Malicious ISS module exploitation is the latest trend among threat actors targeting Exchange servers, analysts say.

Attackers once focused on exploiting ProxyLogon Microsoft Exchange server vulnerabilities have made a pivot to the new SessionManager backdoor, which can be used to gain persistent, undetected access to emails -- and even take over the target organization's infrastructure. 

Researchers from Kaspersky today report the emergence of SessionManager, which they say is part of a bigger trend of attackers deploying malicious backdoor modules inside Internet Information Services (ISS) servers for Windows, like Exchange servers.   

The malicious SessionManager backdoor, first observed in March 2021, has been used to target nongovernmental organizations (NGOs) across Africa, Europe, the Middle East, and South Asia, the researchers add. The Kaspersky report says 34 servers across 24 individual NGOs have been compromised by SessionManager. 

"The exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to get into targeted infrastructure since Q1 2021," said Pierre Delcher, senior security researcher at Kaspersky, in a post about the findings. "The recently discovered SessionManager was poorly detected for a year and is still deployed in the wild."

The Kaspersky team recommends regular threat hunting for malicious modules in exposed ISS servers and focusing detection on lateral movement across the network, as well as close monitoring of data exfiltration to the Internet. 

"In the case of Exchange servers, we cannot stress it enough: The past year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already,” Delcher warned.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Exchange Servers Backdoored Globally by SessionManager

An unauthenticated remote code execution vulnerability found in Zoho’s compliance tool could leave organizations exposed to an information disclosure catastrophe, new analysis shows.

A critical vulnerability in Zoho’s widely used compliance tool, ManageEngine ADAudit Plus, which monitors changes to Microsoft Active Directory, leaves endpoints vulnerable to unauthenticated users. A successful exploit could allow an attacker to take over an entire enterprise network, Horizon3.ai researchers warn.  

ADAudit Plus offers a path into an organization’s workstations, servers, and file servers, giving IT admins access to a range of users, groups, permissions, and login credentials, as well as security policies. ADAudit Plus also enables users to collect security events from agents running on other machines in the domain through endpoints that agents use to upload events.

The platform’s ability to offer deep access into a company’s internal IT ecosystem heightens the potential for a nightmare-scenario level of data exposure in the event of a breach.

The CVE-2022-28219 vulnerability enables malicious actors to easily take over a network for which they already have initial access. Malicious actors could exploit this vulnerability to deploy ransomware, exfiltrate sensitive business data, or disrupt business operations.

They could also then go on to exploit XML External Entities (XXE), Java deserialization, and path traversal vulnerabilities to wreak additional havoc, according to an in-depth analysis this week by Horizon3.ai.

**Inside the Vulnerability**

Horizon3.ai discovered some of the ADAudit Plus endpoints used for reporting were unauthenticated.

“One of the first things that stood out was the presence of a /cewolf endpoint handled by the CewolfRenderer servlet in the third-party Cewolf charting library,” the analysis states. “This is the same vulnerable endpoint from CVE-2020-10189, reported against ManageEngine Desktop Central.”

It added, “This gave us a large attack surface to work with because there’s a lot of business logic that was written to process these events. While looking for a file-upload vector, we found a path to trigger a blind XXE \[XML External Entity injection\] vulnerability in the ProcessTrackingListener class, which handles events containing Windows scheduled task XML content.”

The vulnerability was disclosed to Zoho in March, which released a new build, ADAudit Plus 7060, to fix the issue. The patch fixes the vulnerability by removing the /cewolf endpoint altogether, instead using a secure version of DocumentBuilderFactoryin the ProcessingTrackingListener class and requiring authentication in the form of an agent GUID between agents and ADAudit Plus.

**High Stakes, Plus Exploitation Difficult to Detect**

Horizon3.ai chief architect Naveen Sunkavally explains that ManageEngine products are very common in the enterprise and have been favorite targets of attackers over the years.

“ADAudit Plus is a tool that's used for compliance and auditing, which is a common need for many companies spanning different verticals,” he says. “This vulnerability has been found to be present in many types of environments, from healthcare and technology to construction and local governments.”

