In an advisory released by the company, Apple revealed patches for three previously unknown bugs it says may already have been used by attackers.
GoTitan Botnet Actively Exploiting Apache ActiveMQ Vulnerability
Attackers are exploiting the recently disclosed critical vulnerability in Apache ActiveMQ, tracked as CVE-2023-46604, to distribute the Go-based botnet GoTitan and the .NET remote-access tool “PrCtrl Rat,” which can be controlled remotely by the attacker.
Apache ActiveMQ versions earlier than 5.15.16, 5.16.7, 5.17.6, and 5.18.3 are affected regardless of the operating system they run on.
Apache released an advisory in October addressing CVE-2023-46604, a deserialization of untrusted data flaw in ActiveMQ.
Because of the high risk and potential impact, CISA added CVE-2023-46604 to its Known Exploited Vulnerabilities (KEV) Catalog on November 2.
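As an added, defender-side check that is not part of the article or of the Apache project: the script below compares an ActiveMQ version string against the first fixed release on each branch the article lists and triages a host inventory. The four fixed versions come from the article; the hostnames and version values in the sample inventory are constructed, and a version whose branch the article does not mention (for example a 6.x release) is reported as unknown rather than guessed.

```python
"""Triage Apache ActiveMQ versions against the CVE-2023-46604 fixed releases.

Added example, not from the article or the Apache project. The fixed versions
(5.15.16, 5.16.7, 5.17.6, 5.18.3) are the ones the article cites; the host
inventory at the bottom is constructed sample data.
"""
from typing import Dict, Optional, Tuple

# First fixed release on each maintained branch, keyed by (major, minor).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

OLDEST_FIXED_BRANCH = min(FIXED_VERSIONS)  # (5, 15)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', ignoring a trailing qualifier such as '-SNAPSHOT'."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised ActiveMQ version string: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix for its branch, False if it carries
    the fix, None if the branch is not one the advisory text covers."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[branch]
    if branch < OLDEST_FIXED_BRANCH:
        # Anything before 5.15 is "earlier than 5.15.16" and never received the fix.
        return True
    return None  # e.g. a 6.x release: not covered by the versions quoted in the article


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'patched', 'unknown-branch' or 'unparseable'."""
    labels = {True: "vulnerable", False: "patched", None: "unknown-branch"}
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = labels[is_vulnerable(version)]
        except ValueError:
            # Keep the host in the report so nobody assumes it was checked and cleared.
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.2",
    "mq-prod-02": "5.18.3",
    "mq-legacy-01": "5.15.9",
    "mq-dev-01": "5.17.5",
    "mq-new-01": "6.0.0",
    "mq-odd-01": "latest",
}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The comparison is done per branch rather than against a single "latest" version, because a 5.16.7 host is patched even though 5.18.3 is numerically higher; collapsing the four fixed versions into one threshold would misreport the older branches.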
GoTitan Botnet – Ongoing Exploitation on Apache ActiveMQ
In this case, the attacker sends a crafted packet that causes the server to unmarshal a class under the attacker's control.
The attacker then hosts a prepared XML file externally, and the vulnerable server is induced to retrieve and load a class configuration XML file from that remote URL.
The malicious XML file defines the arbitrary code to be run on the infected system; by setting parameters such as “cmd” or “bash,” attackers can execute code on the remote, vulnerable server.
According to Fortinet researchers, GoTitan, a new botnet written in Go, was identified this month; it is retrieved from the malicious URL “hxxp://91.92.242.14/main-linux-amd64s.” The malware performs several checks before executing, and the attacker only provides binaries for x64 architectures.
It also creates a file called “c.log” containing program status and execution time. This appears to be a developer's debug log, suggesting that GoTitan is still at an early stage of development.
It then obtains the C2 IP address and collects key facts about the compromised endpoint, such as CPU details, memory, and architecture.
“GoTitan communicates with its C2 server by sending ‘\xFE\xFE’ as a heartbeat signal and waiting for further instructions. When it receives a command, it passes it to a function named ‘handle_socket_func2’ that determines an attack method,” researchers explain.
GoTitan can launch distributed denial-of-service (DDoS) attacks using 10 distinct methods, including TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.
Researchers also found other well-known malware and tools in use, such as Sliver, Kinsing, and Ddostf.
System updates, patching, and continuous monitoring of security advisories are essential to reduce the risk of exploitation.
The post GoTitan Botnet Actively Exploiting Apache ActiveMQ Vulnerability appeared first on Cyber Security News.
Cyber Security News

Bonus Episode: 2024 Cybersecurity Canon Hall of Fame Inductee: Tracers in the Dark by Andy Greenberg.
Rick Howard and Andy Greenberg discuss his 2024 Cybersecurity Canon Hall of Fame book: “Tracers in the Dark.”
The CyberWire
CacheWarp: A New Flaw in AMD’s SEV Let Attackers Hijack Encrypted Virtual Machines
CacheWarp is a new software-based fault attack that lets attackers break into encrypted virtual machines (VMs) and escalate privileges on AMD’s Secure Encrypted Virtualization-Encrypted State (SEV-ES) and Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) technologies.
The underlying vulnerability, tracked as CVE-2023-20592 with Medium severity, was uncovered by researchers from the CISPA Helmholtz Center for Information Security in Germany and the Graz University of Technology in Austria, together with independent researcher Youheng Lu.
Researchers claim that the CacheWarp attack enables attackers to escalate privileges, take over control flow, and break into an encrypted virtual machine.
“CacheWarp is a software-based fault injection attack on SEV VMs. It allows the hypervisor to revert data modifications of the VM on a single-store granularity, leading to an old (stale) view of memory for the VM”, researchers said.
AMD Secure Encrypted Virtualization (SEV) is a CPU extension that provides stronger isolation of virtual machines (VMs) from the underlying hypervisor, allowing VMs to be deployed securely in an untrusted hypervisor environment.
SEV-SNP, which adds Secure Nested Paging (SNP), creates an isolated execution environment with strong memory-integrity protection against malicious hypervisor-based attacks, including data replay and memory re-mapping.
The researchers have published video demonstrations of CacheWarp bypassing OpenSSH authentication and sudo authentication.
INVD Instruction Leads to a Loss of SEV-ES and SEV-SNP Memory Integrity
AMD has identified a potential vulnerability in the INVD instruction that could result in a loss of memory integrity for SEV-ES and SEV-SNP guest virtual machines (VMs). A microcode update addressing the vulnerability has been provided.
“Improper or unexpected behavior of the INVD instruction in some AMD CPUs may allow an attacker with a malicious hypervisor to affect cache line write-back behavior of the CPU leading to a potential loss of guest virtual machine (VM) memory integrity,” AMD said.
Affected Products
1st Gen AMD EPYC Processors (SEV and SEV-ES)
2nd Gen AMD EPYC Processors (SEV and SEV-ES)
3rd Gen AMD EPYC Processors (SEV, SEV-ES, SEV-SNP)
Mitigation
For customers that have the AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) feature active, AMD has supplied a hot-loadable microcode patch and updated the firmware image for AMD 3rd generation EPYC processors (“Zen 3” microarchitecture, formerly codenamed “Milan”). The patch should not affect performance.
The post CacheWarp: A New Flaw in AMD’s SEV Let Attackers Hijack Encrypted Virtual Machines appeared first on Cyber Security News.
Cyber Security News