Apr 09, 2024NewsroomVulnerability / IoT Security

Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices.

The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024.

The vulnerabilities are tracked from CVE-2023-6317 through CVE-2023-6320 and impact the following versions of webOS –

• webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
• webOS 5.5.0 – 04.50.51 running on OLED55CXPUA
• webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
• webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA

A brief description of the shortcomings is as follows –

• CVE-2023-6317 – A vulnerability that allows an attacker to bypass PIN verification and add a privileged user profile to the TV set without requiring user interaction

• CVE-2023-6318 – A vulnerability that allows the attacker to elevate their privileges and gain root access to take control of the device

• CVE-2023-6319 – A vulnerability that allows operating system command injection by manipulating a library named asm responsible for showing music lyrics

• CVE-2023-6320 – A vulnerability that allows for the injection of authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint

Successful exploitation of the flaws could allow a threat actor to gain elevated permissions to the device, which, in turn, can be chained with CVE-2023-6318 and CVE-2023-6319 to obtain root access, or with CVE-2023-6320 to run arbitrary commands as the dbus user.

“Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet,” Bitdefender said. A majority of the devices are located in South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia.

Mar 13, 2024NewsroomPatch Tuesday / Software Update

Microsoft on Tuesday released its monthly security update, addressing 61 different security flaws spanning its software, including two critical issues impacting Windows Hyper-V that could lead to denial-of-service (DoS) and remote code execution.

Of the 61 vulnerabilities, two are rated Critical, 58 are rated Important, and one is rated Low in severity. None of the flaws are listed as publicly known or under active attack at the time of the release, but six of them have been tagged with an “Exploitation More Likely” assessment.

The fixes are in addition to 17 security flaws that have been patched in the company’s Chromium-based Edge browser since the release of the February 2024 Patch Tuesday updates.

Topping the list of critical shortcomings are CVE-2024-21407 and CVE-2024-21408, which affect Hyper-V and could result in remote code execution and a DoS condition, respectively.

Microsoft’s update also addresses privilege escalation flaws in the Azure Kubernetes Service Confidential Container (CVE-2024-21400, CVSS score: 9.0), Windows Composite Image File System (CVE-2024-26170, CVSS score: 7.8), and Authenticator (CVE-2024-21390, CVSS score: 7.1).

Successful exploitation of CVE-2024-21390 requires the attacker to have a local presence on the device either via malware or a malicious application already installed via some other means. It also necessitates that the victim closes and re-opens the Authenticator app.

“Exploitation of this vulnerability could allow an attacker to gain access to multi-factor authentication codes for the victim’s accounts, as well as modify or delete accounts in the authenticator app but not prevent the app from launching or running,” Microsoft said in an advisory.

“While exploitation of this flaw is considered less likely, we know that attackers are keen to find ways to bypass multi-factor authentication,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

“Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

Another vulnerability of note is a privilege escalation bug in the Print Spooler component (CVE-2024-21433, CVSS score: 7.0) that could permit an attacker to obtain SYSTEM privileges but only upon winning a race condition.

The update also plugs a remote code execution flaw in Exchange Server (CVE-2024-26198, CVSS score: 8.8) that an unauthenticated threat actor could abuse by placing a specially crafted file onto an online directory and tricking a victim into opening it, resulting in the execution of malicious DLL files.

The vulnerability with the highest CVSS rating is CVE-2024-21334 (CVSS score: 9.8), which concerns a case of remote code execution affecting the Open Management Infrastructure (OMI).

“A remote unauthenticated attacker could access the OMI instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability,” Redmond said.

“The first quarter of Patch Tuesday in 2024 has been quieter compared to the last four years,” Narang said. “On average, there were 237 CVEs patched in the first quarter from 2020 through 2023. In the first quarter of 2024, Microsoft only patched 181 CVEs. The average number of CVEs patched in March over the last four years was 86.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

Mar 01, 2024NewsroomRootkit / Threat Intelligence

The Five Eyes (FVEY) intelligence alliance has issued a new cybersecurity advisory warning of cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be deceived to provide a false sense of security.

“Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets,” the agencies said.