Just last fall, ManageEngine ADSelfService Plus, Desktop Central, and ServiceDesk Plus were all actively targeted by attackers using previously undisclosed zero days (CVE-2021-44515, CVE-2021-44077, and CVE-2021-40539) that are now part of the CISA Known Exploited Vulnerabilities (KEV) list.

The latest vulnerability is easy to exploit without any prior knowledge and can yield the "keys to the kingdom,  Sunkavally explains. To boot, exploitation is not that easy to detect because it makes use of the natural behavior of the ADAudit Plus application.

“ADAudit Plus is an attractive target for attackers because it integrates with Active Directory and stores high-privileged domain user credentials,” Sunkavally says.

He notes an attacker with initial access to a compromised network could exploit this vulnerability to extract these high-privileged credentials, move laterally, and take over the entire network.

“We've seen real-world environments where just exploiting this vulnerability alone is enough to take over the enterprise,” Sunkavally adds.

He advises businesses using ADAudit Plus to upgrade to build 7060 or later and ensure ADAudit Plus is configured with a dedicated service account with restricted privileges.

“This vulnerability is not one to hold off on patching,” he says.

**Buggy ManageEngine Has History of Vulnerabilities**

This is not the first time the ManageEngine suite was found to have vulnerabilities. Last September a joint advisory from the FBI and CISA warned of APT attackers exploiting a critical authentication bypass vulnerability in ManageEngine ADSelfService Plus.

While Zoho moved to fix the vulnerabilities, less than a month later Palo Alto Networks issued a warning that many companies are still vulnerable.

Most recently, an elusive attack targeting SolarWinds' Orion network management software, dubbed the Supernova cyberattack, exploited a ManageEngine flaw in the software running on a victim's server.

Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration

Immigration organisations are being targeted by the APT group Evilnum, using spear phishing to send malicious Word documents.
The post Immigration organisations targeted by APT group Evilnum appeared first on Malwarebytes Labs.

Organisations working in the immigration sector are advised to be on high alert for Advanced Persistent Threat (APT) attacks. Bleeping Computer reports that European organisations, specifically, are under threat from the Evilnum hacking group.

Evilnum, on the APT scene since 2018 at the earliest and perhaps most well known for targeting the financial sector, appears to have switched gears.

**In times of conflict**

The observed attacks seem to have sprung into life on or around the beginning of the invasion of Ukraine. This is quite worrying for several reasons:

*   Immigration organisations in Europe are still impacted by the fallout from COVID-19. Additionally, Government immigration services continue to be non-functional or afflicted with severe delays in processing. The UK, which set up a dedicated visa for Ukrainian refugees, has experienced processing delays for unrelated visas of up to 6 months as a result of this project. Being targeted with malware could impact crucial services still further, putting people at risk.
*   Huge amounts of sensitive data is passing to and from independent immigration organisations related to the invasion of Ukraine. Exfiltration of this data could put people both outside Ukraine and those still there at risk of significant harm.
*   Many volunteer organisations have sprung up to support efforts related to Ukraine. Many of these have little to no funding and are being run by random groups of immigration lawyers with minimal experience of cybersecurity issues. This is, unfortunately, an area of potential rich pickings for attackers.

**Important attack details**

The APT group targeted an Intergovernmental organisation (IGO), an entity created via treaty which involves two or more nations to work on issues of common interest. This attack, then, is at the highest level in terms of immigration related impact.

It begins, as so many attacks do, with a targeted email containing a rogue attachment. Opening the attached Word document fires up a message which claims that the document was created in a later version of Microsoft Word. It explains how to enable editing in order to view the supposed content, typically called “Compliance” but also “Complaint” or “Proof of ownership”, among others.

Heavily obfuscated JavaScript decrypts and deposits an encrypted binary and a malware loader (which loads up the binary), and creates a scheduled task to keep things constantly ticking over. File system artefacts created during execution are designed to imitate legitimate Windows binary names, to assist in detection avoidance.

The aim here is to create a backdoor on infected systems. Machine snapshots are taken and sent back to base via POST requests, with exfiltrated data in encrypted form.

