-
Google has once again pushed its plans to deprecate third-party tracking cookies in its Chrome web browser as it works to address outstanding competition concerns from U.K. regulators over its Privacy Sandbox initiative. The tech giant said it’s working closely with the U.K. Competition and Markets Authority (CMA) and hopes to achieve an agreement by the end of the year. As part of the
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
In a joint advisory released by cybersecurity agencies across Canada, Australia, and the United Kingdom, IT professionals and managers in government and critical sectors are alerted to sophisticated cyber-attacks targeting CISCO ASA VPN devices.
Background on the Cyber Threat
The Canadian Centre for Cyber Security and its international counterparts have been monitoring a series of cyber-attacks since early 2024.
These incidents have primarily affected CISCO ASA devices, specifically the ASA55xx series running firmware versions 9.12 and 9.14.
The attacks believed to be espionage efforts by a state-sponsored actor, have not shown signs of prepositioning for a disruptive or destructive network attack.
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach - Download Free Guide
However, the level of sophistication observed is a cause for concern.
CVE Details and Impact
The first vulnerability identified is CVE-2024-20359, allowing persistent local code execution.
This flaw enables attackers to maintain a presence on the affected device even after it has been rebooted.
The second vulnerability, CVE-2024-20353, can lead to a denial of service within the Cisco Adaptive Security Appliance and Firepower Threat Defense Software’s web services.
This vulnerability could be exploited to disrupt operations and deny access to network resources.
Malicious actors have exploited both vulnerabilities to gain unauthorized access through WebVPN sessions, often associated with Clientless SSLVPN services.
The agencies have not disclosed any specific hacker groups involved, but the capabilities point to a well-resourced and sophisticated actor.
Exploiting these vulnerabilities poses a significant risk to organizations that rely on the affected CISCO ASA VPN devices.
Unauthorized access to these devices can lead to data breaches, espionage, and potentially a foothold for future attacks against critical infrastructure.
Mitigation Strategies
In response to these threats, the advisory encourages organizations to:
- Review logs for unknown, unexpected, or unauthorized device access or changes.
- Update affected devices to the latest firmware versions as soon as possible.
- Visit the Cisco Security Advisories portal and the Cisco Talos Blog for additional information and guidance on mitigation.
- Implement network segmentation and access control lists to limit the traffic allowed to and from the affected devices.
- Employ multi-factor authentication to access VPNs and reduce the risk of unauthorized access.
The alert serves as a reminder of the ever-present cyber threats facing organizations and the importance of maintaining robust cybersecurity practices.
As the situation develops, further updates and recommendations are expected to be issued by the involved cybersecurity agencies.
Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training ->
Try Free Demo
The post Authorities Warned that Hackers Are Exploiting Flaws in CISCO ASA VPNs appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity ArcaneDoor, attributing it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft). ”
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
Security researchers at Cisco Talos have uncovered a sophisticated cyber espionage campaign dubbed “ArcaneDoor” conducted by a state-sponsored threat actor tracked as UAT4356 (STORM-1849).
This campaign targeted government networks globally by exploiting multiple zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) firewalls.
The attack chain leveraged two custom malware implants – “Line Dancer” and “Line Runner” – to gain persistent access and remote control over compromised ASA devices.
Line Dancer was an in-memory shellcode interpreter that enabled executing arbitrary payloads, while Line Runner provided a persistent backdoor by abusing a legacy VPN client pre-loading functionality.
“Cisco uncovered a sophisticated attack chain that was used to implant custom malware and execute commands across a small set of customers. While Cisco researchers have been unable to identify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359) that were abused in this campaign.”
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach -Β Download Free Guide
Initial Compromise and Line Dancer Implant
The initial attack vector used to compromise ASA firewalls remains unknown. However, once access was obtained, the hackers deployed the Line Dancer implant – a memory-resident shellcode interpreter.
This allowed them to upload and execute malicious payloads via the host-scan-reply field of the SSL VPN session establishment process.
Line Dancer provided the capability to disable logging, capture device configurations, sniff network traffic, execute CLI commands, and even bypass authentication mechanisms.
It hooked critical functions like crash dumps to hinder forensic analysis and rebooted devices to remove itself from memory.
Persistent Line Runner Backdoor
To maintain access, the hackers exploited two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) to install the Line Runner persistent backdoor.
This leveraged a legacy feature that allowed pre-loading VPN client bundles on ASAs.
Line Runner consisted of Lua scripts that created a hidden directory, planted a web content file acting as a backdoor, and modified system scripts to copy a malicious ZIP file for execution on every boot.