To date, Ivanti has disclosed five security vulnerabilities impacting its products since January 10, 2024, out of which four have come under active exploitation by multiple threat actors to deploy malware –

• CVE-2023-46805 (CVSS score: 8.2) – Authentication bypass vulnerability in web component
• CVE-2024-21887 (CVSS score: 9.1) – Command injection vulnerability in web component
• CVE-2024-21888 (CVSS score: 8.8) – Privilege escalation vulnerability in web component
• CVE-2024-21893 (CVSS score: 8.2) – SSRF vulnerability in the SAML component
• CVE-2024-22024 (CVSS score: 8.3) – XXE vulnerability in the SAML component

Mandiant, in an analysis published this week, described how an encrypted version of malware known as BUSHWALK is placed in a directory excluded by ICT in /data/runtime/cockpit/diskAnalysis.

The directory exclusions were also previously highlighted by Eclypsium this month, stating the tool skips a dozen directories from being scanned, thus allowing an attacker to leave behind backdoors in one of these paths and still pass the integrity check.

“The safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time,” agencies from Australia, Canada, New Zealand, the U.K., and the U.S. said.

They also urged organizations to “consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.”

Ivanti, in response to the advisory, said it’s not aware of any instances of successful threat actor persistence following the implementation of security updates and factory resets. It’s also releasing a new version of ICT that it said “provides additional visibility into a customer’s appliance and all files that are present on the system.”

Feb 21, 2024NewsroomNetwork Security / Vulnerability

Cybersecurity researchers have identified two authentication bypass flaws in open-source Wi-Fi software found in Android, Linux, and ChromeOS devices that could trick users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.

The vulnerabilities, tracked as CVE-2023-52160 and CVE-2023-52161, have been discovered following a security evaluation of wpa_supplicant and Intel’s iNet Wireless Daemon (IWD), respectively.

The flaws “allow attackers to trick victims into connecting to malicious clones of trusted networks and intercept their traffic, and join otherwise secure networks without needing the password,” Top10VPN said in a new research conducted in collaboration with Mathy Vanhoef, who has previously uncovered Wi-Fi attacks like KRACK, DragonBlood, and TunnelCrack.

CVE-2023-52161, in particular, permits an adversary to gain unauthorized access to a protected Wi-Fi network, exposing existing users and devices to potential attacks such as malware infections, data theft, and business email compromise (BEC). It impacts IWD versions 2.12 and lower.

On the other hand, CVE-2023-52160 affects wpa_supplicant versions 2.10 and prior. It’s also the more pressing of the two flaws owing to the fact that it’s the default software used in Android devices to handle login requests to wireless networks.

That said, it only impacts Wi-Fi clients that aren’t properly configured to verify the certificate of the authentication server. CVE-2023-52161, however, affects any network that uses a Linux device as a wireless access point (WAP).

Successful exploitation of CVE-2023-52160 banks on the prerequisite that the attacker is in possession of the SSID of a Wi-Fi network to which the victim has previously connected. It also requires the threat actor to be in physical proximity to the victim.

“One possible such scenario might be where an attacker walks around a company’s building scanning for networks before targeting an employee leaving the office,” the researchers said.

Major Linux distributions such as Debian (1, 2), Red Hat (1), SUSE (1, 2), and Ubuntu (1, 2) have released advisories for the two flaws. The wpa_supplicant issue has also been addressed in ChromeOS from versions 118 and later, but fixes for Android are yet to be made available.

“In the meantime, it’s critical, therefore, that Android users manually configure the CA certificate of any saved enterprise networks to prevent the attack,” Top10VPN said.

Feb 15, 2024The Hacker NewsSaaS Security / Risk Management

With many of the highly publicized 2023 cyber attacks revolving around one or more SaaS applications, SaaS has become a cause for genuine concern in many boardroom discussions. More so than ever, considering that GenAI applications are, in fact, SaaS applications.

Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in Q4 of 2023. Their study reveals how companies use SaaS today, and the wide variety of threats that result from that usage. This unique analysis provides rare and important insights into the breadth and depth of SaaS-related risks, but also provides practical tips to mitigate them and ensure SaaS can be widely used without compromising security posture.

The TL;DR Version Of SaaS Security

2023 brought some now infamous examples of malicious players leveraging or directly targeting SaaS, including the North Korean group UNC4899, 0ktapus ransomware group, and Russian Midnight Blizzard APT, which targeted well-known organizations such as JumpCloud, MGM Resorts, and Microsoft (respectively), and probably many others that often go unannounced.

