The Russian state-sponsored hacking group ‘APT29’ (aka Nobelium, Cloaked Ursa) has been using unconventional lures like car listings to entice diplomats in Ukraine to click on malicious links that deliver malware.
BleepingComputer
Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack
In a first, Russia’s APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.
PoC Exploit Released for HTTP File Server Remote Code Execution Vulnerability
A proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability in the HTTP File Server (HFS) software, identified as CVE-2024-39943.
This vulnerability affects HFS version 3 before 0.52.10 on Linux, UNIX, and macOS systems. It allows remote authenticated users with upload permissions to execute OS commands, because HFS used execSync instead of spawnSync from the child_process module of Node.js.
The vulnerability arises because HFS uses a shell to execute the df command, which attackers can exploit to run arbitrary commands on the host system. The National Vulnerability Database (NVD) has acknowledged this issue but not yet fully analyzed it.
The PoC exploit from Truonghuuphuc demonstrates how attackers can leverage this flaw to gain control over vulnerable systems.
By exploiting this vulnerability, attackers can execute commands to gather system information, create backdoor accounts, and potentially deploy malware. This type of exploitation can lead to significant security breaches, including data theft and system compromise.
Users of HFS are strongly advised to update to version 0.52.10 or later to mitigate this vulnerability. The update addresses the issue by replacing execSync with spawnSync from the child_process module, so user-controlled input is no longer interpreted by a shell.
To deploy the updated HFS version with the necessary configuration, users can use the following command:
./hfs --config config.yaml
Administrators should ensure that their HFS installations are updated to the latest version to protect against potential attacks exploiting this vulnerability.
Update HFS to Version 0.52.10 or Later:
The vulnerability is fixed in HFS version 0.52.10. Ensure you download and install this version or any later version to mitigate the issue. This update replaces the use of execSync with spawnSync in the child_process module of Node.js, which prevents the execution of arbitrary OS commands.
Disable Upload Permissions Temporarily:
If you cannot immediately update HFS, consider temporarily disabling upload permissions for all users. This will reduce the risk of exploitation until the update can be applied.
Implement Strong Authentication Mechanisms:
Ensure that strong authentication mechanisms are in place. Regularly review and restrict user permissions, especially upload permissions, to minimize the risk of unauthorized access.
Monitor Systems for Suspicious Activities:
Continuously monitor your systems for any suspicious activities or unauthorized command executions. Implement logging and alerting mechanisms to detect potential exploitation attempts.
Network Segmentation:
Consider implementing network segmentation to limit the potential impact of exploitation. This can help contain any breach and protect critical assets.
Regular Audits and Updates:
Audit and update all instances of HFS in your environment regularly. Keeping software up-to-date is crucial for maintaining security and protecting against newly discovered vulnerabilities.
By following these steps, you can effectively mitigate the risk posed by the CVE-2024-39943 vulnerability and secure your HTTP File Server from potential exploitation.
The post PoC Exploit Released for HTTP File Server Remote Code Execution Vulnerability appeared first on Cyber Security News.
Russian Hackers Launched Sabotage Attacks On 20 Critical Infrastructure
Researchers identified a cyberattack by the Sandworm group targeting critical infrastructure in Ukraine in March 2024. The attack aimed to disrupt the information and communication systems (ICS) of energy, water, and heat suppliers across ten regions.
In addition to the previously known QUEUESEED backdoor, the attackers used a new toolkit, including LOADGRIP malware and a Linux variant of QUEUESEED named BIASBOAT, delivered as an encrypted file bound to the compromised machine’s unique identifier.
The malware targeted Linux systems managing industrial automation processes (ASUTP), likely through specialized domestic software.
Breaches were identified in at least three supply chains, where attackers gained initial access through compromised Software Defined Radio (SDR) devices containing vulnerabilities or via legitimate access by supplier employees with technical privileges to maintain the organization’s Industrial Control Systems (ICS).
Attackers deployed malicious tools such as WEEVELY web shells, REGEORG.NEO tunnels and PIVOTNACCI to exploit these access points, move laterally and launch cyberattacks within enterprise networks.
CERT-UA identified and responded to a cyberattack campaign targeting critical infrastructure facilities in Ukraine between March 7th and 15th, 2024.
The attackers gained initial access through compromised supply chains and exploited a lack of segmentation to move laterally within the network.
They deployed QUEUESEED and GOSSIPFLOW malware on Windows machines; both were previously linked to UAC-0133 (a subcluster of Sandworm/APT44), which is responsible for attacks on water supply facilities using SDELETE. The campaign highlights the continued threat posed by APT groups and the importance of proper segmentation and security practices.
A critical infrastructure attack campaign targeting Ukrainian energy, water, and heat suppliers leveraged two key weaknesses.
First, poor segmentation practices allowed supplier software-defined radios (SDRs) to access the organizations’ ICS networks directly, bypassing internet and internal access controls.
Second, suppliers’ lax security practices left vulnerabilities in their provided software, such as remote code execution (RCE) flaws, open to exploitation.
CERT-UA suspects these attacks aimed to compromise ICS systems and amplify the impact of physical strikes planned for spring 2024.
QUEUESEED, a C++ malware, gathers system information (OS, language, username) and executes commands from its control server.
The malware can read and write files, run commands, update its configuration, and self-destruct.
Communication with the control server utilizes HTTPS with encrypted data (JSON format, RSA+AES). The backdoor’s configuration file, including the control server URL, is AES-encrypted with a static key.
An internal queue for commands and results resides in the Windows registry, encrypted with AES using the %MACHINEGUID% value as the key. Persistence is achieved through a dropper that creates a scheduled task or a registry entry under the “Run” key.
A hacking group has been using malicious tools to compromise Linux systems.
BIASBOAT, a C-based ELF program, is a Linux variant of QUEUESEED that injects payloads using LOADGRIP, another C-based ELF injector.
LOADGRIP decrypts the payloads using a key based on a static constant and the machine ID.
GOSSIPFLOW, a Go program, creates tunnels and functions as a SOCKS5 proxy. The attackers also used other tools, including CHISEL, LIBPROCESSHIDER, JUICYPOTATONG, and ROTTENPOTATONG.
The post Russian Hackers Launched Sabotage Attacks On 20 Critical Infrastructure appeared first on Cyber Security News.
Cyber Security News