Calendar Week 03 – WafdogBlog

TeamViewer Exploited by Cybercriminals for Ransomware Attacks
Tue, 12 Mar 2024 15:37:56 +0000

Cybercriminals appear to be currently exploiting the widely used remote access software TeamViewer to gain unauthorized access to remote computer systems and encrypt them with ransomware. This was reported by Bleeping Computer, citing a blog post from Huntress, detailing two specific attack incidents.

In both cases, initial access was made through TeamViewer from the same source point, as explained by security researchers at Huntress. This suggests that the same threat actor was responsible for these access attempts. Evidence of this was found by the researchers in a log file named connections_incoming.txt generated by the remote access tool.

Indications of Lockbit 3.0 Deployment

The ransomware was executed through a batch file named PP.bat placed on the desktops of the compromised systems. On the first system the attack appears to have succeeded but remained limited to that system; on the second, security software prevented the data from being encrypted despite multiple attempts by the attacker to execute the ransomware.

The specific ransomware used is not disclosed by the Huntress researchers. However, according to Bleeping Computer, indications from the researchers suggest that the malware was based on Lockbit 3.0. A ransomware builder for Lockbit 3.0 was released as early as 2022, and since then, various hacker groups have been utilizing this ransomware developed by the Lockbit gang.

Insecure Passwords as a Possible Entry Point

It remains unclear how exactly the attacker managed to take control of the respective TeamViewer instances. The manufacturer of the remote support software told Bleeping Computer that most cases of unauthorized access result from weakened default security settings of TeamViewer, including the use of insecure passwords, which is only possible in outdated versions of the software.

Indeed, there have been cases in the past where attackers utilized access credentials obtained from known data breaches to take over TeamViewer accounts and infiltrate associated devices. Additionally, trojanized versions of the remote support tool have been circulated to take over remote systems. Therefore, the recent attacks do not necessarily imply a vulnerability in TeamViewer.

The developer of the software recommends that users protect their systems by using complex passwords and two-factor authentication, regularly updating the tool, and restricting access to connected machines through the Allowlist feature. An article detailing best practices for secure unattended access via TeamViewer is available on the provider’s website.

Juniper Networks Releases Critical Updates to Patch Remote Code Execution Vulnerabilities in SRX Firewalls and EX Switches
Tue, 12 Mar 2024 15:36:23 +0000

Juniper Networks has issued updates to address a critical remote code execution (RCE) vulnerability found in its SRX Series firewalls and EX Series switches. Rated 9.8 on the CVSS scoring system and tracked as CVE-2024-21591, this vulnerability could allow an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS) condition or to execute code remotely and obtain root privileges on the affected device. It stems from an out-of-bounds write issue in J-Web of Juniper Networks Junos OS on SRX Series and EX Series.

The vulnerability arises from the use of an insecure function, which lets an attacker overwrite arbitrary memory. Junos OS versions prior to the fixed releases are affected; the fix is included in 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and later releases.

As interim measures until the patches are applied, users are advised by Juniper Networks to either disable J-Web or limit access solely to trusted hosts.

Additionally, Juniper Networks has addressed a high-severity bug in Junos OS and Junos OS Evolved, identified as CVE-2024-21611 with a CVSS score of 7.5. This vulnerability, exploitable by an unauthenticated, network-based attacker, could lead to a DoS scenario.

Although there’s no evidence of active exploitation in the wild, Juniper Networks encountered multiple security vulnerabilities in its SRX firewalls and EX switches in the previous year, which were exploited by threat actors. Data from Censys, an attack surface management firm, indicates that as of January 11, 2024, more than 11,500 J-Web interfaces are accessible online, with a significant number located in South Korea, the U.S., Hong Kong, China, and India.

NetScaler’s ADC and Gateway Products: New Vulnerabilities Uncovered and Patched
Tue, 12 Mar 2024 15:34:41 +0000

Just when you thought you had recovered from Bleed, two vulnerabilities in NetScaler’s ADC and Gateway products have been rectified, though not before malicious actors discovered and exploited them, according to the vendor.

CVE-2023-6548 could enable remote code execution (RCE) on the appliances’ management interface. It carries a 5.5 CVSS rating, low for an RCE bug: exploitation requires the attacker to be authenticated, albeit with low-level privileges, and to have access to the NetScaler IP (NSIP), Subnet IP (SNIP), or cluster management IP (CLIP) with management interface access.

Furthermore, this vulnerability remains non-exploitable if the management console and related technologies are not configured for exposure to the public internet, as NetScaler’s configuration guidelines recommend it to be set up solely on a private network. TLDR: Adhering to Citrix’s instructions should ensure the safety of your appliances.

The downside? As per Shadowserver, just over 1,400 NetScaler management interfaces are exposed on the internet as of Wednesday afternoon.

The second bug, identified as CVE-2023-6549, carries an 8.2 CVSS rating and could allow a denial-of-service attack. A successful exploit requires the appliance to be configured as a gateway (e.g., VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server providing authentication, authorization, and accounting controls.

“Exploits of these CVEs on unmitigated appliances have been observed,” according to a Tuesday security alert from Citrix.

These flaws affect only customer-managed NetScaler ADC and NetScaler Gateway appliances, so customers using NetScaler-managed services need not fret about any of this.