This gave the attackers a persistent HTTP-based backdoor that survived software upgrades and reboots.
Document Integrate ANY.RUN in your company for Effective Malware Analysis Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers
Malware analysis can be fast and simple. Just let us show you the way to:
- Interact with malware safely
- Set up virtual machine in Linux and all Windows OS versions
- Work in a team
- Get detailed reports with maximum data If you want to test all these features now with completely free access to the sandbox: ..
Anti-Forensics and Attribution
The ArcaneDoor campaign demonstrated advanced anti-forensics capabilities, modifying core dump functions, disabling logging, and hooking authentication processes to hide their activities.
These operational security measures, combined with developing bespoke malware implants and chaining of zero-days, strongly suggest a state-sponsored threat actor.
While Cisco has released patches for the exploited vulnerabilities, organizations should urgently update their ASA firewalls and follow the recommended incident response procedures to detect and remediate potential compromises from this campaign.
Perimeter network devices like firewalls are lucrative targets for espionage actors because they provide a direct intrusion point into sensitive networks.
The ArcaneDoor campaign underscores the importance of prompt patching, secure configurations, and proactive monitoring of such critical infrastructure components.
Combat Email Threats with Free Phishing Simulations: Email Security AwarenessΒ Training ->
Try Free DemoΒ
Indicators of Compromise
Likely Actor-Controlled Infrastructure:Β
192.36.57[.]181
185.167.60[.]85
185.227.111[.]17
176.31.18[.]153
172.105.90[.]154
185.244.210[.]120
45.86.163[.]224
172.105.94[.]93
213.156.138[.]77
89.44.198[.]189
45.77.52[.]253
103.114.200[.]230
212.193.2[.]48
51.15.145[.]37
89.44.198[.]196
131.196.252[.]148
213.156.138[.]78
121.227.168[.]69
213.156.138[.]68
194.4.49[.]6
185.244.210[.]65
216.238.75[.]155Multi-Tenant Infrastructure:
5.183.95[.]95Β
45.63.119[.]131Β
45.76.118[.]87Β
45.77.54[.]14Β
45.86.163[.]244Β
45.128.134[.]189Β Β Β Β
89.44.198[.]16Β
96.44.159[.]46Β
103.20.222[.]218Β
103.27.132[.]69Β
103.51.140[.]101Β
103.119.3[.]230Β
103.125.218[.]198Β
104.156.232[.]22Β
107.148.19[.]88Β
107.172.16[.]208Β
107.173.140[.]111Β
121.37.174[.]139Β
139.162.135[.]12Β
149.28.166[.]244Β
152.70.83[.]47Β
154.22.235[.]13Β
154.22.235[.]17Β
154.39.142[.]47Β Β
172.233.245[.]241Β
185.123.101[.]250Β
192.210.137[.]35Β Β
194.32.78[.]183Β
205.234.232[.]196Β Β
207.148.74[.]250Β
216.155.157[.]136Β
216.238.66[.]251Β
216.238.71[.]49Β
216.238.72[.]201Β
216.238.74[.]95Β
216.238.81[.]149Β
216.238.85[.]220Β
216.238.86[.]24Β ΒThe post Hackers Exploit Cisco Firewall Zero-Days to Hack Government Networks appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
But the giants they beat out are welcome to pitch self-developed drones for production contracts.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
Aircraft are likely βalready flyingβ material toward the beleaguered country, senior official says.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
The new supplemental renews the push to boost production sixfold since Russiaβs Ukraine invasion.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
AI-powered generative tools have supercharged phishing threats, so even newbie attackers can effortlessly create refined, individualized campaigns.
Protecting data and systems from this democratization of phishing abilities gives a new challenge for the defenders.
Zscalerβs Phishing Report 2024 is based on an analysis of more than 2 billion phishing reports that occurred in 2023 and provides insights into future trends, current campaigns, prime targets within various regions/industries/brands as well as threat actors using AI.
This report demonstrates the need for constant alertness and zero trust security against an evolving phishing landscape, with examples reflecting how AI is now being used to enhance such activities.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
Top Phishing Trends And Targets
Phishing surged 58.2% in 2023 as threat actors leveraged AI for sophisticated social engineering like voice/deepfake phishing.
Adversary-in-the-middle and emerging browser-in-the-browser attacks persisted.Β
The top targeted countries were:-
- US
- UK
- India
- Canada
- Germany
Besides this, Finance and insurance faced 27.8% of attacks (a 393% year-over-year increase), the highest percentage across industries.
While Microsoft remained the most impersonated brand at 43.1% of phishing attempts. AI amplified reach and deception of phishing campaigns across multiple vectors.
