US Cybersecurity and Infrastructure Security Agency (CISA) added TP-Link, Apache, and Oracle vulnerabilities to its Known Exploited Vulnerabilities catalog.
CVE-2023-1389Â (CVSS score: 8.8) â TP-Link Archer AX-21 Command Injection Vulnerability. The CVE-2023-1389 flaw is an unauthenticated command injection vulnerability that resides in the locale API of the web management interface of the TP-Link Archer AX21 router. The root cause of the problem is the lack of input sanitization in the locale API that manages the routerâs language settings. A remote attacker can trigger the issue to inject commands that should be executed on the device.
The vulnerability was first reported to ZDI during the Pwn2Own Toronto 2022 event. Working exploits for LAN and WAN interface accesses were respectively reported by Team Viettel and Qrious Security.Â
The Zero Day Initiative (ZDI) threat-hunting team recently reported that the Mirai botnet attempting to exploit the CVE-2023-1389 vulnerability (aka ZDI-CAN-19557/ZDI-23-451, CVSS v3: 8.8) in TP-Link Archer AX21 Wi-Fi routers.
Threat actors are actively taking advantage of critical vulnerabilities present in the PaperCut MF/NG print management software.
This exploitation aims to plant Atera remote management software onto the targeted servers to gain control over them. From more than 70,000 companies globally, it has over 100 million active users.
The vulnerabilities affecting the PaperCut MF/NG print management software are tracked as follows:-
Remote threat actors can exploit these vulnerabilities to gain unauthorized access and execute arbitrary code on PaperCut servers that have been compromised.
These flaws can be exploited without user interaction and are relatively easy to carry out, granting the attacker SYSTEM privileges. Recently, in the Shodan search engine, it has been observed that around 1700 PaperCut servers were exposed to the internet.
PoC Exploit Code
PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9, and later releases, have addressed both vulnerabilities.
Thatâs why security experts strongly advise users to upgrade to any of these patched versions to mitigate the risks associated with these flaws.
Horizon3 has recently released technical information, and a proof-of-concept (PoC) exploit for CVE-2023-27350.
Attackers can leverage this exploit to bypass authentication and execute arbitrary code on PaperCut servers that have not been patched.
By misusing the âScriptingâ feature for printers, the RCE exploit enables cybercriminals to achieve remote code execution.
Although Huntress has developed a PoC exploit to illustrate the danger associated with the ongoing attacks, they have not made it publicly available.
Currently, unpatched PaperCut servers are under attack, and the exploit code developed by Horizon3 is expected to be adopted by other threat actors for launching similar attacks in the future.
The CVE-2023-27350 vulnerability has been included in the list of actively exploited vulnerabilities by CISA.
Not only that, but even CISA has directed all federal agencies to secure their systems within the next three weeks, by May 12, 2023, to prevent further exploitation.
To prevent remote exploitation of the PaperCut servers, Huntress urged administrators to immediately implement the necessary security measures that cannot currently patch their PaperCut servers.
During the analysis, experts at Horizon3 identified a JAR that contains the SetupCompleted class in:-
In the SetupCompleted flow, the session of the anonymous user is unintentionally authenticated due to an error in the code.
While this function is triggered only after a userâs password is validated via a login process. In web applications, this type of vulnerability is dubbed:-
Session Puzzling
Huntress revealed that among the Windows machines with PaperCut installed in the customer environments they safeguard, approximately 1,000 were identified.
As per their observation, nearly 900 of those machines were still unpatched, and only one had been patched among the three macOS machines they monitored.
Organizations using PaperCut must ensure they have installed either PaperCut MF or NG versions 20.1.7, 21.2.11, or 22.0.9 to prevent exploitation.
DANGEROUS 0 DAY VULNERABILITY IN GOOGLE CHROME : CVE-2023-2136
The previous week, Google put out an emergency security fix for its browser, and today, the company rolled out another emergency security update to address a vulnerability that is being exploited in the wild. The update is now available for desktop versions of Google Chrome as well as the Android version of Chrome. Users are encouraged to install updates as soon as they are made available in order to safeguard their devices against prospective attacks that exploit these vulnerabilities.
Google has listed five of the eight security problems that were addressed in the most recent version to Google Chrome. Google says that these issues have been handled. The official Chrome Releases blog has provided documentation of these recent improvements. On the other hand, Google does not make publicly known the security flaws that were found during the companyâs own internal investigations.
Out-of-bounds memory access in the Service Worker API is a high-risk vulnerability (CVE-2023-2133).
Out-of-bounds memory access in the Service Worker API is a high-risk vulnerability (CVE-2023-2134).
Use after free in DevTools is a high-risk vulnerability (CVE-2023-2135).
Integer overflow in Skia, a high-risk vulnerability( CVE-2023-2136).
Heap buffer overflow in sqlite, rated as medium severity (CVE-2023-2137).
According to Googleâs findings, the security flaw CVE-2023-2136 is being actively exploited in the wild.
A 2D graphics library called Skia, which is frequently used in web browsers, operating systems, and other software applications, has a flaw known as CVE-2023-2136, which is an integer overflow vulnerability. An integer overflow happens when an arithmetic operation results in a number that is more than the maximum limit of the integer type. This causes the value to wrap around and become either much smaller or much bigger than what was meant for it to be. An integer overflow may be avoided by ensuring that the maximum limit of the integer type is not exceeded.
This indicates that threat actors have already started exploiting this vulnerability in order to target systems and breach them. The results of a successful exploit may be somewhat variable, but they almost always involve at least one of the following: unauthorized access to sensitive information; data corruption; or even a total system takeover.
The Chrome Stable channel has been updated to version 112.0.5615.137 for Windows and Mac, and it has been updated to version 112.0.5615.135 for Android; these updates will roll out over the next few days or weeks.
