New Vulnerabilities Discovered in QNAP and Kyocera Device Manager
http://www.indiavpn.org/2024/01/09/new-vulnerabilities-discovered-in-qnap-and-kyocera-device-manager/

Jan 09, 2024 | Newsroom | Network Security / Data Protection

A security flaw has been disclosed in Kyocera’s Device Manager product that could be exploited by bad actors to carry out malicious activities on affected systems.

“This vulnerability allows attackers to coerce authentication attempts to their own resources, such as a malicious SMB share, to capture or relay Active Directory hashed credentials if the ‘Restrict NTLM: Outgoing NTLM traffic to remote servers’ security policy is not enabled,” Trustwave said.

Kyocera, in an advisory released late last month, described the flaw, tracked as CVE-2023-50916, as a path traversal issue that enables an attacker to intercept and alter a local path pointing to the backup location of the database to a universal naming convention (UNC) path.

This, in turn, causes the web application to attempt to authenticate to the rogue UNC path, resulting in unauthorized access to clients’ accounts and data theft. Furthermore, depending on the configuration of the environment, it could be exploited to pull off NTLM relay attacks.

The shortcoming has been addressed in Kyocera Device Manager version 3.1.1213.0.

QNAP Releases Fixes for Several Flaws

The development comes as QNAP released fixes for several flaws, including high-severity vulnerabilities impacting QTS and QuTS hero, QuMagie, Netatalk and Video Station.

This comprises CVE-2023-39296, a prototype pollution vulnerability that could allow remote attackers to “override existing attributes with ones that have an incompatible type, which may cause the system to crash.”

The shortcoming has been addressed in versions QTS 5.1.3.2578 build 20231110 and QuTS hero h5.1.3.2578 build 20231110.

A brief description of the other notable flaws is as follows –

  • CVE-2023-47559 – A cross-site scripting (XSS) vulnerability in QuMagie that could allow authenticated users to inject malicious code via a network (Addressed in QuMagie 2.2.1 and later)
  • CVE-2023-47560 – An operating system command injection vulnerability in QuMagie that could allow authenticated users to execute commands via a network (Addressed in QuMagie 2.2.1 and later)
  • CVE-2023-41287 – An SQL injection vulnerability in Video Station that could allow users to inject malicious code via a network (Addressed in Video Station 5.7.2 and later)
  • CVE-2023-41288 – An operating system command injection vulnerability in Video Station that could allow users to execute commands via a network (Addressed in Video Station 5.7.2 and later)
  • CVE-2022-43634 – An unauthenticated remote code execution vulnerability in Netatalk that could allow attackers to execute arbitrary code (Addressed in QTS 5.1.3.2578 build 20231110 and QuTS hero h5.1.3.2578 build 20231110)

While there is no evidence that the flaws have been exploited in the wild, it’s recommended that users take steps to update their installations to the latest version to mitigate potential risks.

How One Vulnerable Device Can Spell Disaster
http://www.indiavpn.org/2023/12/24/how-one-vulnerable-device-can-spell-disaster/

Dec 20, 2023 | Newsroom | Network Security / Data Breach

Ransomware groups are increasingly switching to remote encryption in their attacks, marking a new escalation in tactics adopted by financially motivated actors to ensure the success of their campaigns.

“Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network,” Mark Loman, vice president of threat research at Sophos, said.

“Attackers know this, so they hunt for that one ‘weak spot’ — and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders.”

Remote encryption (aka remote ransomware), as the name implies, occurs when a compromised endpoint is used to encrypt data on other devices on the same network.

In October 2023, Microsoft revealed that around 60% of ransomware attacks now involve malicious remote encryption in an effort to minimize their footprint, with more than 80% of all compromises originating from unmanaged devices.

“Ransomware families known to support remote encryption include Akira, ALPHV/BlackCat, BlackMatter, LockBit, and Royal, and it’s a technique that’s been around for some time – as far back as 2013, CryptoLocker was targeting network shares,” Sophos said.

A significant advantage of this approach is that it renders process-based remediation measures ineffective: the managed machines cannot detect the malicious activity, since it is present only on an unmanaged device.

The development comes amid broader shifts in the ransomware landscape, with the threat actors adopting atypical programming languages, targeting beyond Windows systems, auctioning stolen data, and launching attacks after business hours and at weekends to thwart detection and incident response efforts.

Sophos, in a report published last week, highlighted the “symbiotic – but often uneasy – relationship” between ransomware gangs and the media, as a way to not only attract attention, but also to control the narrative and dispute what they view as inaccurate coverage.

This also extends to publishing FAQs and press releases on their data leak sites, even including direct quotes from the operators, and correcting mistakes made by journalists. Another tactic is the use of catchy names and slick graphics, indicating an evolution of the professionalization of cyber crime.

“The RansomHouse group, for example, has a message on its leak site specifically aimed at journalists, in which it offers to share information on a ‘PR Telegram channel’ before it is officially published,” Sophos noted.

While ransomware groups like Conti and Pysa are known for adopting an organizational hierarchy comprising senior executives, system admins, developers, recruiters, HR, and legal teams, there is evidence to suggest that some have advertised opportunities for English writers and speakers on criminal forums.

“Media engagement provides ransomware gangs with both tactical and strategic advantages; it allows them to apply pressure to their victims, while also enabling them to shape the narrative, inflate their own notoriety and egos, and further ‘mythologize’ themselves,” the company said.