However, there is a swap since, as it increases productivity, generative AI also serves as a two-edged sword by enabling even inexperienced threat actors to become the skilled social engineers that they are.
AI performs reconnaissance tasks automatically, personalizes email and communications to eliminate mistakes, and creates attractive phishing pages that are indistinguishable from genuine ones.
The report presented ChatGPT generating a login page for phishing within 10 prompts and includes warning signs to look out for.
Emerging sophisticated approaches include voice phishing (vishing) supported by AI and deepfake impersonation in the name of social engineering.
Phishing has grown worse due to generative AI because it allows quicker and more accurate attacks at multiple phases.
There is a global increase in the adoption of advanced AI-driven voice impersonation for vishing campaigns, which has caused great financial damage in some instances.
One of the biggest challenges related to AI cyber threats is deep fake phishing that perfectly copies facial appearances, voice,s and gestures.Β
The capability of AI-driven vishing and deepfake impersonation to be very sophisticated poses significant emergent challenges that strong organizational defenses must fulfil.
Mitigations
Here below, we have mentioned all the mitigations recommended by the researchers:-
- Use AI-powered phishing prevention solutions that offer several capabilities, such as Browser Isolation, to combat AI-driven threats effectively.
- Implement a Zero Trust architecture to prevent traditional and AI-driven phishing attacks at multiple stages.
- Prevent compromise by inspecting TLS/SSL at scale.
- Eliminate lateral movement by enabling direct user-to-application connections and implementing AI-powered app segmentation.
- Detect and shut down compromised users and insider threats using inline inspection.
- Prevent data loss by inspecting data in-motion and at-rest.
- Adopt foundational security best practices to enhance overall resilience to phishing attacks.
Looking to Safeguard Your Company from Advanced Cyber Threats? DeployΒ TrustNetΒ to Your Radar ASAP
.The post Phishing Attacks Rise By 58% As The Attackers Leverage AI Tools appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
The widely used MySQL2 has been discovered to have three critical vulnerabilities: remote Code execution, Arbitrary code injection, and Prototype Pollution.
These vulnerabilities have been assigned with CVE-2024-21508, CVE-2024-21509, and CVE-2024-21511.
The severity of these vulnerabilities ranges from 6.5 (Medium) to 9.8 (Critical). While only one of these vulnerabilities has been patched, the other two remain and must be fixed by the Vendor.Β
MySQL2 Flaw Vulnerability
According to the reports shared with Cyber Security News, the node-mysql2 library allows users to connect to the database in JavaScript and has over 2 million installations per week.Β
The user can utilize this library to establish a connection with their database and execute queries with it.
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
This particular scenario also applies to a threat actor, providing them with server-level access.
Since the attack vector entirely depends on the post-connection to the server, attacks such as Remote Code Execution, Arbitrary code execution, and prototype pollution are possible.Β
CVE-2024-21508 & CVE-2024-21511
This particular vulnerability arises because the node-mysql2 library allows the first argument passed to the connection query function to be a string containing the query.
However, this particular argument is not validated correctly, allowing a user to pass objects instead of strings.
Further, MySQL2 generates a parsing function for every query, usually cached for optimization purposes.
The library’s source code also contains a parameter supportBugNumbers, which is used when a query returns a large number.
However, this argument is not sanitized or checked correctly, which allows a user to pass an object with malicious code that will result in Remote code execution.
CVE-2024-21509 – Prototype Pollution
Analyzing the library’s source code also revealed that the function that parses the returned response uses a global prototype as a map, which can be exploited in a similar pattern to the previous attack to achieve Prototype Pollution.
The severity for this vulnerability was given as 6.5 (Medium).
Another vulnerability mentioned by the researcher was associated with cache poisoning.
This cache poisoning can be exploited even in stricter application configurations.Β
Cache Poisoning
The node-mysql2 library uses a response function in which keys are inserted into the string and the use of a “:” delimiter.
The key strings can also contain a “:” delimiter, enabling the exploitation of this behavior to manipulate the hash function. However, the vendors fixed this vulnerability.
Users are recommended to upgrade their MySQL2 to the latest version, 3.6.7, to prevent the exploitation of this cache poisoning vulnerability. Other vulnerabilities have yet to be addressed.
The researcher also stated, “the vendor did not provide the necessary cooperation, ignoring my emails for months, so this material was released without the final fixes.β
Looking to Safeguard Your Company from Advanced Cyber Threats? DeployΒ TrustNetΒ to Your Radar ASAP
.The post Multiple MySQL2 Flaw Let Attackers Arbitrary Code Remotely appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