Samba is a free software project that runs on operating systems that are similar to UNIX and supports the Windows file sharing protocol. This protocol once went by the name SMB, but it was renamed CIFS a little while later. Computers running GNU/Linux, Mac OS X, or Unix in general may be perceived as servers or communicate with other computers in Windows-based networks in this fashion, making it possible for these machines to perform either role.
Samba has recently been found to have several security flaws, any one of which might possibly let an attacker obtain access to sensitive data. This poses a substantial danger to the systemâs security.
CVE-2023-0614 (CVSSV3 SCORE OF 7.7): ACCESS-CONTROLLED AD LDAP ATTRIBUTES CAN BE FOUND
The vulnerability known as CVE-2023-0614 has been discovered, and it enables attackers to access and possibly gain private information, such as BitLocker recovery keys, from a Samba AD DC. As the remedy for the prior vulnerability, CVE-2018-10919, was inadequate, companies that store such secrets in their Samba AD should assume that they have been compromised and need to be replaced.
Impact: The exposure of secret information has the potential to result in unauthorized access to sensitive resources, which presents a severe threat to the organizationâs security.
All Samba releases since the 4.0 version are impacted by this issue.
Workaround: The solution that is proposed is to avoid storing sensitive information in Active Directory, with the exception of passwords or keys that are essential for AD functioning. They are in the hard-coded secret attribute list, hence they are not vulnerable to the vulnerability.
They are in the hard-coded secret attribute list, hence they are not vulnerable to the vulnerability. This vulnerability, identified as CVE-2023-0922, affects the Samba AD DC administrative tool known as samba-tool. By default, this tool transmits credentials in plaintext whenever it is used to perform operations against a remote LDAP server. When samba-tool is used to reset a userâs password or add a new user, this vulnerability is triggered. It might theoretically enable an attacker to intercept the freshly set passwords by analyzing network traffic.
The transmission of passwords in plain text opens up the possibility of unwanted access to critical information and puts the security of the whole network at risk.
All versions of Samba released after 4.0 are included in this category.
Workaround: To reduce the risk of exploiting this issue, change the smb.conf file to include the line âclient ldap sasl wrapping = seal,â or add the âoption=clientldapsaslwrapping=sign option to each samba-tool or ldbmodify invocation that sets a password.
As is the case with vulnerabilities in other software, those in Samba may put an organizationâs security at severe risk. Administrators of Samba are strongly encouraged to update to these versions or to install the patch as soon as reasonably practical.
In response to a recent vulnerability identified in Outlook, Microsoft recently published a proper guide for its customers to help them discover the associated IoCs.
That Outlook vulnerability in question has been tracked as âCVE-2023-23397â with a CVSS score of 9.8 and marked as Critical.
As a result of this flaw, NTLM hashes can be stolen, and without any user interaction, they can be reused to execute a relay attack.
The threat actors use specially crafted malicious emails to exploit the vulnerability and manipulate the victimâs connection. As a result, this allows them to get control of an untrusted location.
The attacker can authenticate as the victim with the Net-NTLMv2 hash leaked to the untrusted network
The problem is that this approach was taken after it was weaponized by Russian threat actors and used as a weapon against the following sectors in Europe:
Government
Transportation
Energy
Military
It was reported in April 2022 that Microsoftâs incident response team had found evidence that the shortcoming could be exploited.
Attack chain & threat hunting Guidance
It has been identified that a Net-NTLMv2 Relay attack allowed a threat actor to gain unauthorized entry to an Exchange Server in one attack chain.
By exploiting this vulnerability, the attacker could modify mailbox folder permissions and maintain persistent access, posing a significant security risk.
The adversary used the compromised email account in the compromised environment to extend their access. It has been discovered that this is done by sending additional malicious messages through the same organization to other members.
CVE-2023-23397 can lead to credential compromise in organizations if they do not implement a comprehensive threat-hunting strategy.
As a first step, running the Exchange scanning script provided by Microsoft is important to detect any malicious activity. However, itâs imperative to note that for all scenarios, this script is not capable of providing any visibility into messages that are malicious in nature.
Multiple mailboxes can be opened at the same time by Outlook users. Messages received through one of the other services will still trigger the vulnerability if a user configured Outlook to open mailboxes from multiple services. The scanned mailboxes do not contain that message.
If a user wishes to move a message to a local file, they can do so. Finding evidence of a prior compromise in Archived messages may be possible in some cases.
You can no longer access your Exchange messages if they have been deleted from Exchange. It is recommended that incident responders review the security telemetry collected from all available channels in order to confirm the presence of IP addresses and URIs obtained from the PidLidReminderFileParameter values.
There are a number of data sources that can be used to gather data, including:-
Firewall logs
Proxy logs
Azure Active Directory sign-in logs for users of Exchange Online
IIS Logs for Exchange Server
VPN logs
RDP Gateway logs
Endpoint telemetry from endpoint detection and response (EDR)
Forensic endpoint data
Recommendations
Here below we have mentioned all the recommendations:-
To mitigate the issue, make sure to update Microsoft Outlook immediately.
Ensure that defense-in-depth mitigations are active in organizations leveraging Microsoft Exchange Server on-premises.
The script should be used to remove either the messages or just the properties if suspicious or malicious reminder values are observed.
In the event that a targeted or compromised user receives suspicious reminders or initiates incident response activities, they should be instructed to reset their passwords.
To mitigate the impact of possible Net-NTLMv2 Relay attacks, it is recommended that you use multifactor authentication.
On Exchange, you should disable unnecessary services that you donât need.
Block all IP addresses except those on an allowlist from requesting connections on ports 135 and 445.
If your environment has NTLM enabled, you should disable it.
Apache HTTP Server is one of the web servers that is used the most often throughout the globe. It is responsible for providing power to millions of websites and apps. Recent vulnerabilities found in the server, on the other hand, have the ability to disclose sensitive information and make it easier for attackers to carry out further attacks. The Apache HTTP Server has recently been found to contain two significant vulnerabilities, both of which are detailed below. It is imperative that you rapidly upgrade Apache HTTP Server to the most recent version in order to protect your system against the vulnerabilities described.
