Apr 06, 2024NewsroomSkimmer / Threat Intelligence

Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites.

The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of “improper neutralization of special elements” that could pave the way for arbitrary code execution.

It was addressed by the company as part of security updates released on February 13, 2024.

Sansec said it discovered a “cleverly crafted layout template in the database” that’s being used to automatically inject malicious code to execute arbitrary commands.

“Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands,” the company said.

“Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested.”

The command in question is sed, which is used to insert a code execution backdoor that’s then responsible for delivering a Stripe payment skimmer to capture and exfiltrate financial information to another compromised Magento store.

The development comes as the Russian government has charged six people for using skimmer malware to steal credit card and payment information from foreign e-commerce stores at least since late 2017.

The suspects are Denis Priymachenko, Alexander Aseyev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev. Recorded Future News reported that the arrests were made a year ago, citing court documents.

“As a result, members of the hacker group illegally took possession of information about almost 160 thousand payment cards of foreign citizens, after which they sold them through shadow internet sites,” the Prosecutor General’s Office of the Russian Federation said.

Mar 29, 2024NewsroomVulnerability / Linux

Details have emerged about a vulnerability impacting the “wall” command of the util-linux package that could be potentially exploited by a bad actor to leak a user’s password or alter the clipboard on certain Linux distributions.

The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper neutralization of escape sequences.

“The util-linux wall command does not filter escape sequences from command line arguments,” Ferrante said. “This allows unprivileged users to put arbitrary text on other users’ terminals, if mesg is set to “y” and wall is setgid.”

The vulnerability was introduced as part of a commit made in August 2013.

The “wall” command is used to write a message to the terminals of all users that are currently logged in to a server, essentially allowing users with elevated permissions to broadcast key information to all local users (e.g., a system shutdown).

“wall displays a message, or the contents of a file, or otherwise its standard input, on the terminals of all currently logged in users,” the man page for the Linux command reads. “Only the superuser can write on the terminals of users who have chosen to deny messages or are using a program which automatically denies messages.”

CVE-2024-28085 essentially exploits improperly filtered escape sequences provided via command line arguments to trick users into creating a fake SUDO prompt on other users’ terminals and trick them into entering their passwords.

However, for this to work, the mesg utility – which controls the ability to display messages from other users – has to be set to “y” (i.e., enabled) and the wall command is executed with setgid permissions.

CVE-2024-28085 impacts Ubuntu 22.04 and Debian Bookworm as these two criteria are met. On the other hand, CentOS is not vulnerable since the wall command does not have setgid.

“On Ubuntu 22.04, we have enough control to leak a user’s password by default,” Ferrante said. “The only indication of attack to the user will be an incorrect password prompt when they correctly type their password, along with their password being in their command history.”

Similarly, on systems that allow wall messages to be sent, an attacker could potentially alter a user’s clipboard through escape sequences on select terminals like Windows Terminal. It does not work on GNOME Terminal.

Users are advised to update to util-linux version 2.40 to mitigate against the flaw.

“[CVE-2024-28085] allows unprivileged users to put arbitrary text on other users terminals, if mesg is set to y and *wall is setgid*,” according to the release notes. “Not all distros are affected (e.g., CentOS, RHEL, Fedora are not; Ubuntu and Debian wall is both setgid and mesg is set to y by default).”

The disclosure comes as security researcher notselwyn detailed a use-after-free vulnerability in the netfilter subsystem in the Linux kernel that could be exploited to achieve local privilege escalation.

Assigned the CVE identifier CVE-2024-1086 (CVSS score: 7.8), the underlying issue stems from input sanitization failure of netfilter verdicts, allowing a local attacker to cause a denial-of-service (DoS) condition or possibly execute arbitrary code. It has been addressed in a commit pushed on January 24, 2024.

Mar 27, 2024NewsroomVulnerability / API Security

A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users’ systems and carry out malicious actions.

“This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user’s knowledge,” Guardio Labs security researcher Oleg Zaytsev said in a new report shared with The Hacker News.

Tracked as CVE-2024-21388 (CVSS score: 6.5), it was addressed by Microsoft in Edge stable version 121.0.2277.83 released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu for reporting the issue.