**Cybersecurity, just from a different point of view**

Refugees from Ukraine are being assisted by multiple organisations that were set up after the initial invasion. Lawyers helping to run these groups may not be fully immersed in cybersecurity. However, they follow strict rules and regulations with regard to client data by default. As a result, they’re often doing security-centric things to keep client data secure without perhaps noticing the crossover.

For example: Most immigration lawyer/client interactions in the UK currently are remote, partly due to COVID-19 and partly because the UK’s visa system is now almost entirely online. As a result, pretty much everything involving sensitive documentation begins life in the form of an email. This sounds bad at first glance; however, this isn’t the case. Lawyers and clients aren’t emailing important documents in plaintext. Instead, they’re making use of encrypted documents, secure file uploads, and deleting data as and when required.

**Tips for immigration orgs**

If you’re a small organisation looking to help with visa or refugee processes for Ukrainians fleeing the invasion, here’s some of the things you can make a start on now to help keep things secure:

*   Ensure your website is HTTPs. Most sites I’ve seen in this realm use a combination of contact email and/or web form. You don’t want sensitive information intercepted because of insecure websites. As few people as possible should have admin access to the site, and anything related to publishing. Use as few extensions and plugins as possible. Paying for domain anonymity services is useful if required.
*   Consider using an alias for public facing email addresses. Additionally, lock down all email addresses with multifactor authentication (MFA). The same goes for backup/recovery emails tied to the main account(s).
*   If you have the choice of SMS codes or authentication apps/hardware based security keys for 2FA, choose the latter. SMS won’t work with no signal reception, and fraudsters may divert your SMS codes via SIM swapping.
*   Consider using a password manager for organization-specific passwords. If you need to share logins, use a management tool which allows you to share logins without revealing the password itself. Should you land on a phishing site, your password manager won’t pre-fill your details into the bogus portal.

I’ve spoken to individuals from several UK-based immigration organisations, including those focused on helping Ukrainians. At this point, none of them report having been targeted by attacks similar to the above. However, those organisations are absolutely in the spotlight for anyone potentially up to no good. If you’re in this line of work, or you’re just getting started, consider where and how you can begin to get things locked down right now.

Immigration organisations targeted by APT group Evilnum

Mozilla has released Firefox updates to the Release Channel that fix several security vulnerabilities and introduce a new privacy feature called Query Parameter Stripping.
The post Update now! Mozilla fixes security vulnerabilities and introduces a new privacy feature for Firefox appeared first on Malwarebytes Labs.

Mozilla released version 102.0 of the Firefox browser to Release channel users on June 28, 2022.

The new version fixes 20 security vulnerabilities, five of which are classified as “High”. The new version also comes with a new privacy feature that strips parameters from URLs that track you around the web.

**Vulnerabilities**

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs we think you should know:

**High**

CVE-2022-34479: A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. This bug only affects Firefox for Linux. It does not apply to other operating systems.

CVE-2022-34470: Use-after-free in nsSHistory. Use after free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Navigations between XML documents may have led to a use-after-free and potentially exploitable crash.

CVE-2022-34468: CSP sandbox header without ‘allow-scripts’ can be bypassed via retargeted javascript: URI. An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link.

CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11. Some of these bugs showed evidence of JavaScript prototype or memory corruption, and with enough effort some of these could have been exploited to run arbitrary code.

**Moderate**

CVE-2022-34482 and CVE-2022-34483: Two separate issues with the same effect. Drag and drop of malicious image could have led to malicious executable and potential code execution. An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension.

CVE-2022-34478: The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild, so in this release Firefox has blocked these protocols from prompting the user to open them.

**New privacy feature**

Many companies involved in advertising use custom URL query parameters that enable them to track clicks on links. The most well-known example is probably the ?fbclid= parameter that Facebook adds to outbound links.

With the release of Firefox 102, Mozilla has added the new “Query Parameter Stripping” feature that automatically strips some of these query parameters. It does not matter whether you clicked on a link or pasted the URL into the address bar.

