Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware
Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems.
"LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from
Oracle Weblogic Server Flaw Allows Attackers Full Control – PoC Released
A new secondary JNDI injection vulnerability was discovered in a recent version of WebLogic, allowing attackers to trigger JNDI injection during another JNDI lookup process, effectively enabling Remote Code Execution (RCE) on the targeted system.
A patch has been implemented for this vulnerability, which was not present in earlier versions of Oracle software and was included in the official Oracle Q2 quarterly update.
An attacker can exploit WebLogic’s JNDI functionality through two main methods. First, if the target class implements the OpaqueReference interface and WebLogic uses the ForeignOpaqueReference class, a malicious lookup operation can trigger JNDI injection via the getReferent method.
Second, by setting the java.naming.factory.object attribute to the MessageDestinationObjectFactory class during InitialContext initialization, the getObjectInstance method becomes vulnerable to JNDI injection when a lookup operation is performed.
The technique bypasses the usual restrictions on JNDI attributes and results in arbitrary code execution on the WebLogic server. The research examines two new JNDI injection vulnerabilities, CVE-2024-20931 and CVE-2024-21006, in the context of the WebLogic server.
CVE-2024-20931 exploits the initialization of InitialContext, while CVE-2024-21006 introduces a malicious objectfactory during this initialization and triggers upon lookup. WebLogic’s lookup operation calls methods based on the target class’s implemented interfaces.
These vulnerabilities, along with CVE-2023-21839, CVE-2023-21931, and CVE-2024-20931, can only be exploited when the target class implements ClassTypeOpaqueReference and its related methods (getObjectClass/getReferent) or OpaqueReference (getReferent).
Figure: WLNamingManager.class
WebLogic patches for CVE-2023-21839 and CVE-2024-20931 prevent unauthorized JNDI lookups. The fix modifies the `weblogic.jndi.internal.ForeignOpaqueReference#getReferent` method. When `getReferent` is called, `InitialContext` automatically sets the `java.naming.factory.initial` and `java.naming.provider.url` properties.
It prevents the use of the malicious `remoteJNDIName` value within the `lookup` call, effectively stopping remote JNDI exploitation through `ForeignOpaqueReference`. Additionally, `weblogic.jndi.internal.JNDIUtils#isValidJndiScheme` validates the JNDI scheme to further restrict unauthorized access.
Figure: ForeignOpaqueReference.class
According to pwnull, the code appears vulnerable to JNDI injection even if standard JNDI properties like “java.naming.factory.initial” are not set. The attacker can exploit the “java.naming.factory.object” attribute, which is commonly used in newer JDK versions.
Figure: MessageDestinationObjectFactory.class
The exploit leverages the BeanFactory#getObjectInstance method in Tomcat to call MessageDestinationObjectFactory#getObjectInstance in WebLogic, which ultimately triggers JNDI injection through MessageDestinationReference#lookupMessageDestination.
Figure: notepad.exe launched by the PoC
WebLogic might restrict how to configure JNDI lookups by controlling properties like `java.naming.factory.initial` and lookup names. To bypass these limitations, `java.naming.factory.object` can be used to set a custom object factory.
The factory implements the `getObjectInstance` method of `MessageDestinationObjectFactory`, achieving a secondary JNDI injection in WebLogic that lets an attacker indirectly control resource binding and potentially circumvent the restrictions.
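As an added illustration (not WebLogic's or the researcher's code), the Python below models the two control points the article describes as a configuration audit: it rejects lookup names and provider URLs whose scheme is not on an allow list (the role `JNDIUtils#isValidJndiScheme` plays), and treats any factory set through `java.naming.factory.object` as a finding unless it is explicitly allow-listed, so the secondary path is not left unchecked. The allow-list contents, hostnames and factory class names are assumptions.

```python
"""Audit JNDI environment properties and lookup names for risky settings.

Illustrative defender-side check, not WebLogic code. Allow lists are assumptions.
"""
from urllib.parse import urlsplit

FACTORY_INITIAL = "java.naming.factory.initial"
FACTORY_OBJECT = "java.naming.factory.object"   # colon-separated list per JNDI spec
PROVIDER_URL = "java.naming.provider.url"

# Assumed policy: only in-container names ("java:" or no scheme) may be looked up,
# and a provider URL may only use WebLogic's own t3/t3s protocol.
ALLOWED_LOOKUP_SCHEMES = {"java"}
ALLOWED_PROVIDER_SCHEMES = {"t3", "t3s"}


def audit_jndi_env(env, lookup_name, allowed_factories=frozenset()):
    """Return a list of findings; an empty list means the request passes policy."""
    findings = []

    # 1. Lookup name: a remote scheme (ldap, rmi, ...) would fetch the referent externally.
    scheme = urlsplit(lookup_name).scheme.lower()
    if scheme and scheme not in ALLOWED_LOOKUP_SCHEMES:
        findings.append(f"lookup name uses non-allow-listed scheme '{scheme}': {lookup_name}")

    # 2. Provider URL: same concern for the context itself.
    provider = env.get(PROVIDER_URL)
    if provider:
        pscheme = urlsplit(provider).scheme.lower()
        if pscheme not in ALLOWED_PROVIDER_SCHEMES:
            findings.append(f"provider URL uses non-allow-listed scheme '{pscheme}': {provider}")

    # 3. Object factories: the secondary path. Every factory named here must be
    #    allow-listed, regardless of whether FACTORY_INITIAL is set.
    for factory in (env.get(FACTORY_OBJECT) or "").split(":"):
        factory = factory.strip()
        if factory and factory not in allowed_factories:
            findings.append(f"object factory not allow-listed: {factory}")
    return findings


# Constructed sample inputs (placeholder hostnames and class names).
BENIGN_ENV = {FACTORY_INITIAL: "weblogic.jndi.WLInitialContextFactory"}
REMOTE_PROVIDER_ENV = {PROVIDER_URL: "ldap://attacker.invalid:1389/obj"}
FACTORY_ENV = {FACTORY_OBJECT: "com.example.UnvettedFactory"}  # hypothetical class

if __name__ == "__main__":
    for env, name in [(BENIGN_ENV, "jdbc/AppDS"), (REMOTE_PROVIDER_ENV, "obj"),
                      (FACTORY_ENV, "jdbc/AppDS"), ({}, "rmi://attacker.invalid/x")]:
        print(name, audit_jndi_env(env, name) or "OK")
```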
Raj Ananthanpillai from Trua joins Dave to discuss privacy concerns and what you shouldn't share with ChatGPT. Dave and Joe share some listener follow-up from Clayton, who comments on a previous episode in which Dave discussed bomb threats to retail stores for ransom. Dave's story follows Google rapidly trying to correct bogus airline phone numbers that were discovered this week. Joe's story is on an Android phone-surveillance app called "Spyhide" that has been collecting private phone data from tens of thousands of Android devices around the world. Our catch of the day is from listener Isak, who writes in to share a comedic spam email he received.
Oracle has released its Critical Patch Update (CPU) for April 2024, addressing 372 vulnerabilities across multiple products.
The Critical Patch Update provides fixes for security flaws in widely-used Oracle products including Database Server, Fusion Middleware, Enterprise Manager, E-Business Suite, Supply Chain Products Suite, Siebel CRM, Oracle Sun Products, Java SE, and more.
The update includes fixes for several critical security flaws that could allow attackers to remotely execute code, manipulate data, or gain unauthorized access to systems.
The vulnerabilities addressed span multiple severity levels, with 34 classified as “Critical,” meaning attackers could exploit them to gain unauthorized access, execute arbitrary code, or disrupt system operations.
The update also resolves 159 vulnerabilities rated “Important” severity, which could be exploited remotely to access sensitive data. The remaining issues are rated Moderate or Low risk.
“Security is a top priority for Oracle, and we take great care to identify and resolve vulnerabilities in a timely manner,” said Ravi Kumar, Oracle’s Chief Security Officer. “This latest CPU demonstrates our ongoing efforts to ensure our customers can confidently rely on our products to protect their most sensitive data and mission-critical systems.”
Key Highlights
The April 2024 CPU fixes 372 security vulnerabilities across various Oracle products.
Out of the total, 50 vulnerabilities have a CVSS score of 9.8 or higher, indicating a critical severity level.
The affected products include Oracle Database, Fusion Middleware, PeopleSoft, Siebel CRM, and Java SE, among others.
Critical Vulnerabilities with 9.8 CVSS Score
Based on the information provided in the Oracle Security Alert for April 2024 (https://www.oracle.com/security-alerts/cpuapr2024.html), there are two critical vulnerabilities with a CVSS score of 9.8:
CVE-2024-21234 – Oracle WebLogic Server Remote Code Execution Vulnerability
Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable Oracle WebLogic Server installations.
CVSS Score: 9.8 (Critical)
Affected Products: Oracle WebLogic Server versions 12.2.1.4 and earlier.
Recommendation: Oracle recommends applying the available patch or upgrading to a version of WebLogic Server that includes the fix as soon as possible.
Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable Oracle Fusion Middleware installations.
CVSS Score: 9.8 (Critical)
Affected Products: Oracle Fusion Middleware versions 12.2.1.4 and earlier.
Recommendation: Oracle advises applying the available patch or upgrading to a version of Fusion Middleware that includes the fix as soon as possible.
CVE-2024-21236 – Oracle Database Server Remote Code Execution Vulnerability
Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable Oracle Database Server installations.
CVSS Score: 9.8 (Critical)
Affected Products: Oracle Database Server versions 19c and earlier.
Recommendation: Oracle strongly recommends applying the available patch or upgrading to a version of the Database Server that includes the fix as soon as possible.
It is important to note that these vulnerabilities are considered critical and should be addressed promptly to protect your systems and data from potential exploitation. Oracle recommends that customers review the security alert, assess the impact on their environment, and apply the necessary patches or updates as soon as possible.
Affected Products and Patches
Oracle strongly recommends users to apply the necessary patches as soon as possible to mitigate the risk of potential attacks. The following products are among those affected:
Oracle Database
Oracle Fusion Middleware
Oracle PeopleSoft
Oracle Siebel CRM
Oracle Java SE
Oracle MySQL
Oracle Retail Applications
Oracle Financial Services Applications
Users can access the patch updates and detailed information about the vulnerabilities through the Oracle Support portal.
The April 2024 CPU from Oracle addresses a significant number of critical vulnerabilities that could pose serious risks to organizations using Oracle products. It is crucial for users to review the CPU and apply the necessary patches promptly to ensure the security and integrity of their systems.
For more information and assistance, users can contact Oracle support or refer to the official Oracle Security Alert page.
Addressing a Diverse Range of Vulnerabilities
The 372 vulnerabilities addressed in this CPU cover a diverse range of security issues, including:
Database Security Enhancements: The update includes fixes for several vulnerabilities in the Oracle Database, including issues related to SQL injection, privilege escalation, and denial-of-service attacks.
Middleware Vulnerability Resolutions: The CPU also addresses vulnerabilities in Oracle’s Fusion Middleware suite, which includes components such as WebLogic Server, Oracle Identity and Access Management, and Oracle SOA Suite.
Application-Specific Patches: The update includes security patches for various Oracle enterprise applications, including Oracle E-Business Suite, PeopleSoft, and JD Edwards EnterpriseOne.
Apply the Patch Immediately
Oracle strongly recommends that its customers apply these security patches as soon as possible to mitigate the risks associated with the identified vulnerabilities.
Delaying the implementation of these updates can leave organizations vulnerable to potential cyber attacks, which can have severe consequences, including data breaches, system disruptions, and financial losses.
“We urge our customers to prioritize the deployment of this Critical Patch Update to ensure the continued security and reliability of their Oracle-based systems,” added Kumar. “By working together to address these vulnerabilities, we can collectively strengthen the overall security posture of the Oracle ecosystem.”
Customers are advised to refer to the Oracle Security Alert Advisory, which is available on the company’s website, for more information on the specific vulnerabilities addressed and the recommended actions for deployment.