Information Security Newspaper | Infosec Articles | Hacking News (https://www.securitynewspaper.com/), feed generated Thu, 02 Jun 2022 17:28:23 +0000

Millions of Android smartphones exposed to remote hacking due to vulnerability in UNISOC baseband chips
https://www.securitynewspaper.com/2022/06/02/millions-of-android-smartphones-exposed-to-remote-hacking-due-to-vulnerability-in-unisoc-baseband-chips/
Thu, 02 Jun 2022 17:28:20 +0000

It may not sound familiar to millions of mobile phone users, but Chinese chipmaker UNISOC has been a major member of the industry for just over 20 years. Founded as Spreadtrum Communications in 2001, the company grew rapidly to be present on more than half of Chinese phones by 2011. Currently, the firm produces budget chipsets for Android devices compatible with 2G, 3G, 4G and 5G technology, in addition to smart TVs and more, with a predominant presence in Asia and some regions of Africa and only behind giants such as Qualcomm and MediaTek.

While UNISOC is a major chip producer, its technology has been little analyzed by mobile security specialists, so it is difficult to know what security risks are present in devices with these chips; there are not even public references to any vulnerability detected in their firmware.

A recent research effort led by Check Point Research focuses on the modem of smartphones with UNISOC chips, which could be a very attractive target for cybercriminals: this component can be accessed remotely and relatively easily, with the potential to cause denial of service (DoS) and block the communications of the affected devices.

Basic attack concepts

The Long-Term Evolution (LTE) network is made up of a dozen protocols and components, and some familiarity with it is needed to understand how the UNISOC modem works. The 3GPP Group introduced the Evolved Packet System (EPS), an LTE technology architecture consisting of three key interconnected components:

  • User equipment (UE)
  • Evolved UMTS terrestrial radio access network (E-UTRAN)
  • Evolved Packet Core (EPC)

E-UTRAN has only one stack, the eNodeB station, which controls radio communications between the UE and the EPC. A UE can be connected to one eNodeB at a time.

The EPC component consists of four stacks, one of which is the Mobility Management Entity (MME). The MME controls the high-level operations of mobile devices on the LTE network. This component sends signaling messages related to security control, management of tracking areas, and mobility maintenance.

Check Point Research’s tests, conducted on a smartphone with a UNISOC modem, focus on communications between the MME and UE stacks, which occur via the EPS session management (ESM) and mobility management (EMM) protocols. The following screenshot shows the protocol stack of the modem. The non-access stratum (NAS) level hosts ESM and EMM signaling messages.

The NAS protocol operates with high-level structures, which would allow threat actors to create specially crafted EMM packets and send them to a vulnerable device, whose modem will parse them and create internal objects based on the information received.

A bug in the parsing code would allow attackers to freeze the modem and potentially even achieve remote code execution (RCE).

Security flaws in NAS handlers

Most NAS message parsers take three arguments: an output buffer, which is an object of the appropriate message structure; the NAS message data blob to decode; and the current offset in the message blob.

The uniform function signature makes it easy to write a harness to fuzz the NAS parsing functions. Check Point experts used the classic combination of AFL and QEMU to fuzz the modem binary on a PC, patching the modem binary to redirect malloc calls to the libc equivalent. The fuzzer mutated the NAS message data and passed it as the input buffer to the parsing function.

One of the optional fields of ATTACH_ACCEPT is the mobile identity. The modem firmware implements an unpacking function similar to liblte_mme_unpack_mobile_id_ie of srsRAN to extract the mobile identity from the NAS message. The identity data block begins with the length of the identity; if the device is represented by an International Mobile Subscriber Identity (IMSI), length minus 2 bytes of message data are copied to the output buffer as the IMSI number.

The check that the provided length value is greater than one is missing. Therefore, if the value of the length field is zero, 0 - 2 = 0xFFFFFFFE bytes of the NAS message are copied into heap memory, leading to a DoS condition.
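As an added illustration (not code from Check Point, UNISOC or srsRAN), the following C program models the length handling just described using a hypothetical, simplified mobile-identity IE layout: `naive_copy_len` reproduces the unchecked `length - 2` arithmetic that wraps to 0xFFFFFFFE for a zero length, and `unpack_mobile_id_ie` is a hardened decoder that validates the length against the IE, the remaining message and the output buffer before copying anything. The IE layout, the function names and the constructed test vectors are assumptions made for the example, not the firmware's real format.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified IE layout (not the exact 3GPP encoding):
 *   [IEI 0x23][len][type octet][flags octet][len - 2 octets of identity digits]
 * so, as in the parser the article describes, the decoder computes len - 2. */
#define MOBILE_ID_IEI       0x23
#define MOBILE_ID_TYPE_IMSI 0x01
#define IMSI_MAX_BYTES      8

typedef enum {
    NAS_OK = 0,
    NAS_ERR_TRUNCATED,   /* IE claims more octets than the message holds */
    NAS_ERR_BAD_LENGTH,  /* len < 2: len - 2 would underflow */
    NAS_ERR_NOT_IMSI,    /* wrong IEI or identity type */
    NAS_ERR_OUTPUT_CAP   /* identity larger than the output buffer */
} nas_status;

/* The arithmetic the article reports: len - 2 in 32-bit unsigned arithmetic
 * with no check that len > 1, so len == 0 yields 0xFFFFFFFE. Shown only to
 * make the wrap-around visible; nothing is copied here. */
uint32_t naive_copy_len(uint8_t len)
{
    return (uint32_t)len - 2u;
}

/* Hardened decoder: every length is validated before any byte is copied. */
nas_status unpack_mobile_id_ie(const uint8_t *msg, size_t msg_len, size_t *offset,
                               uint8_t *imsi_out, size_t imsi_cap, size_t *imsi_len)
{
    size_t off = *offset;
    if (off > msg_len || msg_len - off < 2)   /* need IEI + length octet */
        return NAS_ERR_TRUNCATED;
    if (msg[off] != MOBILE_ID_IEI)
        return NAS_ERR_NOT_IMSI;

    uint8_t len = msg[off + 1];
    if (len < 2)                              /* the check the article says is missing */
        return NAS_ERR_BAD_LENGTH;
    if (msg_len - off - 2 < len)              /* IE must fit in the remaining message */
        return NAS_ERR_TRUNCATED;

    const uint8_t *body = msg + off + 2;
    if ((body[0] & 0x07) != MOBILE_ID_TYPE_IMSI)
        return NAS_ERR_NOT_IMSI;

    size_t copy_len = (size_t)len - 2;        /* cannot underflow: len >= 2 */
    if (copy_len > imsi_cap)                  /* bound by the output buffer as well */
        return NAS_ERR_OUTPUT_CAP;

    memcpy(imsi_out, body + 2, copy_len);
    *imsi_len = copy_len;
    *offset = off + 2 + len;
    return NAS_OK;
}

/* Constructed vectors. MALFORMED_IE mirrors the identity block shown in the
 * article's screenshot: IEI 0x23, length 0x01, IMSI type 0x01. */
static const uint8_t MALFORMED_IE[]  = { 0x23, 0x01, 0x01 };
static const uint8_t ZERO_LEN_IE[]   = { 0x23, 0x00 };
static const uint8_t TRUNCATED_IE[]  = { 0x23, 0x06, 0x01 };
static const uint8_t WELLFORMED_IE[] = { 0x23, 0x06, 0x01, 0x00, 0x21, 0x43, 0x65, 0x87 };

/* Decodes one vector from offset 0 and returns the status. */
nas_status decode_vector(const uint8_t *ie, size_t ie_len, size_t *out_len)
{
    uint8_t imsi[IMSI_MAX_BYTES];
    size_t off = 0, n = 0;
    nas_status st = unpack_mobile_id_ie(ie, ie_len, &off, imsi, sizeof imsi, &n);
    if (out_len)
        *out_len = n;
    return st;
}

/* Number of identity octets recovered, or 0 if the IE was rejected. */
size_t decoded_imsi_len(const uint8_t *ie, size_t ie_len)
{
    size_t n = 0;
    return decode_vector(ie, ie_len, &n) == NAS_OK ? n : 0;
}

int main(void)
{
    printf("naive len-2 for len=0 : 0x%08" PRIX32 "\n", naive_copy_len(0));
    printf("malformed IE          : status %d\n",
           (int)decode_vector(MALFORMED_IE, sizeof MALFORMED_IE, NULL));
    printf("well-formed IE        : status %d, %zu IMSI octets\n",
           (int)decode_vector(WELLFORMED_IE, sizeof WELLFORMED_IE, NULL),
           decoded_imsi_len(WELLFORMED_IE, sizeof WELLFORMED_IE));
    return 0;
}
```

The hardened decoder rejects the malformed block from the screenshot (length 1) and a zero-length block with NAS_ERR_BAD_LENGTH before any subtraction happens, and it also refuses an IE whose declared length exceeds what remains of the message, which is the second bound a parser of attacker-controlled input must enforce.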

In the following screenshot, you can see the ATTACH_ACCEPT message that causes the overflow.

The highlighted 0x23 value indicates that the following data is the identity block of the message, where the first 0x01 is the length and the second 0x01 is the IMSI type.

Conclusions

UNISOC is aware of this condition, which has already been assigned the identifier CVE-2022-20210. While the attack variants described by Check Point are not easy to exploit and require considerable resources and planning, the possibility of exploitation is real and should not be dismissed.

The flaws will be properly addressed, protecting millions of smart device users. Google is also aware of the report and will issue additional protections for the Android system.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

FBI seizes infrastructure of Weleakinfo and other cyber criminal platforms
https://www.securitynewspaper.com/2022/06/01/fbi-seizes-infrastructure-of-weleakinfo-and-other-cyber-criminal-platforms/
Wed, 01 Jun 2022 23:24:21 +0000

In a joint statement, the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice (DOJ) announced the seizure of the domain name WeLeakInfo.to and two other domain names (ipstress.in and ovh-booter.com) as part of an international investigation related to illegal access to personal information.

The message describes these online platforms as “worryingly common threats,” detailing how threat actors used these sites for trafficking in stolen personal information: “Using strong relationships with our international partners, we will address crimes like these, which threaten privacy, security, and commerce around the world.”  

WeLeakInfo.to operators claimed to provide their users with a search engine to review and obtain personal information illegally obtained in more than 10,000 data breach incidents, with around 7 billion records indexed, exposing data such as full names, phone numbers, email addresses, and even online account passwords.

The report describes the domains ipstress.in and ovh-booter.com as platforms for launching denial of service (DoS) attacks, commonly known as booter or stresser services. From these websites, threat actors could flood a specific web server with malicious traffic, making it inaccessible to legitimate users.

As a result of this operation, the seized domain names, and any related domains, are now in the custody of the federal government, effectively suspending the operation of these malicious services. Visitors to the sites will now find a seizure banner stating that U.S. federal authorities are responsible for the seizure.

The seizures of these domains were part of coordinated police action with the authorities of Belgium and the Netherlands. These police agencies arrested one of the main operators of these platforms, in addition to collaborating with various raids.

U.S. authorities have asked anyone who has information about other members of this cybercriminal operation to file a complaint immediately, as this is a critical time to act against these groups.

2 critical vulnerabilities in Apache Traffic Server: Patch immediately
https://www.securitynewspaper.com/2022/05/31/2-critical-vulnerabilities-in-apache-traffic-server-patch-immediately/
Tue, 31 May 2022 22:36:46 +0000

Information security specialists reported the detection of two severe flaws in Apache Traffic Server (ATS), a modular, high-performance reverse proxy and forward proxy server, generally comparable to Nginx and Squid. As per the report, successful exploitation of these flaws would allow dangerous attack variants.

Below are brief descriptions of the reported flaws and their respective tracking key and scores set by the Common Vulnerability Scoring System (CVSS).

CVE-2021-44759: A bug in TLS source validation would allow remote threat actors to perform Man-in-The-Middle (MiTM) attacks to evade the authentication process on affected deployments.

This is a medium-severity flaw and received a CVSS score of 6.4/10.

CVE-2021-44040: An insufficient validation when processing requests would allow remote threat actors to pass specially crafted input, thus performing denial of service (DoS) attacks.

The vulnerability received a CVSS score of 6.5/10.

According to the report, these flaws reside in all versions of Apache Traffic Server between v8.0.0 and v9.1.1.

Even though these issues could be exploited by remote threat actors using specially crafted data, there are no active exploitation reports known. Still, information security specialists recommend users of affected implementations patch their software as soon as possible.  

7 high-severity vulnerabilities in Open Automation Software Platform, used for connectivity between PLCs and IoT devices
https://www.securitynewspaper.com/2022/05/26/7-high-severity-vulnerabilities-in-open-automation-software-platform-used-for-connectivity-between-plcs-and-iot-devices/
Thu, 26 May 2022 21:29:25 +0000

Cisco Talos researchers detected multiple critical vulnerabilities in Open Automation Software Platform, a solution powered by a universal data connector that allows data to be moved between programmable logic controllers (PLCs) from different vendors, from a PLC to a database, or from a database to visualization.

Researcher Jared Rittle was responsible for identifying the flaws, noting that successful attacks would allow threat actors to cause denial of service (DoS), execute arbitrary code, and access sensitive information.

Cisco Talos published a report with technical details of each of the flaws, available for public consultation.

Below are brief descriptions of the reported vulnerabilities, and their corresponding identification and scoring key according to the Common Vulnerability Scoring System (CVSS).

CVE-2022-26077: The software uses an unsecured communication channel to transmit sensitive information within the configuration communications functionality of OAS Engine, allowing remote hackers to track network traffic and access sensitive information.

The vulnerability received a CVSS score of 6.5/10.

CVE-2022-27169: The lack of authentication for a critical function in the OAS Engine SecureBrowseFile functionality would allow remote threat actors to send a specially crafted request and reveal sensitive information.

This is a medium severity vulnerability and received a CVSS score of 6.5/10.

CVE-2022-26082: A file write issue in the OAS Engine SecureTransferFiles functionality would allow a remote administrator to send specially crafted requests to execute arbitrary code on the target system.

The flaw received a CVSS score of 7.9/10.

CVE-2022-26026: The lack of authentication for a critical function in the OAS Engine SecureConfigValues functionality would allow remote administrators to trigger a DoS condition using a specially crafted request.

The flaw received a CVSS score of 6.5/10.

CVE-2022-26043: An external configuration control issue in the OAS Engine SecureAddSecurity functionality would allow remote hackers to send specially crafted requests to create custom security groups, evading the authentication process.

This is a medium severity vulnerability and received a CVSS score of 6.5/10.

CVE-2022-26067: The lack of authentication for a critical feature in the OAS Engine SecureTransferFiles functionality would allow remote administrators to send specially crafted requests to read arbitrary files on the affected system.

This is a low-risk flaw and received a CVSS score of 4.3/10.

CVE-2022-26303: The vulnerability exists due to an external configuration control issue in the OAS Engine SecureAddUser functionality. A remote attacker can send a specially crafted request and create an OAS user account.

The vulnerability received a CVSS score of 6.5/10.

According to the report, the flaws reside in Open Automation Software Platform v16.00.0112. While the flaws can be exploited by remote threat actors, no active exploitation attempts have been detected so far; still, users of affected deployments are encouraged to upgrade as soon as possible.

Critical zero-day security vulnerabilities in QNAP devices allows remote hacking
https://www.securitynewspaper.com/2022/04/28/critical-zero-day-security-vulnerabilities-in-qnap-devices-allows-remote-hacking/
Thu, 28 Apr 2022 22:42:31 +0000

Technology firm QNAP has asked its users to disable the AFP file service protocol in its network-attached storage (NAS) deployments on a temporary basis while fixing some critical vulnerabilities in Netatalk, which allows *NIX/*BSD systems to act as an AppleShare file server for macOS system users.

Researchers from NCC Group managed to exploit one of these vulnerabilities, tracked as CVE-2022-23121 and with a score of 9.8/10 according to the Common Vulnerability Scoring System (CVSS). This flaw was exploited on a Western Digital PR4100 NAS device, which runs the My Cloud OS firmware.

QNAP reported the detection of three other vulnerabilities, tracked as CVE-2022-23125, CVE-2022-23122 and CVE-2022-0194, which also received CVSS scores of 9.8/10. Exploiting these flaws would allow threat actors to execute arbitrary code remotely.

On March 22, the Netatalk development team released version 3.1.13 to fix these security flaws, three months after the flaws were exploited at the Pwn2Own ethical hacking event. QNAP says the Netatalk vulnerabilities affect the following operating system versions:

  • QTS 5.0.x and later
  • QTS 4.5.4 and later
  • QTS 4.3.6 and later
  • QTS 4.3.4 and later
  • QTS 4.3.3 and later
  • QTS 4.2.6 and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.4 and later
  • QuTScloud c5.0.x

“QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide more information as soon as possible.” As mentioned above, QNAP recommends disabling AFP to mitigate exploitation risk. To apply this security measure, go to Control Panel > Network Services > Win/Mac/NFS/WebDAV > Apple Networks and select Disable AFP (Apple File Protocol).

In addition to fixing these flaws, QNAP is working to address a Linux vulnerability called ‘Dirty Pipe’, actively exploited in attacks, that allows root privileges to be obtained, as well as a high-severity OpenSSL bug that can lead to denial-of-service (DoS) states.

4 new vulnerabilities in SonicWall SonicOS affect firewalls and other security products: Patch immediately
https://www.securitynewspaper.com/2022/04/27/4-new-vulnerabilities-in-sonicwall-sonicos-affect-firewalls-and-other-security-products-patch-immediately/
Wed, 27 Apr 2022 18:39:33 +0000

A recent cybersecurity report revealed the patching of at least four vulnerabilities in SonicOS, the operating system with which multiple solutions developed by the technology firm SonicWall work. According to this report, the successful exploitation of these flaws would have allowed threat actors to deploy multiple cyberattacks.

Below are brief descriptions of the reported flaws, as well as their tracking keys and scores assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2022-22275: Improper processing of incoming HTTP/S traffic from WAN to DMZ would allow remote threat actors to bypass security policy until the TCP handshake is complete, triggering a denial of service (DoS) condition.

This is a flaw of medium severity and received a CVSS score of 5.1/10.

CVE-2022-22276: The configured SNMP service remains accessible to external users even if SNMP is disabled on the firewall interfaces, so malicious hackers can connect to the SNMP service, accessing information that would otherwise remain restricted.

The flaw received a CVSS score of 4.6/10.

CVE-2022-22277: SNMP-Reply includes SSID Password in clear text, which would allow remote attackers with the ability to intercept network traffic to gain access to sensitive data.

This is a low-severity bug and received a CVSS score of 3.8/10.

CVE-2022-22278: This flaw exists because the Content Filtering Service (CFS) in SonicOS returns a huge “HTTP 403 forbidden” message to the source address when users try to access resources prohibited by the CFS function.

Remote threat actors can send multiple requests to the system that trigger the 403 error and consume all available bandwidth, leading to a DoS condition. The flaw received a CVSS score of 4.6/10.

According to the report, the flaws reside in all SonicOS versions between 6.5 and 7.0.1.0-5030-1391.

While these vulnerabilities could be exploited by unauthenticated remote threat actors, no active exploitation attempts or attack variants related to these flaws have been detected so far. Still, users of affected deployments are encouraged to apply the available patches.

Pwn2Own Miami paid $400,000 USD for 26 zero-day exploits on ICS and SCADA products
https://www.securitynewspaper.com/2022/04/22/pwn2own-miami-paid-400000-usd-for-26-zero-day-exploits-on-ics-and-scada-products/
Fri, 22 Apr 2022 20:33:03 +0000

This week concluded the most recent edition of the ethical hacking event Pwn2Own Miami 2022, during which prizes of $400,000 USD were awarded for the reporting of 26 zero-day exploits against ICS and SCADA products. In this edition, the researchers focused on implementations such as control servers, data gateways, and human-machine interfaces.

The Zero Day Initiative (ZDI) posted a message thanking those involved in the event: “Thank you again to all competitors and participating suppliers for their cooperation and for fixing the errors revealed.” Affected product vendors have 120 days to release patches for the reported flaws in Pwn2Own.

The main winners of the Pwn2Own Miami 2022 event are Daan Keuper and Thijs Alkemade of Computest Sector 7. During the first day, the team earned $20,000 USD by demonstrating a code execution attack on the Inductive Automation Ignition SCADA solution, exploiting a missing authentication flaw. During this day Computest Sector 7 also demonstrated a remote code execution (RCE) attack on AVEVA Edge HMI/SCADA, receiving a reward of $20,000 USD.

On the second day, the researchers exploited an infinite loop error to trigger a denial of service (DoS) condition against Unified Automation’s C++ demo server, earning $5,000 USD, in addition to demonstrating an authentication evasion attack on OPC Foundation OPC UA .NET Standard, earning $40,000 USD more.

Computest Sector 7 won the Master of Pwn title after winning a total of $90,000 over the three days of the contest and taking first place on the leaderboard with a total of 90 points.

This year’s Pwn2Own Miami was held in person and also allowed the remote participation of some researchers. During the first edition of Pwn2Own Miami, with the theme of ICS, held in January 2020, ZDI awarded $280,000 for the reporting of 24 zero-day vulnerabilities in ICS and SCADA products.

30 vulnerabilities in different Juniper products could allow the total takeover of the affected network. Update immediately
https://www.securitynewspaper.com/2022/04/18/30-vulnerabilities-in-different-juniper-products-could-allow-the-total-takeover-of-the-affected-network-update-immediately/
Mon, 18 Apr 2022 20:56:40 +0000

Cybersecurity specialists from Juniper Networks announced the release of multiple security patches to address more than 30 flaws in their products, including critical bugs in Contrail Networking and Junos OS. According to the report, at least seven of these flaws received scores above 9/10 according to the Common Vulnerability Scoring System (CVSS).

First, the alert mentions ten flaws in Contrail Networking, in its versions prior to 2011. Five of these flaws are considered critical and all were tracked in 2021. The two most severe errors are buffer overflow flaws in Pillow tracked as CVE-2021-25289 and CVE-2021-34552, plus a heap overflow in Apache HTTP Server tracked as CVE-2021-26691.

The remaining flaws reside in the nginx resolver (CVE-2021-23017) and the xmlhttprequest-ssl package (CVE-2021-31597).

On the other hand, the second security alert refers to critical flaws in Contrail Networking prior to v21.3. These reports include a remote code execution bug in Git for Visual Studio tracked as CVE-2019-1349; and a denial of service (DoS) error in the pcre_compile function in pcre_compile.c in PCRE tracked as CVE-2015-8391.

This week, Juniper Networks also announced patches for 14 vulnerabilities in Junos OS and Junos OS Evolved, including 10 severe issues that could lead to DoS and remote code execution (RCE) scenarios. In its report, the firm notes that there are no reports of active exploitation.

The report was also shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), encouraging users and administrators to review the company’s reports and apply the necessary corrections as soon as possible: “Remote threat actors could exploit some of these vulnerabilities to take control of an affected system”, points out the Agency.

Critical buffer overflow vulnerability in Vim text editor. Update your servers
https://www.securitynewspaper.com/2022/04/11/critical-buffer-overflow-vulnerability-in-vim-text-editor-update-your-servers/
Mon, 11 Apr 2022 23:21:52 +0000

Information security specialists report the detection of a severe vulnerability in Vim, the improved version of the Vi text editor, present in all UNIX systems and developed by Bram Moolenaar in 1991. According to the report, successful exploitation of this vulnerability could result in a total compromise of the affected system.

Tracked as CVE-2022-0729, the flaw exists due to a boundary error when the application processes files; it would allow remote threat actors to execute arbitrary code on the victim’s system using specially crafted files.

This is a highly severe vulnerability and received a score of 7.7/10 according to the Common Vulnerability Scoring System (CVSS). Information security experts note that the flaw exists in all Vim versions prior to v8.2.4440.

While the flaw can be exploited by unauthenticated remote threat actors, no active exploitation attempts or malware variants linked to its exploitation have been identified so far. Still, Vim’s developers recommend applying the available patches as soon as possible to minimize the risk of attack.

Finland government defense sector website shutdown after big DDoS attacks
https://www.securitynewspaper.com/2022/04/11/finland-government-defense-sector-website-shutdown-after-big-ddos-attacks/
Mon, 11 Apr 2022 21:41:09 +0000

A recent report notes that the websites of the ministries of foreign affairs and defense in Finland were taken offline after a denial of service (DoS) attack. Via Twitter, representatives from both agencies confirmed the incident, adding that the affected services have already been restored and that security measures will be taken to prevent further incidents.

“For the time being, we will keep the Department of Defense website closed until the harmful traffic on the website is gone”, reads one of the Finnish government’s tweets.

It all started this morning, when the Ministry of Foreign Affairs of Finland posted on Twitter: “There are currently interruptions in the online services of the Ministry of Foreign Affairs sites http://Um.fi and Finlanabroad.fi have been attacked with a denial of service variant. We will investigate and try to get the services up and running as soon as possible. We apologize for the inconvenience.”

At 14:06 (Finland time), the Finnish government’s official Twitter account confirmed that these issues had already been addressed and that the websites of both ministries had resumed operations: “The attack is over. Due to the protections on these platforms, most of the sites continued to operate normally during the incident.”

For now there is no information available about the perpetrators of the attack, although the authorities are most likely linking this incident to the activity of Russian hacking groups. Just a few hours ago, Ukrainian President Volodymyr Zelenskyy sent a video message to the Finnish government regarding the conflict with Russia. Other reports mention that Finland’s government is considering applying to NATO, a move the Russian government opposes.

Finland’s Defense Ministry also claimed that Russian state jets have committed various violations of its airspace, which could indicate what lies behind these attacks.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Important memory leak vulnerabilities in F5 firewalls: Patch immediately
https://www.securitynewspaper.com/2022/04/04/important-memory-leak-vulnerabilities-in-f5-firewalls-patch-immediately/ (Mon, 04 Apr 2022 23:25:23 +0000)

Information security specialists reported the detection of two security flaws affecting several firewall models developed by technology firm F5 Networks. According to the report, successful exploitation would allow malicious hackers to carry out severe attacks.

Below are brief descriptions of the reported flaws, along with their assigned CVE identifiers and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2020-25704: A memory leak within the Linux kernel performance monitoring subsystem when using PERF_EVENT_IOC_SET_FILTER in BIG-IQ Centralized Management would allow local users to trigger a denial of service (DoS) condition.

The flaw received a CVSS score of 5.1/10.

According to the report, the flaw lies in the following versions of BIG-IQ Centralized Management: 7.0.0 – 8.1.0.

CVE-2020-25704: A memory leak within the Linux kernel performance monitoring subsystem when using PERF_EVENT_IOC_SET_FILTER would allow local users to trigger a DoS condition.

This is a low severity flaw and received a CVSS score of 5.1/10.

The flaw resides in all versions of F5OS between 1.0.0 and 1.3.1.

Patches to address these flaws are now available, so users of affected deployments are encouraged to upgrade as soon as possible.

This new malware has a keylogger, ransomware and can perform DDoS attacks
https://www.securitynewspaper.com/2022/04/04/this-new-malware-has-a-keylogger-ransomware-and-can-perform-ddos-attacks/ (Mon, 04 Apr 2022 21:14:32 +0000)

Cybersecurity specialists report the detection of a new remote access Trojan (RAT) that, in addition to the usual functions of this malware category, also has spyware and ransomware capabilities.

Borat RAT, named after the character played by comedian Sacha Baron Cohen, is sold to all kinds of threat actors through hacking forums on the dark web, according to experts from cybersecurity firm Cyble Research.

The researchers mention that the Trojan is packaged with a builder, function modules, and a server certificate. The malware has extensive capabilities, including a keylogger, a ransomware encryption and decryption component, an option for attackers to create their own ransom notes, and a function for deploying denial of service (DoS) attacks.

In addition, Borat RAT can remotely record audio from an affected machine by taking control of the microphone, capture webcam images, and perform other remote control functions, including mouse/keyboard hijacking, screenshots, modifying settings and deleting files.

After installation, the malware starts collecting data from the affected environment and sends it to a command-and-control (C&C) server under the attackers' control. Apparently, Borat RAT focuses on browser information, including cookies, browsing histories, bookmarks, favorites, and users’ credentials. Data from Chrome and Microsoft Edge, as well as Discord tokens, are especially exposed to this attack variant.

The researchers add that Borat can cause inconvenience to victims in many other ways, as it allows hackers to perform all sorts of annoying tasks such as playing audio, altering mouse settings, hiding the taskbar, manipulating a computer’s LED lights and even turning it off unexpectedly, although the main risk lies in its advanced functions, which are uncommon for a RAT tool.
