MOVEit Vulnerabilities – The Post-Factum View

All this story started with a 0-day vulnerability (CVE-2023-34362) in MOVEit Transfer, which was discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem. Researchers say that attacks with the exploitation of this vulnerability began as early as May 27, 2023.

Attackers used this vulnerability to deploy custom web shells on affected servers. This allowed them to list files stored on the server, download them, and steal account credentials and secrets. The latter included the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings. To simplify, all the attacks with that vulnerability was in fact a sophisticated SQL injection. The sophistication here is thanks to the unusual way of accessing the database – actually, through the 0-day breach.

As a result, Microsoft analysts linked the massive attacks to the Cl0p ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). And soon the hackers began to make demands, extorting ransoms from the affected companies. At the moment, according to Emsisoft experts, the number of companies-victims exceeds 230: at least 20 schools in the US and dozens of universities around the world were affected. In total, the leaks affected information about 17-20 million people.

MOVEit MFT Vulnerabilities Receive a Fix

MOVEit programs will receive service packs from Progress Software, including MOVEit Transfer and MOVEit Automation. The first one alreadyt got a patch that fixes for a critical SQL injection. It also contains fixes for two other, less serious vulnerabilities.

The critical issue has been identified as CVE-2023-36934 by the Trend Micro Zero Day Initiative. The developers report that it can be used without authentication, allowing an attacker to gain unauthorized access to the MOVEit Transfer database.

There are currently no reports of active exploitation of this breach by hackers. The second vulnerability is also a SQL injection and received the identifier CVE-2023-36932. Hackers actively use this one once they managed to bypass the authentication. Both SQL injections affect multiple versions of MOVEit Transfer, including 12.1.10 and later, 13.0.8 and later, 13.1.6 and later, 14.0.6 and later, 14.1.7 and later, and 15.0.3 and later.

The third issue addressed by patches this month was the CVE-2023-36933 vulnerability. This breach allows attackers to spontaneously terminate a program. Bug persists in MOVEit Transfer versions 13.0.8 and later, 13.1.6 and later, 14.0.6 and later, 14.1.7 and later, and 15.0.3 and later. Company recommends its clients to install updates for their versions, corresponding to the table below.

The post MOVEit Transfer Fixes a New Critical Vulnerability appeared first on Gridinsoft Blog.

Information security experts have discovered that the aCropalypse vulnerability, which allows restoring the original image edited on a Google Pixel device (using the Markup tool), is turning into a 0-day for Windows.

Let me remind you that we also wrote that YouTube Video Causes Pixel Smartphones to Reboot, and also that Information Security Specialists Discovered a 0-day Vulnerability in Windows Search.

Also information security specialists reported that the Google Pixel bug prevented users from calling 911.

It turned out that the aCropalypse bug also works for images cropped using the Windows Snipping Tool, which means that previously deleted content can also be restored for these images.

Restoring a shaded bank card number

The aCropalypse vulnerability (CVE-2023-21036) was discovered by cybersecurity experts Simon Aarons and David Buchanan. It allows restoring any images modified using the built-in Markup screenshot editor, which appeared on Pixel smartphones in 2018 with the release of Android 9.0 Pie.

In the case of the Pixel, the problem lies in how the image file is opened for editing: the cropped data still remains in the new saved image, allowing about 80% of the original image to be restored.

The researchers warned that aCropalypse could expose users’ sensitive information if they had once edited an image with Markup and then shared the file with other people or even posted it online.

Because some platforms don’t compress user-uploaded media, the sensitive data contained in the images may have been left untouched and stored somewhere online all these years. In this light, the example given by Aarons with the blurred bank card number shown above is very revealing.

It looks like the aCropalypse issue has gotten a lot worse now, as programmer Chris Blume has discovered that the vulnerability also affects the Windows Snipping Tool.

When you open a file in the Snipping Tool and overwrite the existing file, the same thing happens as in Markup: instead of truncating the unused data, the tool puts the unused data at the end of the file, which eventually allows to partially restore it.

Bleeping Computer and well-known information security expert Will Dormann confirm that the vulnerability actually works in Windows 10 and 11. So, Dormann suggested a simple test: copy any image (to have a backup), then open it with the Snipping Tool ” and crop it to a much smaller size. Save the file and compare the sizes of the cropped and original files. As you can see in the screenshot below, the file sizes are the same.

Bleeping Computer journalists went even further. They note that the PNG file specification requires that a PNG image file always ends with an “IEND” data fragment, with any data added after it being ignored by image editors and viewers. And unused data remains in the file after IEND.

