A Brazilian threat actor is targeting more than 30 Portuguese financial institutions with information-stealing malware as part of a long-running campaign that commenced in 2021.
“The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain,” SentinelOne researchers Aleksandar Milenkoski and Tom Read More
Related Posts
CISA Warns of Hackers Exploiting OS Command Injection Vulnerabilities
CISA Warns of Hackers Exploiting OS Command Injection Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have raised alarms about hackers exploiting OS command injection vulnerabilities.
These vulnerabilities, a constant issue in software products, pose essential risks to users and organizations.
The alert comes in response to recent threat actor campaigns that have successfully targeted and compromised network edge devices, exploiting these vulnerabilities.
What is OS Command Injection Vulnerability?
OS command injection vulnerabilities occur when software fails to properly validate and sanitize user input before constructing commands to execute on the underlying operating system.
This oversight allows malicious actors to execute unauthorized commands, potentially leading to severe consequences such as data breaches, system compromise, and unauthorized access.
Despite being a well-known and preventable class of vulnerability, OS command injection issues continue to surface.
The recent alert highlights three specific vulnerabilities:
These vulnerabilities allowed unauthenticated attackers to execute code on network edge devices remotely, demonstrating the critical need for robust security measures.
Secure by Design: A Proactive Approach
CISA and the FBI emphasize adopting a “secure by design” approach to software development.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
This methodology incorporates security measures from the start, starting in the design phase and continuing through development, release, and updates.
By doing so, software manufacturers can significantly reduce the risk of vulnerabilities and protect their customers from potential exploits.
Key Recommendations for Software Manufacturers:
Use Safe Functions: Ensure that software uses functions that generate commands in safer ways, preserving the intended syntax of the command and its arguments.
Review Threat Models: Regularly review and update threat models to identify and mitigate potential risks.
Utilize Modern Libraries: Use modern component libraries designed with security in mind.
Conduct Code Reviews: Implement thorough code reviews to identify and address potential vulnerabilities.
Aggressive Testing: Conduct aggressive adversarial product testing to ensure the quality and security of the code throughout the development lifecycle.
Products that are secure by design are better equipped to protect against malicious cyber actors. Incorporating security measures from the beginning reduces the burden on customers and minimizes public risk.
OS command injection vulnerabilities, often resulting from CWE-78, can be prevented by clearly separating user input from command contents.
CISA has added the vulnerabilities mentioned earlier to the Known Exploited Vulnerabilities (KEV) Catalog, which documents vulnerabilities exploited in the wild.
This catalog is a valuable resource for organizations to stay informed about current threats and take necessary precautions.
Preventing OS Command Injection Vulnerabilities
To prevent OS command injection vulnerabilities, developers should take several proactive steps during the design and development of software products:
Use Built-in Library Functions: Use built-in library functions that separate commands from their arguments instead of constructing raw strings whenever possible.
Input Parameterization: Keep data separate from commands by using input parameterization and validating all user-supplied input.
Limit User Input: Restrict the parts of commands constructed by user input to only what is necessary.
Sanitize Input: Sanitize user input before invoking commands, ensuring malicious inputs cannot compromise the system.
Secure by Design Principles
CISA and the FBI encourage manufacturers to adopt three fundamental principles to protect their products from OS command injection exploits:
Take Ownership of Customer Security Outcomes: Manufacturers should eliminate OS command injection vulnerabilities from their products and provide safe building blocks for developers.
Embrace Radical Transparency and Accountability: Lead transparently when disclosing product vulnerabilities and ensure accurate CVE and CWE mappings.
Build Organizational Structure and Leadership: Prioritize security in product development, make appropriate investments, and establish structures that promote proactive measures.
Software manufacturers are encouraged to take the Secure by Design Pledge to demonstrate their commitment to Secure by Design principles. This pledge outlines seven key goals, including reducing systemic vulnerabilities like OS command injection.
The Secure by Design initiative aims to foster a cultural shift across the industry, promoting the development of secure technology products to use out of the box.
By adopting these principles, manufacturers can help protect their customers and contribute to a safer digital landscape.
“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo
The post CISA Warns of Hackers Exploiting OS Command Injection Vulnerabilities appeared first on Cyber Security News.
New Terrapin Attacking SSH Protocol to Downgrade the Connection Security
New Terrapin Attacking SSH Protocol to Downgrade the Connection Security
SSH protocol is one of the most used protocols across several organizations to establish a remote terminal login and file transfer. SSH consists of an authenticated key exchange for establishing the secure channel connection to ensure integrity and confidentiality.
However, a new technique named “Terrapin attack” has been discovered, which will allow threat actors to downgrade the SSH protocol version, thus allowing the exploitation of vulnerable servers. Additionally, the threat actor can redirect the victim’s login into a shell under the attacker’s control.
Terrapin Attacking SSH Protocol
Terrapin attack is a kind of prefix truncation attack in which the initial encrypted packets sent through the secure SSH channel can be deleted without the server or client noticing it.
There are two root causes for this flaw; one of them is the optional messages that are allowed in the SSH handshake, which do not require authentication. Second, the SSH handshake does not reset message sequence numbers when encryption is enabled.
Root Cause Analysis
SSH Does Not Protect the Full Handshake Transcript
SSH server authentication uses a signature to verify the handshake integrity. However, the handshake is formed with a constant list of handshake messages instead of a complete transcript. This creates an authentication flaw that allows an attacker to tamper with the handshake and manipulate the sequence numbers.
SSH Does not Reset Sequence Numbers
As specified, the SSH does not sequence numbers during the initial connection. Instead, it increases sequence numbers monotonically, which is not associated with the encryption state. Hence, any tampered sequence number before the secure channel goes directly into the channel.
With respect to these two root causes, there were many possible attacks, such as:
Sequence number manipulation: An attacker can increase the receiver counter, allowing full control of the receive and send counters.
Prefix Truncation attack on the BPP (Binary Packet Protocol): An attacker can manipulate the sequence numbers to delete a specific number of packets at the initial secure channel without any noise.
Extension Negotiation Downgrade attack: An attacker can manipulate the client into believing that the server does not support recent signature algorithms, which will prevent certain countermeasures from being executed.
Rogue Extension Attack and Rogue Session Attack: An attacker can replace the victim’s extension info message with a custom one. On the other hand, an attacker can also inject a malicious user authentication message, which will log the victim into a shell that is controlled by the attacker, which will give complete control over the victim’s terminal.
Furthermore, a complete report has been published, which provides detailed information about the attack scenarios, the results of the attack, and the observed behavior.
The post New Terrapin Attacking SSH Protocol to Downgrade the Connection Security appeared first on Cyber Security News.
Cyber Security News