Apache HTTP Server request splitting vulnerability, CVE-2023-25690. This vulnerability is brought about by an issue that occurs in mod proxy whenever it is activated with a RewriteRule or ProxyPassMatch of some kind. This vulnerability might be used by a remote attacker to overcome access constraints in the proxy server, route undesired URLs to existing origin servers, and poison cache. Attacks using HTTP Request Smuggling are possible on Apache HTTP Server versions 2.4.0 through 2.4.55, if the server is configured with certain mod proxy settings. It occurs when mod proxy is enabled along with some form of RewriteRule or ProxyPassMatch. In these configurations, a non-specific pattern matches some portion of the user-supplied request-target (URL) data, and the matched data is then re-inserted into the proxied request-target utilizing variable substitution. This causes CVE-2023-25690 to be triggered. This might result in requests being split or smuggled, access rules being bypassed, and unwanted URLs being proxied to existing origin servers, all of which could lead to cache poisoning.
Versions of the Apache HTTP Server ranging from 2.4.30 to 2.4.55 are impacted by the problem. This attack is carried out by introducing unusual characters into the header of the origin response, which has the potential to either truncate or divide the response that is sent to the client. An attacker might take use of this vulnerability to inject their own headers into the request, causing the server to produce a split response.
Sudo is one of the most essential, powerful, and often used tools that comes as a core command pre-installed on macOS and practically every other UNIX or Linux-based operating system. It is also one of the programs that comes pre-installed as a core command. A system administrator has the ability to delegate authority to certain users or groups of users through the use of the sudo (su âdoâ) command, which provides an audit trail of the commands that were executed and the arguments that were passed to those commands. This allows the administrator to give certain users or groups of users the ability to run some or all commands as root or another user.
A new sudo vulnerability was found. It was on sudoedit (sudo -e) flaw. With it, attackers can edit arbitrary files, and therefore machines were at the risk of the pwned and having information steeled.
Researchers Matthieu Barjole and Victor Cutillas of Synacktiv uncovered the weakness, which was given the identifier CVE-2023-22809, in the sudoedit function for Linux. This vulnerability might enable a malicious user with sudoedit access to edit arbitrary files on a system running Linux.
In order to give its users with the ability to pick the editor of their choosing, Sudo makes use of environment variables that are supplied by the user. The contents of these variables provide additional information to the command that is ultimately sent to the sudo edit() function. The latter, on the other hand, is dependent on the existence of the â argument in order to establish the list of files that need to be edited. This list may be changed by the insertion of an additional â argument into one of the approved environment variables, which can then lead to a privilege escalation through the modification of any other file with the rights of the RunAs user. This problem appears after the sudoers policy validation has been completed. Versions of sudo that came out before 1.8.0 built the argument vector in a different way and are not impacted by this issue. It is strongly suggested that users get their systems up to date with the most recent version.
Orca, a business that specializes in cloud security, has disclosed information on four server-side request forgery (SSRF) vulnerabilities that affect several Azure services. Two of these vulnerabilities might have been exploited without the need for authentication.
They were able to attack two vulnerabilities without needing any authentication on the service (Azure Functions and Azure Digital Twins). This gave them the ability to make requests in the name of the server even though it did not own an Azure account.
The vulnerabilities in Azure SSRF that were discovered allowed an attacker to scan local ports, find new services, endpoints, and files. This provided valuable information on potentially vulnerable servers and services to exploit for initial entry, as well as the location of information that could be targeted. SSRF vulnerabilities are particularly dangerous due to the fact that if attackers are able to access the hostâs IMDS (Cloud Instance Metadata Service), this exposes detailed information on instances. This information includes the hostname, security group, MAC address, and user-data, and it could potentially allow attackers to retrieve tokens, move to another host, and execute code (RCE).
A server-side request forgery, also known as SSRF, is a web security vulnerability that enables an attacker to abuse a server-side application by making requests to read or update internal resources as well as submit data to external sources. This type of vulnerability is known as a server-side request forgery.
Server-Side Request Forgery (SSRF) attacks often fall into one of these three categories:
Blind SSRF is a sort of SSRF attack that takes place when an attacker is able to influence a server to make requests, but the attacker does not get the answer that the server sends back to them. Because of this, determining whether or not the attack was effective is much more difficult. Semi-Blind SSRF is a form of SSRF attack that is very similar to Blind SSRF. The only difference is that the attacker is able to view part of the answer from the server, such as the response headers or the status code. This may provide the attacker the ability to obtain some limited information about the system they are attacking. Non-Blind SSRF, also known as Full SSRF, is a subtype of SSRF attack that takes place when an attacker has the ability to control a server in order to send requests and get the whole answer from the server. This gives the attacker the ability to learn more about the system they are targeting and gives them the opportunity to perhaps conduct other attacks. The four SSRF vulnerabilities that we found all fall into the third category, which is known as Full SSRF (sometimes referred to as Non-blind SSRF). To give you an idea of how easily these vulnerabilities can be exploited, Non-blind SSRF flaws can be leveraged in a variety of different ways, such as SSRF via XXE, SSRF via SVG file, SSRF via Proxy, SSRF via PDF Rendering, SSRF via vulnerable query string in the URL, and many more. These are just some of the ways that these vulnerabilities can be exploited.
It is essential to keep in mind that each and every SSRF vulnerability may be exploited to get unauthorized access to sensitive information or to launch further attacks against a target. This is the case regardless of the kind of SSRF attack that is being deployed. For this reason, it is essential for businesses to take the necessary precautions to protect their servers and networks against the kinds of attacks described above.