To enable Query Parameter Stripping, go into the Firefox Settings, click on **Privacy & Security**, and then change **Enhanced Tracking Protection** to **Strict**.

You will need to click **Reload All Tabs** to apply the changes. If you find that setting **Enhanced Tracking Protection** to **Strict** could causes issues with certain sites, you can use the Manage Exceptions option to add these websites, or use the “Custom” setting to choose which trackers and scripts to block.

**Updating**

Under normal circumstances, updates will be applied without user intervention. You can check for the version number in the products’ menu under **Help** > **About**

Should you not be using the latest version for some reason, e.g. automatic updates are disabled, then this screen will inform you that a new version is available and will start downloading it.

When it’s done, you’ll see a prompt to restart the browser. This will apply the update.

Stay safe, everyone!

Update now! Mozilla fixes security vulnerabilities and introduces a new privacy feature for Firefox

There were a record number of zero-day attacks last year, but some basic cyber-hygiene strategies can help keep your organization more safe.

Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just over Memorial Day weekend, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because blue teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organization's environment to observe and exfiltrate data while remaining completely unseen.

And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.

**How Do Zero-Days Work?**

Typically, what a zero-day will do is gain access to an environment through a vulnerability previously unseen, then it stealthily maps the environment and, when ready, launches the attack. This is far too late for an incident response team to prevent further damage. Staying alert for these slow-burn attacks requires an approach to security that prioritizes looking for certain techniques and behaviors that a hacker or known threat group may use, rather than scanning for specific pieces of malware. In other words, ensure that the technology your organization has is sufficient for protecting from the unknown. Many zero-days may never hit a hard drive, so pointing threat detection tools there could be fruitless.

While it might sound like a broken record, patching is integral to protection against exploits. As soon as a proof of concept (PoC) is made public on the Dark Web or more legitimate forums like GitHub, most vendors will develop a patch. Staying on top of guidance from industry organizations like (ISC)2 or federal authorities like the Cybersecurity and Infrastructure Security Agency is a good way to prioritize the exploits that are most relevant and most risky to your organization.

However, zero-day exploits are those that the vendor doesn't know exist, and therefore no patch is available. It's very difficult to defend against these without protections and detections that are broad enough to identify tactics, techniques, and procedures. In some cases, protection technologies can use behavioral detections to block certain activities, while in other cases, using detection technologies or human expertise in a security operations center is the only defense.

Above all, investing in the human element of security will place an organization in the best position to limit the financial and data losses zero-days can incur. By placing hands on keyboards and unlocking visibility into all aspects of an ecosystem, a security team can more readily detect hints that a zero-day might be targeted against them and deploy necessary patches. For example, if a robot you operate in the US randomly connects to a server in Ukraine without any other unusual behavior, it might signal that a zero-day has been leveraged. And while there may have been an initial access into your robot or environment through a zero-day, having a broad view of your IT security ecosystem, along with technologies like artificial intelligence, can alert an incident response team to create a patch for a vulnerability as soon as possible.

Thankfully, even though more zero-days are being discovered than ever before, they're still relatively rare in the world of cybersecurity. Up until the last several years, zero-day exploits were mostly identified and held closely by national governments, who wanted to save them to deploy whenever necessary. But the commercialization of hacking groups, including ransomware-as-a-service platforms, has created an ecosystem incentivizing the purchasing and selling of zero-days, often with the financial or technological resources of a nation-state in support.

With such capable attackers, virtually every business should be worried — from large companies that serve as final targets for hackers, to smaller companies that can serve as stepping stones in a sequence of attacks. The constant of security operations can detect and mitigate threat actors from lurking behind the scenes of an IT ecosystem through a zero-day exploit, no matter the origin. So, while patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.

Zero-Days Aren't Going Away Anytime Soon & What Leaders Need to Know

Infamous malware Raccoon Stealer is reportedly back in business after a break.
The post Raccoon Stealer returns with a new bag of tricks appeared first on Malwarebytes Labs.

The popular malware Raccoon stealer, which suspended operations after a developer allegedly died in the Ukraine invasion, has returned.

