CISA ADDS ANDROID PIXEL AND SUNHILLO SURELINE BUGS TO ITS KNOWN EXPLOITED VULNERABILITIES CATALOG

Pierluigi Paganini
March 06, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android Pixel and Sunhillo SureLine vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

The Android Pixel vulnerability, tracked as CVE-2023-21237, resides in applyRemoteView of NotificationContentInflater.java. Exploitation of this vulnerability could lead to local information disclosure with no additional execution privileges needed, and it does not require user interaction.

Google addressed the issue in June 2023; the IT giant is aware of “limited, targeted exploitation.”

“There are indications that CVE-2023-21237 may be under limited, targeted exploitation.” reads the security bulletin published by the company.

The issue is likely chained with other flaws in an exploit used by a commercial spyware vendor or a nation-state actor.

The second issue added to the Catalog is an OS Command Injection vulnerability in Sunhillo SureLine. Exploitation of the flaw can allow an attacker to execute arbitrary commands with root privileges.

The exploitation can lead to complete system compromise.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by March 26, 2024.


Researchers say easy-to-exploit security bugs in ConnectWise remote-access software now under mass attack


Security researchers say a pair of easy-to-exploit flaws in a popular remote-access tool used by more than a million companies around the world are now being mass exploited, with hackers abusing the vulnerabilities to deploy ransomware and steal sensitive data.

Cybersecurity giant Mandiant said in a post on Friday that it has “identified mass exploitation” of the two flaws in ConnectWise ScreenConnect, a popular remote access tool that allows IT and technicians to remotely provide technical support directly on customer systems over the internet.

The two vulnerabilities comprise CVE-2024-1709, an authentication bypass vulnerability that researchers deemed “embarrassingly easy” for attackers to exploit, and CVE-2024-1708, a path-traversal vulnerability that allows hackers to remotely plant malicious code, such as malware, on vulnerable ConnectWise customer instances.

ConnectWise first disclosed the flaws on February 19 and urged on-premise customers to install security patches immediately. However, thousands of servers remain vulnerable, according to data from the Shadowserver Foundation, and each of these servers can manage up to 150,000 customer devices.

Mandiant said it had identified “various threat actors” exploiting the two flaws and warned that “many of them will deploy ransomware and conduct multifaceted extortion,” but did not attribute the attacks to specific threat groups.

Finnish cybersecurity firm WithSecure said in a blog post Monday that its researchers have also observed “en-mass exploitation” of the ScreenConnect flaws from multiple threat actors. WithSecure said these hackers are exploiting the vulnerabilities to deploy password stealers, back doors, and in some cases ransomware.

WithSecure said it also observed hackers exploiting the flaws to deploy a Windows variant of the KrustyLoader back door on unpatched ScreenConnect systems, the same kind of back door planted by hackers recently exploiting vulnerabilities in Ivanti’s corporate VPN software. WithSecure said it could not yet attribute the activity to a particular threat group, though others have linked the past activity to a China-backed hacking group focused…


Mirai Botnet Exploits Zero-Day Bugs For DDoS Attacks


InfectedSlurs, a Mirai botnet malware, has been exploiting two zero-day remote code execution (RCE) vulnerabilities. The malware targets routers and network video recorder (NVR) devices, aiming to make them part of its distributed denial of service (DDoS) swarm. Although the botnet was discovered in October 2023, it is believed that its initial activities date back to the latter half of 2022. In this blog, we’ll dive into how the botnet was discovered, how it functions, and more.

Mirai Botnet Detection Details


The botnet was discovered when Akamai’s Security Intelligence Response Team (SIRT) noticed malicious activity pertaining to the company’s honeypots. As of now, it is believed the malicious activity was initiated to target a rarely used TCP port. The SIRT team noticed fluctuations in the frequency of the zero-day exploits.

An analysis of the zero-day vulnerabilities, published by Akamai, reads, “The activity started out with a small burst, peaking at 20 attempts per day, and then thinned out to an average of two to three per day, with some days completely devoid of attempts.” It’s worth mentioning that vulnerable devices that fell prey to the botnet were unknown until November 9, 2023. 

Initially, the probes were low-frequency and attempted authentication using a POST request. Upon acquiring access, the botnet attempted a command injection exploitation. Researchers have also determined that the botnet used default admin credentials for installing Mirai variants.

Upon further observation, it was identified that the wireless LAN routers, built for hotels and residential purposes, were also being targeted by the Mirai botnet. Commenting on the RCE flaw being exploited for unauthorized access, Akamai stated: “The SIRT did a quick check for CVEs known to impact this vendor’s NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild.” 


InfectedSlurs, JenX, and hailBot


The InfectedSlurs botnet is suspected to be linked to other cybersecurity threats such as JenX and hailBot. The botnet gets its name from the use of racial and offensive language in the command-and-control (C2)…

Cactus Ransomware Using Qlik Bugs, DanaBot in Latest Attacks


Operators Exploit Flaws in Data Analytics Platform to Access Corporate Networks
Operators of Cactus ransomware are staying active, security researchers say. (Image: Shutterstock)

Operators of a new ransomware strain dubbed Cactus are using critical vulnerabilities in a data analytics platform to gain access to corporate networks. Cactus ransomware operators are also getting an assist from deploying DanaBot malware that is distributed through malvertising.

Cactus ransomware first emerged in March and adopted a double-extortion tactic – stealing and encrypting data. It has visibly ramped up operations in the past few months and has participated in a surge of ransomware activities this fall, setting record-breaking levels of ransomware attacks. Cactus listed 33 victims in September, U.K.-based cybersecurity firm NCC Group said in October (see: Known Ransomware Attack Volume Breaks Monthly Record, Again).

Cactus’ campaign, which cybersecurity firm Arctic Wolf said affects data analytics platform Qlik Sense, uses vulnerabilities initially detected by researchers in August. One vulnerability, identified as CVE-2023-41266, is a path traversal bug that could be exploited to generate anonymous sessions and execute unauthorized HTTP requests. Another flaw, CVE-2023-41265, has a critical-severity CVSS rating of 9.8. It does not require authentication and allows privilege escalation and execution of HTTP requests on the back-end server hosting the application.

In September, Qlik discovered that hackers could bypass the fix for CVE-2023-41265, prompting a new…