They were not successful in gaining access to any of the IMDS endpoints because Microsoft had implemented a variety of SSRF defenses, one of which was the environment variable known as X-IDENTITY-HEADER. However, even in the event that an attacker was unable to access the IMDS services, there was still a significant amount of potential harm that they might do, as was previously discussed.
After bringing Microsoftâs attention to the security flaws, the company moved quickly to fix them.
From a detailed report – compiled by security researcher Sam Curry – the findings are an alarming indication that in its haste to roll out digital and online features, the automotive industry is doing a sloppy job of securing its online ecosystem. https://lnkd.in/gdAXGjaN
The web applications and APIs of major car manufacturers, telematics (vehicle tracking and logging technology) vendors, and fleet operators were riddled with security holes, security researchers warn.
In a detailed report, security researcher Sam Curry laid out vulnerabilities that run the gamut from information theft to account takeover, remote code execution (RCE), and even hijacking physical commands such as starting and stopping the engines of cars. The findings are an alarming indication that in its haste to roll out digital and online features, the automotive industry is doing a sloppy job of securing its online ecosystem.
From web portals to car locks
Around six months ago, Curry and a few friends stumbled on a vulnerability in the mobile app of a scouter fleet at the University of Maryland, which caused the horns and headlights on all the scooters in the campus to turn on and stay on for 15 minutes. Curry subsequently became interested in doing further investigation along with researchers Neiko Rivera, Brett Buerhaus, Maik Robert, Ian Carroll, Justin Rhinehart, and Shubham Shah.
âWe thought it’d be awesome to dump a ton of time into hacking different car companies to see how many âhorns we could honkâ, but it quickly turned into hacking telematics infrastructure and things outside of the telematics APIs,â Curry told The Daily Swig.
The researchersâ findings, detailed on Curryâs blog, highlight an alarming number of critical vulnerabilities across different systems. For example, a poorly configured API endpoint for generating one-time passwords for the web portals of BMW and Rolls Royce potentially enabled attackers to take over the accounts of any employee and contractor, thereby gaining access to sensitive customer and vehicle information.
A misconfiguration in the Mercedes-Benz single sign-on (SSO) system enabled the researchers to gain access to several internal company assets, including private GitHub repositories and internal communication tools. Attackers could pose as employees, allowing them to access sensitive information, send commands to customer vehicles, perform RCE attacks, and use social engineering to escalate their privileges across the Mercedes-Benz infrastructure.
Elsewhere a vulnerability in Kiaâs web portal for dealers could have allowed attackers to create a fake session, register an account, associate it with any arbitrary vehicle VIN number, and gain access to lock, unlock, and remote start/stop mechanisms, as well as vehicle locations and vehicle camera feeds.
A poorly implemented SSO functionality in Ferrariâs web applications allowed the researchers to gain unrestricted access to the JavaScript code of several internal applications. The source code contained internal API keys and usage patterns, allowing potential attackers to create and modify users or (worse yet) give themselves super-user permissions. The vulnerabilities effectively allowed attackers to take ownership of Ferrari cars.
Other vulnerabilities granted full remote control over the locks, engine, horn, headlights, and trunk of Hyundai and Genesis vehicles made after 2012. The researchers were also able to obtain full remote access to Honda, Nissan, Infiniti, and Acura vehicles.
Dangerous bug in telematics portal
Curry and his colleagues found a SQL injection vulnerability in the admin portal of Spireon, the parent company of several car telematics and fleet management vendors that collectively service 15 million vehicles. Curry described this as their âmost alarming findingâ because the vulnerability allowed them to gain administrator access to the companyâs platform.
âUsing our access, we could access all user accounts, devices (vehicles), and fleets,â he said. âSome of the fleets on the website included ambulances, police cruisers, and large trucks. Using the Spireon access, we could send fully arbitrary commands and update device configurations.â
The researchers found they were able to lock starters, unlock vehicles, track vehicles, and send rogue dispatch addresses to vehicles like police cars and ambulances. The researchers further suspect the security shortcomings made it possible to install backdoors and run arbitrary commands on Spireon devices.
Half-baked
âThere were some car companies where you’d own one, then copy the exact same methodology to another car company and get in with the same vulnerability,â Curry said.
The researchers found that some flaws existed across the platforms of several companies, including tons of exposed actuators (vehicle component control), debug endpoints, and administrative functionality for managing vehicles, purchase contracts, and telematic devices.
âFrom what it seems, car companies really rushed to install these devices,â Curry said. âCurrently, these installations mostly have limited functionality so you can only do things like track, unlock, and start the vehicle, but with companies like Tesla and Rivian building more connected vehicles which can actually be controlled remotely, I’m worried that market pressure will force these companies to build half-baked solutions which are open to attack.â
The American corporation Lexmark International, Inc. is a privately owned business that specializes in the production of laser printers and other image goods.
The researcher found that the product is susceptible to two vulnerabilities, either of which can be exploited by an adversary to copy file data from a source path to a destination path or to induce the server-side application to make requests to an unintended location. Both of these vulnerabilities are possible due to the fact that the product is vulnerable to both of these vulnerabilities. According to the specialists, the printer has two vulnerabilities that enable an authorized hacker to upload arbitrary files and run code with elevated privileges. Both of these vulnerabilities may be exploited by a malicious user.
He published the code on Github that had a proof-of-concept (PoC) exploit for each of the four vulnerabilities. These vulnerabilities make it possible for an adversary to seize control of a vulnerable device.
According to the findings of the researcher, an attack may be carried out that compromises the device by exploiting all four of its vulnerabilities simultaneously.
The proof-of-concept attack has been successfully tested against a Lexmark MC3224adwe printer using the most recent version of the firmware, CXLBL.081.225; nevertheless, it is claimed to operate successfully against other printers and photocopiers as well.
The security flaw that was discovered in Lexmarkâs printer devices has not been fixed.
This Open Port Scanner tool helps to identify which TCP port is open on your target machine and also provides OS information, service information, and also traceroute.
