INDIA NEWS https://www.indiavpn.org

Proof-of-Concept Exploit Released for Progress Software OpenEdge Vulnerability
https://www.indiavpn.org/2024/03/11/proof-of-concept-exploit-released-for-progress-software-openedge-vulnerability/
Mon, 11 Mar 2024 07:53:11 +0000

Mar 11, 2024 | Newsroom | Network Security / Vulnerability


Technical specifics and a proof-of-concept (PoC) exploit have been made available for a recently disclosed critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer that could be exploited to bypass authentication protections.

Tracked as CVE-2024-1403, the vulnerability has a maximum severity rating of 10.0 on the CVSS scoring system. It impacts OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.

“When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins,” the company said in an advisory released late last month.


“Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access.”

Progress Software said the flaw causes an OpenEdge local domain to incorrectly return authentication success when unexpected types of usernames and passwords are not handled appropriately, granting access without proper authentication.

The flaw has been addressed in versions OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1.

Horizon3.ai, which reverse-engineered the vulnerable AdminServer service, has since released a PoC for CVE-2024-1403, stating the issue is rooted in a function called connect() that’s invoked when a remote connection is made.

This function, in turn, calls another function called authorizeUser() that validates that the supplied credentials meet certain criteria, and passes control to another part of the code that directly authenticates the user if the provided username matches “NT AUTHORITY\SYSTEM.”
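The flow described above (connect() calling authorizeUser(), which trusts a special-cased username without checking the credential) as an added Python sketch of the pattern. This is not Progress Software's Java AdminServer code: the "certain criteria" check is stood in for by simple length rules, the OS local authentication provider by an in-memory table of SHA-256 password hashes, and the user svc_oe and its password are constructed for the demo.

```python
"""Model of the authorization-routine flaw: a trusted-name fast path.

Added example, not Progress Software code. Assumptions: the 'criteria'
check is a simple length/character rule; the OS local provider is an
in-memory table with SHA-256 password hashes; the user is constructed.
"""
import hashlib
import hmac

# Constructed stand-in for the OS local authentication provider.
_OS_USERS = {
    "svc_oe": hashlib.sha256(b"correct horse battery").hexdigest(),
}


def os_provider_authenticate(username: str, password: str) -> bool:
    """Stand-in for the OS local provider: constant-time hash comparison."""
    stored = _OS_USERS.get(username)
    if stored is None:
        return False
    presented = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, presented)


def credentials_well_formed(username: str, password: str) -> bool:
    """Assumed shape of the 'certain criteria' check (not the real rules)."""
    return 0 < len(username) <= 256 and len(password) <= 256 and "\x00" not in username


def authorize_user_vulnerable(username: str, password: str) -> bool:
    """Flawed flow: a special-cased username is accepted with no credential check."""
    if not credentials_well_formed(username, password):
        return False
    # The fast path: a name that looks like the local SYSTEM identity is treated
    # as already authenticated. Nothing binds that string to the remote caller.
    if username == "NT AUTHORITY\\SYSTEM":
        return True
    return os_provider_authenticate(username, password)


def authorize_user_fixed(username: str, password: str) -> bool:
    """Hardened flow: every login, whatever the name, goes through the provider."""
    if not credentials_well_formed(username, password):
        return False
    return os_provider_authenticate(username, password)


def connect(username: str, password: str, authorize) -> str:
    """Model of the remote connect() entry point: session label or PermissionError."""
    if authorize(username, password):
        return f"session for {username}"
    raise PermissionError("authentication failed")


def demo() -> dict:
    """Exercise both flows with a real user and with the special-cased name."""
    results = {}
    for label, fn in (("vulnerable", authorize_user_vulnerable),
                      ("fixed", authorize_user_fixed)):
        results[label] = {
            "valid_user": fn("svc_oe", "correct horse battery"),
            "wrong_password": fn("svc_oe", "nope"),
            "system_any_password": fn("NT AUTHORITY\\SYSTEM", "anything"),
            "system_empty_password": fn("NT AUTHORITY\\SYSTEM", ""),
        }
    return results


if __name__ == "__main__":
    for flow, outcome in demo().items():
        print(flow, outcome)
    print(connect("NT AUTHORITY\\SYSTEM", "", authorize_user_vulnerable))
```

The only difference between the two routines is the removed fast path; the hardened version has no identity string that skips the provider. One monitoring angle that follows directly from the description: a remote AdminServer login presenting the username NT AUTHORITY\SYSTEM is itself the event worth alerting on, since no legitimate remote client should authenticate under that name.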


“Deeper attacker surface looks like it may allow a user to deploy new applications via remote WAR file references, but the complexity increased dramatically in order to reach this attack surface because of the use of internal service message brokers and custom messages,” security researcher Zach Hanley said.

“We believe there is again likely an avenue to remote code execution via built in functionality given enough research effort.”

LockBit Ransomware Operation Shut Down; Criminals Arrested; Decryption Keys Released
https://www.indiavpn.org/2024/02/20/lockbit-ransomware-operation-shut-down-criminals-arrested-decryption-keys-released/
Tue, 20 Feb 2024 14:27:32 +0000

Feb 20, 2024 | Newsroom | Ransomware / Data Protection


The U.K. National Crime Agency (NCA) on Tuesday confirmed that it obtained LockBit's source code as well as intelligence pertaining to its activities and its affiliates as part of a dedicated task force called Operation Cronos.

“Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised,” the agency said.

It also announced the arrest of two LockBit actors in Poland and Ukraine. Over 200 cryptocurrency accounts linked to the group have been frozen. Indictments have also been unsealed in the U.S. against two other Russian nationals who are alleged to have carried out LockBit attacks.

Artur Sungatov and Ivan Gennadievich Kondratyev (aka Bassterlord) have been accused of deploying LockBit against numerous victims throughout the U.S., including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries, per the U.S. Department of Justice (DoJ).


Kondratyev has also been charged with three criminal counts arising from his use of the Sodinokibi, also known as REvil, ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.

The development comes in the aftermath of an international disruption campaign targeting LockBit, which the NCA described as the “world’s most harmful cyber crime group.”

As part of the takedown efforts, the agency said it took control of LockBit’s services and infiltrated its entire criminal enterprise. This includes the administration environment used by affiliates and the public-facing leak site hosted on the dark web.

In addition, 34 servers belonging to LockBit affiliates have also been dismantled and more than 1,000 decryption keys have been retrieved from the confiscated LockBit servers.


LockBit, which debuted in late 2019, runs a ransomware-as-a-service (RaaS) scheme in which the encryptors are licensed to affiliates, who carry out the attacks in exchange for a cut of the ransom proceeds.

The attacks follow a tactic called double extortion: sensitive data is stolen prior to encryption, and the threat actors then pressure victims into paying both to decrypt their files and to prevent the stolen data from being published.


“The ransomware group is also infamous for experimenting with new methods for pressuring their victims into paying ransoms,” Europol said.

“Triple extortion is one such method which includes the traditional methods of encrypting the victim’s data and threatening to leak it, but also incorporates distributed denial-of-service (DDoS) attacks as an additional layer of pressure.”


The data theft is facilitated by a custom exfiltration tool codenamed StealBit. The infrastructure used to organize and transfer victim data has since been seized by authorities from three countries, including the U.S.

According to Eurojust and DoJ, LockBit attacks are believed to have affected over 2,500 victims all over the world and netted more than $120 million in illicit profits. A decryption tool has also been made available via No More Ransom to recover files encrypted by the ransomware at no cost.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems,” NCA Director General Graeme Biggar said.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate.”

Rhysida Ransomware Cracked, Free Decryption Tool Released
https://www.indiavpn.org/2024/02/12/rhysida-ransomware-cracked-free-decryption-tool-released/
Mon, 12 Feb 2024 14:24:32 +0000

Feb 12, 2024 | Newsroom | Vulnerability / Data Recovery


Cybersecurity researchers have uncovered an “implementation vulnerability” that has made it possible to reconstruct encryption keys and decrypt data locked by Rhysida ransomware.

The findings were published last week by a group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA).

“Through a comprehensive analysis of Rhysida Ransomware, we identified an implementation vulnerability, enabling us to regenerate the encryption key used by the malware,” the researchers said.

The development marks the first successful decryption of the ransomware strain, which first made its appearance in May 2023. A recovery tool is being distributed through KISA.


The study is also the latest to achieve data decryption by exploiting implementation vulnerabilities in ransomware, after Magniber v2, Ragnar Locker, Avaddon, and Hive.

Rhysida, which is known to share overlaps with another ransomware crew called Vice Society, leverages a tactic known as double extortion to apply pressure on victims into paying up by threatening to release their stolen data.

An advisory published by the U.S. government in November 2023 called out the threat actors for staging opportunistic attacks targeting education, manufacturing, information technology, and government sectors.

A thorough examination of the ransomware’s inner workings has revealed its use of LibTomCrypt for encryption as well as parallel processing to speed up the process. It has also been found to implement intermittent encryption (aka partial encryption) to evade detection by security solutions.

“Rhysida ransomware uses a cryptographically secure pseudo-random number generator (CSPRNG) to generate the encryption key,” the researchers said. “This generator uses a cryptographically secure algorithm to generate random numbers.”

Specifically, the CSPRNG is based on the ChaCha20 algorithm provided by the LibTomCrypt library, and the random numbers it produces are correlated with the time at which the ransomware runs, so its output is predictable to anyone who knows roughly when the encryption started.


That’s not all. The main process of Rhysida ransomware compiles a list of files to be encrypted. This list is subsequently referenced by various threads created to simultaneously encrypt the files in a specific order.

“In the encryption process of the Rhysida ransomware, the encryption thread generates 80 bytes of random numbers when encrypting a single file,” the researchers noted. “Of these, the first 48 bytes are used as the encryption key and the [initialization vector].”

Using these observations as reference points, the researchers said they were able to retrieve the initial seed of the generator, reproduce the "randomized" order in which the files were encrypted, and ultimately recover the data without paying a ransom.
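The recovery idea in the paragraphs above (a time-correlated generator, a file order drawn from it, 80 bytes per file of which the first 48 are key and IV) as an added, self-contained Python model. This is not the researchers' code or the KISA tool, and it does not reproduce Rhysida's ChaCha20-based generator: the CSPRNG is stood in for by SHA-256 in counter mode keyed by a 32-bit seed, the per-file cipher by an HMAC-SHA256 keystream XOR, and the seed is assumed to be the Unix time at which the locker started. The three sample "files" and the timestamp are constructed. What the model keeps from the description is the structure that makes the attack work: one generator, seeded from time, that both shuffles the file list and supplies every per-file key in sequence.

```python
"""Toy model of seed recovery against a time-seeded per-file key generator.

Added example, not Rhysida code and not the KISA tool. Stand-ins (assumptions):
  - the CSPRNG is SHA-256 in counter mode keyed by a 32-bit seed;
  - the per-file cipher is an HMAC-SHA256(key, iv || block) keystream XOR;
  - the seed is the Unix time (seconds) at which the locker started.
Kept from the description: one generator, a randomized file order drawn from it,
and 80 random bytes per file of which the first 48 are key (32) and IV (16).
"""
import hashlib
import hmac
import struct


class ToyRng:
    """Deterministic byte stream from a 32-bit seed (stand-in for the CSPRNG)."""

    def __init__(self, seed: int) -> None:
        self.seed = seed & 0xFFFFFFFF
        self.counter = 0
        self.buf = b""

    def read(self, n: int) -> bytes:
        while len(self.buf) < n:
            self.buf += hashlib.sha256(struct.pack("<II", self.seed, self.counter)).digest()
            self.counter += 1
        out, self.buf = self.buf[:n], self.buf[n:]
        return out

    def shuffle(self, items: list) -> list:
        """Fisher-Yates driven by the same stream: the 'randomized' encryption order."""
        items = list(items)
        for i in range(len(items) - 1, 0, -1):
            j = struct.unpack("<I", self.read(4))[0] % (i + 1)
            items[i], items[j] = items[j], items[i]
        return items


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, iv || block_index) blocks."""
    out = bytearray()
    for blk in range(0, len(data), 32):
        ks = hmac.new(key, iv + struct.pack("<I", blk // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[blk:blk + 32], ks))
    return bytes(out)


def locker_encrypt(seed: int, files: dict) -> list:
    """Model of the locker: shuffle the file list, then draw 80 bytes per file."""
    rng = ToyRng(seed)
    encrypted = []
    for name in rng.shuffle(sorted(files)):
        rand = rng.read(80)                 # 80 random bytes per file
        key, iv = rand[:32], rand[32:48]    # first 48 bytes: key + IV
        encrypted.append((name, keystream_xor(key, iv, files[name])))
    return encrypted


def recover_seed(encrypted: list, known: dict, t_guess: int, window: int):
    """Brute-force the time seed over [t_guess - window, t_guess + window].

    `known` maps a filename to its expected plaintext prefix (a file magic).
    A candidate seed is accepted only if every known prefix decrypts correctly
    after replaying the generator (shuffle, then per-file draws) for that seed.
    """
    names = sorted(n for n, _ in encrypted)
    ct = dict(encrypted)
    for seed in range(t_guess - window, t_guess + window + 1):
        rng = ToyRng(seed)
        keys = {n: rng.read(80)[:48] for n in rng.shuffle(names)}
        if all(keystream_xor(keys[n][:32], keys[n][32:48], ct[n][:len(p)]) == p
               for n, p in known.items()):
            return seed
    return None


def decrypt_all(seed: int, encrypted: list) -> dict:
    """Replay the generator with the recovered seed and decrypt every file."""
    rng = ToyRng(seed)
    ct = dict(encrypted)
    out = {}
    for name in rng.shuffle(sorted(ct)):
        k = rng.read(80)[:48]
        out[name] = keystream_xor(k[:32], k[32:48], ct[name])
    return out


# Constructed sample: three small "files" locked at a made-up timestamp.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n" + b"A" * 100,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"B" * 50,
    "notes.txt": b"quarterly notes\n" + b"C" * 20,
}
TRUE_SEED = 1700000000          # assumed locker start time (Unix seconds)
ENCRYPTED = locker_encrypt(TRUE_SEED, SAMPLE_FILES)


def demo() -> int:
    """Recover the seed from two file magics, knowing the incident time to ~15 min."""
    return recover_seed(ENCRYPTED, {"report.pdf": b"%PDF-", "logo.png": b"\x89PNG"},
                        t_guess=TRUE_SEED + 900, window=3600)


if __name__ == "__main__":
    seed = demo()
    print("recovered seed:", seed, "plaintexts match:", decrypt_all(seed, ENCRYPTED) == SAMPLE_FILES)
```

Two practical points the model makes visible: the search cost is linear in the uncertainty about when the locker started (the window above is 7201 candidates), and a single file magic is enough to reject almost every wrong seed, so two known prefixes already make a false positive negligible. Because the file order and every key come from one stream, recovering the seed once recovers everything; the real analysis differs in the generator and cipher, not in that structure.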

“Although these studies have a limited scope, it is important to acknowledge that certain ransomwares […] can be successfully decrypted,” the researchers concluded.

Critical Patches Released for New Flaws in Cisco, Fortinet, VMware Products
https://www.indiavpn.org/2024/02/08/critical-patches-released-for-new-flaws-in-cisco-fortinet-vmware-products/
Thu, 08 Feb 2024 06:13:24 +0000

Feb 08, 2024 | Newsroom | Cyber Threat / Network Security


Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices.

The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting Cisco Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks.

All the issues, which were found during internal security testing, stem from insufficient CSRF protections for the web-based management interface that could permit an attacker to perform arbitrary actions with the privilege level of the affected user.

“If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts,” Cisco said about CVE-2024-20252 and CVE-2024-20254.

On the other hand, successful exploitation of CVE-2024-20255 targeting a user with administrative privileges could enable the threat actor to overwrite system configuration settings, resulting in a denial-of-service (DoS) condition.


Another crucial difference between the two sets of flaws is that while CVE-2024-20254 and CVE-2024-20255 affect Cisco Expressway Series devices in the default configuration, CVE-2024-20252 only impacts them if the cluster database (CDB) API feature has been enabled. It's disabled by default.

Patches for the vulnerabilities are available in Cisco Expressway Series Release versions 14.3.4 and 15.0.0.
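The weakness class behind the three Cisco advisories (a state-changing request to the management interface accepted on the session cookie alone) as an added Python example, not Cisco code. A toy handler that models the flaw sits beside a hardened one that checks the request's Origin and a per-session synchronizer token; the management hostname, session store, account table and the two request dicts are constructed for the demo, and the privileged action is the one the advisory names, creating a new privileged account.

```python
"""Cross-site request forgery against a cookie-authenticated management UI.

Added example, not Cisco code. The handlers, session store, account table and
requests are constructed; MGMT_HOST is an assumed management hostname.
"""
import hmac
import secrets
from urllib.parse import urlparse

MGMT_HOST = "expressway.example.internal"   # assumed management hostname

SESSIONS = {}                               # sid -> {"user", "role", "csrf"}
ACCOUNTS = {"admin": "administrator"}       # constructed account table


def login(user: str, role: str) -> str:
    """Create a session; the CSRF token lives in the session, never in a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "role": role, "csrf": secrets.token_hex(32)}
    return sid


def _session(req: dict):
    return SESSIONS.get(req.get("cookies", {}).get("sid"))


def create_account(req: dict) -> int:
    """The privileged action: add an account with the role given in the form."""
    ACCOUNTS[req["form"]["name"]] = req["form"]["role"]
    return 200


def handle_vulnerable(req: dict) -> int:
    """Authorizes on the ambient cookie only: any site can make the browser send it."""
    sess = _session(req)
    if sess is None:
        return 401
    if sess["role"] != "administrator":
        return 403
    return create_account(req)


def handle_hardened(req: dict) -> int:
    """Same action, but the request must prove it was issued by the UI itself."""
    sess = _session(req)
    if sess is None:
        return 401
    if sess["role"] != "administrator":
        return 403
    # 1. Origin (fallback Referer) must name the management host. A cross-site
    #    form post carries the attacker page's origin, and a page cannot forge
    #    this header from script.
    hdrs = req.get("headers", {})
    src = hdrs.get("Origin") or hdrs.get("Referer")
    if not src or urlparse(src).hostname != MGMT_HOST:
        return 403
    # 2. Synchronizer token: only a page served by the UI can read the session's
    #    token and echo it in the form. Compare in constant time.
    token = req.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    return create_account(req)


def demo() -> dict:
    """Replay a legitimate admin request and a forged one through both handlers."""
    sid = login("admin", "administrator")
    legit = {
        "cookies": {"sid": sid},
        "headers": {"Origin": f"https://{MGMT_HOST}"},
        "form": {"name": "ops2", "role": "administrator",
                 "csrf_token": SESSIONS[sid]["csrf"]},
    }
    # Forged: the admin's browser submits a form from an attacker page. The
    # session cookie rides along automatically; Origin is the attacker's and
    # the form carries no token.
    forged = {
        "cookies": {"sid": sid},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"name": "backdoor", "role": "administrator"},
    }
    out = {}
    for name, handler in (("vulnerable", handle_vulnerable), ("hardened", handle_hardened)):
        ACCOUNTS.clear()
        ACCOUNTS["admin"] = "administrator"
        out[name] = {"legit": handler(legit), "forged": handler(forged),
                     "backdoor_created": "backdoor" in ACCOUNTS}
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The vulnerable handler cannot tell the two requests apart because both carry a valid cookie; the hardened one rejects the forgery twice over. In a real deployment the Origin check and the token are complementary, not alternatives: the token protects against clients that omit Origin, and marking the session cookie SameSite adds a browser-enforced layer on top.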

Fortinet, for its part, has released a second round of updates to address two bypasses of the patch for a previously disclosed critical flaw (CVE-2023-34992, CVSS score: 9.7) in the FortiSIEM supervisor that could result in the execution of arbitrary code, according to Horizon3.ai researcher Zach Hanley.

Tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS scores: 9.8), the flaws “may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.”

Fortinet had already fixed an earlier variant of CVE-2023-34992 as CVE-2023-36553 (CVSS score: 9.3) in November 2023. The two new vulnerabilities are fixed, or will be, in the following versions –

  • FortiSIEM version 7.1.2 or above
  • FortiSIEM version 7.2.0 or above (upcoming)
  • FortiSIEM version 7.0.3 or above (upcoming)
  • FortiSIEM version 6.7.9 or above (upcoming)
  • FortiSIEM version 6.6.5 or above (upcoming)
  • FortiSIEM version 6.5.3 or above (upcoming), and
  • FortiSIEM version 6.4.4 or above (upcoming)

Completing the trifecta is VMware, which has warned of five moderate-to-important severity flaws in Aria Operations for Networks (formerly vRealize Network Insight) –

  • CVE-2024-22237 (CVSS score: 7.8) – Local privilege escalation vulnerability that allows a console user to gain regular root access
  • CVE-2024-22238 (CVSS score: 6.4) – Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code into user profile configurations
  • CVE-2024-22239 (CVSS score: 5.3) – Local privilege escalation vulnerability that allows a console user to gain regular shell access
  • CVE-2024-22240 (CVSS score: 4.9) – Local file read vulnerability that allows a malicious actor with admin privileges to access sensitive information
  • CVE-2024-22241 (CVSS score: 4.3) – Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code and take over the user account

To mitigate the risks, all users of VMware Aria Operations for Networks version 6.x are being recommended to upgrade to version 6.12.0.

Given the history of in-the-wild exploitation of Cisco, Fortinet, and VMware flaws, patching is the necessary first step organizations need to take to address these shortcomings.

Free Decryptor Released for Black Basta and Babuk's Tortilla Ransomware Victims
https://www.indiavpn.org/2024/01/10/free-decryptor-released-for-black-basta-and-babuks-tortilla-ransomware-victims/
Wed, 10 Jan 2024 11:56:54 +0000

Jan 10, 2024 | Newsroom | Ransomware / Data Security


A decryptor for the Tortilla variant of the Babuk ransomware has been released by Cisco Talos, allowing victims targeted by the malware to regain access to their files.

The cybersecurity firm said the threat intelligence it shared with Dutch law enforcement authorities made it possible to arrest the threat actor behind the operations.

The encryption key has also been shared with Avast, which had previously released a decryptor for Babuk ransomware after its source code was leaked in September 2021. Avast has published the updated decryptor as an EXE file.


“A single private key is used for all victims of the Tortilla threat actor,” Avast noted. “This makes the update to the decryptor especially useful, as all victims of the campaign can use it to decrypt their files.”

The Tortilla campaign was first disclosed by Talos in November 2021, with the attacks leveraging ProxyShell flaws in Microsoft Exchange servers to drop the ransomware within victim environments.


Tortilla is one among the many ransomware variants that have based their file-encrypting malware on the leaked Babuk source code. This includes Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, ESXiArgs, Rorschach, RTM Locker, and RA Group.

The development comes as German cybersecurity firm Security Research Labs (SRLabs) released a decryptor for Black Basta ransomware called Black Basta Buster by taking advantage of a cryptographic weakness to recover a file either partially or fully.


“Files can be recovered if the plaintext of 64 encrypted bytes is known,” SRLabs said. “Whether a file is fully or partially recoverable depends on the size of the file.”

“Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”

Bleeping Computer reported late last month that the Black Basta developers have since fixed the issue, preventing the tool from working with newer infections.
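The recovery SRLabs describes above (64 known plaintext bytes unlocking a file) as an added Python example of the underlying technique, not Black Basta Buster. The assumption it rests on is that the 64-byte keystream block XORed onto those known bytes is reused across the rest of the file, which is what lets one known block decrypt the whole file; the toy locker, the sample file and the known-plaintext offset are constructed, and the real tool's 5000-byte and 1GB thresholds are not modelled.

```python
"""Known-plaintext recovery of a reused 64-byte keystream block.

Added example, not SRLabs' tool. Assumption: a flawed locker XORs the same
64-byte keystream block onto every 64-byte chunk of the file, so 64 bytes of
known plaintext anywhere in the file yield the block. Sample data is constructed.
"""
import random

BLOCK = 64


def toy_lock(data: bytes, ks_block: bytes) -> bytes:
    """Flawed locker model: XOR every 64-byte chunk with the same keystream block."""
    if len(ks_block) != BLOCK:
        raise ValueError("keystream block must be 64 bytes")
    return bytes(b ^ ks_block[i % BLOCK] for i, b in enumerate(data))


def recover_keystream(ciphertext: bytes, known: bytes, offset: int) -> bytes:
    """Rebuild the reused block from 64 known plaintext bytes at `offset`.

    The known bytes may straddle a chunk boundary, so each byte is mapped to
    its position within the 64-byte cycle instead of assuming offset 0.
    """
    if len(known) < BLOCK:
        raise ValueError(f"need at least {BLOCK} known bytes, got {len(known)}")
    if offset < 0 or offset + BLOCK > len(ciphertext):
        raise ValueError("known plaintext does not lie inside the ciphertext")
    ks = bytearray(BLOCK)
    for i in range(BLOCK):
        pos = offset + i
        ks[pos % BLOCK] = ciphertext[pos] ^ known[i]
    return bytes(ks)


def recover_file(ciphertext: bytes, known: bytes, offset: int) -> bytes:
    """XOR is its own inverse: reapply the recovered block to get the plaintext."""
    return toy_lock(ciphertext, recover_keystream(ciphertext, known, offset))


def _det_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample: a 4 KiB "file" whose bytes 100..163 are a run of zero
# padding, the kind of known plaintext many formats carry (alignment padding,
# zero-filled headers). Offset 100 is deliberately not block aligned.
_rng = random.Random(7)
SAMPLE_PLAIN = _det_bytes(_rng, 100) + b"\x00" * BLOCK + _det_bytes(_rng, 4096 - 100 - BLOCK)
TRUE_KS = _det_bytes(_rng, BLOCK)
SAMPLE_CIPHER = toy_lock(SAMPLE_PLAIN, TRUE_KS)
KNOWN_OFFSET = 100


def demo() -> bool:
    """Recover the whole sample from the 64 zero bytes at offset 100."""
    return recover_file(SAMPLE_CIPHER, b"\x00" * BLOCK, KNOWN_OFFSET) == SAMPLE_PLAIN


if __name__ == "__main__":
    print("keystream recovered:", recover_keystream(SAMPLE_CIPHER, b"\x00" * BLOCK, KNOWN_OFFSET) == TRUE_KS)
    print("file recovered:", demo())
```

The check a responder should make before relying on this kind of recovery is the one the function enforces: the known bytes must be at least 64 long and must sit entirely inside the ciphertext. Any region of the original that can be reconstructed independently (zero padding, a standard header, a file copied from backup) serves as the known plaintext; if the encryptor stops reusing the block, as the Black Basta developers reportedly did, the same 64 bytes reveal only the one chunk they came from.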