“An attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension,” Microsoft said in an advisory for the flaw, adding it “could lead to a browser sandbox escape.”

Describing it as a privilege escalation flaw, the tech giant also emphasized that a successful exploitation of the bug requires an attacker to “take additional actions prior to exploitation to prepare the target environment.”

According to Guardio’s findings, CVE-2024-21388 allows a bad actor with the ability to run JavaScript on bing[.]com or microsoft[.]com pages to install any extensions from the Edge Add-ons store sans requiring user’s consent or interaction.

This is made possible by the fact that the browser comes with privileged access to certain private APIs that make it possible to install an add-on as long as it’s from the vendor’s own extension marketplace.

One such API in the Chromium-based Edge browser is edgeMarketingPagePrivate, which is accessible from a set of allowlisted websites that belong to Microsoft, including bing[.]com, microsoft[.]com, microsoftedgewelcome.microsoft[.]com, and microsoftedgetips.microsoft[.]com, among others.

The API also packs in a method called installTheme() that, as the name implies, is designed to install a theme from the Edge Add-ons store by passing a unique theme identifier (“themeId”) and its manifest file as input.

The bug identified by Guardio is essentially a case of insufficient validation, thereby enabling an attacker to provide any extension identifier from the storefront (as opposed to the themeId) and get it stealthily installed.

“As an added bonus, as this extension installation is not done quite in the manner it was originally designed for, there will be no need for any interaction or consent from the user,” Zaytsev explained.

In a hypothetical attack scenario leveraging CVE-2024-21388, a threat actor could publish a seemingly harmless extension to the add-ons store and use it to inject a piece of malicious JavaScript code into bing[.]com – or any of the sites that are allowed to access the API – and install an arbitrary extension of their choice by invoking the API using the extension identifier.

Put differently, executing the specially crafted extension on the Edge browser and going to bing[.]com will automatically install the targeted extension without the victim’s permission.

Guardio told The Hacker News that while there is no evidence of this bug being exploited in the wild, it highlights the need for balancing user convenience and security, and how browser customizations can inadvertently defeat security mechanisms and introduce several new attack vectors.

“It’s relatively easy for attackers to trick users into installing an extension that appears harmless, not realizing it serves as the initial step in a more complex attack,” Zaytsev said. “This vulnerability could be exploited to facilitate the installation of additional extensions, potentially for monetary gain.”

Mar 22, 2024NewsroomAmazon Web Services / Vulnerability

Cybersecurity researchers have shared details of a now-patched security vulnerability in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) that could be potentially exploited by a malicious actor to hijack victims’ sessions and achieve remote code execution on underlying instances.

The vulnerability, now addressed by AWS, has been codenamed FlowFixation by Tenable.

“Upon taking over the victim’s account, the attacker could have performed tasks such as reading connection strings, adding configurations and triggering directed acyclic graphs (DAGS),” senior security researcher Liv Matan said in a technical analysis.

“Under certain circumstances such actions can result in RCE on the instance that underlies the MWAA, and in lateral movement to other services.”

The root cause of the vulnerability, per the cybersecurity firm, is a combination of session fixation on the web management panel of AWS MWAA and an AWS domain misconfiguration that results in a cross-site scripting (XSS) attack.

Session fixation is a web attack technique that occurs when a user is authenticated to a service without invalidating any existing session identifiers. This permits the adversary to force (aka fixate) a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.

By abusing the shortcoming, a threat actor could have forced victims to use and authenticate the attacker’s known session and ultimately take over the victim’s web management panel.

“FlowFixation highlights a broader issue with the current state of cloud providers’ domain architecture and management as it relates to the Public Suffix List (PSL) and shared-parent domains: same-site attacks,” Matan said, adding the misconfiguration also impacts Microsoft Azure and Google Cloud.

Tenable also pointed out that the shared architecture – where several customers have the same parent domain – could be a goldmine for attackers looking to exploit vulnerabilities like same-site attacks, cross-origin issues, and cookie tossing, effectively leading to unauthorized access, data leaks, and code execution.

The shortcoming has been addressed by both AWS and Azure adding the misconfigured domains to PSL, thus causing web browsers to recognize the added domains as a public suffix. Google Cloud, on the other hand, has described the issue as not “severe enough” to merit a fix.