The Nmap Port scanner tool is a web interface for the widely known Nmap port scanner which is implemented with the correct parameter so as to give speed and accuracy.
Zenmap/Nmap port scanner
The scanning process is sending packets to each port and listening for acknowledgment.
This is called an âSYN scanâ, which sends TCP SYN packets to each port. If a port replies with SYN-ACK, it is flagged as open and an RST is sent back by the Nmap port scanner.
In this way, no full TCP connection is established with the target machine.
IPVOID helps to identify services that are running on the server and view TCP open ports.
It also checks and verifies whether the firewall is working accurately. There are security services that block IPs that you donât hold, so try not to check.
IPVOID port Scanner
The online tool offers a wide range of scanning options to discover details about IP addresses.
This Open port scanner tool helps to check services that are available and running on the server.
If we want to check what OS version is running, and whether ports are open on a server, and whether the server has enabled a firewall or not, then, in this case, to check all the above information, it uses raw IP packets.
Network Port Scanner Tool
This tool is extremely useful to find out if your port forwarding is set up correctly or if your server applications are blocked or not by a firewall.
It helps you to identify which service is accessible outside of the intranet. Machines use a router with NAT to bind with the internet canât be obtained outside of the intranet.
Although, by using port forwarding, ports can deviate from the router to the particular machine.
MxToolBox
This Open port scanner online allows for verifying whether redirection works correctly or not.
Key Features
Round-trip SMTP monitoring.
Inbound and outbound email tests and header analysis.
This Open port scanner online tool is also known as â HideMy[.]nameâ. If anyone wants to hide their identity and access anything and everything, go for a Web proxy.
This tool hides and changes your IP address, and location and you will stay incognito while using the browser.
Proxy Tool
It is a median to the machine and required website. You can also watch blocked content and play online games as well.
You can surf the internet with maximum speed and connection. It gives protection, privacy, and liberty on any device while browsing.
It scanâs all the IP addresses and TCP and UDP ports to check network vulnerabilities.
You can run the scan from the command line as well, save scan configurations also, and minimize run time scan with multi-threading. Trace end-user and terminal machine connection activity.
Solar Winds Port Scanner
It recognizes unknown vulnerabilities and network protocols.
Yougetsignal is the open port checker tool that let you check any external IP address for open ports.
It is a useful tool to check for the restriction placed in the Firewall. With this tool, you can check for all TCP and UDP ports.
Yougetsignal Open port checker
With the listed above port scanner tools, you can determine the open ports in the network infrastructure.
It is always recommended to close the ports if they are not in use for security reasons.
Key Features
Port Forwarding Tester
What Is My IP Address
Network Location Tool
Visual Trace Route Tool
Conclusion
Listed are some of the free tools available online to check for the open ports on the server and for other DNS queries.
We have categorized some of the best port scanner and port checker tools to help to find the open ports and other port-related operations while performing a penetration test on the network.What is the security Risk due to Open Ports?
Most of the suspicious software behaves like a service waiting for connections from a remote assailant so as to give him data or authority over the machine. The most common security practice is to close unused ports in private machines, in order to block known access to any service which may keep running on the PC without the clientâs information, regardless of authorized service is being misconfigured or because of the suspicious software.Is Port Scanning illegal?
Port scanning itself is not illegal, but scanning the destination host without authorization is illegal and you will get into trouble. TCP Port scanners help the server administrators and penetration testers to examine at which ports the data is entering into the network and to protect it from invaders.
Cybersecurity researchers exposed new evasion techniques adopted by an advanced malware downloader called GuLoader.
CrowdStrike researchers d a detailed multiple evasion techniques implemented by an advanced malware downloader called GuLoader (aka CloudEyE).
GuLoader uses a polymorphic shellcode loader to avoid traditional security solutions, the experts mapped all embedded DJB2 hash values for every API used by the malicious code.
The malware uses an anti-analysis technique to avoid execution in virtualized environments.
âIn dissecting GuLoaderâs shellcode, CrowdStrike revealed a new anti-analysis technique meant to detect if the malware is running in a hostile environment by scanning the entire process memory for any Virtual Machine (VM)-related strings.â reads the analysis published by CrowdStrike.
âNew redundant code injection mechanism means to ensure code execution by using inline assembly to bypass user mode hooks from security solutions.â
GuLoader first appeared on the threat landscape in 2019, it was used by threat actors to download multiple remote access trojans (RATs) such as AgentTesla, FormBook, Nanocore, NETWIRE and the Parallax RAT.
Early versions of GuLoader were distributed via spam messages using attachments containing the malicious executable. Recent variants were delivered via a Visual Basic Script (VBS) file.
âGuLoader also started employing advanced anti-analysis techniques to evade detection, such as anti-debug, anti-sandbox, anti-VM and anti-detection to make analysis difficult.â reads the analysis.
A recent GuLoader variant analyzed by the experts exhibits a multistage deployment:
The first stage uses a VBS dropper file to drop a second-stage packed payload into a registry key. It then uses a PowerShell script to execute and unpack the second stage payload from the registry key within memory.
Thesecond stage payload performs all anti-analysis routines (described below), creates a Windows process (e.g., an ieinstal.exe) and injects the same shellcode into the new process.
The third stage reimplements all the anti-analysis techniques, downloads the final payload from a remote server and executes it on the victimâs machine.
The malware implements anti-debugging and anti-disassembling checks to detect the presence of breakpoints used for the analysis of code.
The researchers also noticed the use of a redundant code injection mechanism to avoid NTDLL.dll hooks used by antivirus and EDR solutions to detect malicious activities.
