Exploits Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/exploits/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 12 Sep 2023 22:40:44 +0000

Google Fixes Critical Vulnerability in Chrome, Exploited in the Wild
https://gridinsoft.com/blogs/google-chrome-critical-vulnerability-fix/
Tue, 12 Sep 2023 20:52:45 +0000

Google has released an urgent security update for its Chrome browser. The patch fixes CVE-2023-4863, a heap buffer overflow vulnerability that is easy to exploit. Google states that this vulnerability has already been used in the wild. The flaw affects browser builds for all supported operating systems: Mac, Linux and Windows.

Google Chrome Vulnerability Exploited in the Wild

The heap buffer overflow behind CVE-2023-4863 lies in the way Chrome handles WebP images. By default, Windows assigns the browser as the viewer for images of that format, and that setting goes unchanged in the vast majority of cases. Thus, the potential pool of targets is enormous: Chrome retains its monopoly on the browser market, while WebP steadily replaces the “classic” image formats.

Statcounter browser share: Google Chrome holds a market share of over 63%, as of August 2023

The flaw first became known on September 6, 2023, after the corresponding research by Apple SEAR and Citizen Lab at The University of Toronto was reported to Google. The company, however, has been slow to publish more extensive information on the case. All that is known so far is that the buffer overflow that occurs while reading a WebP image can allow arbitrary code execution; alternatively, the browser may simply crash, which is to be expected with buffer overflow bugs. The MITRE CVE entry lists the vulnerability but gives no details beyond the basics mentioned above.

How Critical is CVE-2023-4863?

Arbitrary/remote code execution bugs routinely receive the highest marks on severity ratings. Combined with easy in-the-wild exploitation and a huge selection of targets, the threat becomes truly massive. Millions of people use Chrome on a daily basis, and encountering WebP images is just as common. Attackers can do whatever they want to millions of users simply by delivering a specially crafted image.

Protect Yourself Against Chrome Exploits

While Google has been slow to publish how the exploit works, it was quick with updates. Builds 116.0.5845.187/.188 for Windows (Stable/Extended) and 116.0.5845.187 for Mac have the vulnerability fixed. Updating the browser is simple: open Settings and scroll down to About Chrome. Opening that page triggers an update check, and if a newer version is available, it is downloaded and installed.
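For administrators who need to verify the update across many Windows machines rather than clicking through About Chrome, the following PowerShell check is an added example (not code from the post or from Google); the install paths are the usual Chrome locations and are assumptions, and the two fixed build numbers are the ones quoted above.

```powershell
# Added example: report whether the Chrome builds installed on this Windows host
# are at or above the builds that fix CVE-2023-4863 (versions taken from the post).
$FixedStable   = [version]'116.0.5845.187'   # Windows/Mac Stable
$FixedExtended = [version]'116.0.5845.188'   # Windows Extended Stable

function Test-ChromePatched {
    param(
        [Parameter(Mandatory)][string]$InstalledVersion,
        [version]$Fixed = $FixedStable
    )
    # [version] compares all four components numerically,
    # so 116.0.5845.96 is correctly treated as older than 116.0.5845.187.
    return ([version]$InstalledVersion -ge $Fixed)
}

# Typical per-machine and per-user install locations (assumed; adjust for your fleet).
$candidates = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
)

foreach ($exe in ($candidates | Where-Object { Test-Path $_ })) {
    # ProductVersion of chrome.exe carries the full build string, e.g. 116.0.5845.187
    $ver = (Get-Item $exe).VersionInfo.ProductVersion
    # Extended Stable deployments should compare against $FixedExtended instead.
    $ok  = Test-ChromePatched -InstalledVersion $ver
    $state = if ($ok) { 'patched' } else { 'VULNERABLE, update required' }
    Write-Host ("{0}`t{1}`t{2}" -f $exe, $ver, $state)
}
```

Note that the check only covers the files on disk: a browser that has downloaded the update but has not been restarted still runs the old code until it is relaunched.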

But what can you do to avoid falling victim to exploits that have not yet been uncovered and/or patched? Zero-trust is the only approach that gives reliable protection against such exploits. Its name is self-explanatory: solutions built on this policy treat every program as potentially dangerous. However, such solutions are mostly aimed at corporate clients, and for a home system the drawbacks of a paranoid security solution generally outweigh the occasional benefit. For individual users, I’d recommend looking at other options.

Your own awareness gives you a great advantage. The vast majority of phishing attacks rest on a single assumption: that the victim will be too inattentive and careless to notice the incoming fraud. And what can be more pleasant than crushing fraudsters’ hopes? This does require knowing what exactly to look for, but these habits will serve you well beyond scam avoidance.

Ivanti EPMM Vulnerability Patch is Vulnerable
https://gridinsoft.com/blogs/ivanti-epmm-patch-fix-vulnerable/
Thu, 03 Aug 2023 14:08:52 +0000

Ivanti, the provider of a wide range of management solutions for corporations, has apparently taken up the baton from Ipswitch, the vendor of the infamous MOVEit MFT. Analysts discovered two severe vulnerabilities in its EPMM over the last 10 days, and the company released urgent fixes. However, the patch for CVE-2023-35078 appears to be exploitable through the same pattern.

Ivanti EPMM Vulnerabilities Keep Going

On July 25, 2023, Ivanti released a note regarding a vulnerability in its EPMM device management software. It urged customers to install a patch for the vulnerability (CVE-2023-35078), which allowed attackers to bypass authentication and access all the functionality of the application. Unsurprisingly, it received a top 10/10 CVSS rating. The bad news is that the vulnerability had reportedly been exploited since April 2023. The patch offered by the company allegedly closes the unauthorised access capabilities.

Heatmap of CVE-2023-35078 exploitation by countries

Soon after, another security loophole was discovered. CVE-2023-35081 is a path traversal vulnerability that allows unauthorised access to the files stored on the server. Unfortunately, this flaw has been exploited on about the same scale as the previous one: attackers chained the two to achieve different goals within a single attack.

The thing is, not everything is ideal with the patch for CVE-2023-35078. Researchers found a way to pull off much the same trick against the patched version as attackers did earlier. The new flaw affects older versions of EPMM (11.2 and below) and received the identifier CVE-2023-35082. Even after the patch, the application could not provide a sustainable level of security. Fortunately, no cases of exploitation of this vulnerability have been discovered yet. But as we know, once a 0-day vulnerability becomes an n-day one, its use becomes much more widespread.

How to protect against CVE-2023-35082?

The only, and most effective, advice is to update Ivanti EPMM to any version newer than 11.2. It may be troublesome to perform such an update simultaneously across a huge network of devices, though that effort is far preferable to the effort of cleaning up after a cyberattack. There are, however, several other measures: not preventive, but still effective.

Adopt cybersecurity solutions with a zero-trust policy. The worst modern cyberattacks are carried out through vulnerabilities in trusted software, so the only solution is to trust nothing at all. EDR/XDR solutions built around this concept have their downsides, but the effectiveness of their protection is beyond doubt. Whether it is a hand-made utility or a program with over 1 million users, every action it takes will be thoroughly checked.

Use UBA and SIEM to improve visibility and response in the environment. The aforementioned zero-trust security systems benefit greatly from additional sources of information. This is almost essential in large networks made up of different types of devices. Being aware and being able to respond as quickly as possible is vital in modern cybersecurity, where the clock may be counting in minutes.

The Second Exploit in Ivanti EPMM in a Week
https://gridinsoft.com/blogs/ivanti-epmm-second-exploit/
Tue, 01 Aug 2023 16:29:24 +0000

Ivanti has once again had to fix a flaw affecting its Endpoint Manager Mobile software. This comes only days after Ivanti eliminated a zero-day vulnerability targeting the same product.

Analysts found a new vulnerability in Ivanti EPMM

Currently, two vulnerabilities are being actively exploited by malicious cyber actors, making them a common attack vector that poses significant risks to the federal enterprise. EPMM users are strongly advised to apply the available patches as soon as possible. Last week it was disclosed that one of the vulnerabilities, CVE-2023-35078, with the maximum possible CVSS v3 rating of 10, was used in an attack against twelve ministries of the Norwegian government.

Many IT departments worldwide, including several U.S. government agencies, use Ivanti’s EPMM software to manage mobile devices, apps, and content. Now a new bug, CVE-2023-35081, has been identified. It is a path traversal flaw with a CVSS v3 rating of 7.2 that permits an attacker to write arbitrary files onto the appliance.

“This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs (access control list) restrictions (if applicable).” – Ivanti

The company thanked cybersecurity firm Mnemonic for helping it identify the new vulnerability. Mnemonic warned in a blog post that remote file-writing vulnerabilities can seriously compromise system security and lead to various types of attacks, such as data breaches and system takeovers. Researchers from Mnemonic reported that the new EPMM vulnerability was exploited together with CVE-2023-35078 to write Java server pages and Java .class files to disk.

“These files were loaded into a running Apache Tomcat instance and enabled an external actor to run malicious Java bytecode on the affected servers.” – Ivanti

Report from CISA

On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging security teams to patch vulnerabilities recently reported by Ivanti. CISA specified that both CVE-2023-35081 and CVE-2023-35078 were being actively exploited. The patches newly released for CVE-2023-35081 also include patches for CVE-2023-35078.

CISA explained that if CVE-2023-35078 remains unpatched, attackers can gain EPMM administrator privileges, enabling them to write arbitrary files with the operating system privileges of the web application server. The agency warned that the attacker could execute the uploaded file, such as a web shell.

Last week, CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities catalog and ordered all Federal Civilian Executive Branch government agencies to fix the issue by August 15. However, the agency has yet to take similar steps in regard to CVE-2023-35081.

How to avoid a significant cyberattack?

Organizations that could potentially fall victim to cyberattacks should prioritize their defense. If a significant cyber attack does occur, it is recommended that the organization reset its cyber security approach and posture. After such an incident, every organization should reflect on its actions and decisions. This should serve as a lesson for not only government services but also companies.

  • It’s crucial to implement strict access controls like strong passwords, multi-factor authentication (MFA), and role-based access control to prevent unauthorized access to sensitive data and systems.
  • Keep your operating systems, software, and applications updated with the latest security patches and updates to fix known vulnerabilities. Make sure to update these systems regularly for optimal security.
  • One crucial responsibility for organizations is to adopt Zero Trust principles, which can significantly enhance security by following the ‘trust none, verify all’ rule. Every user, device, and connection must be authenticated before being granted access to your business network, its essential assets and sensitive data.
  • It’s essential to stay up-to-date on the latest vulnerabilities and learn safe online practices to protect yourself and your team. Always be careful when sharing sensitive information online or with people you don’t know.

Ivanti 0-day exploited to target Norwegian government
https://gridinsoft.com/blogs/ivanti-zero-day-norwegian-government/
Tue, 25 Jul 2023 18:10:21 +0000

Software development company Ivanti has patched a zero-day vulnerability in its EPMM product (formerly MobileIron Core) that allowed authentication bypass. The vulnerability carries the maximum CVSS score and was actively exploited to gain unauthorized access.

What is Ivanti Company?

Ivanti is an IT software company headquartered in Utah, United States. It produces a variety of IT management and security solutions. Many organizations use the company’s products, including businesses, government agencies, and educational institutions. For example, almost all Norwegian ministries use Ivanti Endpoint Manager Mobile, with only a couple of exceptions. Having such important clients is always a huge responsibility, and unfortunately not everyone is capable of mitigating all the risks.

Ivanti EPMM 0-day Vulnerability

ACSC has received reports of a vulnerability in Ivanti EPMM (Endpoint Manager Mobile), also known as MobileIron Core, affecting all versions below 11.8.1.0. In brief, the vulnerability is CVE-2023-35078 and allows remote access to the API without authentication. It carries the maximum CVSS severity rating, 10 out of 10. While Ivanti said it received the information from a reliable source, the company did not disclose any further details about the nature of the attacks or the identity of the attackers. Nevertheless, the Norwegian National Security Authority (NSM) confirmed that unknown attackers exploited the vulnerability to attack the State Organization for Security and Services (DSS). Thus, the attackers could likely access and steal sensitive data from the compromised platform.

On Sunday, the company released a security patch that users can install by upgrading to EPMM 11.8.1.1, 11.9.1.1, or 11.10.0.2. Versions below 11.8.1.0, which are outdated and unsupported, have also received the update.

CVE-2023-35078 Details

CVE-2023-35078 is a zero-day authentication bypass vulnerability. It provides remote API access without authentication to specific paths. This means an attacker can access personally identifiable information such as usernames, phone numbers, and other mobile device information on the vulnerable system. An attacker can also make configuration changes, including creating an EPMM administrator account, to make further changes to the vulnerable system. The vulnerability affects all supported versions of EPMM (v11.10, 11.9, and 11.8) and earlier unsupported releases. It is patched in versions 11.10.0.2, 11.9.1.1, and 11.8.1.1. Since CVE-2023-35078 has the maximum CVSS severity score of 10.0 and is easily exploitable, experts strongly recommend updating all devices, even EOL ones. If you cannot update the appliance, it is recommended to switch it off.

CVE-2023-35078 vulnerability heatmap by countries

In addition, Ivanti has published a password-protected security advisory. However, only customers with login credentials can access it, which is perplexing. The company also clarified that the vulnerability is not used in a supply chain attack. IoT search engine Shodan found more than 2,900 MobileIron user portals are publicly available on the Internet, mainly in the US and Europe. About 30 of them are associated with local and state governments in the United States. The most vulnerable servers are in the US, Germany, the UK, and Hong Kong. The Norwegian National Cyber Security Center has notified all known system owners in the country that have MobileIron Core available on the Internet of a security update that has been issued.

How to secure against Ivanti 0-day vulnerability?

Well, the Norwegian government is not the only client of Ivanti. Companies from different corners of the world use its software, and turned out to have a weak spot where no one expected it. Here are some steps you can take to secure against the Ivanti 0-day vulnerability.

  • Apply the latest security patches. It’s the first action you must take since Ivanti has released a patch to address the vulnerability. So, you should apply the patch as soon as possible to protect your organization.
  • Use multi-factor authentication (MFA). It adds a layer of security to your organization’s IT systems. MFA requires users to present two or more pieces of identification to authenticate themselves, which makes it more difficult for attackers to access your systems.
  • Monitor your IT systems for suspicious activity, such as unauthorized access attempts or unusual traffic patterns. This will help you identify and respond to attacks.
  • Educate your users about security best practices. Users are the first defense against cyberattacks. You should educate your users about safety best practices. For example, they must avoid clicking suspicious links or opening attachments from unknown senders.

By following these steps, you can help to protect your organization against the 0-day vulnerability and other cyberattacks.

NortonLifeLock Hacked by Cl0P Gang, Using MOVEit Vulnerability
https://gridinsoft.com/blogs/nortonlifelock-hack-moveit-clop/
Mon, 19 Jun 2023 17:52:31 +0000

NortonLifeLock, the world-famous antivirus software developer, has reportedly been hacked by the Cl0p ransomware gang. The hackers listed it on their Darknet leak page, and it appears that the cybersecurity vendor is yet another victim of the MOVEit vulnerability.

NortonLifeLock Hacked via MOVEit Vulnerability

The vulnerability in Progress’ MOVEit MFT solution set the whole cybersecurity community abuzz. It allowed hackers to send external login requests to the cloud SQL database. After brute-forcing their way in this manner, the crooks gained full access to the web repository, meaning they could upload their own files and manage existing ones. Despite the patch being released soon after the vulnerability was discovered, it was too late. Threat actors, particularly those behind Cl0p ransomware, successfully abused the vulnerability to breach the companies’ networks.

NortonLifeLock listing on the Cl0p ransomware Darknet leak site

NortonLifeLock, the developer of the famous Norton Antivirus, appears to have been hacked through this flaw as well. Along with 80+ other companies, it has been listed on Cl0p’s Darknet leak site since the beginning of summer 2023. It is not clear, though, whether the MOVEit vulnerability was indeed used, and if so, which of the several uncovered flaws.

What is Cl0p Ransomware?

The Cl0p ransomware gang is a Russian ransomware project backed by the threat actor known as FIN7/Sangria Tempest. Many facts point to FIN7 being related to the Russian Foreign Intelligence Service (SVR). The gang is known for its cheeky choice of targets, a particular passion for hacking educational institutions, and heavy use of newly discovered software vulnerabilities. Earlier this year, Cl0p ransomware was spread using a vulnerability in PaperCut, the print management software. The list of all the security flaws it uses is obviously far longer.

A ransom note from Cl0p ransomware

Getting back to the Norton hack: in the note on the Darknet site, Cl0p said nothing about negotiations. When a company refuses to pay, the hackers disclose this fact and publish the leaked data. This is not the case with Norton: their entry states only that the hack occurred. Negotiations commonly take up to several weeks, especially if the company is ready to pay but wishes to discuss the ransom sum.

How to protect against MOVEit vulnerability?

For any cybersecurity company, being hacked is a big reputational loss. Even though Norton is not to blame for the MOVEit vulnerabilities, it was hacked and may have let user information leak, and that alone damages its image. Until details emerge on how exactly it was hacked and how much data was lost, it is hard to say whether users will suffer. And although Norton is not entirely at fault in this situation, it could have used several preventive measures that minimise the chances of zero-day vulnerability exploitation.

Probably the best method of 0-day counteraction is a zero-trust security solution. Such solutions have their disadvantages, particularly high resource consumption and higher access delays, but their effectiveness is exceptionally good. When set up properly, they will not allow any program to perform an action without a thorough check, and that is what could have stopped Cl0p at the moment the MOVEit flaw was exploited.

PaperCut Vulnerability Allows RCE, Exploited in the Wild
https://gridinsoft.com/blogs/papercut-vulnerability-allows-rce/
Wed, 26 Apr 2023 11:33:14 +0000

PaperCut, a software solution used for print management, appears to be vulnerable to remote code execution (RCE). Another flaw, disclosed alongside it, allows extraction of user data from the profiles created in the program. The RCE vulnerability is already being used in cyberattacks.

What is PaperCut?

PaperCut is a print management solution that allows fine-tuning of printer usage. It provides features such as print job tracking, print quota management, cost allocation, and secure printing, among others. The latter is especially needed to prevent data leaks within a company. The software supports a wide range of printers, scanners, and other devices of that kind. It is a pretty popular solution: the latest data cites over 100 million users around the world. It can be very, very unfortunate if something that popular is unsafe.

Two Vulnerabilities Found in PaperCut Software

Recent research shows that PaperCut has two vulnerabilities: one is bad, and the other is horrifying. Let’s start with the more worrying one. CVE-2023-27350 allows remote code execution (RCE) without any authentication. RCE/ACE vulnerabilities are extremely dangerous, and a CVSS score of 9+ for them is common. This one received 9.8 points, equalling the recently discovered MSMQ vulnerability.

Even more unpleasant is the fact that crooks have already succeeded in using this vulnerability in cyberattacks. Trend Micro reported attackers using the RCE vulnerability to execute a PowerShell script, which downloaded a ransomware payload while circumventing the passive security solutions present in the network. The threat actors pulled off this trick using the Windows Network Shell (netsh) utility. Another notable feature of the attack is the use of temporary file hosting for payload delivery: after 60 minutes, the file is automatically removed from the hosting, leaving no evidence behind.

PaperCut RCE Vulnerability exploitation scheme

CVE-2023-27351 is less severe, yet still unpleasant. It also allows unauthorised access, but this time users’ information is at stake. Attackers can extract things like users’ full names, usernames, emails and even card numbers. All this information is available from user profiles created on PaperCut MF servers, and could potentially allow attackers to obtain credentials for PaperCut accounts.

List of PaperCut software vulnerable to the mentioned exploits:

  • CVE-2023-27350: Site servers running PaperCut MF/NG v.15.0 or later; Application servers running PaperCut MF/NG v.8.0 or later
  • CVE-2023-27351: Application servers running PaperCut MF/NG v.15.0 or later

How to Protect Against PaperCut Vulnerability?

Fortunately for all corporations that use the program, the developer already acknowledged that issue and released a security update. They recommend installing the latest updates available for vulnerable software as soon as possible. Such a rapid reaction is greatly appreciated, but companies generally tend to delay updates. This may be caused by numerous factors, some of which are hard to deal with. For that reason, preventive measures may be a more convenient option.

The most effective solution against exploitation is anti-malware software with a zero-trust policy, which assumes that no software is trusted and every action must be checked. Modern EDR/XDR solutions generally opt for this exact policy, as it provides far higher protection rates against modern threats. Certainly, it has its downsides, but they pale in comparison to the consequences of a ransomware attack or APT activity.

An additional measure is active network protection. As mentioned above, the attackers used netsh to get around firewall restrictions and reach the file hosting. More advanced network security solutions, such as Network Detection and Response systems, are not fooled by this. They also make it much easier to analyse cyberattacks (or attempts at them) and implement urgent reactive measures.

MSMQ Vulnerability Allows Remote Code Execution
https://gridinsoft.com/blogs/msmq-vulnerability-rce/
Tue, 11 Apr 2023 23:24:21 +0000

Microsoft’s recent April Patch Tuesday update revealed a severe vulnerability in the Microsoft Message Queuing mechanism. The vulnerability allows remote code execution after a single packet is sent to a specific port.

What is Microsoft Message Queueing?

Microsoft Message Queuing, or MSMQ, is an infrastructure component for exchanging messages within a local network. At the time of its release in 1997, it provided a convenient way to communicate with all machines in a heterogeneous network. The core of the service is its guarantee that a message will be delivered. Security features and other conveniences made MSMQ a fairly popular solution for networks. Later, however, it was pushed out of use by newer Microsoft products, such as Azure Queues.

Although its development has officially ended, it still receives security updates: Microsoft promises to support it for as long as the last Windows version that ships it receives security patches. Networks made up of older computers, incompatible with modern software, or run by conservative administrators still use MSMQ. But low usage and the absence of feature updates do not mean an absence of vulnerabilities. That is especially true given that MSMQ is still present even in the latest Windows and Windows Server versions, 11 and 2022.

MSMQ setup window with an option to disable its components, or the entire service at once

MSMQ Vulnerability Allows Remote Code Execution

The patch notes for the April 2023 Patch Tuesday contain information about almost a hundred different vulnerabilities that Microsoft fixed. A small entry, CVE-2023-21554, is easy to overlook unless you read its detailed explanation. As it turns out, the vulnerability allows gaining control over the process that runs the entire MSMQ mechanism, mqsvc.exe. Analysts have already named it QueueJumper. With control over that process, attackers can easily make it run any code. Such flaws are classified as remote or arbitrary code execution and are often found at the top of vulnerability charts.

Having such a capability is bad enough, but having it so easy to exploit is worse. Sending a single packet, crafted specifically for exploitation, to TCP port 1801 gives attackers control over the aforementioned mqsvc.exe. That is not hard to do, as you may guess. And given that MSMQ is still present even in the most modern systems, it is feasible for attackers to use it for their dirty deeds. Of course, using it requires that attackers can reach port 1801, meaning it is open to network connections. Still, it is a far less common entry point than RDP’s port 443, and it is open by default.

How to Fix the MSMQ Vulnerability? And Should I?

After Microsoft published the vulnerability with a detailed explanation in its patch notes, nothing stops attackers from using it. So yes, it is worth fixing as soon as possible. RCE/ACE vulnerabilities always bring advanced dangers, as they are commonly used for initial access and malware deployment. Considering everything said above about the port and the ease of exploitation, it is just a matter of time before crooks put it to use.


Fortunately, the patch that closes the vulnerability is already available. The aforementioned Patch Tuesday fixes this and numerous other vulnerabilities. Installing it is the easiest and fastest way to forget about such a threat. However, updates are not that easy to install on all machines in large corporate networks. For these cases, Microsoft offered a fairly straightforward workaround: manually closing port 1801 to external connections. It does not remove the ability to take over the MSMQ process, but it makes exploitation far more complicated and less efficient.
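The workaround described above, written out as an added PowerShell example (it is not code from the Gridinsoft post or from Microsoft): it checks whether the MSMQ feature and its service are present on a host, whether anything is listening on TCP 1801, and then adds a host-firewall rule blocking inbound TCP 1801 until the patch is deployed. The function name and the firewall rule's display name are my own choices; the cmdlets are standard Windows PowerShell and need an elevated session.

```powershell
# Added example, not from the original post. Audits MSMQ exposure on one Windows host and
# applies the interim mitigation (block inbound TCP 1801) until the April 2023 update is installed.
# Function and rule names are hypothetical; run in an elevated PowerShell session.
function Invoke-MsmqInterimMitigation {
    [CmdletBinding()]
    param()

    # 1. Is the MSMQ feature installed at all? Hosts without it are not exposed.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
    if (-not $feature -or $feature.State -ne 'Enabled') {
        Write-Host 'MSMQ-Server feature is not enabled on this host; nothing to mitigate.'
        return
    }

    # 2. Is the service (mqsvc.exe) running, and is TCP 1801 actually listening?
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    if ($svc) { Write-Host "MSMQ service status: $($svc.Status)" } else { Write-Host 'MSMQ service not found.' }

    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        Write-Host 'TCP 1801 is listening on:'
        $listener | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
    } else {
        Write-Host 'Nothing is listening on TCP 1801 right now.'
    }

    # 3. Interim mitigation: block inbound TCP 1801 on every firewall profile.
    #    A Block rule wins over Allow rules in Windows Firewall, so this closes the port
    #    even if an Allow rule for MSMQ exists. It does not remove the flaw; patch anyway.
    $ruleName = 'Block inbound MSMQ TCP 1801 (CVE-2023-21554 interim mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -Action Block -Profile Any | Out-Null
        Write-Host "Created firewall rule: $ruleName"
    } else {
        Write-Host "Firewall rule already present: $ruleName"
    }

    # 4. If nothing on this host needs MSMQ, the cleaner fix shown in the post's screenshot
    #    is to remove the feature entirely. Uncomment once you have confirmed it is unused.
    # Disable-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -NoRestart
}

Invoke-MsmqInterimMitigation
```

The rule blocks the port for all remote addresses; if MSMQ traffic from specific internal hosts must keep flowing, add a `-RemoteAddress` list of those hosts to a separate Allow rule and keep the Block rule scoped to everything else, then confirm with `Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter`.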

New Microsoft SmartScreen Bypass Technique Causes Concerns
https://gridinsoft.com/blogs/microsoft-smartscreen-bypass-technique/
Fri, 17 Mar 2023 15:19:49 +0000

Microsoft SmartScreen has proved to be an effective way of confirming the legitimacy of an application by checking its certificate. Over time, Microsoft did a lot of work making it more efficient and resistant to hacking, but that never made any mechanism secure from zero-day flaws. A new vulnerability that allows bypassing SmartScreen protection is already in use and affects a huge number of users. How does it work, and how can you avoid problems? Let’s have a look.

What is Microsoft SmartScreen?

For those not familiar with the internal security mechanisms in Windows, Microsoft SmartScreen is a security utility that warns the user when the application they are trying to run is dangerous. The key way it judges safety is the application’s digital certificate, which should carry a valid signature of a company or developer. A certificate authority (CA) vouches for that certificate, so only legitimate ones pass through.

[Image: Microsoft SmartScreen warning screen]

Users may see SmartScreen at work when they launch an app with no certificate or with an expired one. A pop-up appears, warning the user that it may be dangerous to run the file, and SmartScreen blocks its immediate execution. Sure, it does not always work perfectly, blocking legitimate programs that have outdated certificates; that unfortunate occurrence may happen even with well-known developers. Nonetheless, hackers found a way to circumvent the mechanism and make programs run regardless of the certificate.

New SmartScreen Exploitation Method

Threat actors never sleep, especially when companies whose products they used to exploit start putting spokes in their wheels. Recent changes in Microsoft policy regarding the execution of files that arrived from the Internet made it troublesome to spread malware in the usual way. In particular, a huge volume of malware that cybercriminals generally delivered through vulnerable macros in MS Office ceased with this change. For that reason, they decided to approach hacking Windows security from a different angle.

The new flaw does not involve a whole lot of really new concepts. CVE-2023-24880 describes a way to seamlessly run an MSI file with a specially crafted signature. It does not carry a valid Authenticode signature but a malformed one. Under that condition, SmartScreen returns an error and allows execution. As it turns out, crooks were exploiting this exact spot earlier, with other file types. In November 2022, threat actors associated with the Magniber ransomware were using JavaScript files with a signature spoofed in much the same way. That vulnerability, in turn, received the identifier CVE-2022-44698.

Explanation of SmartScreen Exploit

Under the hood, the mechanism for confusing the security checks looks like the following. There are three elements in the system that are used to decide whether a program is legitimate and good to go without a SmartScreen warning: shdocvw.dll, wintrust.dll (a library that helps SmartScreen make the decision) and smartscreen.exe itself.

[Image: SmartScreen mechanism]

During a normal check, SmartScreen calls wintrust.dll and asks it to parse the program signature. If everything is OK, the program starts without any warnings. When it is not, shdocvw.dll displays a warning window. When handling a specially spoofed certificate, SmartScreen routinely asks wintrust.dll for verification. That request, however, returns a value that causes smartscreen.exe to send an error message to shdocvw.dll. The latter fails to start in such conditions, so the program runs with no restrictions.

The certificate spoofing hides in the SignedData structure in the file’s sections. Among other things, it carries the certificates that validate the signature and the SignerInfo structure. All this information is required for wintrust.dll to ensure the validity of the signature. To help it navigate these sections, there is a CERT_CONTEXT structure pointer. Hackers force this pointer to a NULL value by supplying a signature that does not contain the SignerInfo serial number. The resulting E_INVALIDARG output goes to shdocvw.dll, making it fail as well. As already mentioned, this mechanism is identical to the one used in CVE-2022-44698.
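The lesson of the mechanism above is that the check failed open: an error while parsing the signature ended in the file running. The added PowerShell example below (my own code, not from the Gridinsoft post or from Microsoft) shows the fail-closed version of the same decision for files that arrived from the Internet, and doubles as the "check the downloaded item" step from the advice later in the post: it reads the Mark-of-the-Web stream, runs `Get-AuthenticodeSignature`, and treats every outcome other than a fully valid signature, including parsing errors, as untrusted. The function name and the Downloads folder scan are my own choices.

```powershell
# Added example, not from the original post. A fail-closed Authenticode check for downloaded
# files: anything that is not a 'Valid' signature with a signer certificate is reported as
# untrusted, errors included. Function name is hypothetical; cmdlets are standard Windows PowerShell.
function Test-DownloadedFileTrust {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path

    # Mark-of-the-Web: Internet downloads carry a Zone.Identifier alternate stream with ZoneId=3.
    $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $fromInternet = [bool]($zone -match '^ZoneId=3')

    try {
        $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName -ErrorAction Stop
        $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    } catch {
        # A parsing error is treated exactly like an invalid signature: fail closed, never fail open.
        $status = "Error: $($_.Exception.Message)"
        $signer = $null
    }

    # Only a fully valid chain with an identified signer is trusted. A malformed signature that
    # makes the verifier error out lands here as untrusted instead of being waved through.
    $trusted = ($status -eq 'Valid') -and ($null -ne $signer)

    [pscustomobject]@{
        File         = $file.FullName
        FromInternet = $fromInternet
        Status       = $status
        Signer       = $signer
        Trusted      = $trusted
    }
}

# Audit the current user's Downloads folder and list Internet-sourced files that fail the check.
# Adjust the path and extensions to taste; .msi and .js are the file types named in the post.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -LiteralPath $downloads -File -Recurse -Include *.exe, *.msi, *.js, *.ps1 |
    ForEach-Object { Test-DownloadedFileTrust -Path $_.FullName } |
    Where-Object { $_.FromInternet -and -not $_.Trusted } |
    Format-Table File, Status, Signer -AutoSize
```

`Trusted` is deliberately a conjunction of conditions rather than a check for "no error": the whole point is that an unexpected status or exception is never allowed to become a pass. Files flagged here are worth scanning with anti-malware software or a service such as VirusTotal before running them, as the post recommends.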

Is this vulnerability dangerous?

Obviously, this flaw is one to worry about. As crooks are looking for another way to run malware on devices without triggering alarms, it is obvious that such a thing will be put to use. And the same group of cyber burglars, Magniber, is already using it. They reportedly scored several victims in early spring 2023, using .msi files with a modified certificate. The group has deployed ransomware to single-user systems since 2018, attacking mostly users from Thailand and South Korea. The signature trait of that ransomware is that each sample adds a unique signature to the encrypted files. In other words, crooks generate a unique sample for each small group of victims, making the outbreaks hard to track. Another notable trait is the use of vulnerabilities to deploy malware, like the one this article covers.

Still, nothing stops other cybercriminals from using the flaw. Microsoft already released a patch in its March 14 Patch Tuesday (KB5023706), but as usually happens, users are in no hurry to install it. Previous patches that fixed critical vulnerabilities, such as the infamous EternalBlue, are still not installed widely enough to prevent successful exploitation. And a minor patch that closes a not-so-widely-known vulnerability is even less likely to be installed in time.

How to stay secure?

Being secure against modern cyber threats should be a major concern for both home and corporate users. Some measures, especially in corporations, are deployed globally under the control of system administrators or cybersecurity teams. But there are enough places where we can personally tighten things up.

  • Avoid launching files from untrustworthy sources. Programs or files you got somewhere on the Internet, particularly from sites with pirated software or anonymous forums, should be treated with caution. If you cannot avoid interacting with them, check the downloaded item with anti-malware software or a service like VirusTotal. But the best way to have less pain in the neck is to use only official sources.
  • Be suspicious of any email you receive. One of the most popular sources of malicious files is spam email. Sure enough, it may be challenging to tell one apart, especially when hackers are doing their best to disguise it as legitimate. Still, checking a few things, like the sender’s address, and applying common sense will make the task much easier.
  • Update your software as often as possible. Software vendors do not release minor updates just to annoy you with the “update me” pop-up. Most often, such updates contain bug fixes and, more importantly, vulnerability patches. Products from a few vendors deserve particular attention: Adobe, Microsoft and Oracle. Yet other updates should not be ignored either.
  • Use top-rated anti-malware software. It is always handy to have something that solves certain problems for you. Instead of spending time and effort trying to figure out whether a file is malicious, you can ask a program to do it for you. Of course, not every product is fit to deal with the threats described above. You need to pick one with a multi-component scanning system and on-run protection. I’d recommend trying GridinSoft Anti-Malware: it can detect any threat, thanks to its neural network and proactive detection system.


Hackers Use Fresh Vulnerability in Windows Print Spooler in Real Attacks
https://gridinsoft.com/blogs/vulnerability-in-windows-print-spooler-in-real-attacks/
Thu, 21 Apr 2022 20:47:31 +0000

The US Cybersecurity and Infrastructure Security Agency (CISA) warned that a vulnerability in the Windows Print Spooler component, patched by Microsoft in February 2022, is being actively exploited by hackers.

The issue in question is tracked as CVE-2022-22718 (CVSS score of 7.8) and, according to Microsoft, affects all versions of Windows.

At the same time, the company disclosed almost no technical details of the bug; it only reported that attackers can exploit the vulnerability locally, in low-complexity attacks and without any user interaction.

“CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalogue, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” CISA representatives stated.

It is worth recalling that last year Microsoft fought for a long time (and not always successfully) with various bugs in Print Spooler, including the critical PrintNightmare vulnerability that allows remote arbitrary code execution. Then, after the technical details of the bug and a PoC exploit were accidentally leaked, CISA experts warned administrators that they urgently needed to disable the Print Spooler service on domain controllers and on systems not used for printing in order to block potential attacks.

“Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object,” Microsoft also recommended.

For now, the nature of the attacks on CVE-2022-22718 and the identities of the perpetrators behind them are largely unknown, as the authorities are apparently trying to prevent further exploitation of the problem by other hacking groups.

[Image: Vulnerability in Windows Print Spooler in the CISA catalog]

In addition, this week two other issues were added to the CISA catalogue of known exploited vulnerabilities, although they date back to 2018 and 2019:

  • CVE-2018-6882 (CVSS score 6.1) – an XSS vulnerability in Zimbra Collaboration Suite (ZCS)
  • CVE-2019-3568 (CVSS score 9.8) – a stack buffer overflow vulnerability in WhatsApp VOIP
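The hardening advice quoted above from CISA and Microsoft, disabling the Print Spooler service on domain controllers and on systems that do not print, can be checked and applied per host with the added PowerShell example below. It is my own code, not from the Gridinsoft post, CISA or Microsoft; Microsoft's recommended fleet-wide method remains a Group Policy Object, and this script is the per-host equivalent for verification or for machines outside GPO scope. The function name and the "shares printers" heuristic for deciding what counts as a print server are my own choices.

```powershell
# Added example, not from the original post. Stops and disables the Print Spooler on hosts
# that should not run it (domain controllers, and anything that shares no printers).
# Function name is hypothetical; run in an elevated PowerShell session.
function Disable-PrintSpoolerIfNotNeeded {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $isDomainController = ($os.ProductType -eq 2)

    # Heuristic (my own): a host is a print server only if it actually shares a printer.
    $sharedPrinters = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    $isPrintServer  = $sharedPrinters.Count -gt 0

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Action = 'Spooler service not present' }
    }

    # Per the quoted guidance, domain controllers lose the spooler regardless of printers;
    # other hosts keep it only if they genuinely serve print jobs.
    if ($isPrintServer -and -not $isDomainController) {
        return [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Action = "Left running: host shares $($sharedPrinters.Count) printer(s)"
        }
    }

    if ($PSCmdlet.ShouldProcess("Spooler service on $env:COMPUTERNAME", 'Stop and disable')) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled
    }

    $after = Get-Service -Name Spooler
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        IsDomainController = $isDomainController
        Status             = $after.Status
        StartType          = $after.StartType
        Action             = 'Spooler stopped and disabled'
    }
}

# Preview first; drop -WhatIf to apply. Expect Status 'Stopped' and StartType 'Disabled' afterwards.
Disable-PrintSpoolerIfNotNeeded -WhatIf
```

Because the function supports `-WhatIf`, it can be run across a fleet with `Invoke-Command` to produce an inventory of which hosts would change before anything is actually disabled, which is the same verification you would want after a GPO rollout.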
