Kali Linux 2023.2, the second version of 2023, is now available with a pre-built Hyper-V image and thirteen new tools, including the Evilginx framework for stealing credentials and session cookies. […]
OpenSSH Agent RCE Flaw Let Attackers Execute Arbitrary Commands
Researchers at Qualys have discovered a new Remote Code Execution flaw in OpenSSH.
The flaw lies in OpenSSH's forwarded ssh-agent and allows an attacker to execute arbitrary commands through a vulnerable forwarded ssh-agent.
OpenSSH is used by many servers and applications for encrypted remote login and file transfer. The vulnerability lies in the ssh-agent program, which lets users authenticate to remote servers without entering their passphrase every time.
CVE-2023-38408: Remote Code Execution
The vulnerability exists in ssh-agent because the PKCS#11 feature in OpenSSH version 9.3p2 has an insufficiently trustworthy search path. The issue stems from an incomplete fix for CVE-2016-10009.
The CVSS Score for this vulnerability is yet to be confirmed.
ssh-agent is a key manager that holds PKCS#11 (Public-Key Cryptography Standard) keys ready for use in remote server connections. An attacker can get ssh-agent to load a malicious library, which leaves behind effects in the process, such as a running thread, that persist even after dlclose().
In addition, many shared libraries are marked "nodelete" by the loader, which keeps the malicious library loaded until it is deleted by a superuser. These libraries reside in the /usr/lib* directories, which can allow the threat actor to have any library there dlopen()ed, even when a SUID-root program is being executed.
Once the library is loaded, the threat actor gains the same privileges as the user who started the ssh-agent. OpenSSH has patched this vulnerability.
Qualys has published a complete report that explains the threat vector, background and exploitation of this vulnerability in detail.
Users who forward ssh-agent are advised to upgrade to the latest OpenSSH version to prevent malicious activity.
The post OpenSSH Agent RCE Flaw Let Attackers Execute Arbitrary Commands appeared first on Cyber Security News.
BadPack APK Malware Using Wired Trick to Attack Users & Stay Undetected
Hackers often exploit APK packers to hide malicious code within Android applications, making the malware harder for security programs to detect and analyze.
The technique increases the likelihood of a successful breach while keeping the malware persistent and hidden on compromised devices.
Cybersecurity analysts at Palo Alto Networks' Unit 42 recently identified hackers using the BadPack APK packer to hide the malware's file structure.
BadPack APK Malware Wired Trick
BadPack APK files are a growing cybersecurity threat: they are Android applications whose ZIP headers have been tampered with.
These files are difficult to analyze with reverse-engineering tools, and banking Trojans such as BianLian and Cerberus often use them.
The file typically targeted within an APK is AndroidManifest.xml, which makes static analysis difficult.
WildFire identified around 9,200 BadPack samples between June 2023 and June 2024, indicating the need for a better understanding of this advancing malware technique, along with detection techniques for it.
APK files are ZIP archives, and a ZIP archive contains local file headers and central directory file headers. These headers carry the information that describes the archive's structure and contents.
According to the Unit 42 report, BadPack authors deliberately alter header fields to exploit this format, creating mismatches between the local file headers and the central directory headers.
This makes it hard to analyze or extract the APK contents, while the malicious app still runs on an Android device.
Detecting BadPack therefore requires understanding how these header structures are built and manipulated.
BadPack tampers with APK headers to create differences between the local and central directory headers. The technique exploits the fact that analysis tools and the Android runtime process APKs differently.
In this case, Apktool and Jadx cannot correctly extract the files once they have been tampered with, but Android devices can still use them because the runtime checks only the central directory headers.
Malware authors achieve this by using mismatched compression methods or sizes between the two headers.
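The header mismatch described above can be checked for directly. The following Python script is an added example, not Unit 42's code or any BadPack sample: it parses the central directory and each entry's local file header independently, reports every field where the two disagree, and then reads the entry the way a central-directory-trusting reader does (Python's zipfile module behaves like this, so it stands in for the Android runtime here). The archive, the manifest content and the tampering step are all constructed inline for illustration.

```python
import io
import struct
import zipfile
from typing import Optional

# ZIP record signatures (from the ZIP specification).
LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"     # end of central directory record
DATA_DESCRIPTOR_FLAG = 0x0008  # bit 3: CRC/sizes live in a trailing descriptor

# Constructed stand-in for a manifest; not a real BadPack sample.
MANIFEST = b'<?xml version="1.0"?><manifest package="example.constructed"/>'


def parse_central_directory(data: bytes) -> list:
    """Walk the central directory (what the Android runtime trusts); one dict per entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _, cd_offset, _ = struct.unpack("<HHHHIIH", data[eocd + 4:eocd + 22])
    entries, pos = [], cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        (_, _, flags, method, _, _, crc, csize, usize,
         nlen, xlen, clen, _, _, _, lho) = struct.unpack("<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46])
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "flags": flags, "method": method, "crc": crc,
                        "compressed_size": csize, "uncompressed_size": usize,
                        "local_header_offset": lho})
        pos += 46 + nlen + xlen + clen
    return entries


def parse_local_header(data: bytes, offset: int) -> dict:
    """Parse the local file header at `offset` (what unzip-style tools read first)."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError(f"bad local file header signature at offset {offset}")
    (_, flags, method, _, _, crc, csize, usize,
     nlen, _) = struct.unpack("<HHHHHIIIHH", data[offset + 4:offset + 30])
    name = data[offset + 30:offset + 30 + nlen].decode("utf-8", "replace")
    return {"name": name, "flags": flags, "method": method, "crc": crc,
            "compressed_size": csize, "uncompressed_size": usize}


def find_header_mismatches(data: bytes) -> list:
    """Return (entry name, field, local value, central value) for every disagreement."""
    issues = []
    for cd in parse_central_directory(data):
        lh = parse_local_header(data, cd["local_header_offset"])
        fields = ["name", "method"]
        # With the data-descriptor flag set the local CRC/sizes are legitimately zero,
        # so compare them only when the flag is clear (avoids false positives).
        if not lh["flags"] & DATA_DESCRIPTOR_FLAG:
            fields += ["crc", "compressed_size", "uncompressed_size"]
        for f in fields:
            if lh[f] != cd[f]:
                issues.append((cd["name"], f, lh[f], cd[f]))
    return issues


def read_via_central_directory(data: bytes, name: str) -> Optional[bytes]:
    """zipfile takes method/sizes/CRC from the central directory, as the runtime does."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)
    except zipfile.BadZipFile:
        return None


def build_sample_apk() -> bytes:
    """Construct a small, well-formed APK-like archive in memory (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", MANIFEST)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
    return buf.getvalue()


def tamper_local_header(data: bytes, name: str) -> bytes:
    """Constructed illustration of the mismatch: rewrite only the local header of `name`
    to claim STORED (0) and a nonsense compressed size; the central directory is untouched."""
    offset = {e["name"]: e for e in parse_central_directory(data)}[name]["local_header_offset"]
    buf = bytearray(data)
    struct.pack_into("<H", buf, offset + 8, 0)            # compression method field
    struct.pack_into("<I", buf, offset + 18, 0xFFFFFFFF)  # compressed size field
    return bytes(buf)


if __name__ == "__main__":
    sample = tamper_local_header(build_sample_apk(), "AndroidManifest.xml")
    for name, field, local, central in find_header_mismatches(sample):
        print(f"{name}: {field} local={local} central={central}")
    print("central-directory read OK:",
          read_via_central_directory(sample, "AndroidManifest.xml") == MANIFEST)
```

Run against a real APK, `find_header_mismatches(open(path, "rb").read())` returning anything for AndroidManifest.xml is the signal worth triaging; the data-descriptor check matters because legitimately streamed archives carry zero sizes in their local headers.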
Understanding and reversing these manipulations is essential for successfully analyzing BadPack samples, as experiments on AndroidManifest.xml extraction and installation on real Android devices have shown.
BadPack is among the malware that defeats traditional analysis tools such as jar, unzip and apksigner as a result of its compression tricks and manipulated headers.
The open-source apkInspector tool can successfully extract and decode AndroidManifest.xml files from BadPack samples, unlike most other tools.
This developing challenge shows the need for advanced analysis techniques and tools. Users can reduce their exposure by avoiding apps from untrusted or third-party sources and declining applications that request unusual permissions.
IoCs
Below are the SHA256 hashes of BadPack malware samples:
0003445778b525bcb9d86b1651af6760da7a8f54a1d001c355a5d3ad915c94cb
015bd2e799049f5e474b80cbbdcd592ce4e2dfbfae183bada86a9b6ec103e25e
131135a7c911bd45db8801ca336fc051246280c90ae5dafc33e68499d8514761
90c41e52f5ac57b8bd056313063acadc753d44fb97c45c2dc58d4972fe9f9f21
The post BadPack APK Malware Using Wired Trick to Attack Users & Stay Undetected appeared first on Cyber Security News.
TellYouThePass Ransomware Actor Weaponizing PHP RCE Flaw, Patch Immediately
The notorious TellYouThePass ransomware gang is exploiting a critical remote code execution (RCE) vulnerability in PHP to compromise servers and deploy its malicious payloads.
The flaw, tracked as CVE-2024-4577, allows unauthenticated attackers to execute arbitrary code on vulnerable PHP installations.
Imperva researchers discovered that the TellYouThePass ransomware operators began exploiting this high-severity PHP bug mere hours after a proof-of-concept (PoC) exploit was publicly released on June 10, 2024.
The threat actors target exposed PHP servers to gain initial access and move laterally through victims’ networks before encrypting files and demanding ransom payments.
“The rapid weaponization of CVE-2024-4577 by the TellYouThePass ransomware group underscores the critical need for organizations to patch their PHP deployments without delay,” warned the Imperva research team. “We expect other threat actors to quickly adopt this exploit as part of their attack chains.”
PHP developers have released security updates addressing the RCE vulnerability in versions 8.2.7, 8.1.19, and 7.4.33. System administrators are strongly urged to upgrade their PHP installations to the latest patched releases to mitigate the risk of compromise.
The TellYouThePass ransomware first emerged in late 2021, exploiting the infamous Log4Shell vulnerability to infect Windows and Linux systems.
In 2022, the malware was rewritten in the Go programming language, enabling the operators to more easily target multiple operating systems, including macOS.
More recently, in November 2023, TellYouThePass was observed exploiting a critical RCE flaw (CVE-2023-46604) in Apache ActiveMQ message broker servers to breach and encrypt victims’ data.
Arctic Wolf security researchers found evidence linking the TellYouThePass gang to HelloKitty ransomware attacks leveraging the same ActiveMQ vulnerability.
With this latest PHP exploitation campaign, the TellYouThePass ransomware actor continues to demonstrate its ability to incorporate newly disclosed vulnerabilities into its attack toolkit rapidly.
Organizations running PHP in their environments must prioritize patching CVE-2024-4577 to defend against these evolving ransomware threats.
The post TellYouThePass Ransomware Actor Weaponizing PHP RCE Flaw, Patch Immediately appeared first on Cyber Security News.