“In the case of same-site attacks, the security impact of the mentioned domain architecture is significant, with heightened risk of such attacks in cloud environments,” Matan explained.

“Among these, cookie-tossing attacks and same-site attribute cookie protection bypass are particularly concerning as both can circumvent CSRF protection. Cookie-tossing attacks can also abuse session-fixation issues.”

Mar 21, 2024NewsroomDatabase / Vulnerability

Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could be exploited without requiring user interaction.

Tracked as CVE-2024-1597, the vulnerability carries a CVSS score of 10.0, indicating maximum severity.

Described as an SQL injection flaw, it’s rooted in a dependency called org.postgresql:postgresql, as a result of which the company said it “presents a lower assessed risk” despite the criticality.

“This org.postgresql:postgresql dependency vulnerability […] could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction,” Atlassian said.

According to a description of the flaw in the NIST’s National Vulnerability Database (NVD), “pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE.” The driver versions prior to the ones listed below are impacted –

• 42.7.2
• 42.6.1
• 42.5.5
• 42.4.4
• 42.3.9, and
• 42.2.28 (also fixed in 42.2.28.jre7)

“SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value,” the maintainters said in an advisory last month.

“There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.”

The Atlassian vulnerability is said to have been introduced in the following versions of Bamboo Data Center and Server –

• 8.2.1
• 9.0.0
• 9.1.0
• 9.2.1
• 9.3.0
• 9.4.0, and
• 9.5.0

The company also emphasized that Bamboo and other Atlassian Data Center products are unaffected by CVE-2024-1597 as they do not use the PreferQueryMode=SIMPLE in their SQL database connection settings.

SonarSource security researcher Paul Gerste has been credited with discovering and reporting the flaw. Users are advised to update their instances to the latest version to protect against any potential threats.

Mar 08, 2024NewsroomNetwork Security / Vulnerability

Cisco has released patches to address a high-severity security flaw impacting its Secure Client software that could be exploited by a threat actor to open a VPN session with that of a targeted user.

The networking equipment company described the vulnerability, tracked as CVE-2024-20337 (CVSS score: 8.2), as allowing an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user.

Arising as a result of insufficient validation of user-supplied input, a threat actor could leverage the flaw to trick a user into clicking on a specially crafted link while establishing a VPN session.

“A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token,” the company said in an advisory.

“The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access.”

The vulnerability impacts Secure Client for Windows, Linux, and macOS, and has been addressed in the following versions –

• Earlier than 4.10.04065 (not vulnerable)
• 4.10.04065 and later (fixed in 4.10.08025)
• 5.0 (migrate to a fixed release)
• 5.1 (fixed in 5.1.2.42)

Amazon security researcher Paulos Yibelo Mesfin has been credited with discovering and reporting the flaw, telling The Hacker News that the shortcoming allows attackers to access local internal networks when a target visits a website under their control.

Cisco has also published fixes for CVE-2024-20338 (CVSS score: 7.3), another high-severity flaw in Secure Client for Linux that could permit an authenticated, local attacker to elevate privileges on an affected device. It has been resolved in version 5.1.2.42.

“An attacker could exploit this vulnerability by copying a malicious library file to a specific directory in the filesystem and persuading an administrator to restart a specific process,” it said. “A successful exploit could allow the attacker to execute arbitrary code on an affected device with root privileges.”

Jan 15, 2024NewsroomVulnerability / Browser Security

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.

The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices.

“This is achieved through a controlled browser extension, effectively bypassing the browser’s sandbox and the entire browser process,” the company said in a statement shared with The Hacker News.

The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023.

My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interface, meaning a file can be executed outside of the browser’s security boundaries.

It is pre-installed in the browser and facilitated by means of a built-in (or internal) browser extension called “Opera Touch Background,” which is responsible for communicating with its mobile counterpart.

This also means that the extension comes with its own manifest file specifying all the required permissions and its behavior, including a property known as externally_connectable that declares which other web pages and extensions can connect to it.

In the case of Opera, the domains that can talk to the extension should match the patterns “*.flow.opera.com” and “.flow.op-test.net” – both controlled by the browser vendor itself.