The first insight from this research cements the concept that SaaS is the new supply chain, providing an almost intuitive framework to the importance of securing SaaS usage. These applications are clearly an integral part of the modern organization’s set of tools and vendors. That said, long gone are the days when every 3rd party with access to company data had to go through security or IT approval. Even in the most rigorous companies, when a diligent employee needs a quick and efficient solution, they’ll look it up and use it to get their jobs’ done faster and better. Again, think of the widespread use of GenAI, and the picture is clear.

As such, any organization concerned about the security of its supply chain must adopt SaaS security measures. According to the MITRE ATT&CK technique ‘Trusted Relationships’ (T1199), a supply chain attack occurs when an attacker targets a vendor to exploit it as a means to infiltrate a broader network of companies. By entrusting sensitive data to external SaaS vendors, organizations subject themselves to supply chain risks that reach beyond immediate security concerns.

Four Common SaaS Risks

There are various reasons and ways in which SaaS is being targeted. The good news is that most of the risks can be significantly mitigated when monitored and controlled. Basic SaaS security capabilities are even free, suited for organizations that are just beginning to develop their SaaS security posture or need to compare it to their current solution.

1) Shadow SaaS

The first problem with SaaS usage is the fact that it often goes completely unnoticed: The number of applications used by organizations is typically 250% larger than what a basic and often-used query of the workspace reveals.

Amongst the companies analyzed:

• 41% of applications were used by only one individual, resulting in a very long tail of unsanctioned applications.
• 1 out of 5 users were utilizing applications not used by anyone else within their organization, creating security and resource strains.
• 63% of single-user applications were not even accessed within a 3-month period, begging the question – why keep them connected to company data?
• 96.7% of organizations used at least one application that had a security incident in the previous year, solidifying the continuous risk and need for proper mitigation.

2) MFA Bypassing

Wing’s research indicates a trend where users opt to use a username/password to access the services they need, bypassing the security measures in place (see image 1).

Image 1: From Wing Security’s research, bypassing MFA.

3) Forgotten tokens

Users grant the applications they need tokens; this is necessary for the SaaS applications to serve their purpose. The problem is that these tokens are often forgotten about after a few or just one use. Wing’s research revealed a large presence of unused tokens over a period of 3 months, creating an unnecessarily large attack surface for many customers (Image 2).

4) The new risk of Shadow AI

In the beginning of 2023, security teams primarily concentrated on a select few renowned services offering access to AI-based models. However, as the year progressed, thousands of conventional SaaS applications adopted AI models. The research shows that 99.7% of companies were using applications with integrated AI capabilities.

Organizations were required to agree to updated terms and conditions permitting these applications to utilize and refine their models using the organizations’ most confidential data. Often, these revised terms and conditions slipped under the radar, along with the usage of AI itself.

There are different ways in which AI applications may use your data for their training models. This can come in the form of learning your data, storing your data and even having a human manually go over your data to improve the AI model. According to Wing, this capability is often configurable and totally avoidable, provided it is not overlooked.

Solving SaaS Security Challenges In 2024

The report ends on a positive note, listing 8 ways in which companies can mitigate the growing threat of the SaaS supply chain. Including:

1. Ongoing shadow IT discovery and management.
2. Prioritize the remediation of SaaS misconfigurations
3. Optimize anomaly detection with predefined frameworks, automate when possible.
4. Discover and monitor all AI-using SaaS applications, and constantly monitor your SaaS for updates in their T&C pertaining to AI usage.

For the full list of findings, tips on ensuring safe SaaS usage and a 2024 SaaS security forecast, download the full report here.

Feb 01, 2024NewsroomNetwork Security / Malware

Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices.

This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE.

“CHAINLINE is a Python web shell backdoor that is embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution,” the company said, attributing it to UNC5221, adding it also detected multiple new versions of WARPWIRE, a JavaScript-based credential stealer.

The infection chains entail a successful exploitation of CVE-2023-46805 and CVE-2024-21887, which allow an unauthenticated threat actor to execute arbitrary commands on the Ivanti appliance with elevated privileges.