After all the manipulations described above, the journalists decided to “see” this data.

Since the acropalypse.app online application does not work with Windows files, David Buchanan shared with the publication a Python script that can be used to restore Windows files. The successful result of this script, which the expert does not intend to make public yet, can be seen below.

It is noted that not all PNG files are affected by this problem, and not all originals for all files can be completely restored.

In addition, opening a PNG file in a graphics editor (such as Photoshop) and saving it as another file will delete unused data at the end and cannot be recovered.

It is worth saying that the Snipping Tool works exactly the same with JPG files, saving the “cropped” data when overwritten. However, Buchanan says that his exploit does not yet work with JPGs, although recovery of such images is most likely possible.

Microsoft representatives told the media that they are already aware of this problem. The company is currently investigating the matter, and it promises it will “take steps to protect customers if necessary.”

The post The aCropalypse Vulnerability Poses a Threat Not Only to Pixel, but Also to Windows appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that ProxyToken Vulnerability Allows Stealing Mail Through Microsoft Exchange, and also that FBI removed web shells from vulnerable Microsoft Exchange servers without informing owners.

The South Korean company AhnLab warned that hackers abused another 0-dayvulnerability . Researchers report that they are aware of at least one incident that occurred in July 2022, when attackers used a previously deployed web shell on an Exchange server to elevate privileges to the Active Directory administrator level and hlave stolen 1.3 TB of data and encrypt victim company systems.

Experts who investigated the incident write that it took the attackers just a week to capture the Active Directory administrator account. At the same time, the Exchange server appears to have been compromised using some kind of “undisclosed zero-day vulnerability”, although the victim company received technical support from Microsoft and regularly installed security updates after another compromise that took place in December 2021.

At the same time, AhnLab is not sure that the criminals did not exploit the already mentioned ProxyNotShell vulnerabilities, although the attack tactics were completely different.

Although AhnLab experts are not completely sure, it is worth noting that information security specialists are aware of at least three more undisclosed vulnerabilities in Exchange. So, last month, experts from the Zero Day Initiative told Microsoft that they discovered three problems in Exchange at once, which they track under the identifiers ZDI-CAN-18881, ZDI-CAN-18882 and ZDI-CAN-18932. Following this, in early October, Trend Micro added signatures for three critical Microsoft Exchange zero-day vulnerabilities to its N-Platform, NX-Platform, or TPS security products.

So far, Microsoft has not disclosed any information about these three bugs, and they have not yet been assigned CVE IDs.

The post Another 0-Day Bug Was Found in Microsoft Exchange, and LockBit Ransomware Operators Are Exploiting It appeared first on Gridinsoft Blog.

The BackupBuddy plugin allows users to backup their entire WordPress installation right from the dashboard, including theme files, pages, posts, widgets, users and media files and so on.

Let me remind you that we also talked about Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites, and also that About 30% of critical vulnerabilities in WordPress plugins remain unpatched.

The 0-day vulnerability has been identified as CVE-2022-31474 (CVSS 7.5) and affects BackupBuddy versions 8.5.8.0 through 8.7.4.1. The problem was fixed in early September, with the release of version 8.7.5.

The researchers explain that the bug allows unauthorized parties to download arbitrary files from the vulnerable site that may contain sensitive information. It is known that the problem is related to the Local Directory Copy function, which is designed to store a local copy of backups.

According to Wordfence, the attacks on CVE-2022-31474 began on August 26, 2022, and since that date, nearly five million hack attempts have been recorded. Most hackers tried to read the following files:

1. /etc/passwd
2. /wp-config.php
3. .my.cnf
4. .accesshash

BackupBuddy users are now strongly advised to update the plugin to the latest version. If users believe that they may have been compromised, it is recommended to immediately reset the database password, change the WordPress salts and API keys stored in wp-config.php.

The post 0-day Vulnerability in WordPress BackupBuddy Plugin Attacked Over 5 million Times appeared first on Gridinsoft Blog.

Last Friday, the PrestaShop team issued an urgent warning, urging the administrators of the approximately 300,000 stores using the software to be more vigilant about security as attacks were discovered targeting the platform.

Let me remind you that we also wrote that New web skimmer found in Shopify, BigCommerce, Woocommerce and Zencart stores, and also that Dutch shops run out of cheese due to a ransomware attack.

