Alert – INDIA NEWS (https://www.indiavpn.org)

Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks
https://www.indiavpn.org/2024/04/11/apple-updates-spyware-alert-system-to-warn-victims-of-mercenary-attacks/
Published Thu, 11 Apr 2024 07:28:27 +0000

Apr 11, 2024 | Newsroom | Spyware / Cyber Espionage

Apple on Wednesday revised its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks.

It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off “individually targeted attacks of such exceptional cost and complexity.”

“Though deployed against a very small number of individuals — often journalists, activists, politicians, and diplomats — mercenary spyware attacks are ongoing and global,” Apple said.

“The extreme cost, sophistication, and worldwide nature of mercenary spyware attacks make them some of the most advanced digital threats in existence today.”

The update marks a change in wording that previously said these “threat notifications” are designed to inform and assist users who may have been targeted by state-sponsored attackers.

According to TechCrunch, Apple is said to have sent threat notifications to iPhone users in 92 countries at 12:00 p.m. PST on Wednesday, coinciding with the revision to the support page.

It’s worth noting that Apple began sending threat notifications to warn users it believes have been targeted by state-sponsored attackers in November 2021.

However, the company also makes it a point to emphasize that it does not “attribute the attacks or resulting threat notifications” to any particular threat actor or geographical region.

The development comes amid continued efforts by governments around the world to counter the misuse and proliferation of commercial spyware.

Last month, the U.S. government said Finland, Germany, Ireland, Japan, Poland, and South Korea had joined an inaugural group of 11 countries working to develop safeguards against the abuse of invasive surveillance technology.

“Commercial spyware has been misused across the world by authoritarian regimes and in democracies […] without proper legal authorization, safeguards, or oversight,” the governments said in a joint statement.


“The misuse of these tools presents significant and growing risks to our national security, including to the safety and security of our government personnel, information, and information systems.”

According to a recent report published by Google’s Threat Analysis Group (TAG) and Mandiant, commercial surveillance vendors were behind the in-the-wild exploitation of a sizable portion of the 97 zero-day vulnerabilities discovered in 2023.

All the vulnerabilities attributed to spyware companies targeted web browsers – particularly flaws in third-party libraries that affect more than one browser and substantially increase the attack surface – and mobile devices running Android and iOS.


“Private sector firms have been involved in discovering and selling exploits for many years, but we have observed a notable increase in exploitation driven by these actors over the past several years,” the tech giant said.

“Threat actors are increasingly leveraging zero-days, often for the purposes of evasion and persistence, and we don’t expect this activity to decrease anytime soon.”

Google also said that increased security investments into exploit mitigations are affecting the types of vulnerabilities threat actors can weaponize in their attacks, forcing them to bypass several security guardrails (e.g., Lockdown Mode and MiraclePtr) to infiltrate target devices.

WordPress Plugin Alert – Critical SQLi Vulnerability Threatens 200K+ Websites
https://www.indiavpn.org/2024/02/27/wordpress-plugin-alert-critical-sqli-vulnerability-threatens-200k-websites/
Published Tue, 27 Feb 2024 07:43:01 +0000

Feb 27, 2024 | Newsroom | Website Security / Cryptojacking

A critical security flaw has been disclosed in a popular WordPress plugin called Ultimate Member that has more than 200,000 active installations.

The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers has been credited with discovering and reporting the flaw.

In an advisory published last week, WordPress security company Wordfence said the plugin is “vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.”

As a result, unauthenticated attackers could take advantage of the flaw to append additional SQL queries to existing queries and extract sensitive data from the database.

It’s worth noting that the issue only affects users who have checked the “Enable custom table for usermeta” option in the plugin settings.


Following responsible disclosure on January 30, 2024, the plugin developers made a fix available with the release of version 2.8.3 on February 19.

Users are advised to update the plugin to the latest version as soon as possible to mitigate potential threats, especially in light of the fact that Wordfence has already blocked one attack attempting to exploit the flaw over the past 24 hours.

In July 2023, another shortcoming in the same plugin (CVE-2023-3460, CVSS score: 9.8) was actively exploited by threat actors to create rogue admin users and seize control of vulnerable sites.


The development comes amid a surge in a new campaign that leverages compromised WordPress sites to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 phishing sites that contain drainers.

“These attacks leverage phishing tactics and malicious injections to exploit the Web3 ecosystem’s reliance on direct wallet interactions, presenting a significant risk to both website owners and the safety of user assets,” Sucuri researcher Denis Sinegubko said.

It also follows the discovery of a new drainer-as-a-service (DaaS) scheme called CG (short for CryptoGrab) that runs a 10,000-member-strong affiliate program comprised of Russian, English, and Chinese speakers.

One of the threat actor-controlled Telegram channels “refers attackers to a telegram bot that enables them to run their fraud operations without any third-party dependencies,” Cyfirma said in a report late last month.

“The bot allows a user to get a domain for free, clone an existing template for the new domain, set the wallet address where the scammed funds are supposed to be sent, and also provides Cloudflare protection for that new domain.”

The threat group has also been observed using two custom Telegram bots called SiteCloner and CloudflarePage to clone an existing, legitimate website and add Cloudflare protection to it, respectively. These pages are then distributed mostly using compromised X (formerly Twitter) accounts.