“This exposes the messaging API to any page that matches the URL patterns you specify,” Google notes in its documentation. “The URL pattern must contain at least a second-level domain.”

Guardio Labs said it was able to unearth a “long-forgotten” version of the My Flow landing page hosted on the domain “web.flow.opera.com” using the urlscan.io website scanner tool.

“The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it lacks the [content security policy] meta tag, but it also holds a script tag calling for a JavaScript file without any integrity check,” the company said.

“This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API.”

The attack chain then hinges, creating a specially crafted extension that masquerades as a mobile device to pair with the victim’s computer and transmit an encrypted malicious payload via the modified JavaScript file to the host for subsequent execution by prompting the user to click anywhere on the screen.

The findings highlight the increasing complexity of browser-based attacks and the different vectors that can be exploited by threat actors to their advantage.

“Despite operating in sandboxed environments, extensions can be powerful tools for hackers, enabling them to steal information and breach browser security boundaries,” the company told The Hacker News.

“This underscores the need for internal design changes at Opera and improvements in Chromium’s infrastructure. For instance, disabling third-party extension permissions on dedicated production domains, similar to Chrome’s web store, is recommended but has not yet been implemented by Opera.”

When reached for comment, Opera said it moved quickly to close the security hole and implement a fix on the server side and that it’s taking steps to prevent such issues from happening again.

“Our current structure uses an HTML standard, and is the safest option that does not break key functionality,” the company said. “After Guardio alerted us to this vulnerability, we removed the cause of these issues and we are making sure that similar problems will not appear in the future.”

“We would like to thank Guardio Labs for their work on uncovering and immediately alerting us to this vulnerability. This collaboration demonstrates how we work together with security experts and researchers around the world to complement our own efforts at maintaining and improving the security of our products and ensuring our users have a safe online experience.”

Web Application Security consists of a myriad of security controls that ensure that a web application:

1. Functions as expected.
2. Cannot be exploited to operate out of bounds.
3. Cannot initiate operations that it is not supposed to do.

Web Applications have become ubiquitous after the expansion of Web 2.0, which Social Media Platforms, E-Commerce websites, and email clients saturating the internet spaces in recent years.

As the applications consume and store even more sensitive and comprehensive data, they become an ever more appealing target for attackers.

Common Attack Methods

The three most common vulnerabilities that exist in this space are Injections (SQL, Remote Code), Cryptographic Failures (previously sensitive data exposure), and Broken Access Control (BAC). Today, we will focus on Injections and Broken Access Control.

Injections

SQL is the most common Database software that is used, and hosts a plethora of payment data, PII data, and internal business records.

A SQL Injection is an attack that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed.

The starting point for this, is a command such as the one below:

This will return ALL rows from the “Users” table, since OR 1=1 is always TRUE. Going further with this, this method will also return passwords if there are any.

Picture an attack like this being performed against a large social media company, or a large e-commerce business, and one can begin to see how much sensitive data can be retrieved with just one command.

Broken Access Control

Broken Access Control (BAC) has risen the ranks on the OWASP top ten from fifth to the most common Web Application Security Risks. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category during OWASP’s recent testing.

The most common types of BAC, is Vertical and Horizontal privilege escalation. Vertical privilege escalation occurs when a user can elevate their privileges and perform actions, they should not have access to do.

The CVE-2019-0211, which was an Apache Local Privilege Escalation. This critical vulnerability, from 2019, affected Apache HTTP servers running on Unix systems, especially those utilizing the mod_prefork, mod_worker, and mod_event libraries.

This granted attackers the capability to execute unprivileged scripts, potentially leading to root access and compromising shared hosting services. Exploiting this flaw requires the manipulation of shared-memory regions within Apache’s worker processes, which must be done before initiating an Apache graceful restart.

The below is a screenshot of the POC code. As one can see, a certain level of technical ability is required in this respect, however, vertical privilege escalation can just as easily occur when a user’s permissions are overly permissive, or not revoked when they leave a business.

This takes us back to the principle of least privilege, a ubiquitous term found throughout the IT world, that is now becoming more commonplace as we realise how crucial web applications have become.

