Cyber security news October 2022

This posting is here to collect cyber security news in October 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

395 Comments

  1. Tomi Engdahl says:

    Hackers exploit critical VMware flaw to drop ransomware, miners https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmware-flaw-to-drop-ransomware-miners/
    Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives.

    Reply
  2. Tomi Engdahl says:

    Failed Cobalt Strike fix with buried RCE exploit now patched https://portswigger.net/daily-swig/failed-cobalt-strike-fix-with-buried-rce-exploit-now-patched
    The team behind the Cobalt Strike penetration testing tool has responded to reports of a failed remote code execution (RCE) exploit patch with a new fix.

    Reply
  3. Tomi Engdahl says:

    Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware https://thehackernews.com/2022/10/emotet-botnet-distributing-self.html
    The notorious Emotet botnet has been linked to a new wave of malspam campaigns that take advantage of password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems.

    Reply
  4. Tomi Engdahl says:

    Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware https://thehackernews.com/2022/10/multiple-campaigns-exploit-vmware.html
    A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines. Additionally:
    https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability

    Reply
  5. Tomi Engdahl says:

    Denial-of-service attacks surged; targets included the popular Yle Areena
    https://yle.fi/uutiset/3-12665063
    There have been a few larger denial-of-service attacks this week. The number of reports made to us has increased, says leading specialist Juhani Eronen of the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom.

    Reply
  6. Tomi Engdahl says:

    TommyLeaks and SchoolBoys: Two sides of the same ransomware gang https://www.bleepingcomputer.com/news/security/tommyleaks-and-schoolboys-two-sides-of-the-same-ransomware-gang/
    Two new extortion gangs named ‘TommyLeaks’ and ‘SchoolBoys’ are targeting companies worldwide. However, there is a catch: they are both the same ransomware gang.

    Reply
  7. Tomi Engdahl says:

    Exploited Windows zero-day lets JavaScript files bypass security warnings https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
    A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks.

    Reply
  8. Tomi Engdahl says:

    US govt warns of Daixin Team targeting health orgs with ransomware https://www.bleepingcomputer.com/news/security/us-govt-warns-of-daixin-team-targeting-health-orgs-with-ransomware/
    CISA, the FBI, and the Department of Health and Human Services (HHS) warned that a cybercrime group known as Daixin Team is actively targeting the U.S. Healthcare and Public Health (HPH) sector in ransomware attacks.

    Reply
  9. Tomi Engdahl says:

    VMware bug with 9.8 severity rating exploited to install witch’s brew of malware https://arstechnica.com/information-technology/2022/10/ransomware-crypto-miner-and-botnet-malware-installed-using-patched-vmware-bug/
    Hackers have been exploiting a now-patched vulnerability in VMware Workspace ONE Access in campaigns to install various ransomware and cryptocurrency miners, a researcher at security firm Fortinet said on Thursday.

    Reply
  10. Tomi Engdahl says:

    Thousands of GitHub repositories deliver fake PoC exploits with malware https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/
    Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware.

    Reply
  11. Tomi Engdahl says:

    Typosquat campaign mimics 27 brands to push Windows, Android malware https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27-brands-to-push-windows-android-malware/
    A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware.

    Reply
  12. Tomi Engdahl says:

    Russia wages disinformation war. Ukraine’s cyber chief calls for global anti-fake news fight https://www.theregister.com/2022/10/22/ukraine_cybersecurity_chief_mwise/
    ‘Completely new approaches should be developed to prevent the influence of this propaganda’. As a hybrid offline and online war wages on in Ukraine, Viktor Zhora, who leads the country’s cybersecurity agency, has had a front-row seat of it all.

    Reply
  13. Tomi Engdahl says:

    Bill Toulas / BleepingComputer:
    Researchers find thousands of repos on GitHub offering fake proof-of-concept exploits for various vulnerabilities, with many of them containing malware instead

    Thousands of GitHub repositories deliver fake PoC exploits with malware
    https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/

    Reply
  14. Tomi Engdahl says:

    Associated Press:
    Iran’s atomic energy agency says hackers breached its email system; hacking group Black Reward leaked 50GB of emails and Bushehr power plant construction plans

    Iran releases footage from prison fire, adding to mystery
    https://apnews.com/article/iran-technology-dubai-middle-east-business-944d99079fca61439d64054db6bde941

    An anonymous hacking group claimed responsibility for the attack on Iran’s Atomic Energy Organization, demanding Tehran release political prisoners. The group, calling itself “Black Reward,” said it leaked 50 gigabytes of internal emails, contracts and construction plans related to Iran’s Russian-backed nuclear power plant in Bushehr and shared the files on its Telegram channel. It was unclear whether the breached system contained classified material.

    “Unlike Westerners, we do not flirt with criminal mullahs,” the anonymous hacking group said in a Telegram post.

    FILE – Iranians protest a 22-year-old woman Mahsa Amini’s death after she was detained by the morality police, in Tehran, Sept. 20, 2022, in this photo taken by an individual not employed by the Associated Press and obtained by the AP outside Iran. Iran’s atomic energy agency alleged Sunday, Oct. 23, 2022, that hackers acting on behalf of an unidentified foreign country broke into a subsidiary’s network and had free access to its email system. Sunday’s hack comes as Iran continues to face nationwide unrest first sparked by the Sept. 16 death of Amini. (AP Photo/Middle East Images, File)

    DUBAI, United Arab Emirates (AP) — Iran on Sunday released security footage that it said came from its notorious Evin Prison the night a fire broke out that killed at least eight inmates, an effort to clarify the government’s narrative amid growing international pressure.

    The purported CCTV footage of the mayhem last weekend only added to the mystery of what happened the night of the blaze at the detention facility. Evin Prison is known for holding political prisoners, including protesters from the demonstrations that have convulsed the country over the past five weeks. Rights groups estimate that thousands have been swept up since the unrest began over the Sept. 16 death of Mahsa Amini, a 22-year-old woman in police custody for allegedly not adhering to the country’s strict Islamic dress code.

    Iran’s state-run IRNA news agency aired an interview with an unnamed top prison guard who claimed a riot broke out as prisoners convicted of financial crimes tried to escape. However, no unrest or violence is visible in the released CCTV footage. The quick glimpses show crowds of detainees rushing through cell doors. Some men appear panicked as smoke fills the ward and a siren wails. A prisoner tries to break his cell lock with a fire extinguisher, while another tries with a mop. A man tries to damage a CCTV camera.

    The cryptic video and shifting explanations for what happened last Saturday night at Evin Prison have sown doubt about the government’s version of events. Officials first said the unrest was stoked by “enemy agents” and some inmates who attempted to escape. They also claimed inmates set a sewing workshop on fire. But in numerous videos shared on social media, gunshots, explosions and protest chants can be heard.

    Iran’s nationwide protests first focused on Iran’s state-mandated hijab, or headscarf, for women but transformed into one of the most serious challenges to the country’s ruling clerics. Protesters have clashed with police and even called for the downfall of the Islamic Republic itself. Security forces have fired live ammunition and tear gas to disperse demonstrations, killing over 200 people, according to estimates by rights groups.

    Also on Sunday, Iran’s atomic energy agency alleged that hackers acting on behalf of an unidentified foreign country broke into a subsidiary’s network and had free access to its email system.

    Iran did not specify which foreign country it believed to be behind the hack, but it has previously accused the United States and Israel of cyberattacks that have impaired the country’s infrastructure.

    “These illegal efforts out of desperation are aimed at attracting public attention,” the Atomic Energy Organization said.

    Meanwhile Iran’s leading teachers’ association reported that sit-ins canceled classes at multiple schools across the country in protest over the government’s crackdown on student protesters.

    Reply
  15. Tomi Engdahl says:

    Text4Shell Vulnerability Exploitation Attempts Started Soon After Disclosure
    https://www.securityweek.com/text4shell-vulnerability-exploitation-attempts-started-soon-after-disclosure

    Exploitation attempts targeting the Apache Commons Text vulnerability tracked as CVE-2022-42889 and Text4Shell started shortly after its disclosure, according to WordPress security company Defiant.

    The company started monitoring its network of 4 million websites for exploitation attempts on October 17, the day when the cybersecurity community learned about its existence — the issue was disclosed by Apache developers on October 13.

    Defiant, which provides the Wordfence security service for WordPress sites, said on Thursday that it had seen exploitation attempts from roughly 40 IP addresses since October 18. While a majority appear to be scans likely conducted by security teams and researchers looking for vulnerable instances, some of them may be the work of malicious actors.

    “The vast majority of requests we are seeing are using the DNS prefix and are intended to scan for vulnerable installations – a successful attempt would result in the victim site making a DNS query to the attacker-controlled listener domain,” the company explained.

    Apache Commons Text is an open source Java library designed for working with strings. It is used by many developers and organizations. CVE-2022-42889 is a critical issue related to untrusted data processing and it can lead to arbitrary code execution, but exploitation is only possible in certain circumstances.

    When its existence became widely known, some rushed to compare it to Log4Shell, which impacts the widely used Log4j Java logging framework and which has been exploited in many attacks. That is why it was given the name Text4Shell.

    However, a closer analysis revealed that while Text4Shell could also be useful to some threat actors, it’s unlikely to be exploited as widely as Log4Shell.

    The fact that scanning for Text4Shell has started is not surprising, especially since PoC code and technical details are available, and an extension to scan for the vulnerability has been added to the popular Burp Suite web vulnerability scanner.

    https://twitter.com/pwntester/status/1583188792017850368
    There are a lot of people comparing #Text4Shell with #Log4Shell. The likelihood of exploitation is completely different but they are connected somehow and there is a good reason for that!

    Reply
  16. Tomi Engdahl says:

    Nitrokod stealth malware hides on a pc for a month before it goes to work infects over 111,000 users
    https://www.securitynewspaper.com/2022/09/01/nitrokod-stealth-malware-hides-on-a-pc-for-a-month-before-it-goes-to-work-infects-over-111000-users/

    A Turkish entity going by the name of Nitrokod has been accused of running a campaign by spoofing a desktop version of Google Translate to actively mine cryptocurrency from its more than 111,000 users across eleven countries (UK, US, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland) in 2019.

    Reply
  17. Tomi Engdahl says:

    New text2shell RCE vulnerability in Apache Common Texts CVE-2022-42889
    https://securityboulevard.com/2022/10/new-text2shell-rce-vulnerability-in-apache-common-texts-cve-2022-42889/

    This is an SSTI, Server-Side Template Injection issue with a payload that looks really similar to Log4Shell:

    ${script:javascript:java.lang.Runtime.getRuntime().exec("cat /etc/shadow");}

    As you can see, the macro injection, or template, starts with ${ and allows an attacker to inject arbitrary code by calling different Java class methods.

    Wallarm Security Team recommends instantly updating the vulnerable library. The priority action is to update Apache Commons Text to version 1.10.0, via the usual package managers or a direct download from https://commons.apache.org/proper/commons-text/download_text.cgi.

    All Wallarm API security and WAAP customers already got protection against CVE-2022-42889 while using the product in a blocking mode.

    WAF signatures are not effective against CVE-2022-42889 due to many possible obfuscations in template injection syntaxes and using different gadgets and gadgets chains of Java objects by attackers.

    References: https://nvd.nist.gov/vuln/detail/CVE-2022-42889#vulnCurrentDescriptionTitle

    The post New text2shell RCE vulnerability in Apache Common Texts CVE-2022-42889 appeared first on Wallarm.

    Reply
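The Defiant and Wallarm write-ups above describe two sides of one detection problem: most CVE-2022-42889 traffic is scanning that uses the dns prefix, and plain signatures miss encoded or nested variants. The Java program below is an added example, not code from either vendor. It percent-decodes each access-log line until the text stops changing, then looks for a `${script:`, `${dns:` or `${url:` lookup and, at lower confidence, for any `${name:...}` lookup at all. The class and method names and the four log lines are constructed for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Flags access-log lines that carry an Apache Commons Text lookup using one of
 * the prefixes CVE-2022-42889 exposes (script, dns, url). Added example, not
 * code from the cited articles; needs Java 10+ for URLDecoder.decode(String, Charset).
 */
public class Text4ShellLogCheck {

    // "${", optional whitespace, one of the dangerous prefixes, optional whitespace, ':'.
    private static final Pattern DANGEROUS_LOOKUP = Pattern.compile(
            "\\$\\{\\s*(script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    // Any "${name:...}" lookup; lower confidence, useful where the application
    // never expects a literal "${" inside request parameters.
    private static final Pattern ANY_LOOKUP = Pattern.compile("\\$\\{[^}]*:[^}]*\\}");

    /** Percent-decodes until the string stops changing (scanners often double-encode). */
    static String fullyDecode(String s) {
        String current = s;
        for (int round = 0; round < 5; round++) {
            String next;
            try {
                next = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                break; // a stray '%' that is not a valid escape; keep what we have
            }
            if (next.equals(current)) {
                break;
            }
            current = next;
        }
        return current;
    }

    /**
     * Returns "high" when a script/dns/url lookup is present, "low" when some
     * other lookup syntax appears, or null when the line needs no attention.
     */
    static String classify(String logLine) {
        String decoded = fullyDecode(logLine);
        Matcher dangerous = DANGEROUS_LOOKUP.matcher(decoded);
        if (dangerous.find()) {
            return "high";
        }
        return ANY_LOOKUP.matcher(decoded).find() ? "low" : null;
    }

    /** Runs classify() over every line and returns the flagged ones as "severity<TAB>line". */
    static List<String> scan(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            String severity = classify(line);
            if (severity != null) {
                hits.add(severity + "\t" + line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines in combined log format (not real traffic):
        // a plainly encoded dns lookup, a double-encoded script lookup,
        // a benign env lookup, and an ordinary search.
        List<String> sample = Arrays.asList(
            "203.0.113.5 - - [18/Oct/2022:10:01:02 +0000] \"GET /search?q=%24%7Bdns%3Aaddress%7Cscanner.example%7D HTTP/1.1\" 200 512",
            "198.51.100.7 - - [18/Oct/2022:10:02:03 +0000] \"GET /search?q=%2524%257Bscript%253Ajavascript%253A1%257D HTTP/1.1\" 500 0",
            "192.0.2.9 - - [18/Oct/2022:10:03:04 +0000] \"GET /search?q=%24%7Benv%3APATH%7D HTTP/1.1\" 200 64",
            "192.0.2.10 - - [18/Oct/2022:10:04:05 +0000] \"GET /search?q=hello+world HTTP/1.1\" 200 128");
        for (String hit : scan(sample)) {
            System.out.println(hit);
        }
    }
}
```

Decoding the whole line before matching is what makes the double-encoded sample visible to the first pattern; the second pattern exists because a lookup whose prefix is assembled at runtime from other lookups does not contain the literal prefix at all, which is the point the Wallarm post makes about signature-based WAF rules. Treat the output as triage input, and treat updating to Commons Text 1.10.0 as the fix.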
  18. Tomi Engdahl says:

    Dozen High-Severity Vulnerabilities Patched in F5 Products
    https://www.securityweek.com/dozen-high-severity-vulnerabilities-patched-f5-products

    Security and application delivery company F5 has released its October 2022 quarterly security notification, informing customers about a total of 18 vulnerabilities affecting its products.

    A dozen of these vulnerabilities were assigned a ‘high severity’ rating. One of them is an authenticated remote code execution vulnerability affecting systems deployed in standard or appliance mode. The issue has a ‘critical’ rating if the device is in appliance mode. An attacker with elevated privileges can exploit the flaw to run arbitrary system commands, create or delete files, or disable services.

    A majority of the remaining high-severity vulnerabilities can allow a remote, unauthenticated attacker to launch denial-of-service (DoS) attacks.

    In addition, three of the advisories are related to NGINX modules and they describe flaws that can allow a local attacker to cause an NGINX worker process to terminate.

    A ‘high severity’ rating has also been assigned to an F5OS vulnerability that can be exploited for privilege escalation.

    F5’s next quarterly updates are scheduled for February 1, 2023.

    Reply
  19. Tomi Engdahl says:

    Data of 3 Million Advocate Aurora Health Patients Exposed via Malformed Pixel
    https://www.securityweek.com/data-3-million-advocate-aurora-health-patients-exposed-malformed-pixel

    Non-profit healthcare provider Advocate Aurora Health is informing 3 million individuals that a malformed tracking pixel has inadvertently exposed protected health information (PHI) to Facebook or Google.

    Headquartered in Milwaukee, Wisconsin, and Downers Grove, Illinois, Advocate Aurora Health operates 26 hospitals and over 500 sites of care, and has more than 75,000 employees.

    In a data breach notification on its website, the healthcare system is informing patients that an incorrectly configured tracking pixel – placed on the MyChart and LiveWell websites and applications and on some scheduling widgets – exposed some of their information.

    The pixel, the company says, “transmitted certain patient information to third-party analytics vendors that provided us with the pixel technology, particularly for users concurrently logged into their Facebook or Google accounts.”

    Potentially exposed information includes IP addresses, information on scheduled appointments, patient proximity to an Advocate Aurora Health location, provider data, type of appointment or procedure, MyChart communications (including names and medical record numbers), insurance details, and the names of patient proxies.

    Advocate Aurora Health says it has no evidence that Social Security numbers or financial account and credit/debit card details were exposed in the incident.

    “We have disabled and/or removed the pixels from our platforms and launched an internal investigation to better understand what patient information was transmitted to our vendors,” the healthcare provider says.

    Reply
  20. Tomi Engdahl says:

    FBI Warns of Iranian Cyber Firm’s Hack-and-Leak Operations
    https://www.securityweek.com/fbi-warns-iranian-cyber-firms-hack-and-leak-operations

    The Federal Bureau of Investigation on Thursday issued an alert to warn that Iranian cyber group Emennet Pasargad is targeting organizations to steal their data and leak it online.

    Reply
  21. Tomi Engdahl says:

    Iran’s Nuclear Agency Says Email Server Hacked
    https://www.securityweek.com/irans-nuclear-agency-says-email-server-hacked

    Iran’s Atomic Energy Organisation said Sunday an email server of its subsidiary was hacked in a “foreign” attack aimed at drawing “attention” amid protests over the death of Mahsa Amini.

    The Islamic republic has been gripped by weeks-long demonstrations sparked by the death of 22-year-old Amini on September 16 after her arrest for allegedly violating the country’s strict dress code for women.

    The street violence has led to dozens of deaths, mostly among protesters but also among the security forces, and hundreds of demonstrators have been arrested.

    A group called Black Reward on Friday issued an ultimatum on Twitter, threatening to release documents on Tehran’s nuclear program unless all “political prisoners, prisoners of conscience and people arrested in the recent protests” were released within 24 hours.

    Reply
  22. Tomi Engdahl says:

    CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware
    https://www.securityweek.com/cisa-tells-organizations-patch-linux-kernel-vulnerability-exploited-malware

    The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a Linux kernel flaw to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to address it within three weeks.

    The vulnerability is tracked as CVE-2021-3493 and it’s related to the OverlayFS file system implementation in the Linux kernel. It allows an unprivileged local user to gain root privileges, but it only appears to affect Ubuntu.

    CVE-2021-3493 has been exploited in the wild by a stealthy Linux malware named Shikitega, which researchers at AT&T Alien Labs detailed in early September. Shikitega is designed to target endpoints and IoT devices running Linux, allowing the attacker to gain full control of the system. It has also been used to download a cryptocurrency miner onto the infected device.
    As part of the malware’s infection chain, two Linux vulnerabilities are exploited for privilege escalation: CVE-2021-3493 and CVE-2021-4034.

    CVE-2021-4034 is named PwnKit and it impacts Polkit’s Pkexec, a SUID-root program found in all Linux distributions. CISA warned about this vulnerability being exploited in attacks in June.

    The news reports published when Shikitega’s existence came to light focused on the malware itself and did not highlight the fact that this appeared to be the first known instance of CVE-2021-3493 being exploited for malicious purposes.

    Technical details and proof-of-concept (PoC) exploits for this vulnerability are publicly available.
    https://scientyficworld.org/overlayfs-cve-2021-3493/#Let_the_Hack_begin

    New ‘Shikitega’ Linux Malware Grabs Complete Control of Infected Systems
    https://www.securityweek.com/new-shikitega-linux-malware-grabs-complete-control-infected-systems

    Security researchers with AT&T Alien Labs are warning of a new piece of malware that can take full control of infected Linux systems, including Internet of Things (IoT) devices.
    Dubbed Shikitega, the threat is delivered as part of a multi-stage infection chain, where each step is responsible for a part of the payload and fetches and executes the next module.
    To ensure it can gain full control over an infected system, the malware downloads and executes Metasploit’s ‘Mettle’ meterpreter. It also attempts to exploit system vulnerabilities to escalate privileges and achieve persistence.
    Shikitega hosts some of its command and control (C&C) servers on legitimate cloud services, uses a polymorphic encoder to evade detection, and deploys a cryptocurrency miner on the infected machines.

    Reply
  23. Tomi Engdahl says:

    Exploited Windows zero-day lets JavaScript files bypass security warnings
    https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/

    An update was added to the end of the article explaining that any Authenticode-signed file, including executables, can be modified to bypass warnings.

    A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks.

    Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet and, therefore, should be treated with caution as it could be malicious.

    Microsoft Office also utilizes the MoTW flag to determine if the file should be opened in Protected View, causing macros to be disabled.

    Windows MoTW bypass zero-day flaw

    The HP threat intelligence team recently reported that threat actors are infecting devices with Magniber ransomware using JavaScript files.

    To be clear, we are not talking about JavaScript files commonly used on almost all websites, but .JS files distributed by threat actors as attachments or downloads that can run outside of a web browser.

    The JavaScript files seen distributed by the Magniber threat actors are digitally signed using an embedded base64 encoded signature block as described in this Microsoft support article.

    https://www.bleepingcomputer.com/news/security/magniber-ransomware-now-infects-windows-users-via-javascript-files/
    https://learn.microsoft.com/en-us/previous-versions/tn-archive/ee176795(v=technet.10)?redirectedfrom=MSDN

    Reply
  24. Tomi Engdahl says:

    https://hackaday.com/2022/10/21/this-week-in-security-linux-wifi-fortinet-text4shell-and-predictable-guids/

    Up first this week is a quintet of vulnerabilities in the Linux kernel’s wireless code. It started with [Soenke Huster] from TU Darmstadt, who found a buffer overwrite in mac80211 code. The private disclosure to SUSE kernel engineers led to a security once-over of this wireless framework in the kernel, and some other nasty bugs were found. A couple result in Denial-of-Service (DOS), but CVE-2022-41674, CVE-2022-42719, and CVE-2022-42720 are Remote Code Execution vulnerabilities.

    The flaws were announced on the 13th, and were officially fixed in the mainline kernel on the 15th. Many distros shipped updates on the 14th, so the turnaround was quite quick on this one. The flaws were all memory-management problems, which has prompted a few calls for the newly-merged Rust framework to get some real-world use sooner rather than later.

    Reply
  25. Tomi Engdahl says:

    https://hackaday.com/2022/10/21/this-week-in-security-linux-wifi-fortinet-text4shell-and-predictable-guids/

    Text4Shell

    If there’s anything worse than the attempt to make political scandals seem worse by slapping “gate” to the end of them, it’s the new trend of adding “4shell” to Java vulnerabilities. And in that vein, we have text4shell. It’s the quirk that StringSubstitutor.replace() and StringSubstitutor.replaceIn() can do string lookups on included strings — and that lookup can run arbitrary Java code:

    final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
    String out = interpolator.replace("${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}");
    System.out.println(out);

    It looked for a while like modern JDK versions were unaffected, but it turns out that a slightly different approach gets us the exact same code execution issue.

    There are already tools developed to catch this particular flaw, though the normal Java issue of libraries compiled-in to the final jarfile will be a problem here, too. Thankfully this one doesn’t look to have quite the same exposure as log4shell.

    Detecting and mitigating CVE-2022-42889 a.k.a. Text4shell
    By Alessandro Brucato
    on October 19, 2022
    https://sysdig.com/blog/cve-2022-42889-text4shell/

    A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Muñoz on the very popular Apache Commons Text library.

    The vulnerability is rated as a critical 9.8 severity and is always a remote code execution (RCE), which would permit attackers to execute arbitrary code on the machine and compromise the entire host.

    Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10.

    The CVE-2022-42889 issue

    This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the “script,” “dns,” and “url” lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups.

    In order to exploit the vulnerabilities, the following requirements must be met:

    Run a version of Apache Commons Text from version 1.5 to 1.9
    Use the StringSubstitutor interpolator

    It is important to specify that the StringSubstitutor interpolator is not as widely used as the string substitution in Log4j, which led to Log4Shell.

    How to exploit CVE-2022-42889

    To reproduce the attack, the vulnerable component was deployed in a Docker container, accessible from an EC2 instance, which would be controlled by the attacker. Using the netcat (nc) command, we can open a reverse shell connection with the vulnerable application.

    The vulnerable web application exposes a search API in which the query gets interpolated via the StringSubstitutor of Commons Text:

    http://web.app/text4shell/attack?search=

    The following payload could be used to exploit the vulnerability and open a reverse shell:

    [payload shown as an image in the original post]

    This payload is composed of “${prefix:name}”, which triggers the String Lookup. As mentioned above, “script,” “dns,” and “url” are the keys that can be used as the prefix to exploit the vulnerability.

    Before sending the crafted request, we need to set up the reverse shell connection by using the netcat (nc) command to listen on port 9090.

    nc -nlvp 9090

    The impact of CVE-2022-42889

    According to the CVSSv3 system, it scores 9.8 as CRITICAL severity.

    The severity is Critical due to the easy exploitability and huge potential impact in terms of confidentiality, integrity, and availability. As we showed in the previous section, you can take full control over the vulnerable system with a crafted request.

    However, it isn’t likely the vulnerabilities will have the same impacts as the previous Log4Shell and Spring4Shell.

    Looking at the vulnerable component, the likelihood of the exploitation is related to the use of the Apache Commons Text library. Specifically, exploitation is possible only if it implements the StringSubstitutor object with some user-controlled input. This implementation in production environments is not as common as the vulnerable string substitution in Log4j. Therefore, the large-scale impact of Text4Shell is not really comparable to Log4Shell.

    Detecting and mitigating CVE-2022-42889

    If you’re impacted by CVE-2022-42889, you should update the application to version 1.10.

    As we have seen for the previous CVE-2022-22963, we can detect this vulnerability at three different phases of the application lifecycle:

    Build process: With an image scanner.
    Deployment process: Thanks to an image scanner on the admission controller.
    Runtime detection phase using a runtime detection engine: Detect post-exploitation behaviors in already deployed hosts or pods with Falco.

    Conclusion

    Even though the CVE-2022-42889 is exploitable under specific conditions which makes the vulnerability not as popular as others seen this year, it’s still important to take immediate actions.

    To be safe, patch with the latest version to mitigate vulnerabilities and use scanners to find out if you are affected. It’s also important to take the necessary measures to mitigate the vulnerability and never stop monitoring your infrastructure or applications at runtime.

    Reply
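The mitigation the write-up above points to (upgrade to 1.10, and never hand user-controlled text to an interpolating StringSubstitutor) can also be enforced in application code on either version by building the substitutor from an explicit allowlist of lookups. The following is an added example, not code from the Sysdig article quoted above or from the Apache Commons Text project; it assumes commons-text 1.9 or 1.10 on the classpath, and the class SafeTemplating, its methods and the sample inputs are hypothetical names constructed for the illustration.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example, not code from the Sysdig write-up or from Apache Commons Text.
// Assumes commons-text (1.9 or 1.10) on the classpath; names here are hypothetical.
public final class SafeTemplating {

    // Vulnerable pattern (commons-text <= 1.9): createInterpolator() registers every
    // built-in lookup, including script:, dns: and url:, so a template that contains
    // user-controlled text decides which lookup runs. Kept only for contrast; not called.
    static String renderUnsafe(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    // Hardened pattern: an explicit allowlist of lookups with addDefaultLookups=false.
    // Only ${name} and ${var:name}, both backed by the caller's map, can resolve;
    // any other prefix (sys:, env:, script:, ...) is undefined and is rejected.
    static String renderSafe(String template, Map<String, String> variables) {
        StringLookup values = StringLookupFactory.INSTANCE.mapStringLookup(variables);
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of("var", values), // allowlisted prefix -> lookup
                values,                // unprefixed ${name} comes from the same map
                false);                // do NOT add the built-in default lookups
        StringSubstitutor sub = new StringSubstitutor(interpolator);
        sub.setDisableSubstitutionInValues(true);      // map values are never re-expanded
        sub.setEnableUndefinedVariableException(true); // fail closed instead of echoing ${...}
        return sub.replace(template);
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for request-controlled template text.
        Map<String, String> vars = Map.of("user", "alice");

        System.out.println(renderSafe("Hello ${user}, you are ${var:user}", vars));

        try {
            // A prefix outside the allowlist is an undefined variable, so it throws.
            renderSafe("Hello ${sys:java.version}", vars);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist approach is independent of the library version: on 1.9 it removes the script, dns and url lookups that createInterpolator() would otherwise register, and on 1.10 it documents the intended lookups explicitly rather than relying on the changed defaults. Failing closed on undefined variables makes unexpected `${...}` syntax in user input visible in logs instead of silently passing through.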
  26. Tomi Engdahl says:

    https://hackaday.com/2022/10/21/this-week-in-security-linux-wifi-fortinet-text4shell-and-predictable-guids/

    How a Microsoft blunder opened millions of PCs to potent malware attacks
    Microsoft said Windows automatically blocked dangerous drivers. It didn’t.
    https://arstechnica.com/information-technology/2022/10/how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks/

    For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.

    Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for “bring your own vulnerable driver”—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.

    It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
    As attacks surge, Microsoft countermeasures languish

    Reply
  27. Tomi Engdahl says:

    Australian Business Cybersecurity conference gets hacked.

    Hackers hit cybersecurity conference
    https://www.smh.com.au/national/hackers-hit-cybersecurity-conference-20221024-p5bsiq.html

    The Australian Institute of Company Directors (AICD) had some solid names lending support to the launch of the institute’s new set of “cybersecurity governance principles” – a very hot topic in the wake of the Optus and Medibank Private hacks – including the federal minister in charge Clare O’Neil and Cyber Security Cooperative Research Centre CEO Rachael Falk.

    So it’s less than ideal when an online conference on Monday to launch the principles was – get this – hacked, leaving the institute’s boss Mark Rigotti and LinkedIn, the platform hosting the event, with a bit of a PR problem.

    Thousands of would-be participants began to get antsy when they tried to log on for a 1pm start and the conference didn’t go live on schedule.

    As the comments from the waiting participants began to mount, a fake Eventbrite link – which many unsuspecting users clicked upon – was posted in the LinkedIn chat function asking for credit card details, leading the institute to plead with participants not to try to use any links posted in the chat.

    When an official-looking AICD link appeared to the event, some users who hadn’t learned their lesson the first time round tried to follow it, only to complain that it didn’t work and eventually, about 30 minutes into the debacle, the institute bowed to the inevitable and cancelled the event.

    Rigotti said on Monday evening that it was unclear if any credit card details had been handed over and urged anybody affected to contact their card issuers.

    Reply
  28. Tomi Engdahl says:

    Apple fixes new zero-day used in attacks against iPhones, iPads https://www.bleepingcomputer.com/news/apple/apple-fixes-new-zero-day-used-in-attacks-against-iphones-ipads/
    In security updates released on Monday, Apple has fixed the ninth zero-day vulnerability used in attacks against iPhones since the start of the year.

    Reply
  29. Tomi Engdahl says:

    SideWinder APT Using New WarHawk Backdoor to Target Entities in Pakistan https://thehackernews.com/2022/10/sidewinder-apt-using-new-warhawk.html
    SideWinder, a prolific nation-state actor mainly known for targeting Pakistan military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called WarHawk.

    Reply
  30. Tomi Engdahl says:

    British company Interserve fined £4.4 million over ransomware attack https://therecord.media/british-company-fined-4-4-million-over-ransomware-attack/
    A British construction company has been fined £4.4 million (about $5 million) by the U.K.’s data protection regulator after a ransomware group accessed sensitive data on 113,000 employees.

    Reply
  31. Tomi Engdahl says:

    Iran’s atomic energy agency confirms hack after stolen data leaked online https://www.bleepingcomputer.com/news/security/iran-s-atomic-energy-agency-confirms-hack-after-stolen-data-leaked-online/
    The Iranian Atomic Energy Organization (AEOI) has confirmed that one of its subsidiaries’ email servers was hacked after the “Black Reward” hacking group published stolen data online.

    Reply
  32. Tomi Engdahl says:

    HyperSQL DataBase flaw leaves library vulnerable to RCE https://portswigger.net/daily-swig/hypersql-database-flaw-leaves-library-vulnerable-to-rce
    Security researchers have discovered a serious vulnerability in HyperSQL DataBase (HSQLDB) that poses a remote code execution (RCE) risk.

    Reply
  33. Tomi Engdahl says:

    WhatsApp was down for almost two hours
    The world’s most popular instant messenger was down for almost two hours.
    https://www.is.fi/digitoday/art-2000009156761.html

    The popular WhatsApp instant messenger had serious problems on Tuesday morning. Users reported on the Downdetector service that the service was not working. The number of error reports exploded after ten in the morning.

    Messages were not delivered when sent. Only a clock symbol appeared next to the sent message, indicating that sending was being attempted. No delivery confirmations arrived, however.

    Before twelve noon, messages could be sent again.

    https://downdetector.com/status/whatsapp/

    Reply
  34. Tomi Engdahl says:

    A serious warning about people’s relationship with WhatsApp: “Back then the recommendation was to switch elsewhere”
    WhatsApp’s outage brought wider problems to light.
    https://www.iltalehti.fi/digiuutiset/a/9e64a838-fb95-432f-b827-eb8202d25f52

    On Tuesday at around ten in the morning, the instant messaging app WhatsApp stopped working. Messages could not be sent or received. Information security expert Petteri Järvinen considers the incident a good example of how we rely, even too much, on individual services and on their availability.

    – For many, the outage has probably come as a surprise in showing how important WhatsApp is relative to how little it is talked about. It is one of the basic services of everyday life and for many far more important than, for example, email or Facebook. Many people’s daily life runs on it: it is used to keep in touch with colleagues, hobby groups, children and even school. In many cases people are completely dependent on WhatsApp, Järvinen says.

    Järvinen highlights group chats in particular, which are one of WhatsApp’s most important features. There is practically no other effective way to keep in touch with many people at the same time, unless one counts other instant messaging apps, which in turn are considerably less used.

    – WhatsApp is the overwhelming market leader in Finland. A year and a half ago there was talk that WhatsApp’s terms were changing and that it would start collecting data. Back then the recommendation was to switch elsewhere. Yet WhatsApp, as a Facebook product, is on almost everyone’s phone – nothing is going to displace its position, Järvinen states.

    The outage has an effect everywhere

    Järvinen recalls a case that came up a year ago, in which it emerged that ministers were using WhatsApp in their work. He hopes that at the state level there is at least no heavy dependence on WhatsApp, but outages may show in the work of ministers and members of parliament.

    – Running day-to-day operations matters at the ministerial level too, that is, how people communicate and who is responsible for what. Such things are deceptively important, and they do not get the same attention as, for example, email. When the service one day drops out of use, there is suddenly an emergency.

    At the family level, outages can have a considerable effect.

    Reply
  35. Tomi Engdahl says:

    WhatsApp back online after worldwide outage
    https://www.bbc.com/news/technology-63383957

    The messaging platform WhatsApp has come back online after an outage that affected users around the world.

    Meta, which owns WhatsApp, said the problem had been fixed but did not give a reason for the disruption.

    People trying to send and receive messages on WhatsApp, which has about two billion users globally, began reporting issues just before 08:00 BST.

    More than 12,000 reports were posted within half an hour, according to the service status website Down Detector.

    However, by about 10:00 BST service seemed to be returning for many users.

    Reply
  36. Tomi Engdahl says:

    US charges alleged Chinese spies in telecoms probe case
    https://www.bbc.com/news/world-us-canada-63378817
    Two Chinese nationals have been charged with paying thousands of dollars in cash and jewellery to obstruct a federal investigation into a major telecommunications company.

    Reply
  37. Tomi Engdahl says:

    German cyber agency warns threat situation is ‘higher than ever’
    https://therecord.media/german-cyber-agency-warns-threat-situation-is-higher-than-ever/
    Germany’s federal cybersecurity office warned on Tuesday that ransomware, political hacking, and other cybersecurity threats facing the country are “higher than ever.” Also:
    https://www.bsi.bund.de/DE/Service-Navi/Publikationen/Lagebericht/lagebericht_node.html

    Reply
  38. Tomi Engdahl says:

    Ukrainian charged for operating Raccoon Stealer malware service https://www.bleepingcomputer.com/news/security/ukrainian-charged-for-operating-raccoon-stealer-malware-service/
    26-year-old Ukrainian national Mark Sokolovsky has been charged for involvement in the Raccoon Stealer malware-as-a-service (MaaS) cybercrime operation.

    Reply
  39. Tomi Engdahl says:

    Dutch police arrest hacker who breached healthcare software vendor https://www.bleepingcomputer.com/news/security/dutch-police-arrest-hacker-who-breached-healthcare-software-vendor/
    The Dutch police have arrested a 19-year-old man in western Netherlands, suspected of breaching the systems of a healthcare software vendor in the country, and stealing tens of thousands of documents.

    Reply
  40. Tomi Engdahl says:

    VMware fixes critical Cloud Foundation remote code execution bug https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-cloud-foundation-remote-code-execution-bug/
    VMware has released security updates today to fix a critical vulnerability in VMware Cloud Foundation, a hybrid cloud platform for running enterprise apps in private or public environments.

    Reply
  41. Tomi Engdahl says:

    Researchers Detail Windows Event Log Vulnerabilities: LogCrusher and OverLog https://thehackernews.com/2022/10/researchers-detail-windows-event-log.html
    Cybersecurity researchers have disclosed details about a pair of vulnerabilities in Microsoft Windows, one of which could be exploited to result in a denial-of-service (DoS). The exploits, dubbed LogCrusher and OverLog by Varonis, take aim at the EventLog Remoting Protocol (MS-EVEN), which enables remote access to event logs.

    Reply
  42. Tomi Engdahl says:

    22-Year-Old Vulnerability Reported in Widely Used SQLite Database Library https://thehackernews.com/2022/10/22-year-old-vulnerability-reported-in.html
    A high-severity vulnerability has been disclosed in the SQLite database library, which was introduced as part of a code change dating all the way back to October 2000 and could enable attackers to crash or control programs.

    Reply
  43. Tomi Engdahl says:

    “CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled,” Trail of Bits researcher Andreas Kellas said in a technical write-up published today.

    The vulnerability discovered by Trail of Bits concerns an integer overflow bug that occurs when extremely large string inputs are passed as parameters to the SQLite implementations of the printf functions, which, in turn, make use of another function to handle the string formatting (“sqlite3_str_vappendf”).
    “If the format string contains the ‘!’ special character to enable unicode character scanning, then it is possible to achieve arbitrary code execution in the worst case, or to cause the program to hang and loop (nearly) indefinitely,” Kellas explained.
    The vulnerability is also an example of a scenario that was once deemed impractical decades ago — allocating 1GB strings as input — rendered feasible with the advent of 64-bit computing systems.
    Stranger Strings: An exploitable flaw in SQLite
    https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/
    Trail of Bits is publicly disclosing CVE-2022-35737, which affects applications that use the SQLite library API. CVE-2022-35737 was introduced in SQLite version 1.0.12 (released on October 17, 2000) and fixed in release 3.39.2 (released on July 21, 2022). CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled; arbitrary code execution is confirmed when the library is compiled without stack canaries, but unconfirmed when stack canaries are present, and denial-of-service is confirmed in all cases.
    On vulnerable systems, CVE-2022-35737 is exploitable when large string inputs are passed to the SQLite implementations of the printf functions and when the format string contains the %Q, %q, or %w format substitution types. This is enough to cause the program to crash. We also show that if the format string contains the ! special character to enable unicode character scanning, then it is possible to achieve arbitrary code execution in the worst case, or to cause the program to hang and loop (nearly) indefinitely.
    SQLite is used in nearly everything, from naval warships to smartphones to other programming languages. The open-source database engine has a long history of being very secure: many CVEs that are initially pinned to SQLite actually don’t impact it at all.
    Although this bug may be difficult to reach in deployed applications, it is a prime example of a vulnerability that is made easier to exploit by “divergent representations” that result from applying compiler optimizations to undefined behavior.

    Reply
  44. Tomi Engdahl says:

    Zscaler outage causing heavy packet loss, connectivity issues https://www.bleepingcomputer.com/news/technology/zscaler-outage-causing-heavy-packet-loss-connectivity-issues/
    A Zscaler service outage is causing loss of connectivity, packet loss, and latency for customers, with no information available as to what is causing the disruption.

    Reply
