Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.
Related Posts
Hackers Exploit SonicWall VPNs to Deploy Fog & Akira Ransomware
Hackers target VPNs primarily to exploit vulnerabilities that allow them to gain unauthorized access to enterprise networks.
By infiltrating these systems, hackers aim to identify enterprise assets and establish a foothold for further exploitation.
Arctic Wolf researchers recently discovered that hackers have been actively attacking SonicWall VPNs and breaching corporate networks using “Fog” ransomware.
Fog Ransomware Exploiting SSL VPN Vulnerabilities
Between August and October 2024, researchers observed a major surge in cyber-attacks exploiting SonicWall SSL VPN vulnerabilities.
The exploitation of these vulnerabilities led to ransomware deployments by two major threat groups:
Akira
Fog
Among the 30 documented intrusions, Akira ransomware was responsible for 75% of attacks, while Fog ransomware accounted for the remaining 25%.
All of these attacks overlapped with the disclosure of a critical security vulnerability in SonicWall’s firmware, tracked as CVE-2024-40766.
However, direct evidence of its exploitation remained inconclusive. The threat actors moved with notable speed: encryption began as little as 1.5 hours after initial access, and in some cases up to 10 hours after it.
Unlike targeted campaigns, these attacks appeared opportunistic and affected organizations across various industries and sizes.
The threat actors primarily exploited outdated firmware versions, which highlights the importance of regular security updates and external security monitoring.
The attack pattern marked a notable shift from previous months, when ransomware incidents were distributed across multiple firewall brands. This suggests a strategic focus on SonicWall vulnerabilities by these threat groups, according to the Arctic Wolf report.
In these attacks, threat actors gained unauthorized entry primarily via compromised VPN accounts on the default SSL VPN port 4433.
The attacks originated from VPS hosting providers (AS64236 – UnReal Servers, LLC and AS32613 – Leaseweb Canada Inc.).
The compromised accounts used local device authentication rather than centralized Microsoft Active Directory integration, and notably, none of them had MFA enabled.
The intrusions were marked by rapid encryption focused on virtual machine storage and backups, alongside strategic data exfiltration patterns: for general files, theft was limited to about six months of data.
Sensitive information from human resources and accounts payable departments, by contrast, saw up to 30 months of data stolen.
The threat actors’ activity was logged under message event IDs 238 (WAN zone remote user login allowed) and 1080 (SSL VPN zone remote user login allowed), followed by event ID 1079, which indicates a successful login.
Upon gaining access, the threat actors deleted these firewall logs. The entire attack sequence occurred within several hours, leaving organizations with minimal response time.
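To make the event IDs above actionable, here is an added detection example (not code from the Arctic Wolf report or the article) that correlates SSL VPN login-allowed events with the subsequent success event over SonicWall-style syslog copies held off the firewall, where the actors cannot delete them. The key=value layout, message texts, sample lines and five-minute window are constructed assumptions; the event IDs are the ones named in the article.

```python
import re
from datetime import datetime, timedelta

# Constructed SonicWall-style syslog lines (key=value fields, m= carries the event ID).
# Field names and message texts are assumptions; 238/1080/1079 are the article's IDs.
SAMPLE_LOGS = """\
id=firewall sn=EXAMPLE time="2024-09-12 02:14:03" m=238 msg="WAN zone remote user login allowed" src=198.51.100.23:51234:X1 dst=203.0.113.5:4433:X1 usr="backup_admin"
id=firewall sn=EXAMPLE time="2024-09-12 02:14:03" m=1080 msg="SSL VPN zone remote user login allowed" src=198.51.100.23:51234:X1 dst=203.0.113.5:4433:X1 usr="backup_admin"
id=firewall sn=EXAMPLE time="2024-09-12 02:14:05" m=1079 msg="SSL VPN user login successful" src=198.51.100.23:51234:X1 dst=203.0.113.5:4433:X1 usr="backup_admin"
id=firewall sn=EXAMPLE time="2024-09-12 09:01:10" m=1080 msg="SSL VPN zone remote user login allowed" src=192.0.2.77:40022:X1 dst=203.0.113.5:4433:X1 usr="jdoe"
"""
LOGIN_ALLOWED = {"238", "1080"}  # WAN zone / SSL VPN zone remote user login allowed
LOGIN_SUCCESS = "1079"           # successful SSL VPN login
WINDOW = timedelta(minutes=5)    # assumed gap between "allowed" and "successful"

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD_RE.findall(line)}

def ip_of(field):
    """SonicWall src/dst fields look like ip:port:interface; keep only the IP."""
    return field.split(":")[0]

def correlate_sslvpn_logins(log_text, window=WINDOW):
    """Return successful SSL VPN logins (1079) preceded, within `window`, by a
    login-allowed event (238/1080) from the same source IP and user."""
    pending = {}  # (src_ip, user) -> (first allow time, [allow event IDs seen])
    logins = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if "m" not in f or "time" not in f:
            continue
        ts = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S")
        key = (ip_of(f.get("src", "")), f.get("usr", ""))
        if f["m"] in LOGIN_ALLOWED:
            t0, seen = pending.get(key, (ts, []))
            pending[key] = (t0, seen + [f["m"]])
        elif f["m"] == LOGIN_SUCCESS:
            t0, seen = pending.pop(key, (None, []))
            if t0 is not None and ts - t0 <= window:
                dst = f.get("dst", "").split(":")
                logins.append({"user": key[1], "src": key[0], "time": ts,
                               "dst_port": dst[1] if len(dst) > 1 else "",
                               "allow_events": seen})
    return logins
```

Feed the returned records to whatever enrichment you already have (source ASN, MFA status of the account, working hours); the jdoe line is left out because no 1079 follows it.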
Recommendations
The report’s recommendations are:
Regular firmware updates
VPN login monitoring
Secure off-site backups
Robust endpoint activity surveillance
The post Hackers Exploit SonicWall VPNs to Deploy Fog & Akira Ransomware appeared first on Cyber Security News.
WP-Members Plugin Expose WordPress Sites To Injection Attacks
A security researcher reported a critical vulnerability in the WP-Members Membership Plugin that allows attackers to inject malicious scripts and potentially take over websites.
The unauthenticated stored XSS flaw was present in the X-Forwarded header and could be triggered against administrators. The researchers were rewarded for their responsible disclosure.
On March 7th, the plugin vendor released a partial patch (v3.4.9.2), followed shortly after by a full fix (v3.4.9.3); users should upgrade to the latest version to mitigate the risk.
A critical vulnerability (CVSS: 7.2) exists in WordPress’s WP-Members Membership Plugin versions up to 3.4.9.2, which arises from insufficient sanitization and escaping of the X-Forwarded header.
Malicious attackers can exploit this to inject arbitrary scripts into the database, which then execute whenever a user visits the edit user page.
While a partial fix was implemented in version 3.4.9.2, a complete resolution arrived only in version 3.4.9.3. Upgrading to the latest version is crucial to addressing this security risk.
Technical Analysis Of The Vulnerability:
An attacker can exploit a cross-site scripting vulnerability in WP-Members by injecting malicious code into the X-Forwarded header during user registration.
This is achievable by intercepting the registration request with a proxy and modifying it to include the attacker’s script; the vulnerable plugin then stores the attacker-provided script as the user’s IP address, allowing it to execute whenever that user’s information is displayed.
The `rktgk_get_user_ip` function in the vulnerable plugin relies on unsanitized HTTP headers (`HTTP_CLIENT_IP` or `HTTP_X_FORWARDED_FOR`) to determine a user’s IP address.
This allows attackers to inject malicious scripts into these headers, which are then stored as the user’s IP. When an administrator views or edits such a user account, the injected script executes within the administrator’s browser session due to the reflected XSS vulnerability.
The administrator account may be compromised, malicious users may be created, or users may be redirected to harmful websites.
Wordfence contacted the vendor and coordinated a patch; while version 3.4.9.2 addressed part of the issue, existing payloads could still be triggered.
Version 3.4.9.3 fully patched the vulnerability; updating the plugin is recommended, as is sharing this information with others who use it.
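As an added illustration (not the plugin’s code), the header-trusting logic described above is rendered in Python next to a hardened version. The function bodies are assumed from the article’s description of `rktgk_get_user_ip`, and the trusted-proxy set is a placeholder the deployment must supply.

```python
import html
import ipaddress

# Python rendering of the pattern the article describes in the plugin's
# rktgk_get_user_ip (assumed logic, not the plugin's PHP): whichever proxy
# header is present is taken as the client IP, unvalidated.
def get_user_ip_vulnerable(env):
    for header in ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR"):
        if env.get(header):
            return env[header]  # stored as-is, later rendered on the edit user page
    return env.get("REMOTE_ADDR", "")

def _client_from_xff(header_value, trusted_proxies):
    """Walk X-Forwarded-For right to left (our own proxy appended the real
    client last) and return the first address that parses and is not one of
    our proxies. Any unparsable hop means the chain cannot be trusted."""
    for part in reversed(header_value.split(",")):
        try:
            ip = str(ipaddress.ip_address(part.strip()))
        except ValueError:
            return None
        if ip not in trusted_proxies:
            return ip
    return None

def get_user_ip_hardened(env, trusted_proxies=frozenset()):
    """Hardened form: REMOTE_ADDR is the only value the client cannot forge.
    Consult X-Forwarded-For only when the TCP peer is a proxy we operate, and
    only accept something that is actually an IP address."""
    try:
        remote = str(ipaddress.ip_address(env.get("REMOTE_ADDR", "")))
    except ValueError:
        return ""  # nothing trustworthy to record
    if remote not in trusted_proxies:
        return remote  # direct connection: any proxy header is attacker-controlled
    return _client_from_xff(env.get("HTTP_X_FORWARDED_FOR", ""), trusted_proxies) or remote

def render_ip_for_admin(stored_ip):
    """Defence in depth: escape on output so a bad value that did reach the
    database cannot run in the administrator's browser."""
    return html.escape(stored_ip, quote=True)
```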
GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions
GitLab has released patches to address a critical flaw impacting Community Edition (CE) and Enterprise Edition (EE) that could result in an authentication bypass.
The vulnerability is rooted in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0), which could allow an attacker to log in as an arbitrary user within the vulnerable system. It was addressed by the maintainers last week.