0-day Vulnerability Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/0-day-vulnerability/
Feed last updated: Tue, 16 Jan 2024 20:34:57 +0000

New Google Chrome 0-day Vulnerability Exploited, Update Now
https://gridinsoft.com/blogs/new-google-chrome-0-day-vulnerability/
Tue, 16 Jan 2024 20:34:57 +0000

In the release notes for the latest Chrome update, Google reports a new 0-day vulnerability that is already being exploited in the wild. The update fixes the issue, and the very fact that it is being exploited means it should be installed as soon as possible. It appears to be the first exploited Chrome 0-day of 2024.

New Chrome 0-day Vulnerability Fixed

On January 16, Google released a Chrome update that fixes three vulnerabilities. One of them, CVE-2024-0519, was reported anonymously, and Google acknowledges that an exploit for it exists in the wild.

[Figure: an excerpt from Google's release notes for the latest Chrome update, marking CVE-2024-0519 as exploited in the wild]

The vulnerability is an out-of-bounds memory access in V8, the JavaScript engine used by Chrome, and is classified as CWE-119 (improper restriction of operations within the bounds of a memory buffer). V8 computes the memory locations it reads and writes for JavaScript objects, and a missing bounds check lets a crafted web page make it touch memory outside the intended object. For an attacker this means the ability to read and write memory the page should never reach, which can be used both to leak data and to achieve arbitrary code execution.

Besides the exploited bug, the same update fixes two high-severity vulnerabilities, also in V8: an out-of-bounds write (CVE-2024-0517) and a type confusion (CVE-2024-0518). The latter in particular can lead to effects similar to CVE-2024-0519, so it deserves the same seriousness. The good news is that neither of these two is known to be exploited in the wild.

Google Releases Fix to the Newest 0-day Exploit

The severity of the issue obviously calls for an urgent response from the developer, and Google released the fix promptly. However, Chrome updates roll out in stages, so the patch may not reach all users at the same time. Here are the OS-specific versions that contain the fix.

OS        Version with fix
Windows   120.0.6099.224 / 120.0.6099.225
macOS     120.0.6099.234
Linux     120.0.6099.224

To see which version you have and trigger an update check, open the Chrome menu → Help → About Google Chrome (or type chrome://settings/help in the address bar). This page checks for updates every time it is opened and downloads a new version if one is available; the browser has to be relaunched for the update to take effect.

[Figure: the About Chrome page reporting that Chrome is up to date]

Being the most popular web browser is not only about privileges, as you can see. Such a huge user base means maximal attention from adversaries, who treat vulnerabilities like this as a gift. For ordinary users, the best countermeasure is to keep an eye on the latest updates and on which issues they fix.

Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
https://gridinsoft.com/blogs/ivanti-connect-secure-0day-exploited/
Fri, 12 Jan 2024 10:15:08 +0000

Ivanti has issued an alert about its Connect Secure VPN appliances: advanced threat actors, possibly including state-sponsored groups, are exploiting two zero-day vulnerabilities in them. This is yet another vulnerability in Ivanti software.

Ivanti Connect Secure Zero-Day Exploited

Ivanti, a prominent software company, recently issued a critical alert concerning its Connect Secure VPN appliances. The devices are affected by zero-day vulnerabilities that are currently being exploited in sophisticated attacks, which researchers attribute to a suspected Chinese state-backed group.

Ivanti has confirmed that the vulnerabilities allow attackers to gain unauthorized access and execute arbitrary code on affected devices. Given how widely Connect Secure appliances are used to provide remote access to corporate networks, this is of heightened concern.

Details of the ICS 0-Day Vulnerability

The exploited vulnerabilities are CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (CVSS 9.1). Chained together, they let an unauthenticated attacker take over a susceptible appliance over the Internet, with consequences including remote code execution (RCE) and access to sensitive data. The chaining is what makes the pair so dangerous: each flaw is serious on its own, but together they require no credentials at all.

The first is an authentication bypass in the web component: a remote attacker can reach restricted resources without passing the access control checks. The second is a command injection in the web component: an authenticated administrator can execute arbitrary commands on the appliance by sending specially crafted requests. The bypass supplies the "authenticated" part of the second bug, which is why the chain works without credentials.
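To make the bug class concrete, here is an added example (hypothetical code written for this post, not Ivanti's, and not a reproduction of the real endpoint or payload) of a web diagnostic handler that splices a request parameter into a shell command line, beside a hardened version that validates the value and never goes through a shell. The ping diagnostic, the hostname pattern and the function names are assumptions.

```python
import re
import subprocess

# Hypothetical model of the bug class behind the command-injection half of the
# chain: an admin-only "diagnostic" handler builds a shell command from a
# request parameter. This is NOT Ivanti's code; it only shows the pattern and
# a hardened alternative.

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_diag_command(host: str) -> str:
    """The vulnerable pattern: the parameter is spliced into a command string.
    The web layer trusts that only admins reach this handler; an authentication
    bypass removes even that assumption."""
    return f"ping -c 1 {host}"


def run_vulnerable(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, so ';', '|' and '$(...)'
    # inside `host` are interpreted as shell syntax, not as data.
    return subprocess.run(vulnerable_diag_command(host), shell=True,
                          capture_output=True, text=True).stdout


def shell_injection_possible(host: str) -> bool:
    """True if the value contains characters the shell would treat as
    control operators or substitutions when the vulnerable path runs it."""
    return bool(re.search(r"[;&|`$<>\n]", host))


def hardened_diag_argv(host: str) -> list:
    """Hardened version: reject anything that is not a plausible hostname,
    refuse values that would be parsed as options, and pass the value as a
    single argv element so no shell ever sees it."""
    if not HOSTNAME_RE.fullmatch(host) or host.startswith("-"):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> str:
    return subprocess.run(hardened_diag_argv(host), shell=False,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    evil = "127.0.0.1; id"            # constructed attacker input
    print("vulnerable path would run:", vulnerable_diag_command(evil))
    print("shell metacharacters present:", shell_injection_possible(evil))
    try:
        hardened_diag_argv(evil)
    except ValueError as e:
        print("hardened path:", e)
    print("hardened argv for a good host:", hardened_diag_argv("vpn.example.com"))
```

The point of the hardened variant is not the regex alone: even a permissive allow-list is safe once the value is passed as its own argv element, because the kernel, not a shell, receives it. The leading-dash check closes the separate argument-injection hole, where a value like "-f" becomes a flag to the invoked program.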

Patches Not Yet Available

Although Ivanti has identified fewer than ten affected customers, it has advised all customers to run the external Integrity Checker Tool (ICT) as a precaution. The company has also added new functionality to the external ICT, which will be incorporated into the internal ICT; customers should make sure they have the latest versions of both tools.

As for patches, Ivanti plans to release them during the week of January 22, on a staggered schedule by product version. In the meantime, the company has published mitigation steps that customers should apply immediately. Organizations are strongly advised to follow them, as the situation is still evolving.

How to Protect against 0-day vulnerabilities?

Since a zero-day is, by definition, a vulnerability that attackers learned about before the software developer did, there is no guaranteed solution. Some measures, however, significantly reduce the risk, and I will list them below:

  • Use corporate-grade protection solutions like EDR/XDR. Rather than scanning files on each machine in isolation, these solutions collect telemetry from every endpoint (file operations, network traffic, process and user behavior), correlate it centrally and apply behavioral analytics and machine learning to detect and respond to threats. That is what lets them flag the anomalous activity that follows a zero-day exploit even when no signature for it exists yet.
  • Apply Zero Trust. Zero trust is a security model that grants access on a least-privilege basis and continuously verifies users and devices. This reduces the attack surface and limits what an attacker gains from exploiting a single vulnerability.
  • Perform regular pentesting. Penetration testing is a simulated attack on an organization's IT infrastructure to identify and assess weaknesses that real attackers could exploit. It can surface exposures, occasionally including previously unknown vulnerabilities, that automated security tools do not detect.

New Confluence Vulnerability Leads to Unauthorised Access
https://gridinsoft.com/blogs/new-confluence-vulnerability-unauthorised-access/
Tue, 31 Oct 2023 15:32:49 +0000

Another vulnerability in Atlassian's flagship product, Confluence, allows attackers to access servers and dump their data. According to the company, the issue is an improper authorization flaw in Confluence Data Center and Server. Patches are already available.

Confluence Data Center and Server Vulnerability Leads to Data Loss

As often happens with authorization and input validation flaws, the new Confluence vulnerability received a high CVSS score of 9.1/10. All versions of Confluence Data Center and Server are affected. The good news for customers is that the flaw was discovered by the vendor itself and is not known to be exploited in the wild, at least for now.

[Figure: Atlassian's security advisory page for CVE-2023-22518]

Currently, neither the company nor researchers have published a PoC exploit for this flaw. The window before attackers work out how to use it is the time to install the patches. Although the vulnerability affects every Data Center and Server version ever released, fixes are available only for the currently supported release branches; older installations have to upgrade to one of them.

Actually, CVE-2023-22518 is not the only recent security vulnerability in Confluence. A few weeks earlier, on October 5, the security world was abuzz over a zero-day (CVE-2023-22515) in the same Data Center and Server product. It was reportedly exploited by the threat group Storm-0062, a.k.a. DarkShadow. The flaw allowed attackers to create accounts with administrator privileges on exposed Confluence servers without any authentication. For a smaller company or a niche product this might be less critical, but for software as widely deployed as Confluence it is very bad.

[Figure: statistics on observed exploitation of CVE-2023-22515]

Confluence Patches for CVE-2023-22518 are Available

The fact that the vendor was the first to describe the flaw is the silver lining of this story. Along with the advisory, Atlassian immediately released security updates that patch the issue. And while the previous flaw affected only Data Center and Server 8.0 and later, the new one affects all versions.

As several major versions of the product are in use, Atlassian has released a fix for each supported branch:

Product: Confluence Data Center and Server
Fixed versions (one per supported release branch):
  • 7.19.16 or later
  • 8.3.4 or later
  • 8.4.4 or later
  • 8.5.3 or later
  • 8.6.1 or later

As for mitigations, Atlassian only suggests taking the vulnerable instance offline: back it up and cut its access from the Internet. Yes, that effectively means stopping all Confluence-related work, but if the update cannot be installed right away, few other options exist.

How to protect against software vulnerabilities?

Well, as you can see, pretty much any software can have vulnerabilities. Brand and developer reputation make no difference: if there is something to hack, it will be hacked. Only a fast reaction and proper security controls can protect your systems.

EDR/XDR systems combined with a zero-trust policy are the best way to protect against exploitation attacks. Their broad visibility lets them track, analyze and stop suspicious activity, while zero trust denies an exploited application the implicit trust it would otherwise enjoy: every app is treated as potentially dangerous, so even Confluence is scrutinized as strictly as a random script from the web.

Keep an eye on recent cybersecurity news. New vulnerabilities, and companies breached through them, generate a lot of discussion. Not all of it concerns the software you use, but staying alert is worth it.

Regularly update software or apply vendor mitigations. Minor updates are often needed not only to fix small bugs but also to patch security vulnerabilities. A good habit is to read the release notes: they quickly reveal whether an update is security-related or brings other changes. For large organizations with dozens of machines it may not be possible to update everything at once, so prioritizing is important.

Exim Vulnerability Allows RCE, No Patches Available
https://gridinsoft.com/blogs/exim-vulnerability-rce/
Fri, 29 Sep 2023 20:54:06 +0000

Exim, a mail transfer agent that underpins a huge number of mail servers, turns out to have a remote code execution vulnerability. By overflowing a buffer, attackers can make the program execute code of their choice. Despite several reports to the developers, a patch is still not available.

What is Exim?

Exim is a mail transfer agent (MTA) for *NIX systems. First released in 1995, it gained popularity as a free, open-source and flexible mail solution. Over time it was ported to other platforms, including Windows, and some Linux distributions ship it as the default MTA. Despite its age, Exim still holds a share of roughly 59% among mail servers reachable on the Internet.

[Figure: main site of Exim Internet Mailer]

Exim Buffer Overflow Vulnerability Allows RCE

Such popularity could not escape the attention of cybercriminals. The 0-day vulnerability, reported by an anonymous researcher, stems from missing validation of user-supplied input: an attacker can reach the mail server on the default SMTP port 25 and write data past the end of a buffer. That ultimately allows executing arbitrary commands, and at the scale of a mail server the consequences can be dire.

RCE vulnerabilities commonly receive the highest CVSS ratings, and CVE-2023-42115 got 9.8/10, which puts it on par with the infamous MOVEit and Citrix NetScaler vulnerabilities uncovered earlier this year. The problem has been known to the developers for months, yet the patch is still unreleased.
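An added example, not code from the Exim project: a small probe that inventories which SMTP servers identify themselves as Exim and what they expose to an unauthenticated client before any credentials are supplied, namely the version string and the AUTH mechanisms and STARTTLS they advertise. With no patch available, knowing which of your servers sit on port 25 announcing Exim is the first step to deciding what to firewall or front with something else. The hostnames and the sample exchange below are constructed, not captured from a real server.

```python
import re
import socket

# Exim's default greeting looks like "220 host ESMTP Exim 4.96 <date>".
EXIM_BANNER_RE = re.compile(r"\bESMTP Exim (\d+(?:\.\d+)+)")


def parse_banner(banner: str):
    """Return the Exim version from a 220 greeting, or None if the server
    does not identify as Exim (or hides its version)."""
    if not banner.startswith("220"):
        return None
    m = EXIM_BANNER_RE.search(banner)
    return m.group(1) if m else None


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {EXTENSION: parameters}.
    The first line is the greeting; each following '250-KEYWORD params'
    (or '250 KEYWORD' on the last line) names one advertised extension."""
    extensions = {}
    for line in reply.replace("\r\n", "\n").split("\n")[1:]:
        m = re.match(r"250[ -](\S+)(?:\s+(.*))?$", line)
        if m:
            extensions[m.group(1).upper()] = (m.group(2) or "").strip()
    return extensions


def _read_reply(f) -> bytes:
    """SMTP replies continue while the 4th byte of a line is '-'."""
    data = b""
    while True:
        line = f.readline()
        if not line:
            break
        data += line
        if len(line) >= 4 and line[3:4] != b"-":
            break
    return data


def smtp_exchange(host: str, port: int = 25, timeout: float = 5.0):
    """Live probe: connect, read the banner, send EHLO, then QUIT.
    Needs network access; the offline sample below does not call it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb", buffering=0)
        banner = _read_reply(f)
        f.write(b"EHLO probe.example.invalid\r\n")   # assumed probe name
        ehlo = _read_reply(f)
        f.write(b"QUIT\r\n")
    return banner.decode(errors="replace"), ehlo.decode(errors="replace")


def assess(banner: str, ehlo_reply: str) -> dict:
    """Summarize what an anonymous client on port 25 learns about the host."""
    version = parse_banner(banner)
    ext = parse_ehlo(ehlo_reply)
    return {
        "exim": version is not None,
        "version": version,
        "auth_advertised": "AUTH" in ext,
        "auth_mechanisms": ext.get("AUTH", "").split(),
        "starttls": "STARTTLS" in ext,
    }


# Constructed sample exchange (not captured from a real host).
SAMPLE_BANNER = "220 mail.example.com ESMTP Exim 4.96 Fri, 29 Sep 2023 20:54:06 +0000\r\n"
SAMPLE_EHLO = ("250-mail.example.com Hello probe.example.invalid [192.0.2.10]\r\n"
               "250-SIZE 52428800\r\n"
               "250-8BITMIME\r\n"
               "250-PIPELINING\r\n"
               "250-AUTH PLAIN LOGIN\r\n"
               "250-STARTTLS\r\n"
               "250 HELP\r\n")

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_EHLO))
    # For a live host: print(assess(*smtp_exchange("mail.example.com")))
```

Run it against your own hosts only; a banner can be customized or suppressed, so a missing "Exim" string is not proof that the server is something else, and a present one is not proof of the exact version.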

How to protect against RCE Vulnerabilities?

Here I usually share information about patches from the vendor or workarounds that mitigate the flaw. Not this time. With no response from the developer, any protection is up to Exim users themselves. The only certain way to avoid the bug is not to run the program, which is hardly practical given how many mail servers depend on Exim.

With that said, I still advise using up-to-date security solutions that apply modern detection approaches. They can detect and block attack attempts before the attackers get anywhere close to success.

Giving crooks fewer chances of success, though, is not only about having a reliable security product. Sentinels are useless when there is an open vent in the warehouse, and by "open vent" I mean unpatched software with known vulnerabilities and low security awareness among staff. Cybercriminals know and love both of these common weak spots, and they will not hesitate to use them.

Citrix and Adobe Vulnerabilities Under Active Exploitation
https://gridinsoft.com/blogs/citrix-adobe-vulnerabilities/
Thu, 20 Jul 2023 16:36:50 +0000

Citrix has patched a zero-day vulnerability, while Adobe warns of attacks exploiting a ColdFusion zero-day and has released an urgent update that does not fully fix the issue. The story is far from over, as these vulnerabilities are still being exploited.

Citrix and Adobe Patch 0-day Vulnerabilities

Almost simultaneously, products of two companies were hit by critical vulnerabilities that allow remote execution of malicious code. Citrix and Adobe are well known in the software market, so they need no introduction. The vulnerability in Citrix NetScaler ADC and Gateway (CVE-2023-3519) has a CVSS score of 9.8 out of 10 and allows code execution without authentication. Citrix said on July 18 that it had patched the flaw, but attackers had likely exploited it before the fix was available.

Adobe is doing somewhat worse in this regard. Adobe ColdFusion, a popular application server and server-side scripting platform, faces critical vulnerabilities: CVE-2023-38203, rated 9.8 out of 10, and CVE-2023-29298. Chained together, they allow an unauthenticated attacker to execute arbitrary code on a vulnerable server. The company released patches, but the patch for CVE-2023-29298 shipped on July 11 turned out to be incomplete, which means there is currently no working fix for that flaw.

Moreover, experts found that the flaw described in a Project Discovery write-up, believed to be CVE-2023-29300, was in fact a separate, unpatched one, now tracked as CVE-2023-38203: the security company had unintentionally disclosed a critical zero-day to users already dealing with the incomplete patch. Project Discovery quickly took the post down, and Adobe fixed the vulnerability two days later. CVE-2023-29300, by the way, also has a severity rating of 9.8.

Consequences

Estimating the potential damage from these vulnerabilities is impossible at this point, but they can be compared with the MOVEit and GoAnywhere flaws: the former resulted in 357 organizations being compromised, the latter affected over 100. Both of those vendors have since released complete patches, whereas ColdFusion users can only hope the problem will be fixed soon.

[Figure: top 10 countries by number of Adobe ColdFusion installations]

How to protect against vulnerabilities?

Protecting against vulnerabilities means adopting proactive security measures and practices. Here are some steps that improve your security:

  • Keep Software Updated. Regularly update your operating system, applications and security software. Developers release updates to patch security vulnerabilities, so staying up to date is crucial.
  • Use Strong Passwords. Strong, unique passwords help prevent compromise through brute force and credential reuse. Consider a password manager to store and manage them securely.
  • Enable Multi-Factor Authentication. MFA adds a layer of security by requiring extra verification (such as a code generated on your phone); it is an additional barrier that is hard for intruders to get past.
  • Use protection solutions. Capable antivirus software complements the recommendations above: if something does attempt to infect the system, it neutralizes the threat before it causes harm.
  • Keep Abreast of Security News. Finally, stay informed about the latest threats and best practices so you can adapt your defenses accordingly.

Although there is no such thing as 100% protection, implementing these measures can significantly reduce your risk and make it harder for attackers to exploit vulnerabilities.

MOVEit MFT 0-day Vulnerability is Used to Steal Corporate Data
https://gridinsoft.com/blogs/moveit-mft-0day-vulnerability/
Thu, 01 Jun 2023 19:36:36 +0000

The MOVEit managed file transfer (MFT) solution turns out to contain a 0-day vulnerability that is already being exploited. Progress, the developer of the product, has released a notice and a security advisory on the case.

What is MOVEit MFT?

MOVEit is a solution for convenient and secure data transfer within an organization. The product line dates back to 2002 and has since gained cloud storage features and support for mobile platforms. Solutions of this kind became popular as companies moved to electronic document management. Keeping that process secure is critically important, since such applications carry every kind of corporate document.

MOVEit MFT 0-day Allows to Steal Data

According to the advisory published by Progress, the vulnerability in MOVEit Transfer allows unauthorized access that ends in remote code execution. The attack goes through the web interface, which listens on HTTP port 80 and HTTPS port 443. Observed attacks used an SQL injection to gain access to the MOVEit database (MySQL, Microsoft SQL Server or Azure SQL, depending on the deployment) and to drop a webshell on the server. Researchers found a sample of that webshell uploaded to VirusTotal, with zero detections. Subsequent requests to the webshell must carry the correct password; once it matches, the door is open: the attackers can list the stored files, upload new ones and download those already present.

[Figure: the webshell used in the MOVEit attacks has 0 detections on VirusTotal]

The vulnerable and fixed MOVEit versions are as follows:

Software         Vulnerable versions   Fixed in
MOVEit Transfer  2023.0.0              2023.0.1
                 2022.1.x              2022.1.5
                 2022.0.x              2022.0.4
                 2021.1.x              2021.1.4
                 2021.0.x              2021.0.6

Security Advisory for Vulnerable Versions

Besides asking customers to update, Progress released a list of recommended actions. The immediate mitigation is to block inbound HTTP and HTTPS traffic (ports 80 and 443) to the MOVEit Transfer server in the firewall rules. This is not painless: without those ports users cannot log into the web interface, built-in automation tasks will not run, and some APIs and add-ons stop working (SFTP and FTP/s transfers keep working). After that, Progress recommends checking the logs for signs of unauthorized access and then updating the software.
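Here, as an added example that is not code from Google, Atlassian or Progress, is a branch-aware patch check driven by the three fixed-version tables on this page: the Chrome per-OS builds for CVE-2024-0519, the Confluence branches for CVE-2023-22518, and the MOVEit Transfer branches above. It exists because a naive comparison gets these tables wrong in both directions: as strings, "120.0.6099.99" sorts after "120.0.6099.224"; as numbers, Confluence 8.4.0 is newer than the fixed 8.3.4 yet still vulnerable, because every branch got its own fix. The host names in the sample inventory are assumptions.

```python
import re


def parse_version(text: str) -> tuple:
    """'120.0.6099.224' -> (120, 0, 6099, 224). Keeps only the numeric
    components, so 'v8.5.3' and '8.5.3-build1' parse the same way."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def patch_status(installed: str, fixed_versions, branch_len: int) -> str:
    """Compare `installed` against the first fixed build of its own release
    branch. `branch_len` is how many leading components identify a branch:
    2 for Confluence (8.5.x) and MOVEit (2022.1.x), 3 for Chrome (120.0.6099.x).

    Returns 'patched', 'vulnerable' or 'unknown' (a branch newer than any the
    advisory lists, which has to be checked against a newer advisory)."""
    inst = parse_version(installed)
    branch = inst[:branch_len]
    fixed_by_branch = {}
    for f in fixed_versions:
        fv = parse_version(f)
        b = fv[:branch_len]
        # keep the lowest fixed build per branch in case a list names several
        if b not in fixed_by_branch or fv < fixed_by_branch[b]:
            fixed_by_branch[b] = fv
    if branch in fixed_by_branch:
        return "patched" if inst >= fixed_by_branch[branch] else "vulnerable"
    if branch > max(fixed_by_branch):
        return "unknown"
    # A branch older than every listed one received no fix at all (both
    # Atlassian and Progress say such installs must upgrade), so it is
    # reported as vulnerable rather than silently skipped.
    return "vulnerable"


# Fixed-version tables as given in the three advisories discussed on this page.
CHROME_FIXED = {            # CVE-2024-0519, branch 120.0.6099.x, per OS
    "windows": ["120.0.6099.224"],
    "macos":   ["120.0.6099.234"],
    "linux":   ["120.0.6099.224"],
}
CONFLUENCE_FIXED = ["7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1"]    # CVE-2023-22518
MOVEIT_FIXED = ["2023.0.1", "2022.1.5", "2022.0.4", "2021.1.4", "2021.0.6"]


def chrome_status(os_name: str, installed: str) -> str:
    """Chrome's fixed build differs per OS, so the OS selects the table."""
    return patch_status(installed, CHROME_FIXED[os_name.lower()], branch_len=3)


def audit(inventory: dict, fixed_versions, branch_len: int) -> dict:
    """inventory: {host: installed_version} -> {host: status}."""
    return {host: patch_status(v, fixed_versions, branch_len)
            for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (assumed host names, not real data).
    confluence_hosts = {"wiki-a": "8.5.2", "wiki-b": "8.5.3",
                        "wiki-c": "7.13.4", "wiki-d": "8.7.0"}
    moveit_hosts = {"mft-1": "2022.1.3", "mft-2": "2023.0.1"}
    print(audit(confluence_hosts, CONFLUENCE_FIXED, branch_len=2))
    print(audit(moveit_hosts, MOVEIT_FIXED, branch_len=2))
    print(chrome_status("macos", "120.0.6099.224"),
          chrome_status("windows", "120.0.6099.225"))
```

Note the macOS case: 120.0.6099.224 is the fixed build on Windows and Linux but still vulnerable on macOS, where the fix landed in .234, which is exactly the kind of detail a single global "minimum version" check misses. The "unknown" result is deliberate: a branch the advisory does not mention is not evidence of safety, only of an out-of-date table.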

New iOS Vulnerability Allows “Triangulation” Attack
https://gridinsoft.com/blogs/ios-zeroclick-vulnerability-triangulation/
Thu, 01 Jun 2023 18:49:48 +0000

A new iOS vulnerability allows zero-click malware delivery through the built-in iMessage app. The flaw was discovered by Kaspersky researchers and appears to affect almost any iPhone user. The researchers dubbed the malware “Triangulation”.

iOS Exploit Allows Zero-Click Infection

Probably the worst-case scenario for any target of a cyberattack is an infection that requires no action from the victim. That is exactly the case here: a crafted iMessage triggers the installation of malware on the device, leaving the user no chance to react. According to Kaspersky's report, the flaw is used to install spyware dubbed Triangulation. Notably, the analysts discovered the trojan running on the iPhones of the company's own top executives.

Triangulation's capabilities are typical for spyware targeting mobile devices: remote microphone activation, gathering activity patterns and geolocation, and grabbing photos and files from messengers. The worst part is that it is particularly hard to detect and remove, partly because of the way iOS is designed.

Triangulation Trojan Is Very Tough to Find and Remove

Like any spyware, it tries to stay as stealthy as possible. The only visible sign of its activity that analysts found while examining the case was that iOS updates had been disabled. Since iOS 14, Apple shows an indicator when the microphone or camera is in use, and which app is using it, but Triangulation does not seem to trigger that mechanism, either through some trick with OS settings or by recording while another app legitimately uses the mic.

[Figure: one of the signs of Triangulation malware activity: disabled updates]

Because iOS keeps its file system closed to external tools, it is hard to use specialized software to uncover malware running on the device, and that makes removal even harder. According to the report, the only reliable way to remove the Triangulation trojan is to reset the phone to factory settings. That is far from ideal, since such a drastic operation wipes all user files too, yet every minute spent with an infected device means more personal data leaking to an unwanted party.

What can I do?

Frankly, giving such advice to iOS users is unusual. For a long time iOS was considered one of the most secure operating systems, if not the most secure. Zero-day and zero-click exploits happened before, but Apple usually issued hotfixes quickly. This time, however, neither a list of vulnerable iOS versions nor a fix is available. I hope to see a Rapid Security Response patch, the new update type Apple introduced last month. For now, here is what you can do to protect yourself from the Triangulation attack.

Check your device periodically. It is possible that the victims at Kaspersky simply ignored the mic/camera indicators appearing on screen. Either way, paying attention to what your iPhone tries to tell you is important, if only to spot a legitimate app that uses your mic excessively.

Another place to look is the Software Update section in Settings (Settings → General → Software Update). Since the malware reportedly disables updates, a disabled state is an obvious warning sign. Even if you disabled automatic updates deliberately, turn them back on: Apple does its best to keep its devices secure, and the new update policy is a good confirmation of that.

[Figure: the iOS Software Update screen; be sure your iPhone is up to date]

To continue that thought: keep an eye on the latest iOS updates and install every security patch available. Apple sometimes releases fixes even for older iOS versions, especially when a vulnerability is critical and exploited in the wild. As this case shows, being careful and avoiding muddy waters is sometimes not enough, because you cannot avoid a thing you cannot even see.

MSMQ Vulnerability Allows Remote Code Execution https://gridinsoft.com/blogs/msmq-vulnerability-rce/ https://gridinsoft.com/blogs/msmq-vulnerability-rce/#comments Tue, 11 Apr 2023 23:24:21 +0000 https://gridinsoft.com/blogs/?p=14148 Recent update released by Microsoft, an April Patch Tuesday, revealed a severe vulnerability in Microsoft Message Queueing mechanism. That vulnerability allows remote code execution after sending 1 (one) package through a specific port. What is Microsoft Message Queueing? Microsoft Message Queueing, or MSMQ, is an infrastructure element for sharing messages within a local network. At… Continue reading MSMQ Vulnerability Allows Remote Code Execution

The recent update released by Microsoft, the April Patch Tuesday, revealed a severe vulnerability in the Microsoft Message Queuing mechanism. That vulnerability allows remote code execution after sending a single packet to a specific port.

What is Microsoft Message Queuing?

Microsoft Message Queuing, or MSMQ, is an infrastructure component for passing messages within a local network. At the time of its release in 1997, it provided a convenient way to communicate with all machines in a heterogeneous network. The core promise of the application is a guarantee that a message will be delivered. Security features, along with other elements that made it convenient to use, made MSMQ a fairly popular solution for networks. Later, however, it was pushed out of use by newer Microsoft products, such as Azure Queues.

Despite being officially discontinued from further development, it still receives security updates. Microsoft promises to support it as long as the last Windows version that ships it is supported with security patches. Networks that consist of older computers, are not compatible with modern software, or are managed by conservative administrators still use MSMQ. But low usage and the absence of feature updates do not mean an absence of vulnerabilities. The latter is especially true given that MSMQ is still present even in the latest Windows and Windows Server versions, 11 and 2022.

MSMQ setup
MSMQ setup window with an option to disable its components, or an entire service at once

MSMQ Vulnerability Allows Remote Code Execution

The patch notes for the April 2023 Patch Tuesday contain information about almost a hundred different flaws that Microsoft fixed. A small entry, CVE-2023-21554, is not noticeable unless you look at its detailed explanation. As it turns out, the vulnerability allows gaining control over the process that runs the entire MSMQ mechanism, mqsvc.exe. Analysts have already dubbed it QueueJumper. With their hands on that process, hackers can easily make it run any code. Such flaws are classified as remote or arbitrary code execution, and they frequently sit at the top of vulnerability charts.

Having such an ability is bad enough, but having it so easy to exploit is worse. Sending a single packet, crafted specifically for exploitation, to TCP port 1801 gives hackers control over the aforementioned mqsvc.exe. As you may guess, this is pretty easy to do. And given that MSMQ is still present even in the most modern systems, it is feasible for hackers to use it for their dirty deeds. Of course, using it requires that hackers are able to reach port 1801, meaning it is open to network connections. But it is now a far less common peephole than RDP's port 443, and it is open by default.

How to Fix the MSMQ Vulnerability? And Should I?

Now that Microsoft has published the flaw with a detailed explanation in its patch notes, nothing stops hackers from using it. So yes, it is worth fixing as soon as possible. RCE/ACE vulnerabilities always bring serious danger, as they are commonly used for initial access and malware deployment. Considering everything I told you above about the port and the ease of exploitation, it is only a matter of time before crooks put it to use.


Fortunately, the patch that closes the flaw is already available. The aforementioned Patch Tuesday fixes this and numerous other vulnerabilities. Installing it is the easiest and fastest way to forget about this threat. However, updates are not that easy to install on all machines in large corporate networks. For these cases, Microsoft offers a pretty straightforward workaround: manually blocking port 1801 from external connections. It does not remove the ability to take over the MSMQ process, but it makes exploitation much more complicated and less efficient.
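A quick way to check whether the workaround above is actually needed on a host is to look at which process listens on TCP 1801 and on which addresses. The script below is an added example, not Microsoft's or Gridinsoft's code: it parses `netstat -ano -p tcp` output together with a PID-to-image map (as `tasklist` would give) and reports mqsvc.exe listeners that are reachable beyond loopback. The netstat lines and the PID map are constructed samples.

```python
"""Triage of MSMQ (TCP 1801) exposure from netstat output (added example)."""
import re

MSMQ_PORT = 1801
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `netstat -ano -p tcp` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING       2108
  TCP    127.0.0.1:1801         0.0.0.0:0              LISTENING       2108
  TCP    [::]:1801              [::]:0                 LISTENING       2108
  TCP    10.0.0.5:1801          10.0.0.9:50213         ESTABLISHED     2108
"""
# Constructed PID -> image name map (what `tasklist` would report).
SAMPLE_PIDS = {912: "svchost.exe", 2108: "mqsvc.exe"}

_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def split_addr(addr):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def msmq_listeners(netstat_text, pid_map):
    """Return (address, pid, image) for every TCP 1801 listener that is
    bound to something other than a loopback address."""
    exposed = []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header or non-TCP line
        local, _foreign, state, pid = m.groups()
        host, port = split_addr(local)
        if port != MSMQ_PORT or state != "LISTENING" or host in LOOPBACK:
            continue
        exposed.append((host, int(pid), pid_map.get(int(pid), "?")))
    return exposed


def msmq_exposed(netstat_text, pid_map):
    """True when mqsvc.exe accepts connections on 1801 from the network,
    i.e. the case where blocking 1801 externally is the relevant workaround."""
    return any(img.lower() == "mqsvc.exe"
               for _host, _pid, img in msmq_listeners(netstat_text, pid_map))
```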

Information Security Specialists Discovered a 0-day Vulnerability in Windows Search
https://gridinsoft.com/blogs/0-day-vulnerability-in-windows-search/
Sat, 04 Jun 2022 12:24:21 +0000

A new 0-day Windows Search vulnerability can be used to automatically open a search window and launch remote malware, and it can be triggered simply by opening a Word document.

Bleeping Computer says the problem is serious because Windows supports the search-ms protocol URI handler, which allows apps and HTML links to run custom searches on the device. While most searches query the local device, it is also possible to force Windows Search to query file shares on remote hosts and to set a custom title for the search window.

For example, Sysinternals allows remotely mounting live.sysinternals.com as a network share to run its utilities. The following search-ms URI searches that remote share and displays only files matching a given name: search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals

In this case, the crumb variable of search-ms specifies the search location, and the displayname variable specifies the window title. When this command is run from the Run dialog or a browser address bar on Windows 7, Windows 10 or Windows 11, a custom search window appears, as in the screenshot below. Its header says “Searching Sysinternals”, as specified in the search-ms URI.
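The URI format just described is simple enough to triage mechanically: split the variables, percent-decode them, and flag any location crumb that points at a UNC path rather than a local folder. The parser below is an added example, not part of the Bleeping Computer or Gridinsoft write-up; the Sysinternals URI is the one quoted above and the local URI is a constructed sample.

```python
"""Parser and triage for search-ms: URIs (added example)."""
from urllib.parse import unquote


def parse_search_ms(uri):
    """Return a dict of search-ms variables; crumbs are collected in a list
    because a URI may carry several of them."""
    scheme, sep, rest = uri.partition(":")
    if scheme.lower() != "search-ms" or not sep:
        raise ValueError("not a search-ms URI")
    params = {"crumb": []}
    for part in rest.split("&"):          # split before decoding: %26 stays literal
        if not part:
            continue
        key, _, value = part.partition("=")
        key, value = key.lower(), unquote(value)
        if key == "crumb":
            params["crumb"].append(value)
        else:
            params[key] = value
    return params


def remote_locations(uri):
    """UNC paths named in location: crumbs (empty when the search is local)."""
    found = []
    for crumb in parse_search_ms(uri)["crumb"]:
        name, _, value = crumb.partition(":")
        if name.lower() == "location" and value.startswith("\\\\"):
            found.append(value)
    return found


def is_suspicious(uri):
    """True when the search window would list files from a remote share,
    the pattern abused to present malware as a 'Critical Updates' folder."""
    return bool(remote_locations(uri))


# The URI quoted in the article, and a constructed local-only counterpart.
SYSINTERNALS = ("search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com"
                "&displayname=Searching%20Sysinternals")
LOCAL = "search-ms:query=report&crumb=location:C%3A%5CUsers&displayname=Docs"
```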

0-day vulnerability in Windows Search

Hackers can use the same approach in attacks where phishing emails masquerade as updates or patches that supposedly need to be installed urgently. Attackers can set up a remote Windows share that hosts malware disguised as security updates, and then use the search-ms URI in their attacks.

It would seem difficult to get a user to click on such a URL, especially given the warning that is displayed in this case.

0-day vulnerability in Windows Search

However, Hacker House co-founder and security researcher Matthew Hickey found a way to combine a newly discovered vulnerability in Microsoft Office with the search-ms handler to open a remote search window simply by opening a Word document.

Let me remind you that the 0-day Follina became known just a few days ago, although researchers first found this bug back in April 2022; at the time, Microsoft refused to acknowledge the problem. The vulnerability is now tracked as CVE-2022-30190 and is known to be exploitable by simply opening a Word document or previewing it in File Explorer, using malicious PowerShell commands executed through the Microsoft Diagnostic Tool (MSDT).

The bug affects all versions of Windows that receive security updates, including Windows 7 and later, as well as Server 2008 and later.

Matthew Hickey

CVE-2022-30190 is known to allow Microsoft Office documents to be modified to bypass Protected View and run URI handlers without user interaction, which can lead to further handler abuse. Hickey discovered yesterday that existing Microsoft Word MSDT exploits can be modified to abuse search-ms instead.

The new PoC automatically runs the search-ms command when the user opens the Word document. The exploit opens a Windows Search window that lists executable files on a remote SMB share. The share can be named whatever the hacker wants, such as “Critical Updates”, and prompts users to install the malware under the guise of a patch.

As with the MSDT exploits, Hickey demonstrated that it is possible to create an RTF that automatically opens a Windows Search window merely by being previewed in Explorer.

“While overall this exploit is not as dangerous as the MS-MSDT RCE vulnerability, it can also be useful to attackers who can use it in sophisticated phishing campaigns,” Matthew Hickey said.

Bleeping Computer journalists note that these events are reminiscent of the situation with the PrintNightmare RCE vulnerability, discovered and fixed in the Print Spooler in 2021. At that time, Microsoft quickly fixed the original bug, but its discovery led to many other local privilege escalation vulnerabilities related to the original problem. Microsoft developers were then forced to make radical changes to Windows printing in order to finally get rid of this class of vulnerabilities as a whole.

Microsoft will now probably have to make it impossible to run URI handlers from Microsoft Office without user interaction. Until that happens, there will be regular reports of new exploits being created.

F5 warns of critical BIG-IP RCE vulnerability
https://gridinsoft.com/blogs/f5-big-ip-vulnerability/
Thu, 05 May 2022 18:18:49 +0000

F5, Inc. warned users about a critical vulnerability affecting iControl REST. That solution is a framework offered by F5 as an advanced tool for software developers. The flaw is rated critical, since it makes device takeover possible for unauthorised users.

F5 warns its customers of a new vulnerability

CVE-2022-1388, according to the company's analysts, allows potential threat actors to remotely execute arbitrary code and disable services on BIG-IP without any authentication. The threat is rated severe, with a CVSS v3 score of 9.8, which classifies it as critical. A vulnerability in one of the components of iControl REST makes it possible to bypass authentication in BIG-IP. Afterward, crooks are free to execute any code in the framework. Here is the list of BIG-IP versions that reportedly contain the flaw:

  • 16.1.0 to 16.1.2;
  • 15.1.0 to 15.1.5;
  • 14.1.0 to 14.1.4;
  • 13.1.0 to 13.1.4;
  • 12.1.0 to 12.1.6;
  • 11.6.1 to 11.6.5.

F5 offers a fast fix for the issue

As you can see, almost all versions of BIG-IP currently in use are exposed. F5 Inc. has already released fixed versions of the software and recommends installing them as soon as possible. Those versions are:

  • 17.0.0;
  • 16.1.2.2;
  • 15.1.5.1;
  • 14.1.4.6;
  • 13.1.5.
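The affected ranges and fixed releases above are easy to misread when a point release such as 16.1.2.2 sits right after the last affected version 16.1.2, so the checker below compares versions component by component. It is an added example, not F5's own tooling; the version data is exactly what the two lists state, and the classification labels are my own.

```python
"""Classify a BIG-IP version against the CVE-2022-1388 advisory data (added example)."""

# (first affected, last affected) per branch, as listed in the post.
AFFECTED = [
    ("16.1.0", "16.1.2"),
    ("15.1.0", "15.1.5"),
    ("14.1.0", "14.1.4"),
    ("13.1.0", "13.1.4"),
    ("12.1.0", "12.1.6"),
    ("11.6.1", "11.6.5"),
]
# Fixed releases as listed in the post; 12.x and 11.x receive no fix.
FIXED = ["17.0.0", "16.1.2.2", "15.1.5.1", "14.1.4.6", "13.1.5"]


def parse_version(text):
    """'16.1.2.2' -> (16, 1, 2, 2); raises ValueError on non-numeric input."""
    return tuple(int(p) for p in text.strip().split("."))


def fixed_release_for(version):
    """Fixed release on the same major.minor branch, or None when the
    branch gets no fix and an upgrade to a newer branch is required."""
    branch = parse_version(version)[:2]
    for fixed in FIXED:
        if parse_version(fixed)[:2] == branch:
            return fixed
    return None


def assess(version):
    """Return 'fixed', 'vulnerable', 'vulnerable-no-fix' or 'not-listed'.

    A version at or above its branch's fixed release is 'fixed'; otherwise
    it is checked against the inclusive affected ranges. Tuple comparison
    makes (16, 1, 2) < (16, 1, 2, 2), so 16.1.2 is vulnerable and
    16.1.2.2 is fixed."""
    v = parse_version(version)
    fixed = fixed_release_for(version)
    if fixed is not None and v >= parse_version(fixed):
        return "fixed"
    for low, high in AFFECTED:
        if parse_version(low) <= v <= parse_version(high):
            return "vulnerable" if fixed is not None else "vulnerable-no-fix"
    return "not-listed"
```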

The company emphasizes that older versions of the software (12.x and 11.x) will not receive a fix for this flaw, and it is recommended to move to a newer version. If a client is not able to apply the update for some reason, F5 recommends applying the following settings to prevent exploitation of the vulnerability:

Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.

Block iControl REST access through the self IP address
You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to iControl REST. By default, iControl REST listens on TCP port 443 or TCP port 8443 on single NIC BIG-IP VE instances. If you modified the default port, ensure that you disallow access to the alternate port you configured.

F5 Inc.'s advice on CVE-2022-1388 in BIG-IP.

How serious is the CVE-2022-1388?

Since the iControl framework, as well as BIG-IP, are generally used by corporations, that is where CVE-2022-1388 may do the most harm. The ability to remotely execute code without authorisation allows cybercriminals to extend their presence quickly, up to full control over the network. Any malware distributor would be pleased with such an ability, especially considering the amount of valuable data present in such corporations. Moreover, the use of advanced and expensive solutions like those offered by F5 means that attackers may ask for a huge ransom.

Besides that, having such a vulnerability in your software product also impacts your image as a developer. F5 did a pretty good job: they detected the flaw and issued a fix before cybercriminals found it. However, that does not mean that crooks lost the ability to exploit it; they just lost the element of surprise, as it is no longer a zero-day vulnerability. Many companies will be slow with updates, and some may simply ignore it. The absence of a fast reaction often leads to bad consequences. Fortunately for F5, they have already disclaimed responsibility for any malware attack using that flaw.
