Tag Archive for: server

Exploit available for critical flaw in FortiClient Server

/in


Security researchers have released technical details and a proof-of-concept (PoC) exploit for a critical vulnerability patched last week in Fortinet’s FortiClient Enterprise Management Server (FortiClient EMS), an endpoint security management solution. The vulnerability, tracked as CVE-2023-48788, was reported to Fortinet as a zero-day by the UK National Cyber Security Centre (NCSC) and was actively exploited in the wild at the time of the patch, but likely in very targeted attacks. The availability of the new PoC, even though not weaponized, could enable wider exploitation and easier adoption by more attacker groups.

The flaw is the result of improper sanitization of elements in an SQL command, which could be exploited in an SQL injection scenario to execute unauthorized code or commands on the FortiClient EMS. Customers are advised to upgrade to version 7.0.11 or above for the 7.0.x series and to version 7.2.3 or above for the 7.2.x series.

Fortinet vulnerability trivial to exploit

FortiClient EMS is the central server component that is used to manage endpoints running FortiClient. According to researchers with penetration testing firm Horizon3.ai, who reconstructed the vulnerability, it is in a component called FCTDas.exe, or the Data Access Server, which communicates with Microsoft SQL Server database to store information received from endpoints.

Endpoints that have FortiClient installed communicate with a component of the EMS called FmcDaemon.exe over port 8013 using a custom text-based protocol that is then encrypted with TLS for protection. FmcDaemon.exe then passes information to FCTDas.exe in the form of SQL queries that are then executed against the database.

The researchers managed to build a Python script to interact with FmcDaemon.exe and send a simple message to update the FCTUID followed by an SQL injection payload to trigger a 10-second sleep. They then observed that the payload was passed to FCTDas.exe, therefore confirming the vulnerability.

“To turn this SQL injection vulnerability into remote code execution we used the built-in xp_cmdshell functionality of Microsoft SQL Server,” the researchers said in their technical…

Source…

Dangerous Windows 10, 11, Server Zero-Day Exploited By Lazarus Hackers

/in


The notorious and highly prolific North Korean Lazarus criminal hacking group has been exploiting an admin-to-kernel privilege escalation Windows security flaw using an updated version of its FudModule rootkit.

What Is CVE-2024-21338 And Why Is It So Dangerous?

In a detailed analysis of the exploit, Lazarus and the FudModule Rootkit, Jan Vojtěšek from the Avast Threat Labs explains how researchers found the exploit for this previously unknown zero-day vulnerability in the Windows appid.sys AppLocker driver.

Although the vulnerability itself, which is monitored as CVE-2024-21338, was reported to Microsoft by Avast in August 2023 along with a proof-of-concept exploit, it wasn’t patched until the February 13 Patch Tuesday updates were made available. However, when the updates were distributed, CVE-2024-21338 wasn’t listed as a zero-day with exploits in the wild.

“From the attacker’s perspective, crossing from admin to kernel opens a whole new realm of possibilities,” Vojtěšek says. “With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes,) disable kernel-mode telemetry, turn off mitigations, and more.”

As for the FudModule rootkit, Vojtěšek says this represents “one of the most complex tools Lazarus holds in their arsenal.”

Microsoft Issued Fix As Part Of February Patch Tuesday

Microsoft has now published an updated security advisory recognizes this as a zero-day vulnerability.

Impacting various versions of Windows 10, Windows 11 and Windows Server, users are advised to check the updated security advisory and apply the patch if they have not already done so.

That Microsoft has now issued a patch for this vulnerability means, the Avast analysis says, that Lazarus’ offensive operations will undoubtedly be disrupted.

“While discovering an admin-to-kernel zero-day may not be as challenging as discovering a zero-day in a more attractive attack surface (such as standard user-to-kernel, or even sandbox-to-kernel),” Vojtěšek concludes, “we believe that finding…

Source…

Ransomware associated with LockBit still spreading 2 days after server takedown

/in


A stylized skull and crossbones made out of ones and zeroes.

Two days after an international team of authorities struck a major blow at LockBit, one of the Internet’s most prolific ransomware syndicates, researchers have detected a new round of attacks that are installing malware associated with the group.

The attacks, detected in the past 24 hours, are exploiting two critical vulnerabilities in ScreenConnect, a remote desktop application sold by Connectwise. According to researchers at two security firms—SophosXOps and Huntress—attackers who successfully exploit the vulnerabilities go on to install LockBit ransomware and other post-exploit malware. It wasn’t immediately clear if the ransomware was the official LockBit version.

“We can’t publicly name the customers at this time but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown,” John Hammond, principal security researcher at Huntress, wrote in an email. “While we can’t attribute this directly to the larger LockBit group, it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement.”

Hammond said the ransomware is being deployed to “vet offices, health clinics, and local governments (including attacks against systems related to 911 systems).”

Muddying the attribution waters

SophosXOps and Huntress didn’t say if the ransomware being installed is the official LockBit version or a version leaked by a disgruntled LockBit insider in 2022. The leaked builder has circulated widely since then and has touched off a string of copycat attacks that aren’t part of the official operation.

“When builds are leaked, it can also muddy the waters with regards to attribution,” researchers from security firm Trend Micro said Thursday. “For example, in August 2023, we observed a group that called itself the Flamingo group using a leaked LockBit payload bundled with the Rhadamanthys stealer. In November 2023, we found another group, going by the moniker Spacecolon,…

Source…

Mid-West Data Depot offers safe, convenient server data backup storage

/in


businessman-showing-virtual-security

With the advent of computers came the need to store information. Nearly every business of every size has countless gigabytes of data related to their operations and their customers. Against the landscape of constant threats from computer viruses and cyber-attackers, data backups have become a big concern.

In the data industry, best practices call for following a 3-2-1 backup strategy; three copies of your data, using two different types of media, and one copy is stored offsite. That’s where Mid-West Data Depot comes in.

LOCATION, LOCATION, LOCATION
The new service offered by media company Mid-West Family South Bend makes perfect sense: Companies need a safe place to store their data backups. Mid-West Data Depot is literally located inside a tornado shelter in South Bend that has redundant power supplies, four huge pipelines to the internet, security, and plenty of rack space for computer servers.

Data Depot site manager Bill Gamble said after you consider putting the right infrastructure in place, the business is straightforward.

ADVERTISEMENT




Your content continues below

“It’s a place to store your data offsite. When we bought this building, it was already a data storage facility. Thick walls. No windows. We affectionately call it The Bunker. If there’s a disaster, this is where you want your data to be.”

STORED DATA IS SAFE DATA
Gamble said offsite data storage is growing in popularity.

“Data that isn’t backed up can be lost forever due to any number of issues. Our infrastructure means we’ll never lose power, we have reliable and redundant network connections, and there’s no weather that can compromise The Bunker. It’s that simple.”

Gamble points out that 43 percent of cyber incursions annually target small businesses. He adds that of those businesses, 46 percent have fewer than 1,000 employees.

“The scary thing is everyone’s going to get hacked eventually. What’s sad is that 70 percent of small businesses that suffer a catastrophic data breach close within a year. If you own a business, just ask your insurance agent if you can get a discount because you have an offsite backup.”

A LOCAL DATA DEPOT
One of the differentiators Gamble points to is…

Source…