Apparently, the attacks affected PrestaShop version 1.6.0.10 or later, as well as version 1.7.8.2 or later, but only when running a module vulnerable to SQL injection, for example, Wishlist 2.0.0-2.1.0.

Typically, such attacks start with the hackers sending a POST request to the vulnerable endpoint, followed by a parameterless GET request to the home page, which creates a blm.php file in the root directory. This file is a web shell and allows attackers to remotely execute commands on the server.

In many cases, attackers have been known to use this web shell to inject a fake payment form into the checkout page (web skimmer) and steal customer payment card details. After the attack, the hackers covered their tracks so that the site owner would not realize that the resource had been hacked.

PrestaShop developers say that traces of a compromise can still be found if hackers are not too zealous in destroying evidence. For example, traces of criminals can be found in the web server access logs, file modifications to add malicious code can be seen, as well as the activation of the MySQL Smarty cache, which is part of the attack chain. This feature is disabled by default, but the researchers say the hackers turned it on themselves and recommend removing it altogether if it’s not needed.

All store administrators are advised to install the latest security update (PrestaShop version 1.7.8.7) as soon as possible, as well as they should update all modules used to the latest versions.

At the same time, PrestaShop maintainers emphasize that they discovered and fixed a zero-day vulnerability in the new version, but they “cannot be sure that this is the only way to carry out attacks.” The discovered vulnerability received the identifier CVE-2022-36408.

The post Stores Are under Attack due to 0-Day Vulnerability in PrestaShop appeared first on Gridinsoft Blog.

The vulnerability in question is the CVE-2022-2294 bug, which was fixed by Google and Apple engineers earlier this month.

Let me remind you that we also wrote that SpookJS Attack Allows to Bypass Site Isolation In Google Chrome.

The current vulnerability is known to be a heap buffer overflow in the WebRTC component and was first reported by information security expert Jan Vojtěsek from the Avast Threat Intelligence team. Even then, it was known about the exploitation of the bug in real attacks, but no details were disclosed.

As Avast experts now say, the vulnerability was discovered after investigating a spyware attack on one of the company’s customers. According to experts, Candiru started using CVE-2022-2294 back in March 2022, attacking users in Lebanon, Turkey, Yemen and Palestine.

Spyware operators used the standard watering hole tactic for such campaigns. This term refers to attacks that are built by analogy with the tactics of predators who hunt at a watering hole, waiting for prey – animals that have come to drink. This usually means that attackers inject malicious code onto legitimate sites, where it waits for victims.

In this case, by compromising the site, the hackers expected that it would be visited by their targets using a browser vulnerable to CVE-2022-2294. In one case, the website of an unnamed Lebanese news agency was hacked and injected with JavaScript, allowing XXS attacks and redirecting the victim to a server with exploits.

The attack was particularly nasty in that it did not require any interaction with the victim (such as clicking on a link or downloading something). To compromise, it was enough to simply open a malicious site in Google Chrome or another Chromium-based browser (including Edge, as well as Safari, since the vulnerability was related to WebRTC).

To make sure they attack only the right people, the hackers created victim profiles by collecting a lot of data, including information about the victim’s system language, time zone, screen size, device type, browser plugins, device memory, cookies, and more.

It is also noted that in the case of the Lebanese attacks, 0-day not only allowed the attackers to execute shellcode inside the rendering process, but was additionally associated with some kind of sandbox escape vulnerability that Avast was unable to recreate for analysis.

When the DevilsTongue malware finally infiltrated the victim’s system, she tried to elevate privileges by installing a Windows driver containing another unpatched vulnerability. Thus, the total number of 0-day bugs involved in this campaign was at least three.

Once the driver was installed, DevilsTongue used a security hole to gain access to the kernel, the most sensitive part of any OS. Researchers call this attack method BYOVD — bring your own vulnerable driver (“bring your own vulnerable driver”). It allows malware to bypass OS protections since most drivers automatically have access to the OS kernel.

Let me remind you that the DevilsEye spyware, which was developed by the Israeli company Candiru and then sold to governments of different countries, was described in detail by specialists from Microsoft companies last year. Even then, it was known that politicians, human rights activists, activists, journalists, scientists, embassies and political dissidents in various countries of the world suffer from this malware attack.

The post Chrome 0-day Vulnerability Used to Attack Candiru Malware appeared first on Gridinsoft Blog.

The malware received its name due to the fact that it uses pCloud, Dropbox and Yandex.Disk cloud storages as control servers.