The flaws have been abused as zero-days since early December 2023. Germany’s Federal Office for Information Security (BSI) said it’s aware of “multiple compromised systems” in the country.

BUSHWALK, written in Perl and deployed by circumventing the Ivanti-issued mitigations in highly-targeted attacks, is embedded into a legitimate Connect Secure file named “querymanifest.cgi” and offers the ability to read or write to files to a server.

On the other hand, FRAMESTING is a Python web shell embedded in an Ivanti Connect Secure Python package (located in the following path “/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py”) that enables arbitrary command execution.

Mandiant’s analysis of the ZIPLINE passive backdoor has also uncovered its use of “extensive functionality to ensure the authentication of its custom protocol used to establish command-and-control (C2).”

Furthermore, the attacks are characterized by the use of open-source utilities like Impacket, CrackMapExec, iodine, and Enum4linux to support post-exploitation activity on Ivanti CS appliances, including network reconnaissance, lateral movement, and data exfiltration within victim environments.

Ivanti has since disclosed two more security flaws, CVE-2024-21888 and CVE-2024-21893, the latter of which has come under active exploitation targeting a “limited number of customers.” The company has also released the first round of fixes to address the four vulnerabilities.

UNC5221 is said to target a wide range of industries that are of strategic interest to China, with its infrastructure and tooling overlapping with past intrusions linked to China-based espionage actors.

“Linux-based tools identified in incident response investigations use code from multiple Chinese-language Github repositories,” Mandiant said. “UNC5221 has largely leveraged TTPs associated with zero-day exploitation of edge infrastructure by suspected PRC nexus actors.”

Each New Year introduces a new set of challenges and opportunities for strengthening our cybersecurity posture. It’s the nature of the field – the speed at which malicious actors carry out advanced persistent threats brings a constant, evolving battle for cyber resilience. The excitement in cybersecurity lies in this continuous adaptation and learning, always staying one step ahead of potential threats.

As practitioners in an industry that operates around-the-clock, this hypervigilance becomes second nature. We are always in a constant state of readiness, anticipating the next move, adapting strategies, and counteracting threats. However, it remains just as crucial to have our fingers on the pulse of the most common vulnerabilities impacting security postures right now. Why? Knowing these weak points is not just about defense; it’s about ensuring robust, uninterrupted business continuity in an environment where risks are always around the corner.

The Importance of Regularly Assessing Your Security Posture

The journey to build a cyber resilient security posture begins with identifying existing vulnerabilities; however, when asked about their vulnerability visibility, less than half of cybersecurity professionals claim to have high (35%) or complete visibility (11%). At best, more than half of organizations (51%) have only moderate visibility into their vulnerabilities.[1]

Regular assessments are one of the primary ways you can evaluate your organization’s security posture and gain the visibility you need to understand where risks are. These assessments comprehensively review your organization’s cybersecurity practices and infrastructure and can range in scope and frequency depending on your organization’s needs and the maturity of your risk program.

Security Maturity and Your Testing Frequency

• Immature or No Risk Strategy: Assessments are not conducted on an ongoing frequency or are conducted on an ad-hoc basis.
• Emerging or Ad-Hoc Risk Strategy: Assessments are conducted with some frequency, typically quarterly or monthly.
• Mature or Set Strategy: Assessments are conducted on an ongoing basis, usually monthly.
• Advanced Strategy: Regularly assessments are engrained in the overall risk program and take place on a monthly or weekly basis depending on the type of test.

Suggested Testing Frequency by Common Framework

• NIST CSF: The National Institute of Standards and Technology (NIST) guidelines vary from quarterly to monthly scans, based on the specific guidelines of the governing framework.
• PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) mandates quarterly scans.
• HIPAA: The Health Information Protection Accountability Act (HIPAA) does not require specific scanning intervals but emphasizes the importance of a well-defined assessment strategy.

Types of Regular Assessments

• Vulnerability Scans
• Penetration Tests
• Breach and Ransomware Simulations
• Security Reputation Scans
• Business Impact Analyses
• Security Posture Assessment

Conducting assessments routinely enables your organization to preemptively identify potential security threats and vulnerabilities, much like preventive health check-ups for your organization’s cybersecurity.

ArmorPoint has recently released a security maturity self-assessment. Take the 15-question quiz to determine the gaps in your security posture.