âIt then maps that section via NtMapViewofSection on the suspended process.â continues the analysis. âIf this injection technique fails, it uses the following redundancy method:
a. NtAllocateVirtualMemory by invoking the inline assembly instructions (without calling ntdll.dll, to bypass AV/EDR User Mode hooks) of that function, using the following assembly stub:
mov eax,18
mov edx,ntdll.77178850
call edx
ret 18
It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address. It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address.â
Experts pointed out that GuLoader remains a dangerous threat that constantly evolves, they also shared Indicators of Compromise for the latest variant of the downloader.
It has recently been discovered by researchers that Windows has a vulnerability that allows code execution that rivals EternalBlue in terms of potential. It is possible for an attacker to execute malicious code without authentication by exploiting this newly-tracked vulnerability CVE-2022-37958.
It is possible to exploit this vulnerability in a wormable way, which can lead to a chain reaction that can impact other systems that are vulnerable, and a new attack can be launched.
A greater range of network protocols is affected by this vulnerability as opposed to the earlier version, which gave attackers more flexibility.
Successful exploitation of this vulnerability allows any Windows application protocol that accesses the NEGOEX protocol may enable an attacker to remotely execute arbitrary code.
Despite the list of protocols that have been identified, there could be other protocols and standards that are affected as well.
On a target system, there is no user input or authentication required by a victim in order for this vulnerability to succeed. This vulnerability has been classified by Microsoft as âCritical,â with a maximum severity for all categories.
As a result, CVSS 3.1 now has an overall score of 8.1 out of 10. It is important to note that systems with unpatched default configurations are vulnerable to this flaw.
The reclassification was performed by X-Force Red in accordance with its responsible disclosure policy with Microsoft.
Recommendations
For the time being, IBM wonât release the full technical details regarding the vulnerabilities and patches until Q2 2023, in order to give defenders a chance and enough time to apply them.
Security Intelligence recommends that users and administrators apply the patch as soon as possible due to the widespread use of SPNEGO, which ensures that they are protected.
All systems running Windows 7 and newer are compatible with this fix, which is part of the security updates for September 2022.
Moreover, X-Force Red recommends the following additional recommendations:-
Identify which services are exposed to the internet, such as SMB and RDP.
You should continuously monitor your attack surface, including Windows Authentication-enabled servers.
In the event that the patch cannot be applied, set Kerberos or Net-NTLM as the default authentication providers on Windows and remove Negotiate as the default authentication provider.
WhatsApp silently fixed two critical zero-day vulnerabilities that affect both Android & iOS versions allowing attackers to execute an arbitrary code remotely.
Facebook-owned messenger WhatsApp is one of the Top-ranked Messenger apps with more than Billion users around the world in both Android and iPhone.
Both vulnerabilities are marked under âcriticalâ severity with a CVE Score of 10/10 and found by the WhatsApp internal security Team.
WhatsApp 0-Day Bugs
CVE-2022-36934 – An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.
Simplifying these following vulnerabilities, Whatsapp could cause your device to be hacked by receiving a Video File or When on a Video call.
CVE-2022-36934 â Integer Overflow Bug
An Integer overflow bug that affects WhatsApp allows attackers to execute the specially crafted arbitrary code during an established Video call without any sort of user interaction.
An integer overflow also know as âwraparoundâ occurs when an integer value is incremented to a value that is too large to store in the associated representation.
This RCE bug affects an unknown code of the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.
âA heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().â
Hackers can take advantage of this remote code execution vulnerability to deploy the malware on the userâs device to steal sensitive files and also used for surveillance purposes.
According to WhatsApp Advisory âAn integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.â
WhatsApp silently fixed two critical zero-day vulnerabilities that affect both Android & iOS versions allowing attackers to execute an arbitrary code remotely.
Facebook-owned messenger WhatsApp is one of the Top-ranked Messenger apps with more than Billion users around the world in both Android and iPhone.
Both vulnerabilities are marked under âcriticalâ severity with a CVE Score of 10/10 and found by the WhatsApp internal security Team.
WhatsApp 0-Day Bugs
CVE-2022-36934 – An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.
Simplifying these following vulnerabilities, Whatsapp could cause your device to be hacked by receiving a Video File or When on a Video call.
CVE-2022-36934 â Integer Overflow Bug
An Integer overflow bug that affects WhatsApp allows attackers to execute the specially crafted arbitrary code during an established Video call without any sort of user interaction.
An integer overflow also know as âwraparoundâ occurs when an integer value is incremented to a value that is too large to store in the associated representation.
This RCE bug affects an unknown code of the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.
âA heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().â
Hackers can take advantage of this remote code execution vulnerability to deploy the malware on the userâs device to steal sensitive files and also used for surveillance purposes.
According to WhatsApp Advisory âAn integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.â
Can a device be hacked when switched off? Recent studies suggest so. Letâs see how this is even possible.
Researchers from the Secure Mobile Networking Lab at the University of Darmstadt, Germany, have published a paper describing a theoretical method for hacking an iPhone â even if the device is off. The study examined the operation of the wireless modules, found ways to analyze the Bluetooth firmware and, consequently, to introduce malware capable of running completely independently of iOS, the deviceâs operating system.
With a little imagination, itâs not hard to conceive of a scenario in which an attacker holds an infected phone close to the victimâs device and transfers malware, which then steals payment card information or even a virtual car key.
The reason it requires any imagination at all is because the authors of the paper didnât actually demonstrate this, stopping one step short of a practical attack implementation in which something really useful nasty is loaded into the smartphone. All the same, even without this, the researchers did a lot to analyze the undocumented functionality of the phone, reverse-engineer its Bluetooth firmware, and model various scenarios for using wireless modules.
So, if the attack didnât play out, whatâs this post about? Weâll explain, donât worry, but first an important statement: if a device is powered off, but interaction with it (hacking, for example) is somehow still possible, then guess what â itâs not completely off!
How did we get to the point where switching something off doesnât necessarily mean itâs actually off? Letâs start from the beginningâŠ
Appleâs Low Power Mode
In 2021, Apple announced that the Find My service, which is used for locating a lost device, will now work even if the device is switched off. This improvement is available in all Apple smartphones since the iPhone 11.