Let me remind you that we also wrote that Vulnerability in macOS Leads to Data Leakage, and also that Microsoft Releases PoC Exploit to Escape MacOS Sandbox.

The capabilities of CloudMensis indicate that the main goal of its operators is to collect confidential information from infected machines. For example, the malware is capable of taking screenshots, stealing documents, intercepting keystrokes, and compiling lists of emails, attachments, and files stored on removable media.

CloudMensis supports dozens of different commands, which allows its operators to perform a variety of actions on infected machines:

1. change in the malware configuration the cloud storage provider and authentication tokens, file extensions of interest, the frequency of polling cloud storage, and so on;
2. make a list of running processes;
3. to capture the screen;
4. make a list of letters and attachments;
5. make a list of files on removable media;
6. run shell commands and upload the result to the cloud storage;
7. download and execute arbitrary files.

According to ESET analysis, attackers infected the first Mac as early as February 4, 2022. Since then, they have only occasionally used the backdoor to compromise other machines, hinting at the targeted nature of this campaign.

Interestingly, once deployed, CloudMensis is able to bypass the Transparency Consent and Control (TCC) system, which asks the users if they need to grant the app permission to take screenshots or monitor keystrokes. The TCC mechanism is designed to block access to sensitive user data, allowing macOS users to customize privacy settings for various applications and devices (including microphones and cameras).

Rules created by the user are stored in a database protected by System Integrity Protection (SIP), which ensures that only the TCC daemon can modify them. Thus, if a user has disabled SIP on the system, CloudMensis will grant itself the necessary permissions by simply adding new rules to TCC.db.

However, even if SIP is enabled and any version of macOS Catalina prior to 10.15.6 is installed on the machine, CloudMensis can still gain the necessary rights by exploiting a vulnerability in CoreFoundation, which has the identifier CVE-2020-9934 and which Apple fixed two years ago. This bug will force the TCC daemon (tccd) to load a database that CloudMensis can write to.

The vector of infection, as well as the goals of the hackers, are still unknown, but the researchers write that, judging by the way the attackers handle Objective-C, they are practically unfamiliar with macOS. At the same time, experts admit that CloudMensis is still a powerful spy tool that can pose a serious threat to potential victims.

The post CloudMensis Malware Attacks MacOS Users appeared first on Gridinsoft Blog.

According to Stone, 9 of the 18 exploited zero-day vulnerabilities are variants of previously patched vulnerabilities.

In many cases, the attacks were not sophisticated, and the attacker could have exploited the vulnerability in another way. For example, the recently discovered Follina vulnerability for Windows (CVE-2022-30190) is a variant of CVE-2021-40444 MSHTML.

Let me remind you that we wrote about Russian Hackers Use Follina Vulnerability to Attack Users in Ukraine, as well as Microsoft Fixed Follina Vulnerability and 55 Other Bugs.

Many of the zero days of 2022 are due to the fact that the previous vulnerability was not fully fixed. In the case of win32k and Chromium Windows property access interceptor bugs, the flow of execution that was used to test the concept of exploits was fixed, but the root cause problem was not fixed: the attackers were able to go back and activate the original vulnerability. through another path.

And in the case of problems with WebKit and Windows PetitPotam, the original vulnerability was previously fixed, but at some point regressed so that attackers could exploit the same vulnerability again. In iOS, IOMobileFrameBuffer fixed a buffer overflow error by checking if the size is less than a certain number, but not checking the minimum bound of that size.

A researcher on the Google Project Zero blog gave several examples of 0-day vulnerabilities and their associated variants.

To properly mitigate zero-day vulnerabilities, Google researchers recommend investing in root cause analysis, options, fixes, and exploits.

The post 0-Day Vulnerabilities of 2022 Repeat the Mistakes of Past Years appeared first on Gridinsoft Blog.

Researchers warn that European governments and municipalities in the US have been targeted by a phishing campaign using malicious RTF documents.

Let me remind you that the discovery of Follina became known at the end of May, although the first researchers discovered the bug back in April 2022, but then Microsoft refused to acknowledge the problem.

The vulnerability has been tracked under the identifier CVE-2022-30190 and is known to be exploitable to execute arbitrary code through the normal opening of a Word document or preview in File Explorer, resorting to executing malicious PowerShell commands through the Microsoft Diagnostic Tool (MSDT).

The bug affects all versions of Windows that receive security updates, i.e. Windows 7 and later, as well as Server 2008 and later.

