Information Security Newspaper | Infosec Articles | Hacking News
https://www.securitynewspaper.com/
Feed last updated: Wed, 08 Jun 2022 16:27:50 +0000

Follina, Microsoft Office vulnerability, also affects Foxit PDF Reader; no patches available
https://www.securitynewspaper.com/2022/06/08/follina-microsoft-office-vulnerability-also-affects-foxit-pdf-reader-no-patches-available/
Published: Wed, 08 Jun 2022 16:27:48 +0000

A few days ago, a security researcher reported the detection of a zero-day vulnerability in Microsoft Office that could be exploited using apparently harmless Word documents capable of executing PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT).

After the flaw, dubbed Follina, was publicly disclosed and several exploits were released, Microsoft acknowledged the bug, assigned it the identifier CVE-2022-30190 and described it as a remote code execution (RCE) vulnerability.

Security specialist Kevin Beaumont explained that the malicious documents use Word’s remote template feature to retrieve an HTML file from a remote web server; that HTML in turn uses the ms-msdt MSProtocol URI scheme to load code and run PowerShell. Beaumont adds that Follina can also be triggered through the ms-search MSProtocol scheme.

Vulnerable PDF tools

Although this was already a considerable security risk, things did not stop there, as it was recently confirmed that the vulnerability could also be activated in Foxit PDF Reader. Through their Twitter account, user @j00sean mentioned: “While testing PDF readers, I found a way to trigger error CVE-2022-30190, also known as #Follina, in Foxit PDF Reader. This doesn’t work in Adobe because of sandbox protections.”

The user shared a video of their proof of concept (PoC), showing that the tests were performed on Foxit PDF Reader v11.2.2.53575, the latest version of the tool. At the moment, the developers of the PDF reader have not released security updates to address the bug or issued security alerts about it.

The researcher also posted the payload to trigger the bug in Foxit, adding that successful exploitation requires the target user to allow connection in the pop-up window of a security warning.

Known exploitation

Groups of threat actors allegedly linked to China have been actively exploiting this vulnerability. Reports specifically point to TA413, an advanced persistent threat (APT) group that runs ongoing hacking campaigns against the Tibetan community.

Finally, a report by Proofpoint details how various officials in Europe and the United States have fallen victim to this campaign, receiving the malicious documents through phishing emails purporting to come from legitimate entities.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Zero-day vulnerability in Microsoft Office Pro Plus, Office 2013, Office 2016, and Office 2021 allows remote network hacking with just a single click
https://www.securitynewspaper.com/2022/05/30/zero-day-vulnerability-in-microsoft-office-pro-plus-office-2013-office-2016-and-office-2021-allows-remote-network-hacking-with-just-a-single-click/
Published: Mon, 30 May 2022 16:32:49 +0000

A few days ago, the security researcher known as “nao_sec” reported the detection of a specially crafted Word document that exploits a zero-day vulnerability in Microsoft Office, allowing arbitrary code execution simply by opening the malicious file.

This malware, uploaded to the VirusTotal platform from Belarus, was analyzed by expert Kevin Beaumont, who reports that the document uses Word’s remote template function to retrieve an HTML file from a remote web server, which in turn uses the ms-msdt MSProtocol to load code and execute PowerShell.

Beaumont mentions that the code runs regardless of whether macros are disabled on the target system, not to mention that Microsoft Defender can’t seem to prevent the attack: “Although the protected view is activated if you change the document to RTF format, the malicious code will run without even opening the document.”

The flaw was dubbed “Follina,” as a nod to the malicious file referencing 0438, the area code of a small Italian town. The researcher, and other members of the cybersecurity community, confirmed that the known exploit allows remote code to run on some versions of Windows and Office, including Office Pro Plus, Office 2013, Office 2016, and Office 2021.

The exploit doesn’t appear to work in recent versions of Office and in Windows Insider deployments, which could mean Microsoft is already working to address this issue. Beaumont also believes that the exploit could work on these versions with some modifications.

A hacking group hosted a web domain on Namecheap to use as a command and control (C&C) server; the hosting company quickly took the site down. The cybersecurity community has proposed some mitigation mechanisms, so a wave of active exploitation is considered very unlikely.

Zero-day vulnerability in Tails and TOR Browser exposes users’ identity. No patches available
https://www.securitynewspaper.com/2022/05/25/zero-day-vulnerability-in-tails-and-tor-browser-exposes-users-identity-no-patches-available/
Published: Wed, 25 May 2022 16:31:39 +0000

Tails, the well-known privacy-focused Linux distribution, has asked its users not to use the Tor Browser included with the operating system after a critical prototype pollution vulnerability was detected. Tor Browser is an open-source modification of Firefox focused on users’ privacy.

Tracked as CVE-2022-1802, the vulnerability would allow threat actors to corrupt the methods of a JavaScript Array object through prototype pollution, leading to the execution of malicious code in the context of a privileged process.

Another flaw, tracked as CVE-2022-1529, could allow malicious hackers to send messages to the parent process that index a JavaScript object twice, leading to prototype pollution and JavaScript code execution.

The developers of Tails have asked users not to start this browser while working with confidential information. The successful exploitation of the flaw would allow bypassing the security mechanisms in the distribution, leaving potentially critical information exposed.

“The vulnerability allows a malicious website to bypass some of the security built into Tor Browser and access information from other websites. For example, after visiting a malicious website, an attacker could access passwords and other sensitive records sent to other websites during the same Tails session,” the report said.

Tails added that this flaw does not break the anonymity and encryption of Tor connections, which means that it remains safe to access websites from Tails as long as the user does not enter sensitive information. Other applications in the operating system are not affected, as JavaScript execution is disabled.

There are no patches available yet, although the developers have already confirmed that the corrected version, Tails 5.1, is scheduled for release on May 31. In the meantime, Tails users can use the standalone Tor Browser on Windows, Linux, and macOS systems.

Pwn2Own Miami paid $400,000 USD for 26 zero-day exploits on ICS and SCADA products
https://www.securitynewspaper.com/2022/04/22/pwn2own-miami-paid-400000-usd-for-26-zero-day-exploits-on-ics-and-scada-products/
Published: Fri, 22 Apr 2022 20:33:03 +0000

This week concluded the most recent edition of the ethical hacking event Pwn2Own Miami 2022, during which $400,000 USD in prizes was awarded for 26 zero-day exploits against ICS and SCADA products. In this edition, the researchers focused on targets such as control servers, data gateways, and human-machine interfaces (HMI).

The Zero Day Initiative (ZDI) posted a message thanking those involved in the event: “Thank you again to all competitors and participating suppliers for their cooperation and for fixing the errors revealed.” Affected product vendors have 120 days to release patches for the flaws reported at Pwn2Own.

The main winners of the Pwn2Own Miami 2022 event are Daan Keuper and Thijs Alkemade of Computest Sector 7. During the first day, the team earned $20,000 USD by demonstrating a code execution attack on the Inductive Automation Ignition SCADA solution, exploiting a missing authentication flaw. During this day Computest Sector 7 also demonstrated a remote code execution (RCE) attack on AVEVA Edge HMI/SCADA, receiving a reward of $20,000 USD.

On the second day, the researchers exploited an infinite loop bug to trigger a denial of service (DoS) condition against Unified Automation’s C++ demo server, earning $5,000 USD, in addition to demonstrating an authentication bypass attack on OPC Foundation OPC UA .NET Standard, earning a further $40,000 USD.

Computest Sector 7 won the Master of Pwn title after winning a total of $90,000 over the three days of the contest and taking first place on the leaderboard with a total of 90 points.

This year’s Pwn2Own Miami was held in person and also allowed the remote participation of some researchers. During the first edition of Pwn2Own Miami, with the theme of ICS, held in January 2020, ZDI awarded $280,000 for the reporting of 24 zero-day vulnerabilities in ICS and SCADA products.

Zero-day privilege escalation vulnerability in Samsung Galaxy S21 smartphones: No patch available
https://www.securitynewspaper.com/2022/04/06/zero-day-privilege-escalation-vulnerability-in-samsung-galaxy-s21-smartphones-no-patch-available/
Published: Wed, 06 Apr 2022 22:43:54 +0000

Through the Zero Day Initiative (ZDI), researchers reported a critical local privilege escalation vulnerability that could put millions of Samsung Galaxy S21 devices at risk.

According to this report, the flaw allows local attackers to execute arbitrary code on affected smartphone models. To carry out the attack, malicious hackers must first be able to execute low-privileged code on the target device.

Apparently, the flaw resides within Web Bridge WebView. WebView exposes a JavaScript interface that allows threat actors to launch arbitrary applications; this flaw can be exploited along with other vulnerabilities to execute arbitrary code in the context of the current user.

The flaw was reported to developers in late 2021 and, in the absence of a functional patch, the researchers who reported it announced their intention to publicly disclose it as a zero-day vulnerability.

In addition, given the nature of the affected implementation and the type of attack, it is considered that the only recommended mitigation mechanism is to restrict interaction with the exposed application.

This Samsung Galaxy model is one of the company’s most popular smartphones, so the impact of successful exploitation could be huge. However, no reports of successful exploitation in the wild are known so far.

Exploitation code for the zero-day vulnerability in Spring Framework for Java applications is published. New Log4Shell flaw
https://www.securitynewspaper.com/2022/03/30/exploitation-code-for-the-zero-day-vulnerability-in-spring-framework-for-java-applications-is-published-new-log4shell-flaw/
Published: Thu, 31 Mar 2022 00:24:04 +0000

Cybersecurity specialists reported a new critical zero-day vulnerability in the Spring Core Java framework. Successful exploitation would allow remote code execution (RCE) in affected applications. Spring is a framework that allows software developers to quickly and easily develop Java applications with enterprise-grade features. These applications can be deployed on servers and as separate packages with all required dependencies.

A Spring Cloud Function vulnerability tracked as CVE-2022-22963 was identified on Tuesday, with additional reports circulating online since then. Now known as Spring4Shell, the vulnerability only affects Spring applications running on Java 9 and above and is caused by insecure deserialization of passed arguments.

A zero-day exploit was briefly leaked on Wednesday morning; it stayed online long enough for cybersecurity specialists to download the PoC code. The leak allowed them to confirm that the vulnerability exists, is exploitable and represents a severe security risk.

Researchers from the cybersecurity firm Praetorian also confirmed the existence of the vulnerability, although they specify that successful exploitation requires specific configurations previously established: “The attack requires an endpoint with DataBinder enabled, in addition it depends largely on the servlet container for the application,” mentions the company’s blog.

Experts also note that Spring is commonly used with Apache Tomcat, which means there is great potential for widespread exploitation. To make matters worse, multiple reports indicate that cases of active exploitation have already been detected.

Praetorian describes a way to mitigate exploitation of Spring4Shell by configuring Spring Core’s DataBinder to block specific field-name patterns. As this vulnerability has not yet been addressed, administrators running Spring applications are strongly recommended to implement these mitigations as soon as possible.

Given the characteristics of the attack, cybersecurity specialists recall the risk that emerged at the end of 2021 with the massive exploitation of servers running Log4j after the discovery of a vulnerability known as Log4Shell. That vulnerability allowed hacking groups to install malware and deploy ransomware against affected deployments.

Zero-day vulnerabilities in all Chrome browser versions affect millions of users
https://www.securitynewspaper.com/2022/02/16/zero-day-vulnerabilities-in-all-chrome-browser-versions-affect-millions-of-users/
Published: Wed, 16 Feb 2022 18:25:31 +0000

Google has issued an update for Chrome users on Windows, Linux and macOS operating systems in order to address a zero-day vulnerability that could have been actively exploited by malicious hackers, in addition to addressing other severe vulnerabilities affecting all versions of the popular browser.

While the company reserved technical details about the vulnerabilities due to the risk of active exploitation, some descriptions of the detected issues were published, including:

  • CVE-2022-0603: Use-after-free flaw in Chrome File Manager
  • CVE-2022-0604: Heap buffer overflow in Tab Groups
  • CVE-2022-0605: Use-after-free flaw in Webstore API
  • CVE-2022-0606: Use-after-free flaw in ANGLE
  • CVE-2022-0607: Use-after-free flaw on GPU
  • CVE-2022-0608: Integer overflow in Mojo
  • CVE-2022-0609: Use-after-free flaw in Animation
  • CVE-2022-0610: Inappropriate implementation in Gamepad API

For cybersecurity specialists, use-after-free bugs remain the most frequent and effective way to exploit flaws in the Chrome browser. Five of the eight vulnerabilities listed are use-after-free bugs, bringing the number of such flaws detected in Chrome during 2022 alone to 26.

The term use-after-free refers to a memory-safety error in which a program keeps using a pointer to a block of memory after that memory has been freed. Another common threat to web browser users is the buffer overflow, which can put critical data stored on vulnerable systems at risk.

Web browser users should update to version 98.0.4758.102 to mitigate the risk of exploitation. This update will be issued in the coming days, so users should limit the exposure of their systems while patches are ready. Check the version of Chrome that your system is running in the browser Settings.

How to check if you have Log4j installed on your servers? Fix the vulnerability in seconds by setting the log4j2.formatMsgNoLookups variable to true
https://www.securitynewspaper.com/2021/12/13/how-to-check-if-you-have-log4j-installed-on-your-servers-fix-the-vulnerability-in-seconds-by-setting-the-log4j2-formatmsgnolookups-variable-to-true/
Published: Mon, 13 Dec 2021 21:39:09 +0000

After several days of uncertainty and confirmed attacks, the Apache Software Foundation has finally released an update to address CVE-2021-44228, the zero-day vulnerability that caused problems for thousands of online platforms using the Log4j logging library. The vulnerability, also known as Log4Shell, can be exploited by getting Java applications and servers to log a specially crafted string.

Although the vulnerability has now been addressed, since it was first reported hundreds of developers have raised questions about Log4j and how to check whether it is installed on a given system.

Some developers assume that, since Log4j is a Java library, a system on which the administrator runs no Java applications cannot have Log4j installed. However, cybersecurity experts point out that applications can bundle their own JRE, so Java does not need to be installed system-wide for a Java application (and the copy of Log4j it ships with) to run.

Through Stack Exchange, a developer shared a script that can help other users identify the Log4j installation on a system:

Subsequently, the command shown below is executed:

Additional comments are available on GitHub.

The researcher who initially reported the flaw in Log4j also mentions that it is only possible to exploit CVE-2021-44228 if the log4j2.formatMsgNoLookups option in the library settings is set to false. The most recent reports on this issue indicate that the latest version of the affected library keeps this setting set to true, which definitely prevents any attempt at exploitation.

However, threat actors are still looking for vulnerable deployments, so administrators should manually set the feature to true before their systems are affected.
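
As an added example (not the article’s own script, nor the Stack Exchange one it refers to), the following Python scans a directory tree for Log4j 2 archives, reads the log4j-core version Maven records inside them, checks whether the JndiLookup class that CVE-2021-44228 relies on is still present, and checks a JVM’s command line or environment for the log4j2.formatMsgNoLookups mitigation discussed above. The sample JARs are constructed in a temporary directory; the facts that 2.15.0 fixed CVE-2021-44228 and that the formatMsgNoLookups property only exists from 2.10.0 are not stated in the article.

```python
"""Scan for Log4j 2 archives and check the CVE-2021-44228 mitigation state."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


@dataclass
class Finding:
    path: str
    version: Optional[str]
    has_jndi_lookup: bool


def version_tuple(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); suffixes such as '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def log4j_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Version that Maven records inside log4j-core JARs, or None if absent."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(path: str) -> Optional[Finding]:
    """Return a Finding if the archive carries log4j-core classes, else None."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if not any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            return None
        return Finding(path, log4j_core_version(zf), JNDI_LOOKUP in names)


def scan_tree(root: str) -> List[Finding]:
    """Inspect every .jar/.war/.ear under root. JARs nested inside a WAR are
    not unpacked here; extract those separately before scanning."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXTS):
                finding = inspect_archive(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return findings


def assess(f: Finding) -> str:
    """2.15.0 fixed CVE-2021-44228; the formatMsgNoLookups property only exists
    from 2.10.0, so older builds cannot be mitigated with that flag alone."""
    if not f.has_jndi_lookup:
        return "jndi-lookup-removed"
    if f.version is None:
        return "unknown-version-jndi-present"
    v = version_tuple(f.version)
    if v >= (2, 15, 0):
        return "patched"
    if v >= (2, 10, 0):
        return "vulnerable-flag-applicable"
    return "vulnerable-flag-not-supported"


def mitigation_flag_set(java_cmdline: str, env: Dict[str, str]) -> bool:
    """True if a JVM was started with -Dlog4j2.formatMsgNoLookups=true or the
    equivalent LOG4J_FORMAT_MSG_NO_LOOKUPS=true environment variable."""
    prop = re.search(r"-Dlog4j2\.formatMsgNoLookups=(\S+)", java_cmdline)
    if prop and prop.group(1).lower() == "true":
        return True
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"


def build_sample_jar(path: str, version: str, with_jndi: bool = True) -> None:
    """Constructed stand-in for a log4j-core JAR (placeholder class bytes)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe")


def demo() -> Dict[str, str]:
    """Build a constructed tree of sample JARs and return {name: assessment}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1")
        build_sample_jar(os.path.join(root, "lib", "log4j-core-2.15.0.jar"), "2.15.0")
        build_sample_jar(os.path.join(root, "legacy", "log4j-core-2.9.1.jar"), "2.9.1")
        build_sample_jar(os.path.join(root, "app", "log4j-core-stripped.jar"), "2.14.1", with_jndi=False)
        with zipfile.ZipFile(os.path.join(root, "app", "unrelated.jar"), "w") as zf:
            zf.writestr("com/example/App.class", b"\xca\xfe")
        return {os.path.basename(f.path): assess(f) for f in scan_tree(root)}
```

Point scan_tree at a real application directory to get the same per-archive verdicts; a "jndi-lookup-removed" result corresponds to the class-removal workaround, not to a patched release.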

Zero-day vulnerability in Log4j affects millions of Apache, Minecraft and other applications users; exploit code published
https://www.securitynewspaper.com/2021/12/10/zero-day-vulnerability-in-log4j-affects-millions-of-apache-minecraft-and-other-applications-users-exploit-code-published/
Published: Fri, 10 Dec 2021 19:39:30 +0000

Experts report the release of an exploit for a remote code execution (RCE) vulnerability in Log4j, an open source logging utility used in all kinds of web applications, including those used by the world’s largest corporations.

News about these vulnerabilities began to unfold through websites frequented by Minecraft players. These platforms warned game users that threat actors could execute malicious code on servers running the Java version of Minecraft by manipulating log messages.

Experts note that this is a big security issue for environments tied to older Java runtimes, including web interfaces for multiple network devices, application environments using legacy APIs, and Minecraft servers, due to their reliance on older versions for mod compatibility.

Some users already report Internet-wide scanning activity attempting to locate potentially vulnerable servers.

Log4j is built into multiple frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, so a host of third-party applications could also be affected by exploits of the same severity as those affecting Minecraft.

Although the flaw is known, few technical details are available; at the moment it is only known that the vulnerability has received the identifier CVE-2021-44228 and that many popular systems could currently be affected.

On the other hand, the Apache Software Foundation has not yet officially disclosed the vulnerability, and its representatives have not responded to requests for information. A group of researchers has analyzed the reports and concluded that this is a Java deserialization flaw: Log4j makes network requests through JNDI to an attacker-controlled LDAP server and executes the code that is returned. The bug is triggered by log messages containing the ${} lookup syntax.

Other reports claim that Java versions later than 6u211, 7u201, 8u191 and 11.0.1 offer better resistance to exploitation, since in those releases JNDI no longer loads remote code over LDAP by default. However, threat actors could still exploit the bug by abusing classes already present in vulnerable applications, although the success of such attacks would depend on the specific exposed deployment.

CVE-2021-24084: Critical zero-day vulnerability in Windows 10. No patch available
https://www.securitynewspaper.com/2021/12/01/cve-2021-24084-critical-zero-day-vulnerability-in-windows-10-no-patch-available/
Published: Wed, 01 Dec 2021 17:22:59 +0000

A group of researchers has released unofficial security patches for a local privilege escalation zero-day affecting Windows 10 version 1809 and later. According to reports, the bug resides in the “Access to work or school” settings and allows bypassing the patch Microsoft implemented for the flaw tracked as CVE-2021-24084.

Researcher Abdelhamid Naceri, who initially reported this flaw, also reported that the bug had been poorly addressed, so CVE-2021-24084 could still be exploited to gain administrator privileges via local access.

In this regard, specialist Mitja Kolsek mentioned: “It is known that an arbitrary file disclosure can lead to local privilege escalation if a specific method is used.” Using the exploit shared by Naceri, the expert and his team were able to execute code with administrator privileges.

Although the vulnerability has been identified by multiple researchers and by Microsoft, the company has not corrected the bug, which leaves systems exposed even with the latest updates installed. Windows systems can only be targeted by this attack if the following conditions are met:

  • System protection must be enabled on drive C and at least one restore point must be created. This specific condition could depend on multiple scenarios
  • At least one local administrator account must be enabled on the target system

As mentioned above, Microsoft has not issued official security patches, so the micropatch service 0patch released a set of unofficial updates for all versions of Windows 10 exposed to this flaw, including:

  • Windows 10 v21H1 (32-bit and 64-bit)
  • Windows 10 v20H2 (32-bit and 64-bit)
  • Windows 10 v2004 (32-bit and 64-bit)
  • Windows 10 v1909 (32-bit and 64-bit)
  • Windows 10 v1903 (32-bit and 64-bit)
  • Windows 10 v1809 (32-bit and 64-bit)

This is the second time that an unofficial patch has been issued to address a zero-day flaw in Windows, as a couple of weeks ago Naceri himself discovered that the CVE-2021-34484 flaw could be exploited to gain elevated privileges on all versions of Windows systems.

Zero-day vulnerability in FatPipe SD-WAN solutions allows uploading malicious files to affected servers
https://www.securitynewspaper.com/2021/11/18/zero-day-vulnerability-in-fatpipe-sd-wan-solutions-allows-uploading-malicious-files-to-affected-servers/
Published: Thu, 18 Nov 2021 22:01:43 +0000

The Federal Bureau of Investigation (FBI) issued a statement warning about the detection of a zero-day vulnerability in FatPipe products, which has been actively exploited for much of 2021. The company confirmed that the affected products are WARP, MPVPN, and IPVPN devices.

Apparently, the vulnerability exists due to missing input verification and validation for certain HTTP requests, allowing threat actors to send specially crafted HTTP requests to a vulnerable device. FatPipe says the bug resides in its web management interface and could be exploited to upload files to any location on the file system. The flaw has not yet received a CVE identifier or a Common Vulnerability Scoring System (CVSS) score.

The agency notes that threat actors have exploited this flaw to inject a webshell that provides root access to a vulnerable device. According to the FBI, these attacks served as a starting point for subsequent malicious activity: “Threat actors would have exploited this SSH access to route malicious traffic through the compromised devices,” the researchers note.

Finally, the threat actors performed debugging on the affected systems in order to gain persistence and keep operating without being detected.

FatPipe has confirmed that the flaw has been addressed, so WARP, MPVPN and IPVPN users are advised to upgrade the software running on these devices to versions 10.1.2r60p93 or 10.2.2r44p1.

No workarounds for this flaw are known at the moment, although some experts mention that disabling UI access on WAN interfaces and configuring access lists in the web interface could serve as mitigations; still, applying the official updates remains the top security recommendation.

How Apple Mac users were spied upon easily according to Google Cyber Security Team?
https://www.securitynewspaper.com/2021/11/12/how-apple-mac-users-were-spied-upon-easily-according-to-google-cyber-security-team/
Fri, 12 Nov 2021 17:12:27 +0000

Researchers at Google Threat Analysis Group (TAG) have revealed a report detailing how a group of threat actors managed to spy on visitors to certain websites in Hong Kong using a critical zero-day vulnerability in macOS. Tracked as CVE-2021-30869, the flaw was fixed in macOS Catalina a couple of months ago.

In its report, Google notes that these attacks are part of a watering hole campaign, in which threat actors compromise selected websites in order to extract information from their visitors: “The compromised websites had two iframes used as exploits for iOS and for macOS,” TAG notes.

Attackers abused the zero-day vulnerability to install a backdoor on Apple devices through the compromised websites. Investigators believe that the hacking group behind this campaign has extensive technical and financial resources at its disposal, so it is likely sponsored by a state actor.

After gaining root access to the affected platform, the attackers download a payload that runs in the background on the infected devices. By analyzing a sample of the final-stage malware, the experts concluded that it is the product of highly advanced software engineering, using a model based on Data Distribution Service (DDS) to establish C&C communications.

The backdoor used by the hackers is also somewhat unusual, as it allowed very detailed spying on targets: attackers were able to obtain logs of the affected system, take screenshots, record audio and video, execute terminal commands, and upload and download files.

Although the researchers did not explicitly name the websites compromised in this hacking campaign, they point out that the targets include a major media outlet in Hong Kong and a pro-democracy activist group, so the attack is suspected to originate from the Chinese authorities.
