Among the presentations at this August's Black Hat 2022 conference, few were of practical use to system administrators and security officers. A welcome exception was the report by Rapid7 researcher Jacob Baines, who spoke in detail about how he'd analyzed Cisco enterprise software and found multiple vulnerabilities therein. Jacob's findings are available as slides, in a detailed report, and as a set of utilities on GitHub.

Jacob found 10 issues affecting Cisco Adaptive Security Software, Adaptive Security Device Manager, and Firepower Services Software for ASA. These software solutions control a variety of Cisco systems for enterprise users, including hardware firewalls and end-to-end enterprise security solutions, among others. Seven of these issues Cisco recognized as vulnerabilities, while the remaining three — according to the vendor — don't affect security. At the time of disclosure, two of the seven vulnerabilities had not been closed — despite the fact that Rapid7 informed Cisco back in February/March 2022 (another was supposedly closed later).

What are the vulnerabilities?

Let's take a look at two of the most noteworthy. The vulnerability CVE-2022-20829 relates to the update delivery method used in Cisco ASA software. The bug is rather trivial: binary update packages are not validated at all during installation; there's no digital signature verification or anything like that. Rapid7 showed how to modify Cisco ASDM binary packages to execute arbitrary code when processed.

The second vulnerability of note is CVE-2021-1585. It was discovered in late 2020 by researcher Malcolm Lashley. As he found out, when updates are delivered, the certificate needed to establish a secure connection via a TLS handshake is processed incorrectly. This, in turn, allows an attacker to carry out a man-in-the-middle attack against Cisco clients — that is, substitute their own resource for a legitimate update source. This makes it possible to deliver and execute malicious code instead of a patch. This vulnerability has an interesting history: Malcolm Lashley reported it to Cisco in December 2020. In July 2021, Cisco released details of the vulnerability without a patch. In July 2022, the vulnerability was marked as closed on the internal portal for company clients. Rapid7 showed this not to be the case: if there was a patch, it didn't work.

Nor can the other vulnerabilities be described as trivial. For example, CVE-2022-20828 can be used to attack a system administrator through remote access. The demonstration gives an example of how a potential attacker can gain full access to the system by entering a single command. What's more, Rapid7 found that FirePOWER boot modules are not scanned at all. This means that if any vulnerabilities are closed in the software, it's always possible to roll back the boot image to an earlier, unpatched version. Despite the potential for using such a downgrade in real attacks, Cisco did not even consider it a security issue.

Update delivery difficulties

These vulnerabilities show that even in enterprise software bundled with high-end corporate solutions, the update delivery system can leave much to be desired. Not so long ago, we wrote about a conceptually similar problem in consumer software, namely the Zoom web client for Apple machines. The update checking process seemed quite secure: access to the server was through a secure connection, and the update file was digitally signed. But the signature verification procedure allowed anything to be run instead of a legitimate executable file — and with the highest privileges at that. There's also an example of malicious updates being used in real attacks: in 2018, Kaspersky researchers detected this method in the Slingshot APT campaign to compromise Mikrotik routers. In Cisco's case, verification of the digital signature of ASDM binary package updates didn't even have to be bypassed: it simply didn't exist (a mechanism supposedly appeared in August 2022, but its reliability has yet to be tested). If truth be told, all the attacks proposed by researchers at Black Hat are quite difficult to carry out. But since we could be talking about a large organization with a lot to lose from file-encrypting ransomware or theft of trade secrets, the risk should be taken seriously.

What to do about it

Given the specifics of these vulnerabilities, the Rapid7 researchers' main recommendation is to limit, to the extent possible, working in administrator mode with full access. And this refers not only to having high privileges while connecting to the infrastructure remotely. There are many examples that show a hack is possible even given maximum offline isolation — through malicious updates or a simple script that exploits a software vulnerability. Careful monitoring of those individuals with full access to the infrastructure, and also limiting actions performed as administrator, will help reduce the risk of a successful attack. But the risk won't be eliminated entirely…
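The article's two update-path problems (a package installer with no signature check at all, and a boot image that can be rolled back to an unpatched version) come down to the same missing control: the device must refuse any package it cannot authenticate and must not accept an older version than the one it runs. The following is an added illustration written for this post, not Cisco's or Rapid7's code, and it says nothing about how ASA or ASDM actually package updates. It is a constructed toy installer in Go using the standard library's Ed25519: the vendor build system signs a version number bound to the payload's SHA-256 digest, and the device holds only the public key. The names (UpdatePackage, SignUpdate, InstallUnverified, InstallVerified), the sample payload and the version numbers are all assumptions for the example. TLS certificate validation on the download channel (the second vulnerability above) is a separate layer and is not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a vendor update bundle:
// the binary payload, the version it claims, and a detached signature.
type UpdatePackage struct {
	Version   uint32
	Payload   []byte
	Signature []byte // Ed25519 signature over signedMessage(Version, Payload)
}

// signedMessage binds the version number to the payload digest, so a
// valid signature from one package cannot be re-attached to other bytes
// and a verified package cannot claim a version it was not signed for.
func signedMessage(version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	msg := make([]byte, 4+len(digest))
	binary.BigEndian.PutUint32(msg[:4], version)
	copy(msg[4:], digest[:])
	return msg
}

// SignUpdate runs on the vendor's build system, the only place the
// private key should exist.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// InstallUnverified mirrors the behaviour the article describes: the
// payload goes straight to the installer with no validation of any kind.
func InstallUnverified(pkg UpdatePackage) ([]byte, error) {
	return pkg.Payload, nil
}

// InstallVerified is the hardened path: it fails closed on a missing or
// bad signature and refuses anything not newer than the installed version,
// which is the same check that would block the boot-image rollback.
func InstallVerified(pub ed25519.PublicKey, installedVersion uint32, pkg UpdatePackage) ([]byte, error) {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: missing or malformed signature")
	}
	if !ed25519.Verify(pub, signedMessage(pkg.Version, pkg.Payload), pkg.Signature) {
		return nil, errors.New("update rejected: signature does not verify")
	}
	if pkg.Version <= installedVersion {
		return nil, fmt.Errorf("update rejected: version %d is not newer than installed %d",
			pkg.Version, installedVersion)
	}
	return pkg.Payload, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload; a real package would be the firmware image.
	genuine := SignUpdate(priv, 2, []byte("constructed sample update payload v2"))

	// A tampered copy keeps the vendor's signature but alters the bytes.
	tampered := genuine
	tampered.Payload = append([]byte(nil), genuine.Payload...)
	tampered.Payload[0] ^= 0xff

	for _, tc := range []struct {
		name string
		pkg  UpdatePackage
	}{{"genuine", genuine}, {"tampered", tampered}} {
		_, errU := InstallUnverified(tc.pkg)
		_, errV := InstallVerified(pub, 1, tc.pkg)
		fmt.Printf("%-8s unverified accepts=%v  verified accepts=%v\n", tc.name, errU == nil, errV == nil)
	}
}
```

The unverified path accepts both packages; the verified path accepts only the genuine one, and would also reject an unsigned package, a package signed with a different key, and a re-delivered version 2 once version 2 is installed.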
Phones of at least three human rights investigators in Mexico were infected with Pegasus during the term of President Andres Manuel Lopez Obrador despite the assertions that it would stop using the controversial spyware, a report on Sunday found.
Proactively scanning the cloud environment for possible vulnerabilities is the best way to address them before they result in breaches. Having clear visibility across the entire attack surface is key to securing the cloud.
Fortinet researchers found some malicious Microsoft Office documents that attempted to leverage legitimate websites—MediaFire and Blogger—to execute a shell script and then dropped two malware variants of Agent Tesla and njRat.
Spotted by security researchers at CloudSEK, the first of these campaigns worked via a domain impersonating the Google Play Store and displaying a malicious, browser-based application for Chrome.
This in-development feature aims to allow admins to filter potentially dangerous messages targeting employees with malicious payloads or trying to redirect them to phishing websites.
A new analysis of Bumblebee, a particularly pernicious malware loader that first surfaced this March, shows that its payload for systems that are part of an enterprise network is very different from its payload for standalone systems.
A total of 1,043 schools and colleges—part of 62 school districts and the campuses of 26 colleges and universities—were hit by ransomware hackers in 2021, according to cybersecurity company Emsisoft.
Many Russian men eligible for enlistment have resorted to illegal channels that provide them with fabricated exemptions, while those fleeing the country to neighboring regions turn to identity-masking tools.
According to the scant details provided in the announcement, a group of hackers residing outside the Russian Federation exploited a security gap in the company's IT systems and accessed customer and employee details.
The police have planned awareness campaigns focusing on topics like multi-factor authentication, strong passwords, software updates, identifying online fraudsters, preventing financial fraud, and safe use of social media.
Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082).
To gain control of this dynamic threat landscape, it’s important that security teams keep a pulse on new and emerging threats, the latest cybercrime tactics, and the leading tools at their disposal.
A new phishing technique using Chrome's Application Mode feature allows threat actors to display local login forms that appear as desktop applications, making it easier to steal credentials.
The new funding, the company says, will help improve the accuracy of vulnerability assessments and accelerate adoption of Detectify’s surface monitoring and application scanning platform.
Documents belonging to the Italian luxury sports car manufacturer Ferrari are circulating online; the company confirmed their authenticity, stating that it is not aware of any cyberattack.
In a parasitic manner, the threat actor compromised the websites of other scammers posing as a decentralized application (DApp) and injected malicious JavaScript code into them.
Okta recently released its annual global snapshot of zero trust implementation across industries and found that 72 percent of government organizations surveyed were already employing zero trust methods.
One of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. It also gives attackers the ability to execute shell commands.
Digital adversaries behind the SolarMarker malware crippled a global tax consulting firm by camouflaging fake Chrome browser updates as part of watering hole attacks. Threat actors use the Google Dorking technique and conduct source code searches to identify such vulnerable websites before injecting the malicious code into them.
Tracked as CVE-2022-24828 (CVSS score: 8.8), the issue has been described as a case of command injection and is linked to another similar Composer bug (CVE-2021-29472) that came to light in April 2021, suggesting an inadequate patch.
The goal of BOD 23-01, it said, is to maintain an up-to-date inventory of networked assets, identify software vulnerabilities, track an agency's asset coverage and vulnerability signatures, and share that information to CISA at defined intervals.
The warning was issued as a Private Industry Notification from the FBI Miami Field Office in coordination with the Internet Crime Complaint Center (IC3) yesterday to raise awareness among cryptocurrency investors who are increasingly being targeted.
A bug in vm2, a popular JavaScript sandbox environment, could allow malicious actors to bypass sandbox protections and stage remote code execution (RCE) on the host device.
Nearly a dozen vulnerabilities have been found in a car parking management system made by Italian company Carlo Gavazzi, which makes electronic control components for building and industrial automation.
In an ongoing cyberespionage campaign, hacking group Witchetty has been found targeting two governments in the Middle East and a stock exchange in Africa. Among the new tools used by the group is a backdoor named Stegmap. The malware is distributed via the rarely used steganography technique.
Vietnamese cybersecurity company GTSC uncovered a zero-day in fully patched Microsoft Exchange servers. The flaws are being tracked (by Zero Day Initiative) as ZDI-CAN-18333 with a CVSS score of 8.8 and ZDI-CAN-18802 with a CVSS score of 6.3. The bug could be abused by attackers to achieve remote access to affected systems. At least one organization has been the victim of an attack campaign exploiting the zero-days.
Ubuntu Security Notice 5614-2 - USN-5614-1 fixed a vulnerability in Wayland. This update provides the corresponding update for Ubuntu 16.04 ESM. It was discovered that Wayland incorrectly handled reference counting certain objects. An attacker could use this issue to cause Wayland to crash, resulting in a denial of service, or possibly execute arbitrary code.
WordPress Elementor plugin versions 3.6.0 through 3.6.2 suffer from a remote shell upload vulnerability. This is achieved by sending a request to install Elementor Pro from a user supplied zip file. Any user with Subscriber or more permissions is able to execute this.
Ubuntu Security Notice 5651-2 - USN-5651-1 fixed a vulnerability in strongSwan. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Lahav Schlesinger discovered that strongSwan incorrectly handled certain OCSP URIs and CRL distribution points in certificates. A remote attacker could possibly use this issue to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which can lead to a denial-of-service attack.
Red Hat Security Advisory 2022-6763-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Issues addressed include a memory leak vulnerability.
Ubuntu Security Notice 5651-1 - Lahav Schlesinger discovered that strongSwan incorrectly handled certain OCSP URIs and CRL distribution points in certificates. A remote attacker could possibly use this issue to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which can lead to a denial-of-service attack.
Red Hat Security Advisory 2022-6764-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Issues addressed include a memory leak vulnerability.
Ubuntu Security Notice 5653-1 - Benjamin Balder Bach discovered that Django incorrectly handled certain internationalized URLs. A remote attacker could possibly use this issue to cause Django to crash, resulting in a denial of service.
Ubuntu Security Notice 5652-1 - It was discovered that the framebuffer driver in the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter subsystem in the Linux kernel did not properly handle rules that truncated packets below the packet header size. When such rules are in place, a remote attacker could possibly use this to cause a denial of service.
Red Hat Security Advisory 2022-6765-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Issues addressed include a memory leak vulnerability.
Red Hat Security Advisory 2022-6766-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include denial of service, information leakage, and open redirection vulnerabilities.
This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082, that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers. Based on ProxyShell, this new zero-day abuse risk leverages a chained attack similar to
Australian telecom giant Optus on Monday confirmed that nearly 2.1 million of its current and former customers suffered a leak of their personal information and at least one form of identification number as a result of a data breach late last month. The company also said it has engaged the services of Deloitte to conduct an external forensic assessment of the attack to "understand how it
A 46-year-old man in the U.S. has been sentenced to 25 years in prison after being found guilty of laundering over $9.5 million accrued by carrying out cyber-enabled financial fraud. Elvis Eghosa Ogiekpolor of Norcross, Georgia, operated a money laundering network that opened at least 50 business bank accounts for illicitly receiving funds from unsuspecting individuals and businesses after
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive (BOD) that directs federal agencies in the country to keep track of assets and vulnerabilities on their networks six months from now. To that end, Federal Civilian Executive Branch (FCEB) enterprises have been tasked with two sets of activities: Asset discovery and vulnerability
India's Central Bureau of Investigation (CBI) on Monday disclosed that it has detained a Russian national for allegedly hacking into a software platform used to conduct engineering entrance assessments in the country in 2021. "The said accused was detained by the Bureau of Immigration at Indira Gandhi International Airport, Delhi while arriving in India from Almaty, Kazakhstan," the primary
A popular Chinese-language YouTube channel has emerged as a means to distribute a trojanized version of a Windows installer for the Tor Browser. Kaspersky dubbed the campaign OnionPoison, with all of the victims located in China. The scale of the attack remains unclear, but the Russian cybersecurity company said it detected victims appearing in its telemetry in March 2022. The malicious version
Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks. "This vulnerability allows gaining control of Packagist," SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager
A big promise with a big appeal. You hear that a lot in the world of cybersecurity, where you're often promised a fast, simple fix that will take care of all your cybersecurity needs, solving your security challenges in one go. It could be an AI-based tool, a new superior management tool, or something else – and it would probably be quite effective at what it promises to do. But is it a silver
You always want to know what is attached to your network. And whether it could be vulnerable or not. Read more in my article on the Tripwire State of Security blog.
Graham Cluley Security News is sponsored this week by the folks at Kolide. Thanks to the great team there for their support! Do you know the old thought experiment about the AI designed to make paper clips that quickly decides that it will have to eliminate all the humans to maximize paper clips? Many security …
A 74-year-old Manga artist received an unsolicited Facebook message from somebody claiming to be Incredible Hulk actor Mark Ruffalo. You can probably guess where this is heading...