Worse, it is noted that the vulnerability is in many ways similar to the PrintNightmare problem, which Microsoft could not fix for quite some time. The fact is that Follina also pulled the discovery of other bugs, the consequences of exploiting which can be no less serious.

We have already written that Chinese hackers are actively using the fresh 0-day, and experts warned that soon there will be more such attacks. Unfortunately, the predictions of the experts turned out to be correct: now Proofpoint analysts report that they have discovered a phishing campaign aimed at government agencies in Europe and municipal authorities in the United States, which in total affected at least 10 of the company’s customers. According to experts, government hackers are behind these attacks.

To deceive potential victims and force them to open a decoy document, the attackers used the theme of a pay increase. Opening the document resulted in the deployment of a Powershell script that checked to see if the system was a virtual machine and was then used to steal information from multiple browsers, email clients, and file services, as well as collect system information, after transferring the data to a server controlled by hackers.

According to Bleeping Computer, the payload collected a lot of data from a wide variety of applications, including:

1. passwords from browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Yandex, Vivaldi, CentBrowser, Comodo, CheDot, Orbitum, Chromium, Slimjet, Xvast, Kinza, Iridium, CocCoc and AVAST Browser;
2. data from other applications: Mozilla Thunderbird, Netsarang session files, Windows Live Mail contacts, Filezilla passwords, ToDesk configuration file, WeChat, Oray SunLogin RemoteClient, MailMaster, ServU, Putty, FTP123, WinSCP, RAdmin, Microsoft Office, Navicat;
3. system information: computer information, list of usernames, Windows domain information.

Most of the attacks are reported to have been in the United States, as well as Brazil, Mexico and Russia.

Since there is still no patch for Follina, administrators and users can block attacks on CVE-2022-30190 by disabling the MSDT protocol, which attackers use to launch debuggers and execute code on vulnerable systems. It is also officially recommended to disable file previews in Windows Explorer, because the attack is possible in this way as well.

In the absence of an official patch, an unofficial one has already appeared, from 0patch. Let me remind you that 0patch is a platform designed just for such situations, that is, fixing 0-day and other unpatched vulnerabilities, to support products that are no longer supported by manufacturers, custom software, and so on.

Unofficial patches are provided for Windows 11 v21H2, Windows 10 (1803 to 21H2), Windows 7 and Windows Server 2008 R2. Moreover, instead of disabling MSDT recommended by Microsoft, 0patch specialists added additional cleaning of the path provided by the user, which also helps to avoid exploiting the bug.

Meanwhile, information security experts are already beginning to criticize Microsoft for its sluggishness and lack of fixes.

The post Microsoft Is in No Hurry to Fix the Follina Vulnerability, Which Has Become a Real Disaster appeared first on Gridinsoft Blog.

Let me remind you that the discovery of Follina became known a few days ago, although the first researchers discovered the bug back in April 2022, but then Microsoft refused to acknowledge the problem. The vulnerability is now tracked as CVE-2022-30190 and is known to be exploitable through normal Word document opening or File Explorer preview, using malicious PowerShell commands through the Microsoft Diagnostic Tool (MSDT) to execute.

The bug affects all versions of Windows that receive security updates, that is, Windows 7 and later, as well as Server 2008 and later.

Let me remind you that we also wrote that Lapsus$ hack group stole the source codes of Microsoft products.

Previously, experts have already reported that the discovery of Follina is a very worrying signal, as the vulnerability opens up a new attack vector using Microsoft Office. The fact is that the bug works without elevated privileges, allows bypassing Windows Defender and does not require the activation of macros to execute binaries or scripts.

As Proofpoint experts now say, the Chinese “government” hackers from the TA413 group have already taken advantage of the Follina problem, targeting their attacks on the international Tibetan community.

Attackers distribute ZIP archives to victims that contain malicious Word documents designed to attack CVE-2022-30190. The decoys are disguised as messages from the Central Tibetan Administration and use the tibet-gov.web[.]app domain.

Well-known information security researcher MalwareHunterTeam also writes that he found DOCX documents with file names in Chinese that are used to deliver malicious payloads through the http://coolrat[.]xyz domain, including malware to steal passwords.

Since there is no patch for Follina yet, administrators and users can block attacks on CVE-2022-30190 by disabling the MSDT URI protocol, which attackers use to launch debuggers and execute code on vulnerable systems. It is also recommended to disable file preview in Windows Explorer, because the attack is possible in this way as well.

The post Chinese Hackers Attack Fresh 0-day Follina Vulnerability appeared first on Gridinsoft Blog.