Affected products include:

Customers are advised to install updated versions: “We recommend immediate application of fixes,” according to the vendor’s guidance.

In response to The Register’s inquiries, Citrix mentioned being aware of “only a limited number of exploits in the wild.”

“The vulnerabilities only apply to customer-managed instances and do not apply to cloud managed services,” the vendor added. “NetScaler recommends customers apply the fixes quickly before the exploitation becomes widespread.”

The US Cybersecurity and Infrastructure Security Agency has promptly added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog.

And while this may evoke memories of Citrix-Bleed, the vendor assures that these new bugs under attack are unrelated to that zero-day. Citrix Bleed, of course, is the critical information-disclosure bug affecting NetScaler ADC and NetScaler Gateway, disclosed in October and utilized to infect victims with ransomware and pilfer, among other data, millions of Comcast Xfinity subscribers’ personal information.

Unlike Citrix Bleed, the latest security flaws do not facilitate data exfiltration, rendering them less appealing to potential digital thieves and ransomware crews.

A couple of Tenable security research engineers offered insights on the vulnerabilities. Satnam Narang and Scott Caveza noted that although these mark the second and third zero-days for Citrix appliances in the last four months, “the impact from these two new zero-day vulnerabilities is not expected to be as significant as Citrix Bleed.”

“Nonetheless, organizations employing these appliances in their networks should apply the available patches as soon as possible,” the duo added.

GitHub Implements Key Rotation in Response to Security Vulnerability
Tue, 12 Mar 2024 15:31:38 +0000

GitHub has recently disclosed the rotation of certain keys as a precautionary measure in response to a security vulnerability that posed potential risks of unauthorized access to credentials within a production container.

According to the Microsoft-owned subsidiary, the issue came to their attention on December 26, 2023. They promptly addressed the problem on the same day and rotated all conceivably compromised credentials as a proactive measure.

The rotated keys include the GitHub commit signing key as well as the GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys. Users who rely on these keys are advised to import the updated versions.

Despite the severity of the vulnerability, identified as CVE-2024-0200 with a CVSS score of 7.2, there is no indication of it being previously exploited in the wild. GitHub’s Jacob DePriest emphasized that while the vulnerability also affects GitHub Enterprise Server (GHES), exploitation necessitates an authenticated user with an organization owner role logged into an account on the GHES instance, thereby mitigating potential risks significantly.

Additionally, GitHub addressed another critical bug, tracked as CVE-2024-0507 with a CVSS score of 6.5, which could allow an attacker with access to a Management Console user account with the editor role to elevate privileges through command injection.

These measures follow a previous incident where GitHub replaced its RSA SSH host key, used for securing Git operations, due to brief exposure in a public repository, demonstrating the company’s commitment to proactive security measures.

Alert: AndroxGh0st Malware Sparks Cloud-Based Botnet Threat, Warns CISA and FBI
Tue, 12 Mar 2024 15:30:22 +0000

CISA and the FBI have issued a warning regarding the deployment of the AndroxGh0st malware by threat actors, who are building a botnet for the purpose of identifying and exploiting victims within target networks.

Initially observed by Lacework in December 2022, AndroxGh0st, a Python-based malware, has spawned similar tools such as AlienFox, GreenBot (also known as Maintance), Legion, and Predator.

This cloud attack tool can breach servers with known vulnerabilities to access Laravel environment files and steal credentials for prominent services such as AWS, Microsoft Office 365, SendGrid, and Twilio.

Among the vulnerabilities exploited are CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel Framework).

Lacework highlighted AndroxGh0st’s capabilities in SMTP abuse, including scanning, exploiting exposed credentials and APIs, and deploying web shells. Specifically for AWS, the malware scans and parses AWS keys, and can even generate keys for brute-force attacks.

Compromised AWS credentials are utilized to create new users, user policies, and, in some cases, set up new AWS instances for further malicious scanning activities.

These functionalities render AndroxGh0st a formidable threat capable of downloading additional payloads and maintaining persistent access to compromised systems.

Alex Delamotte, a senior threat researcher at SentinelLabs, noted the prevalence of AndroxGh0st-related user-agent strings in network connections scanning honeypots. Delamotte praised CISA’s issuance of an advisory against such threats, highlighting the rarity of cloud-focused malware advisories.

This advisory coincides with the recent revelation by SentinelOne regarding a distinct tool named FBot, employed by attackers to breach web servers, cloud services, content management systems, and SaaS platforms.

Delamotte emphasized the trend of the cloud threat landscape borrowing code from various tools, integrating them into a comprehensive ecosystem, exemplified by AlienFox and Legion leveraging AndroxGh0st and FBot, respectively.

The alert follows NETSCOUT’s report of a significant surge in botnet scanning activity since mid-November 2023, peaking at nearly 1.3 million distinct devices on January 5, 2024. The majority of source IP addresses are traced back to the U.S., China, Vietnam, Taiwan, and Russia.

NETSCOUT’s analysis revealed a rise in the use of inexpensive or free cloud and hosting servers by attackers to establish botnet launch pads, leveraging trials, free accounts, or low-cost accounts to maintain anonymity and minimize overhead.