Raccoon stealer is malware as a service, with the developers selling it to would-be users. The operation is a tightly-run ship, to the extent that customers have digital signatures tied to their executables. If files end up on malware scanning services, the malware authors know exactly who the leak has come from.

**So much data, so little time**

The popular tool, used for data theft, is ubiquitous where stealing credentials is concerned. Cryptocurrency wallets, cookies, passwords, browser autofill data, and credit card data: pretty much anything is up for grabs.

Since 2019, Raccoon stealer has been lifting data from the unwary. Cheap to purchase and packing a large range of features, it is able to steal from as many as 60 different applications including:

**Email**: Outlook, Thunderbird, Thunderbird  
**Browsers**: Firefox, Chrome, Microsoft Edge, Internet Explorer, Vivaldi, SeaMonkey, Vivaldi  
**Cryptocurrency app**s: Exodus, Monero, Electrum, Jaxx

Raccoon’s two most popular delivery methods are phishing campaigns (the tried and tested malicious Word document/Macro combination) and exploit kits. Once data is located on the target system, it is eventually placed into a .zip file and sent to the malware Command and Control (C&C) server.

Its operators are constantly innovating, for example making use of Telegram to operate C&C. This is one malware project which wasn’t going to stay gone for long.

**An all new raccoon rampage**

The new version, Raccoon Stealer 2.0, was claimed as being sold on Telegram and in circulation since May 17. However, these claims related to Telegram have since been shown to be fake.

While functionality appears to be mostly similar to the original version, there are some notable differences. The creators claim to have improved the software and resurrected their malware antics to “honour” the legacy of the teammate who died:

> _After our teammate loss we made a decision that we can not leave our project and we will continue our work in his honour. Raccoon Stealer 2.0 was totally coded from the very beginning. New back-end, new front-end, absolutely new stealer software._

**Smash and grab**

Credit card data, autofill, browser passwords, and a big slice of cryptocurrency wallets are once more targets for Raccoon Stealer. The big change up seems to be related to how data is exfiltrated. This new version doesn’t appear to be particularly stealthy.

The name of the game in data exfiltration is to make as few moves as possible to help evade detection. Sneaky malware will collect data as it goes, before eventually sending the whole lot in a zip in one go. If an infection is constantly pinging away, the chances of it being caught by security tools increases dramatically.

Here, Racoon Stealer seems to be throwing a little caution to the wind. The stealer sends data every single time it adds to its exfiltrated data collection. Researchers note that Raccoon Stealer 2.0 possesses no obfuscation or anti-analysis techniques.

I’d love to know if some sort of data driven analysis led developers to the conclusion that smash and grab is ultimately more suited to their business model than waiting it out. Ultimately, this may be the one bright note for embattled IT admins in the wake of everyone’s least favourite raccoon’s re-emergence onto the malware scene.

Raccoon Stealer returns with a new bag of tricks

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

June has seen the release of multiple security updates, with important patches issued for the likes of Google's Chrome and Android as well as dozens of patches for Microsoft products, including fixes for a Windows zero-day vulnerability that attackers had already exploited. Apple updates were absent at the time of writing, but the month also included some major enterprise-focused patches for Citrix, SAP, and Cisco products.

Here’s what you need to know about the major patches released in the past month.

Microsoft

Microsoft’s Patch Tuesday release was pretty hefty in June, including fixes for 55 flaws in the tech giant’s products. This Patch Tuesday was particularly important because it addressed an already exploited remote code execution (RCE) issue in Windows dubbed Follina, which Microsoft has been aware of since at least May.

Tracked as CVE-2022-30190, Follina—which takes advantage of vulnerabilities in the Windows Support Diagnostic tool and can execute without the need to open a document—has already been used by multiple criminal groups and state-sponsored attackers.

Three of the vulnerabilities addressed in Patch Tuesday affecting Windows Server are RCE flaws and rated as critical. However, the patches seem to be breaking some VPN and RDP connections, so be careful.