If, for example, you lose your phone somewhere and its battery runs out after a while, it doesnât turn off completely, but switches to Low Power Mode, in which only a very limited set of modules are kept alive. These are primarily the Bluetooth and Ultra WideBand (UWB) wireless modules, as well as NFC. Thereâs also the so-called Secure Element â a secure chip that stores your most precious secrets like credit card details for contactless payments or car keys â the latest feature available since 2020 for a limited number of vehicles.
Bluetooth in Low Power Mode is used for data transfer, while UWB â for determining the smartphoneâs location. In Low Power Mode, the smartphone sends out information about itself, which the iPhones of passers-by can pick up. If the owner of a lost phone logs in to their Apple account online and marks the phone as lost, information from surrounding smartphones is then used to determine the whereabouts of the device. For details of how this works, see our recent post about AirTag stalking.
The announcement quickly prompted a heated discussion among information security experts about the maze of potential security risks. The research team from Germany decided to test out possible attack scenarios in practice.
When powering off the phone, the user now sees the âiPhone Remains Findable After Power Offâ message. Source
Find My after power off
First of all, the researchers carried out a detailed analysis of the Find My service in Low Power Mode, and discovered some previously unknown traits. After power off, most of the work is handled by the Bluetooth module, which is reloaded and configured by a set of iOS commands. It then periodically sends data packets over the air, allowing other devices to detect the not-really-off iPhone.
It turned out that the duration of this mode is limited: in version iOS 15.3 only 96 broadcast sessions are set with an interval of 15 minutes. That is, a lost and powered-off iPhone will be findable for just 24 hours. If the phone powered off due to a low battery, the window is even shorter â about five hours. This can be considered a quirk of the feature, but a real bug was also found: sometimes when the phone is off, the âbeaconâ mode is not activated at all, although it should be.
Of most interest here is that the Bluetooth module is reprogrammed before power off; that is, its functionality is fundamentally altered. But what if it can be reprogrammed to the detriment of the owner?
Attack on a powered-off phone
In fact, the teamâs main discovery was that the firmware of the Bluetooth module is not encrypted and not protected by Secure Boot technology. Secure Boot involves multistage verification of the program code at start-up, so that only firmware authorized by the device manufacturer can be run.
The lack of encryption permits analysis of the firmware and a search for vulnerabilities, which can later be used in attacks. But the absence of Secure Boot allows an attacker to go further and completely replace the manufacturerâs code with their own, which the Bluetooth module then executes. For comparison, analysis of the iPhoneâs UWB module firmware revealed that itâs protected by Secure Boot, although the firmware isnât encrypted either.
Of course, thatâs not enough for a serious, practical attack. For that, an attacker needs to analyze the firmware, try to replace it with something of their own making, and look for ways to break in. The authors of the paper describe in detail the theoretical model of the attack, but donât show practically that the iPhone is hackable through Bluetooth, NFC or UWB. Whatâs clear from their findings is that if these modules are always on, the vulnerabilities likewise will always work.
Apple was unimpressed by the study, and declined to respond. This in itself, however, says little: the company is careful to keep a poker face even in cases when a threat is serious and demonstrated to be so in practice.
Bear in mind that Apple goes to great lengths to keep its secrets under wraps: researchers have to deal with closed software code, often encrypted, on Appleâs own hardware, with made-to-order third-party modules. A smartphone is a large, complex system thatâs hard to figure out, especially if the manufacturer hinders rather than helps.
No one would describe the teamâs findings as breathtaking, but they are the result of lots of painstaking work. The paper has merit for questioning the security policy of powering off the phone, but keeping some modules alive. The doubts were shown to be justified.
A half powered-off device
The paper concludes that the Bluetooth firmware is not sufficiently protected. Itâs theoretically possible either to modify it in iOS or to reprogram the same Low Power Mode by expanding or changing its functionality. The UWB firmware can also be examined for vulnerabilities. The main problem, however, is that these wireless modules (as well as NFC) communicate directly with the protected enclave that is Secure Element. Which brings us to some of the paperâs most exciting conclusions:
Theoretically, itâs possible to steal a virtual car key from an iPhone â even if the device is powered off! Clearly, if the iPhone is the car key, losing the device could mean losing the car. However, in this case the actual phone remains in your possession while the key is stolen. Imagine it like this: an intruder approaches you at the mall, brushes their phone against your bag, and steals your virtual key.
It is theoretically possible to modify the data sent by the Bluetooth module, for example, in order to use a smartphone to spy on a victim â again, even if the phone is powered off.
Having payment card information stolen from your phone is another theoretical possibility.
But all this of course still remains to be proven. The work of the team from Germany shows once more that adding new functionality carries certain security risks that must be taken into account. Especially when the reality is so different from the perception: you think your phone is fully off, when in fact it isnât.
This is not a completely new problem, mind. The Intel Management Engine and AMD Secure Technology, which also handle system protection and secure remote management, are active whenever the motherboard of a laptop or desktop computer is connected to a power source. As in the case of the Bluetooth/UWB/NFC/Secure Element bundle in iPhones, these systems have extensive rights inside the computer, and vulnerabilities in them can be very dangerous.
On the bright side, the paper has no immediate impact on ordinary users: the data obtained in the study is insufficient for a practical attack. As a surefire solution, the authors suggest that Apple should implement a hardware switch that kills the power to the phone completely. But given Appleâs physical-button phobia, you can be sure that wonât happen.
Sansec Threat Research Team noticed a surge in Magento 2 template attacks. This critical template vulnerability in Magento 2 tracked as (CVE-2022-24086) is increasing among eCommerce cyber criminals. The vulnerability allows unauthenticated attackers to execute code on unpatched sites.
Magento is a popular, Adobe-owned open-source e-commerce platform that powers many online shops. More than 150,000 online stores have been created on the platform. As of April 2021, Magento holds a 2.32% market share in global e-commerce platforms.