VMware Alert: Uninstall EAP Now
https://www.indiavpn.org/2024/02/21/vmware-alert-uninstall-eap-now/
Published Wed, 21 Feb 2024 16:10:08 +0000

Feb 21, 2024 | Newsroom | Active Directory / Vulnerability

VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) following the discovery of a critical security flaw.

Tracked as CVE-2024-22245 (CVSS score: 9.6), the vulnerability has been described as an arbitrary authentication relay bug.

“A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs),” the company said in an advisory.

EAP, deprecated as of March 2021, is a software package that’s designed to allow direct login to vSphere’s management interfaces and tools through a web browser. It’s not included by default and is not part of vCenter Server, ESXi, or Cloud Foundation.

Also discovered in the same tool is a session hijack flaw (CVE-2024-22250, CVSS score: 7.8) that could permit a malicious actor with unprivileged local access to a Windows operating system to seize a privileged EAP session.


Ceri Coburn from Pen Test Partners has been credited with discovering and reporting the twin vulnerabilities.

It’s worth pointing out that the shortcomings only impact users who have added EAP to Microsoft Windows systems to connect to VMware vSphere via the vSphere Client.

The Broadcom-owned company said the vulnerabilities will not be addressed, recommending instead that users remove the plugin altogether to mitigate potential threats.

“The Enhanced Authentication Plugin can be removed from client systems using the client operating system’s method of uninstalling software,” it added.

The disclosure comes as SonarSource disclosed multiple cross-site scripting (XSS) flaws (CVE-2024-21726) impacting the Joomla! content management system. They have been addressed in versions 5.0.3 and 4.4.3.

“Inadequate content filtering leads to XSS vulnerabilities in various components,” Joomla! said in its own advisory, assessing the bug as moderate in severity.

“Attackers can leverage the issue to gain remote code execution by tricking an administrator into clicking on a malicious link,” security researcher Stefan Schiller said. Additional technical specifics about the flaw are currently being withheld.

In a related development, several high- and critical-severity vulnerabilities and misconfigurations have been identified in the Apex programming language developed by Salesforce to build business applications.

At the heart of the problem is the ability to run Apex code in “without sharing” mode, which ignores a user’s permissions, thereby allowing malicious actors to read or exfiltrate data, and even provide specially crafted input to alter execution flow.

“If exploited, the vulnerabilities can lead to data leakage, data corruption, and damage to business functions in Salesforce,” Varonis security researcher Nitay Bachrach said.

Alert: CISA Warns of Active ‘Roundcube’ Email Attacks
https://www.indiavpn.org/2024/02/13/alert-cisa-warns-of-active-roundcube-email-attacks/
Published Tue, 13 Feb 2024 05:25:33 +0000

Feb 13, 2024 | Newsroom | Vulnerability / Email Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw impacting Roundcube email software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The issue, tracked as CVE-2023-43770 (CVSS score: 6.1), relates to a cross-site scripting (XSS) flaw that stems from the handling of linkrefs in plain text messages.

“Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages,” CISA said.


According to a description of the bug on NIST’s National Vulnerability Database (NVD), the vulnerability impacts Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.

The flaw was addressed by Roundcube maintainers with version 1.6.3, which was released on September 15, 2023. Zscaler security researcher Niraj Shivtarkar has been credited with discovering and reporting the vulnerability.

It’s currently not known how the vulnerability is being exploited in the wild, but flaws in the web-based email client have been weaponized by Russia-linked threat actors like APT28 and Winter Vivern last year.

U.S. Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply vendor-provided fixes by March 4, 2024, to secure their networks against potential threats.

Alert: Over 178,000 SonicWall Firewalls Potentially Vulnerable to Exploits
https://www.indiavpn.org/2024/01/16/alert-over-178000-sonicwall-firewalls-potentially-vulnerable-to-exploits/
Published Tue, 16 Jan 2024 14:49:52 +0000

Jan 16, 2024 | Newsroom | Vulnerability / Network Security

Over 178,000 SonicWall firewalls exposed to the internet are vulnerable to at least one of two security flaws that could potentially be exploited to cause a denial-of-service (DoS) condition or remote code execution (RCE).

“The two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern,” Jon Williams, a senior security engineer at Bishop Fox, said in a technical analysis shared with The Hacker News.


The vulnerabilities in question are listed below –

  • CVE-2022-22274 (CVSS score: 9.4) – A stack-based buffer overflow vulnerability in the SonicOS via HTTP request allows a remote, unauthenticated attacker to cause DoS or potentially result in code execution in the firewall.
  • CVE-2023-0656 (CVSS score: 7.5) – A stack-based buffer overflow vulnerability in the SonicOS allows a remote, unauthenticated attacker to cause DoS, which could result in a crash.

While there are no reports of exploitation of the flaws in the wild, a proof-of-concept (PoC) for CVE-2023-0656 was published by the SSD Secure Disclosure team in April 2023.

The cybersecurity firm revealed that the issues could be weaponized by bad actors to trigger repeated crashes and force the appliance into maintenance mode, requiring administrative action to restore normal functionality.

“Perhaps most astonishing was the discovery that over 146,000 publicly-accessible devices are vulnerable to a bug that was published almost two years ago,” Williams said.


The development comes as watchTowr Labs uncovered multiple stack-based buffer overflow flaws in the SonicOS management web interface and SSL VPN portal that could lead to a firewall crash.

To safeguard against possible threats, it’s recommended to update to the latest version and ensure that the management interface isn’t exposed to the internet.