Google Chrome

Google Chrome updates continue to come thick and fast. That’s no bad thing, as the world’s most popular browser is by default one of the biggest targets for hackers. In June, Google released Chrome 103 with patches for 14 vulnerabilities, some of which are serious.

Tracked as CVE-2022-2156, the biggest flaw is a use-after-free issue in Base reported by Google’s Project Zero bug-hunting team that could lead to arbitrary code execution, denial of service, or corruption of data. Worse, when chained with other vulnerabilities the flaw could lead to full system compromise.

Other issues patched in Chrome include vulnerabilities in Interest Groups, WebApp Provider, and a flaw in the V8 Javascript and WebAssembly engine.

Google Android

Of the multiple Android security issues Google patched in June, the most severe is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin.

Google also released updates for its Pixel devices to patch issues in the Android Framework, Media Framework, and System Components.

Samsung users seem to have gotten lucky with Android updates of late, with the device maker rolling out its patches very quickly. The June security update is no different, reaching the Samsung Galaxy Tab S7 series, Galaxy S21 series, Galaxy S22 series, and the Galaxy Z Fold 2 straightaway.

Cisco

Software maker Cisco released a patch in June to fix a critical vulnerability in Cisco Secure Email and Web Manager and Cisco Email Security Appliance that could allow a remote attacker to bypass authentication and log in to the web management interface of an affected device.

The issue, tracked as CVE-2022-20798, could be exploited if an attacker enters something specific on the login page of the affected device, which would provide access to the web-based management interface, Cisco said.

Citrix

Citrix has issued a warning urging users to patch some major vulnerabilities that could let attackers reset admin passwords. The vulnerabilities in Citrix Application Delivery Management could result in corruption of the system by a remote, unauthenticated user, Citrix said in a security bulletin. “The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted,” the company wrote.

Citrix recommends that traffic to the Citrix ADM’s IP address be segmented from standard network traffic. This diminishes the risk of exploitation, it said. However, the vendor also urged customers to install the updated versions of Citrix ADM server and Citrix ADM agent “as soon as possible.”

SAP

Software firm SAP has released 12 security patches as part of its June Patch Day, three of which are serious. The first listed by SAP relates to an update released on April 2018 Patch Day and applies to the browser control Google Chromium used by the firm’s business clients. Details of this vulnerability aren’t available, but it has a severity score of 10, so the patch should be applied straightaway.

Another major fix concerns an issue in the SAProuter proxy in NetWeaver and ABAP Platform, which could allow an attacker to execute SAProuter administration commands from a remote client. The third major patch fixes a privilege escalation bug in SAP PowerDesigner Proxy 16.7.

Splunk Enterprise

Splunk has released some out-of-band patches for its Enterprise product, fixing issues including a critical-rated vulnerability that could lead to arbitrary code execution.

Labeled CVE-2022-32158, the flaw could allow an adversary to compromise a Universal Forwarder endpoint and execute code on other endpoints connected to the deployment server. Thankfully, there’s no indication that the vulnerability has been used in any real-world attacks.

Ninja Forms WordPress Plug-In

Ninja Forms, a WordPress plug-in with over a million active installations, has patched a serious issue that’s probably being used by attackers in the wild. “We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” security analysts at the WordPress Wordfence Threat Intelligence team said in an update.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present, researchers said.

The flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for the plug-in, so your site may already be using one of the patched versions.

Atlassian

Australian software company Atlassian has released a patch to fix a zero-day flaw that’s already being exploited by attackers. Tracked as CVE-2022-26134, the RCE vulnerability in the Confluence Server and Data Center can be used to backdoor internet-exposed servers.

GitLab

GitLab has issued patches for versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition and Enterprise Edition. The updates contain important security fixes for eight vulnerabilities, one of which could allow for account takeover.

With this in mind, the firm “strongly recommends” that all GitLab installations be upgraded to the latest version “as soon as possible.” GitLab.com is already running the patched version.

