited vulnerabilities. This was prompted by a Cisco Talos report indicating that the Chinese group APT41 may have actively used this flaw in its attacks. In short, the vulnerability allows for local privilege escalation and remote code execution, putting hundreds of millions of Windows 10 users at risk. APT41 uses custom loaders that inject the code exploiting CVE-2018-0824 directly into memory, which lets the attackers take control of the system.

The remote code execution vulnerability CVE-2018-0824 has a CVSS score of 7.5 and exists in “Microsoft COM for Windows” when it fails to properly handle serialized objects, known as the “Microsoft COM for Windows Remote Code Execution Vulnerability.” This vulnerability affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, and Windows 10 Server. An attacker exploiting this vulnerability could use a specially crafted file or script to perform actions. In an email attack, the attacker could send the file to the user and convince them to open it. In a web-based attack, the attacker could host a website containing the file and persuade the user to open it by clicking a link.

CVE-2018-0824 and Threat Actors

The primary threat actor known to exploit this vulnerability is APT41, a cyber group that, according to the U.S. government, consists of Chinese nationals. In August 2023, experts detected abnormal PowerShell commands connecting to an IP address to download and execute PowerShell scripts within the environment of a Taiwanese government-affiliated research institute. This attack, conducted by APT41, involved a unique Cobalt Strike loader written in Go to evade detection. The attackers behind the operation were proficient in simplified Chinese, indicating their likely origin.

Although it might seem that APT41 poses a minimal risk to the average user, that is not entirely accurate. Another threat, targeting all Windows users, is highlighted in other reports. SnakeKeylogger, aka KrakenKeylogger, is a new piece of malware aimed at Windows users, and not necessarily ones inside a corporate network. This malware logs keystrokes, steals credentials, and takes screenshots to gather sensitive information, which is then sent to the fraudsters. It typically spreads through phishing campaigns, where the malicious code is hidden in email attachments.

Available Solutions

Although a patch for CVE-2018-0824 has been available for a long time, attackers continue to exploit it. On the other hand, SnakeKeylogger remains a significant threat to users. So, here are several solutions to address these issues:

Upgrade to Windows 11. One radical solution for Windows 10 users is to upgrade to Windows 11. However, there is a significant problem: many users are reluctant to switch to Windows 11. The primary reason is that Windows 11 has higher system requirements, and not all users can upgrade their hardware to support the new system. Many users remain on Windows 10 despite security warnings due to resource limitations and the unwillingness to spend money on new equipment.

Use Advanced System Protection. There is also a workaround: blocking the attacks with advanced system protection. GridinSoft Anti-Malware is the one you can rely on here. This program will stop malware from getting into the system before it can do any harm. While using an outdated version of Windows is not the best solution, employing an advanced anti-malware program can significantly reduce the risks.
