Zero-day vulnerability Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/zero-day-vulnerability/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Apache OFBiz Vulnerability Exposes Millions of Systems
https://gridinsoft.com/blogs/apache-ofbiz-vulnerability/
Tue, 09 Jan 2024 22:09:50 +0000

The cyber world has been rattled by the recent discovery of a critical zero-day vulnerability in Apache OFBiz, known as CVE-2023-51467. Researchers at SonicWall unveiled this flaw, which poses a significant threat by enabling attackers to bypass authentication and carry out a Server-Side Request Forgery (SSRF). The vulnerability is severe, with a CVSS score of 9.8, and has sparked concerns across various industries relying on Apache OFBiz’s Java-based web framework.

What is Apache OFBiz?

Apache OFBiz is an integral part of the digital backbone of numerous industries, ranging from financial services to healthcare. This open-source Enterprise Resource Planning (ERP) system is a key player in managing complex business processes, which is essential for large enterprises. That is what makes CVE-2023-51467 more than a technical glitch: its widespread exploitation could open the door to catastrophic disruptions in critical services and infrastructure.

Apache OFBiz Vulnerability – Technical side

SonicWall’s research team detected this critical zero-day vulnerability and promptly disclosed it to Apache OFBiz’s maintainers. The root of the vulnerability lies in the application’s login functionality. Attackers exploiting CVE-2023-51467 can bypass authentication by manipulating the checkLogin function in Apache OFBiz: by setting the “requirePasswordChange” parameter to “Y” in the URI and supplying null or invalid credentials, they make the function mistakenly return a success status, which grants unauthorized access.

Figure: Code parts of the login function in LoginWorker.java.

How does the exploit work?

  1. Manipulating the CheckLogin Function
    The core issue lies in the “checkLogin” function. Normally, this function should validate a user’s credentials before granting access. However, due to a flaw in its implementation, it fails to perform this task correctly under certain conditions.
  2. Exploiting Null or Invalid Credentials
    The exploit involves sending a crafted HTTP request in which the “USERNAME” and “PASSWORD” parameters are left empty or filled with invalid values, while the “requirePasswordChange=Y” parameter is included in the URI.
  3. Bypassing Authentication Checks
    Due to the flawed logic in the “checkLogin” function, when it receives null or invalid credentials along with the “requirePasswordChange=Y” parameter, it incorrectly bypasses the usual authentication checks. Specifically, it fails to enter the conditional block that checks whether the username and password are null. Consequently, it erroneously returns a success status, allowing the authentication process to be bypassed.
  4. Potential for Server-Side Request Forgery (SSRF) or Remote Code Execution (RCE)
    By bypassing authentication, an attacker could potentially perform SSRF or RCE, leading to unauthorized access to sensitive data or control over the system.
Figure: Sending an HTTP request that prompts the server to respond with a “PONG” message.
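To turn the request pattern described above into something a defender can look for, here is an added example (not code from the original post or from the Apache OFBiz project) that scans web-server access logs in front of OFBiz for requests whose query string carries requirePasswordChange=Y together with empty or missing USERNAME and PASSWORD parameters. It assumes the combined log format and the /webtools/control/ servlet path; the log lines are constructed samples.

```python
"""Flag access-log requests matching the CVE-2023-51467 authentication-bypass pattern."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format as written by Apache httpd or Nginx placed in front of OFBiz (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# OFBiz serves its web applications through the control servlet (assumption about the path).
CONTROL_PATH_MARKER = "/control/"


def parse_line(line):
    """Split one combined-log line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # keep_blank_values=True is essential: an empty USERNAME= is exactly what we look for.
    entry["params"] = {
        k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return entry


def classify(entry):
    """Return 'high', 'medium' or None for one parsed request.

    high   - requirePasswordChange=Y with empty or absent USERNAME/PASSWORD (the bypass pattern)
    medium - requirePasswordChange=Y in the URI with credentials present (unusual, worth a look)
    """
    if CONTROL_PATH_MARKER not in entry["path"]:
        return None
    params = entry["params"]
    if params.get("requirePasswordChange", "").upper() != "Y":
        return None
    if not params.get("USERNAME") or not params.get("PASSWORD"):
        return "high"
    return "medium"


def scan(lines):
    """Return a list of findings (dicts) for every suspicious request in the given log lines."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # blank or non-matching line, e.g. a truncated entry
        severity = classify(entry)
        if severity:
            findings.append({
                "severity": severity,
                "ip": entry["ip"],
                "ts": entry["ts"],
                "status": entry["status"],
                "target": entry["target"],
            })
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jan/2024:10:00:01 +0000] "POST /webtools/control/ping?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 12',
    '203.0.113.7 - - [09/Jan/2024:10:00:03 +0000] "GET /webtools/control/main?requirePasswordChange=Y HTTP/1.1" 200 4096',
    '198.51.100.4 - - [09/Jan/2024:10:01:10 +0000] "POST /webtools/control/login HTTP/1.1" 302 0',
    '198.51.100.4 - - [09/Jan/2024:10:01:12 +0000] "GET /webtools/control/main?USERNAME=admin&PASSWORD=s3cret&requirePasswordChange=Y HTTP/1.1" 200 4096',
    '192.0.2.9 - - [09/Jan/2024:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 8192',
    'not a log line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['status']} {f['target']}")
```

Credentials sent in a POST body are not visible in access logs, so a hit here is an indicator to correlate with the application’s own login audit trail rather than a complete detection on its own.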

The exploitation of this flaw could lead to dire consequences. Attackers could potentially gain control over sensitive systems, compromise confidential data, and disrupt essential services. Also, the widespread use of Apache OFBiz across various sectors heightens the risk of large-scale, coordinated attacks targeting multiple facets of society simultaneously.

Patch and Recommendations

In response to this alarming discovery, Apache released a security update. The new version, 18.12.11, addresses the vulnerability and should be installed immediately. Additionally, organizations are advised to conduct thorough security audits and apply patches to all affected platforms promptly.

Users of Apache OFBiz are strongly advised to:

  • Upgrade to Apache OFBiz version 18.12.11, which contains the fix for this vulnerability.
  • Regularly audit systems for vulnerabilities and apply necessary patches.
  • Keep an eye on system logs and access patterns to detect any signs of exploitation attempts.
  • Utilize XDR solutions proactively to prevent cyberattacks by continuously monitoring and correlating data across endpoints, networks, and cloud environments. Early threat detection and rapid response are key.

Exim Vulnerability Allows RCE, No Patches Available
https://gridinsoft.com/blogs/exim-vulnerability-rce/
Fri, 29 Sep 2023 20:54:06 +0000

Exim Internet Mailer, a program massively used as a basis for mailing servers, appears to have a remote code execution vulnerability. By overflowing the buffer, hackers can make the program execute whatever code they need. Despite several reports to the developer, the patch is still not available.

What is Exim?

Exim is a mail transfer agent for *NIX systems. First released in 1995, it gained popularity as a free, open-source and flexible mailing solution. Over time, it was ported to other platforms, including even Windows, and some Linux distributions included it as their default MTA. Despite its obsolescence, Exim still holds a share of ~59% among mailing servers available on the Internet.

Figure: Main site of Exim Internet Mailer.

Exim Buffer Overflow Vulnerability Allows RCE

Such popularity, combined with long-missing updates, could not go unnoticed by cybercriminals. A 0-day vulnerability, discovered by an anonymous reporter, stems from a lack of validation of user-supplied input. Hackers can reach the mailing server over the default SMTP port 25 and write data past the end of a buffer. This eventually allows them to execute any command they wish – and at the scale of a mailing server, this may have horrific consequences.

It is common for RCE vulnerabilities to receive the highest CVSS ratings. CVE-2023-42115 received a rating of 9.8/10, which puts it in line with the infamous MOVEit and Citrix NetScaler vulnerabilities uncovered earlier this year. The problem has been known to the developers for almost half a year, and the patch is still unreleased.

How to protect against RCE Vulnerabilities?

In this section, I usually share information about available patches from the vendor or temporary workarounds that can fix the flaw. Not this time, though. The lack of response from the developer means that any fix for the vulnerability is up to the Exim users themselves. The only way to be secure against this breach is to avoid using the program, but that can be rather problematic given the huge share of mailing servers running Exim.

With that being said, I still advise using top-notch security solutions that feature the most modern cybersecurity approaches. They will effectively detect and stop cyberattack attempts before hackers achieve even a shade of success.

Giving crooks fewer chances of success is not only about having a reliable security system, though. Sentinels are useless when there is an open vent in the warehouse. By an open vent, I mean unpatched software with known vulnerabilities and low cybersecurity awareness among personnel. Cybercriminals know and love both of these common weak spots, and be sure – they won’t hesitate to use them when needed.

Can Zero-Day Attacks Be Prevented With Patches?
https://gridinsoft.com/blogs/zero-day-patching-effective-or-not/
Thu, 07 Sep 2023 15:05:31 +0000

In recent years, zero-day exploits and attacks have become prominent emerging threats. These attacks take advantage of unknown vulnerabilities within software, which makes them almost impossible to detect and prevent. Zero-day attacks can have dire consequences, allowing attackers to take control of systems, steal data, or install malware.

What is a Zero-Day attack?

A zero-day attack exploits a vulnerability that has not been detected yet. It can be used for malware deployment and can target any application as a potential attack surface. This makes it difficult to build a trusted lineup of any sort and poses a significant challenge for cybersecurity analysts. However, for those who work in this industry, the challenge is exciting.

Figure: Zero-day vulnerability lifecycle.

Attackers can exploit an undeclared function in a program or operating system to execute their code in a way that benefits them. The exploits most commonly used by cybercriminals are those that provide remote code execution and escalation of privileges, which allow them to do whatever they want in the infected environment. As these attacks require advanced software, they are usually targeted against corporations, since those possess more valuable data.

As the only person who knows about the breach is the criminal who discovered it, exploiting it without triggering any alarms or drawing attention is quite simple. Even some EDR solutions can make mistakes by overlooking actions from trusted programs without considering that such activities could be malicious. That’s why using an endpoint protection application that can prevent zero-day attacks is advisable.

Identifying and Addressing Zero-Day Exploits and Attacks

Detecting and mitigating zero-day exploits and attacks can be challenging since there are no known vulnerabilities or signatures to identify them. Nevertheless, there are strategies that can be utilized to identify and eliminate these attacks.

  • Monitor network traffic and system logs to identify any suspicious activity that could indicate a zero-day attack.
  • Educate users on common attack methods, such as phishing and social engineering, to reduce the likelihood of a successful zero-day attack.
  • Stay updated with software, system updates, and patches to minimize vulnerabilities that could be exploited in a zero-day attack.
  • Implement intrusion detection and prevention systems to help detect and block zero-day exploits and attacks before they can cause damage.

Patches May Be Ineffective, Here Is Why

Organizations have been struggling with patch management for a long time. One of the reasons is the overwhelming number of patches they need to handle. In 2021, over 20,000 vulnerabilities were fixed, making it increasingly challenging to keep up with all the updates.

Figure: Timeline of a zero-day vulnerability.

Even if staying up to date with patches were easy, many users tend to ignore them, thinking they can afford to update their software a few days or weeks after the release. However, this practice poses significant risks, of which many users are unaware. Furthermore, patch management is often given little attention in security awareness training, despite the Department of Homeland Security recommending that critical patches be applied within 15 days of release.

However, determining which patches are critical can be a dilemma for many security teams. These teams have procedures in place to ensure that patches are tested internally before deployment, since patches can sometimes be buggy or ineffective and cause more harm. IT teams also follow procedures to track patch deployments and to ensure that no device or system is left unpatched.

How to Protect Against Zero-Days?

It is crucial to understand that the threat landscape is always changing, and new zero-day vulnerabilities emerge frequently. To stay informed about the latest developments and types of zero-day vulnerabilities each year, it is recommended to follow reliable sources on cybersecurity and remain up to date with current events in this industry.

Moreover, in today’s cybersecurity landscape, Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions are gaining significance. They work best when combined with the zero-trust model of protection.

Implementing updates promptly to improve cybersecurity and reduce risks by addressing known vulnerabilities is essential. By integrating EDR and XDR solutions that feature zero-trust architecture, organizations can detect, respond to, and mitigate security threats more efficiently, whether they involve known vulnerabilities or zero-day exploits. These technologies create a strong security posture prioritizing continuous monitoring, verification, and adaptive responses to evolving cyber threats. This helps to maintain a secure environment.

Pegasus Spyware — The Most Dangerous Malware
https://gridinsoft.com/blogs/pegasus-spyware/
Thu, 22 Sep 2022 11:58:55 +0000

Pegasus Spyware is a malicious program wrapped in multiple layers of secrets, rumours and false claims. That military-grade malware is something of a legend, which sometimes makes people think it is more mythical than real. Still, the real Pegasus appears from time to time, just to remind everyone that it is still the best spying software that has ever existed.

What is Pegasus Spyware?

Pegasus is spying software developed by NSO Group around 2011. No precise dates are available, and the community can only estimate its release date by its first appearance. It likely saw its first application in 2012, when it was supplied to the Panama government. Such a mystery is explained pretty simply – NSO is a subordinate company of the Israeli government. The primary purpose of this software was to spy upon anti-Israeli activists, war criminals, and persons suspected of spying for other countries. One may say it is an example of a cyberweapon – the most modern and pretty effective one.

Figure: Pegasus spyware control panel.

Its functionality is pretty wide, since by design it should be able to provide all possible information about the victim to the person who controls it. Originally, it targeted iOS devices, and only several Android attack cases were spotted. There is another malware developed by NSO Group – Chrysaor spyware – which is apparently a Pegasus version with adjustments for more efficient attacks on Android devices.

How is Pegasus Spyware Spread?

As Pegasus is a very precise tool sold for a pretty big price, it is not spread massively – only point strikes aimed at designated persons. Most Google queries like “pegasus spyware download” will lead you to sites that offer a counterfeit for a large sum, or simply to spyware that will infect your device. NSO Group usually signs a contract with its counterparty (the government of another country) in which the key points about the program’s usage are stated. In particular, the developers reserve the right to decide which set of functions will be available to a certain country. There is also a contract clause that the government must use Pegasus only for counter-terrorist actions and national security needs.

On the devices of users who somehow managed to become a threat to national security, Pegasus generally arrives through social engineering. Still, the approaches used differ from classic Facebook spam and the like. As those persons usually suspect that someone may try to attack them that way, they will not recklessly click whatever they see. A pretty useful habit for everyone, but not everyone risks getting Pegasus or spyware of a comparable level of danger.

How does Pegasus work?

The typical ways of this spyware injection are the following:

Phishing links sent via a popular messenger or to email. Usually, those are WhatsApp, iMessage or Facebook – these places are pretty popular among other cybercriminals as well. But this time, the message receives a much more serious disguise – thanks to the “extended” abilities of governmental companies. The latter can easily find out when the subject of surveillance is awaiting a delivery, or an invoice from an insurance company.

Zero-click vulnerability exploitation. This rare type of exploit is even harder to imagine in iOS, which stands out with its security features. However, this breach in iMessage affects all versions up to 14.7 – then Apple claimed it fixed the breach. To be trapped, it was not even required to open the app or read the message – once received, it was already able to install Pegasus. As researchers say, this bug could have been present in the operating system since iOS 7 – which was released in 2013.

Figure: These SMS messages were used to deliver Pegasus.

Photos app exploitation. Apple implemented its own unique way for iPhones, iPads, Macs and the rest of its product lineup to process images. However, as it was uncovered, this method made it possible to exploit Tagged Image File Format (TIFF) files for remote code execution. The breach received the index CVE-2016-4631. Crooks sent a photo to a victim, and once they tried to open it – the code was executed and Pegasus was delivered.

Apple Music MitM attacks. The Apple Music application – a cross-platform mobile music library present on both iOS and Android – had a security flaw in its version for iOS 11. It did not diligently check certain SSL certificates from the server. This certificate serves to make sure that the server the app has connected to is genuine, and that no one can eavesdrop on the traffic. However, the uncovered flaw made it possible to spoof the certificate and connect the device to a hacker’s server, giving them the ability to interact with the system without any restrictions or security alarms. That flaw got the index CVE-2017-2387.

Pegasus Spyware technical details

The sophisticated delivery ways I have mentioned above already make this malware quite unique. But the things under its hood are even more amazing – a real showcase of how well malware can be made. Contrary to most of the malware you can see for sale on the Darknet, it is made to be far more autonomous – so even a target who expects the spying will likely miss its presence. It also tries to use deep integration with the attacked system, getting information directly from the hardware. That helps Pegasus circumvent OS restrictions or spoofing techniques.

Figure: Indicators of Compromise for Pegasus Spyware.

Pegasus is capable of reading SMS and emails, recording cellular and VoIP calls, and enabling the mic and camera to record the environment around the phone. It also has full access to the device memory: this malware can harvest photos and videos present on the device, as well as the calendar and contact book. It is thus theoretically capable of deleting certain data from the phone – but that goes against stealthiness. This malware can also grab information about the current phone location – regardless of any software location spoofers present, it will get the info directly from the GPS chip.

Aside from the “deep” data, Pegasus is also able to dig into the programs to get information. Popular apps like WhatsApp, Viber and Facebook Messenger can easily be accessed, resulting in stolen conversations and even more leaked contacts. Researchers report over 50,000 contacts that Pegasus has successfully stolen from attacked devices. As this spyware always runs with root privileges, it can even recover data that was deleted some time ago – if, of course, the storage technology makes that possible.

The infamous spyware can also perform self-destruction under different circumstances. If it cannot connect to the command server for more than 2 months (60 days), it automatically destroys itself, together with the packages of gathered data. Alternatively, it may be self-destructed from the device after the corresponding command from the server. It also provides some alternative ways of installation – even with physical access to the device.

Pegasus and the international community

According to reports from different sources, thousands of people from all over the world have been attacked with Pegasus Spyware. Some of them were breached through WhatsApp, some got a malicious iMessage SMS. The only thing that unites them, aside from the payload, is the fact that they had no way to prevent it. Most of the injection cases were done through zero-day vulnerabilities that were uncovered later by the developers. Considering that spying is not a very moral act, this raises a lot of awkward questions.

First of all, do governments have the right to spy on anyone they want? When buying Pegasus, governments promise they will use the tool only against persons who pose a threat to national security. However, the borders of this category are blurred. Some Muslim countries have proven that by spying on human rights activists, in particular – women who promoted women’s rights in Middle East countries.

Second – is there a way to prevent that? Obviously, this question appeared almost immediately after Pegasus was identified. An infamous Anti-Pegasus tool, anti-spyware software designed only to detect and wipe out Pegasus, became not just an item of constant speculation, but also a disguise for other malware. Still, it does not give you a guarantee that the malware will be deleted, since this spyware is extremely secretive.

On the other hand, installing the latest security updates and using the most modern smartphones will likely not help at all. Hackers who deploy this malware use the most unexpected ways, which are not countered by software patches or the like. To be honest, there is no way to prevent zero-day exploitation on mobile phones – simply because there are no solutions capable of doing that without seriously harming the phone’s performance. Apple implemented a Lockdown mode in iOS 16, which imposes a harsh restriction on the device’s functionality for maximum security. Will this trade-off be effective? Only time will tell.

Zero-Day Vulnerability: Understanding the Real Threats
https://gridinsoft.com/blogs/zero-day-vulnerabilities/
Fri, 29 Apr 2022 14:41:34 +0000

Zero-day vulnerabilities are the real mess of the modern cybersecurity world. You may have a perfect protection system established in your network, and your employees may be warned and ready to react properly if something goes wrong, but that is still not enough to say that a zero-day threat is avoided. So is there a reason to create any kind of cybersecurity shield? What is the meaning of a zero-day attack? And is there a way to avoid this danger? Let’s figure it out together.

What is a Zero-Day Vulnerability?

So, how can you describe the zero-day attack definition? It is a vulnerability that has never been detected yet. Zero-day attacks exist, but no one expects them, even when they are used for malware deployment. Any application may be the potential attack surface, hence there is no reason to build a trusted lineup of any sort. Such a situation looks like a nightmare for any cybersecurity analyst; however, for most people who work in this industry, that just adds to the excitement.

Let’s briefly recall the definition of a vulnerability (and a zero-day vulnerability). It is an undeclared function in a program or the operating system that allows the attacker to execute his code in more beneficial ways. Primarily, the exploits used by crooks the most are ones that provide remote code execution and escalation of privileges. Such actions usually make it possible for cybercriminals to do whatever they want in the infected environment. Since this assumes the use of advanced software, the majority of attacks committed with exploits are done against corporations – just because they have much more valuable stuff.

Zero-day attack vulnerabilities never appear out of the blue. Developers do their best to make their programs work well. Nonetheless, a well-working program does not always mean one that has no vulnerabilities. Besides the ones known to the vendor, there are some that are still present but have not been uncovered. They may be uncovered by cybercriminals, as well as by analysts who review the application. External researchers, called bug hunters, also work on uncovering the vulnerabilities present in a certain product. Such initiatives are paid generously, so it is a good way to earn money. But there are still a lot of advanced users who decide to apply those tricks for criminal revenue.

How are zero-day vulnerabilities used?

Since no one (besides the crook who discovered it) knows about that breach, it is pretty easy to apply it while avoiding any alarms and attention. Even some EDR solutions make the mistake of treating actions from well-known programs as legitimate, without considering that this exact activity may be malicious. That’s why it is better to use an endpoint zero-day attack protection application.

Figure: Zero-day vulnerability lifecycle.

Any vulnerability needs a way to be used, and zero-day vulnerabilities are no exception. As with any other exploit, crooks create exploit malware that opens that breach and executes the payload with advanced privileges. For breaches that allow escalation of privileges, there is another method. Crooks simply create another account in your system, which has administrator privileges, and hide it from your sight. Therefore, they get the ability to run anything with admin privileges at any time. Such a step is quite popular when an APT is deployed.
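As an added illustration of the hidden-account trick described above (example code written for this page, not from the original post), the script below audits a Unix host’s /etc/passwd and /etc/group for accounts that hold administrator rights without being on an allowlist: a second UID 0 account, membership in the sudo or wheel group, or a privileged account whose home directory sits in a temporary path. The allowlist EXPECTED_ADMINS and the sample files are constructed assumptions.

```python
"""Audit Unix account databases for unexpected or hidden administrator accounts."""
import pathlib

# Accounts that are allowed to hold administrative rights (assumption: maintained by your team).
EXPECTED_ADMINS = {"root", "ops"}
# Group names that grant sudo-style privileges on common distributions.
ADMIN_GROUPS = ("sudo", "wheel")
# Home directories in these locations are a hiding spot, not a place a legitimate admin lives.
SUSPICIOUS_HOME_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")


def parse_passwd(text):
    """Parse /etc/passwd content into {name: {uid, gid, home, shell}}."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    """Parse /etc/group content into {name: {gid, members}}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def find_unexpected_admins(users, groups, expected=EXPECTED_ADMINS):
    """Return sorted (account, [reasons]) pairs for privileged accounts outside the allowlist."""
    findings = []
    for name, user in users.items():
        reasons = []
        if user["uid"] == 0 and name != "root":
            reasons.append("uid 0")  # root-equivalent account under another name
        for group_name in ADMIN_GROUPS:
            group = groups.get(group_name)
            # Membership can come from the member list or from the account's primary group.
            if group and (name in group["members"] or user["gid"] == group["gid"]):
                reasons.append(f"member of {group_name}")
        if reasons and user["home"].startswith(SUSPICIOUS_HOME_PREFIXES):
            reasons.append("home directory in a temporary path")
        if reasons and name not in expected:
            findings.append((name, reasons))
    return sorted(findings)


def audit_host(passwd_path="/etc/passwd", group_path="/etc/group"):
    """Run the audit against the real account files on the host."""
    users = parse_passwd(pathlib.Path(passwd_path).read_text())
    groups = parse_group(pathlib.Path(group_path).read_text())
    return find_unexpected_admins(users, groups)


# Constructed sample files: 'sysupd' is a planted root-equivalent account hidden under /var/tmp,
# and 'alice' was quietly added to the sudo group.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1000:1000:Ops:/home/ops:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
sysupd:x:0:0::/var/tmp/.sysupd:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:ops,alice
wheel:x:10:
"""

if __name__ == "__main__":
    sample = find_unexpected_admins(parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP))
    for account, reasons in sample:
        print(f"{account}: {', '.join(reasons)}")
```

Run it periodically and diff the output against the previous run; a new name appearing in the list is the signal the text above describes.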

Why Zero-day Vulnerability is Dangerous?

Of course, like any other exploits, zero-day ones carry tremendous danger wherever they are used. Whatever the deployment path, they give the attackers full control over one of the computers in the network, which is then expanded to the whole network. The final target of threat actors is your domain controller – they likely know that you have something you don’t want to be published. Crooks may even break into your network without touching your files – but then ask you for payment to keep the fact of the breach secret. Such cunning guys often call themselves postpaid pen-testers.

Nonetheless, not all crooks are so noble. Usually, they will deploy ransomware, spyware, or both at once – to make it impossible for you to reach your data without paying them. Ransomware developers work hard on making compound malware that has both data-stealing and ciphering modules – such a cadaver is just a nuke for sensitive data. They will also ask you to pay two separate ransoms – one for data decryption and the other for keeping the leaked data secret. Still, nobody stops them from taking both ransoms, publishing the stolen data, and disappearing without the decryption key. Fortunately, such situations are pretty rare.

Zero-day Attack Prevention

Most discovered vulnerabilities are fixed pretty fast. When these breaches are not expected, the specialists who found them report them to the vendor, and the latter fixes them as fast as possible. In the current environment, it is important to keep silent until the fix for the exploit is released. OSINT gives a lot of basic information for cyberattacks, so even a few words you said in your Instagram story can do a lot. But what is a zero-day attack in cyber security?

The exact danger for you lies in the fact that someone applies this exploit against you. Its existence is unpleasant, but it is still nothing until you are actually attacked. However, it is quite hard to make sure that no one will ever attack you. Fortunately, there are some tips that may decrease this danger, as well as the overall damage done by the attack, by orders of magnitude.

  • Use a well-done security tool. Both regular and zero-day vulnerabilities may easily circumvent non-professional protection mechanisms. Using solutions like EDR, together with all possible security setups in the systems, will decrease the chances of a successful attack. Harsh delimitation of rights will likely narrow the span of possible actions, while an EDR with a zero-trust policy will detect and block all possible tricks they may apply to reach the target. For sure, that is not a panacea – all these actions are recommended to be applied along with regular cybersecurity measures.
  • Update your software regularly. Even though zero-day vulnerabilities may be discovered even in the latest versions of programs, the chance of such a case decreases as the version number grows. Sure, sometimes this rule does not work, but it is better to rely on a trend than to deny it because of a few miserable exceptions. Besides zero-day attacks, you will also receive patches for all breaches that were already discovered. Older versions may have a worse codebase, or contain solutions that are much easier to hack.
  • Limit the attack surfaces. Even when you cannot predict where the attack will happen, you can still make it much harder to apply any attack vector. The biggest breach present in each company – the human – must be the element of the biggest concern. Zero-click attacks happen pretty rarely, so the vast majority of threats your company will face will likely be related to the actions of your employees. Opening the attached file from a phishing email, plugging in a flash drive without scanning it for possible malware – that may look like a low-probability case, but it isn’t.