You Need to Update Windows and Chrome Right Now

**According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?**

This vulnerability could lead to a browser sandbox escape.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20220614**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20220614)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-33680: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

By Waqas
The new phishing scam uses malicious and fake chatbots to steal login credentials of unsuspected Facebook users through…
This is a post from HackRead.com Read the original post: Facebook Phishing Scam: Crooks Using Messenger Chatbots to Steal Login Data

****The new phishing scam uses malicious and fake chatbots to steal login credentials of unsuspected Facebook users through Facebook Messenger.****

A new phishing campaign has been discovered by Trustwave security researchers, which involves using Facebook Messenger chatbots while the campaign’s objective is to steal user credentials.

According to Trustwave’s analysis of this new phishing campaign, the chatbots impersonate customer support staff of the social network. These bots then hijack pages by compelling page managers to enter credentials for that Facebook page. The malicious chatbots and websites were quickly taken down after Trustwave’s report.

Chatbots are basically specially designed programs that provide customer support and answer user queries as live support staff before the question is forwarded to a human employee. These bots are generally used by businesses that offer live chat or customer support services.

**Attack Scenario Explained**

This phishing attack started with an email informing the recipient that Facebook would delete their page after 48 hours for violating Meta community standards. When the recipient clicked on the Appeal Now link, they were redirected to a fake Messenger support page hosted by Google Firebase, where they had to interact with chatbots. 

Fake Support chatbot (Image: Trustwave)

Researchers noticed that the phony support chatbot profile was a fan/business page that didn’t have any followers or posts. However, the attackers used the official Messenger logo on the profile page to make the bot appear legit. In the Appeal form, the user entered their name, surname, email ID, page name, and mobile number. 

They were also prompted to complete 2FA authentication, and the OTP could be of any length. As soon as the user clicked on Submit button, the attackers received the form, and the credentials were compromised while the user was redirected to Meta’s official intellectual property and copyright guidelines page.

Password stealing and Fake OTP Page (Image: Trustwave)

**How was the Scam Exposed?**

Concerns were raised when researchers identified many errors in the email, which hinted at its malicious nature. Such as, a dot was missing after the third sentence, and there was incorrect capitalization of the word Page.

The email header also contained several errors pointing to the email’s illegitimacy. For instance, Policy Issues was written in the sender’s name, and the sender domain didn’t belong to Facebook/Meta.

> “The fact that the spammers are leveraging the platform that they are mimicking makes this campaign a perfect social engineering technique.”
> 
> Trustwave

In conclusion, it is imperative that social media users be cautious when opening such warning notices and always check for red flags before giving away sensitive information. Moreover, it is always best to be cautious when engaging with someone on Facebook or social media in general. If you are unsure about the legitimacy of a user or bot, do not provide any personal information and report them to Facebook.

**More Facebook Phishing News**

*   URL Padding: Facebook Mobile Users Hit by Phishing Scam
*   Facebook ads used in spreading Facebook Messenger phishing scam
*   Facebook Last Warning Phishing Scam Stealing Login, Credit Card Data
*   “I think you appear in this video” phishing scam hijacks Facebook accounts
*   Microsoft, PayPal & Facebook most targeted brands in phishing scams: Report

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Facebook Phishing Scam: Crooks Using Messenger Chatbots to Steal Login Data

Microsoft is urging organizations that don't have automatic updates enabled to update to the latest version of Linux Server Fabric to thwart the "FabricScape" cloud bug.

Microsoft this week disclosed a serious container-escape vulnerability in its widely used Azure Service Fabric technology, which gives attackers a way to gain root privileges on the host node and take over all other nodes in the cluster.

The privilege-escalation bug is only exploitable on Linux containers, though it is present in Windows container environments as well, Microsoft said in an advisory Tuesday. Security researchers from Palo Alto Networks reported the bug — which they have dubbed FabricScape — along with a fully operational exploit, on Jan. 30, 2022. Microsoft released a fix for the issue (CVE-2022-30137) on June 14, but details on the bug were just released this week.

The fix has been applied to all customers that are subscribed to Microsoft's automatic update service, but others will need to manually patch to the latest version of Service Fabric. "Customers whose Linux clusters are automatically updated do not need to take further action," the company said in its bug disclosure announcement.