Horizontal Privilege Escalation is when a user gains access to data they are not supposed to have access to, but that data is held at the same level as their own permissions. This can be seen with one standard user accessing the data of another standard user. Whilst this should not be allowed, the privileges are not rising vertical, but spreading horizontally. This is sometimes seen as more dangerous, as it can occur without raising any alerts on security systems.

With BAC becoming ever more present in the last couple of years, it is important to remember:

• Solely depending on obfuscation is not a sufficient method for access control.
• If a resource is not meant to be accessible to the public, it should be denied access by default.
• Developers should explicitly specify allowed access for each resource at the code level, with access denial as the default setting.

Best Practices – Read between the Lines (of code!)

To maintain security, developers need to verify incoming data, implement parameterized queries when interacting with databases, and apply effective session management methods to protect sensitive data. Much of this relies on both the security of web browsers, but also of the back-end security of the web servers delivering web content, leading to a segregation of duties in web security.

The biggest problem that arises here, is that whilst Web Application Firewalls (WAFs), can mitigate these risks, much of the responsibility for secure implementation of web content lands at the feet of the developers who put these sites together. Cybersecurity can often become an afterthought, with functionality being preferred.

Practical Example – Input Validation

Input Validation is the simplest and most effective ways to implement secure coding, in this example to prevent SQL injections.

1. User Input: The user provides input, for example:

2. Sanitization: The user input is not directly inserted into the SQL query. It is sanitized and treated as data, not as SQL code.
3. Query Execution: The SQL query is executed with the user input as a parameter:
4. As such, the query enters the backend as below:

In this code, the (user_input,) is a tuple containing the user’s input. The database driver takes care of escaping and properly handling this input. It ensures that the input is treated as a data value, not executable SQL code.

If the user input contains malicious code, such as “105 or 1=1,” it is not executed as SQL. Instead, it’s treated as a value to be compared to the UserId in the database.

The database driver automatically handles the escaping of the input, preventing it from affecting the structure of the SQL query or introducing security vulnerabilities.

Web Application Firewalls (WAFs)

A WAF operates at layer 7 of the OSI model, and acts as a reverse proxy, ensuring client traffic passes through the WAF before entering the backend server. The rules or policies on the WAF protect against the documented vulnerabilities that are present in these backend servers and filter out malicious traffic.

There are a plethora of WAFs on the market, and these can all provide a strong defence against the more novel attacks, and contribute well to a defence in depth approach, the practice of secure coding is something that ensure the foundations of the web application is secure and will not fall victim to more complex or novel attacks in the future.

WAFs are currently moving towards a mixture of security model that use behavioural-analysis technologies to detect malicious threats, and further mitigate against the threats of more advanced ‘bots’ which have been leveraged for low-effort attacks on websites.

The main drawback of using a WAF, aside from the added latency and HTTP overhead, is the fact that a WAF can be bypassed by using a 0-day exploit against a web application, which secure coding and correct sanitisation can mitigate against more effectively that offsetting all Web application security to a WAF. It is important to remember a WAF is simply a layer of security, and not the entire solution.

Incident Response and Recovery

SecurityHQ’s suggestions to mitigate against attacks:

1. Employing a WAF as a first line of defence is critical to ensure business can defend against a large volume of attacks.
2. Ensure up-to-date and strong standard algorithms and protocols are in use, this should be paired with proper key management.
3. Encrypt data in transit with secure protocols such as TLS with forward secrecy (FS) ciphers, cipher prioritization by the server. Enforce encryption using directives such as HTTP Strict Transport Security (HSTS).
4. Enable bot management strategies on websites and have a documented incident response plan.
5. Ensure secure development practices are in place, with a documented process of testing new features on web applications and ensure input validation is deployed.
• This should be coupled with ensuring the principle of least privilege.
6. Regularly test for vulnerabilities, with Vulnerability Management, and Managed Defense with IBM tooling, and keep track of component versions.
7. Utilise a red application test to uncover vulnerabilities scanners cannot find.
8. Ensure Developers are regularly trained to keep up with the latest security trends and emerging threats.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.

Note: This article was expertly written by Tim Chambers, Senior Cyber Security Manager at SecurityHQ