**A Privilege-Escalation Issue**

Service Fabric is a Microsoft container-orchestration technology — like Kubernetes. Numerous organizations use it as a platform-as-a-service to deploy and manage containers and microservices-based cloud applications across a cluster of machines. Palo Alto Networks used Microsoft data to estimate that Service Fabric hosts more than 1 million applications daily across millions of cores.

The bug that Palo Alto Network discovered exists in a logging function with high privileges in a Service Fabric component called Data Collection Agent (DCA). Researchers from the security vendor's Unit 42 threat intelligence team found that an attacker with access to a compromised container could exploit the vulnerability to escalate privileges and gain control of the host node and, from there, escape it and attack the entire cluster.

"The vulnerability allows attackers to take over the entire Service Fabric environment if they get a hold of a single application," says Ariel Zelivansky, director of security research at Palo Alto Networks. This allows attackers to perform lateral movement and to steal, destroy, or manipulate data. Other actions that an attacker could take by exploiting FabricScape include deploying ransomware or hijacking systems for cryptomining.

"If an organization hosts all of its applications, and possibly credentials, on Service Fabric, an attacker can gain control of all of those," Zelivansky says.

For an attack to be successful, a threat actor would first need to find a way to compromise a containerized workload on a Linux Service Fabric cluster, Microsoft said. The attacker would then need to trigger the DCA to run the vulnerable function in a manner that results in a so-called "race condition" where malicious code can be introduced into the environment.

**PoC: Exploiting the Flaw**

Researchers at Palo Alto Networks were able to exploit the vulnerability on Azure Service Fabric using a container under their control and a simulated compromised workload. They found the attack only worked if the compromised container had access to Service Fabric runtime data — something that is granted by default in single-tenant environments but less common in multitenant setups.

"Any application that is powered by a Service Fabric Linux cluster with runtime access, which is granted by default, is affected," Zelivansky said. Last year, Palo Alto Networks discovered another set of vulnerabilities in the Azure Container Instances (ACI) platform that allowed for a similar container escape.

Microsoft urged organizations using Service Fabric to review containerized workloads in both Linux and Windows environments that had access to host clusters. "By default, a \[Service Fabric\] cluster is a single-tenant environment and thus there is no isolation between applications," Microsoft said. All applications running in these single tenant environments are considered trusted and therefore have access to Service Fabric runtime, Microsoft said.

Thus, organizations that want to run untrusted application in a Service Fabric cluster should take additional measures to create isolation between applications and should remove access to Service Fabric runtime for those untrusted apps, Microsoft said.

Zelivansky says the first layer of defense against vulnerabilities such as FabricScape is focusing on the application itself, limiting the possibility of an attack by remediating known vulnerabilities in their code. They can also limit exposure to the Internet.

However, he offers a caveat: "But the reality is that even if an application is safe from any known vulnerability, zero-day vulnerabilities could be discovered and exploited in any code. And \[software\] supply-chain attacks such as typosquatted or malicious packages are becoming more common than before," he says.

Zelivansky says organizations running Linux Service Fabric clusters should check their cluster version and verify the version is at least 9.0.1035.1. "An organization should check if they have Linux-based applications on Service Fabric. If the answer is yes, we recommend giving top priority to addressing this vulnerability now that its full details are out."

**Cloud Vulnerabilities in Cyberattackers' Sights**

Vulnerabilities in cloud products and services have become a growing concern for organizations — and not just because of the security risks associated with them. In many cases, organizations also have a hard time keeping track of cloud vulnerabilities because of the absence of a common vulnerability enumeration (CVE) program for cataloging them. Because many cloud-security issues are considered the service provider's sole responsibility, there often has been little disclosure of these issues, leaving organizations in the dark about whether they might have been exposed to a specific threat.

This week researchers at Wiz launched a new community-based cloud vulnerability database aimed at addressing this lack of information. The database currently contains information on some 70 previous security issues in cloud products and services. Anyone can add to the database going forward. The goal is to make it a central repository for information on cloud threats in the absence of a formal program like MITRE's CVE program for information security flaws.

Tag

#microsoft