Critical Magento Vulnerability
Adobe patched this Magento 2 Vulnerability (CVE-2022-24086) in February 2022; later on the security researchers have created exploit code for the vulnerability that opens a way to mass exploitation.Â
Sansec researchers shared findings of 3 template hacks. The report says the observed attacks have been interactive; since the Magento checkout flow is very hard to automate. It starts with the creation of a new customer account and an order placement, which may result in a failed payment.
Part of the Injected Template Code
Experts say, this downloads a Linux executable called 223sam(.)jpg and launches it as a background process.
âIt is actually a Remote Access Trojan (RAT). While it remains in memory, it creates a state file and polls a remote server hosted in Bulgaria for commandsâ, Sansec
Researchers pointed out that RAT has full access to the database and the running PHP processes. Also, RAT can be injected on any of the nodes in a multi-server cluster environment.
Another variation of this attack is the attempted injection of a health_check.php backdoor. It creates a new file accepting commands via the POST parameter:
Malicious PHP file
A third attack variation has this template code, which replaces generated/code/Magento/Framework/App/FrontController/Interceptor.php. This malware is then executed on every Magento page request.
PHP eval Backdoor Created
Therefore, experts recommend the Magento 2 site administrators to upgrade their software to the latest version.
Two critical vulnerabilities have been found recently in the wireless LAN devices of Contec. These critical vulnerabilities were discovered by the cybersecurity analysts, Samy Younsi and Thomas Knudsen of Necrum Security Lab.
There are two models of the FLEXLAN FXA2000 and FXA3000 series from CONTEC which are primarily used in airplane installations as WiFi access points.
As a result, these devices offer extremely high-speed connectivity during flight trips for the following purposes:-
The Flexlan FXA3000 and FXA2000 series LAN devices made by the Japan-based firm contain two critical vulnerabilities tracked as CVEâ2022â36158 and CVEâ2022â36159.
Necrum Security Labsâ researchers Samy Younsi and Thomas Knudsen have discovered two critical vulnerabilities in the wireless LAN devices manufactured by Contec. The company specializes in industrial automation, computing, and IoT communication technology.
Research Details
Reportedly, the Flexlan FXA3000 and FXA2000 series LAN devices made by the Japan-based firm contain two critical vulnerabilities tracked as CVEâ2022â36158 and CVEâ2022â36159.
For your information, these devices are used in airplanes to offer internet connectivity. The abovementioned series of devices offer WiFi access points in airplanes to ensure uninterrupted high-speed internet communication so that passengers could enjoy music, movies, and even purchased goodies during the flight. Hence, these vulnerabilities can allow an adversary to hack the inflight entertainment system and more.
FXA2000 (left) and FXA3000 (right)
Researchers discovered the first vulnerability (CVEâ2022â36158) while performing the firmwareâs reverse engineering. They identified a hidden page, which wasnât listed in the Wireless LAN Manager interface. This page facilitates the execution of Linux commands on the device with root privileges. They could then access all system files and open the telnet port to gain complete access to the device.
The second vulnerability (CVEâ2022â36159) entailed the use of hard-coded, weak cryptographic keys and backdoor accounts. While investigating, they also learned that the shadow file contained the has of two users, including root and user, and within a few minutes they could access them through a brute-force attack.
How to Fix the Issues?
In their blog post, researchers explained that the device owner could change the accountâs user password from the web adminâs interface, which is the primary reason behind the emergence of these flaws. The root account is reserved for Contec for maintenance purposes.
Therefore, an attacker armed with the root hard-coded password can conveniently access all FXA2000 and FXA3000 series devices.
In order to fix the first issue, the hidden engineering web page must be removed from the under-production devices because the default password is weak and makes it easy for an attacker to inject a backdoor into the device using this page.
Furthermore, the company needs to generate a unique password for each device during the production phase for the second issue.
As pointed out by Eduard Kovacs of SecurityWeek, in its advisory, Contec explained that the vulnerabilities are connected to a private webpage created for developers to execute system commands and the page isnât linked to other pages available to users. These vulnerabilities have been addressed in versions 1.16.00 for the FX3000 series and 1.39.00 for FX2000 series devices.
Through careful examination of which ports, services, and software are most prevalent on the internet and the systems and regions where they run, the research team discovered that misconfigurations and exposures represent 88% of the risks and vulnerabilities across the internet.
âAssessing the state of the internet is crucial in understanding an organizationâs own risks and exposures,â said Zakir Durumeric, Chief Scientist of Censys.
Key findings
Misconfigurations â including unencrypted services, weak or missing security controls and self-signed certificates â make up roughly 60% of observed risks. When analyzing the risk profile of organizations across industries, missing common security headers accounted for the primary security error.
Exposures of services, devices, and information represent 28% of observed risks. This includes everything from accidental database to device exposures.
Critical vulnerabilities and advanced exploits only represent 12% of observed risks. When analyzing organizations by industry, the Computer and Information Technology industry had the widest spread of different risks, while Freight Shipment and Postal Services had the second widest.
Researchers also conducted a holistic assessment of the internetâs response to three major vulnerabilities â Log4j, GitLab and Confluence â to understand mitigation strategies based on how a vulnerability is perceived. From this analysis, Censys learned how the internet responds differently to vulnerability disclosures.
Three distinct types of behavior in response to vulnerability disclosures
Near-immediate upgrading: Systems vulnerable to Log4j acted quickly based on the widespread coverage of the vulnerability. By March 2022, Censys observed only 36% of potential vulnerable services were left unpatched.
Upgrading only after the vulnerability is being actively and widely exploited: While the GitLab vulnerability was being exploited, the remediation process acted slower than others until researchers discovered a botnet composed of thousands of compromised GitLab servers participating in DDoS campaigns.
Near-immediate response by taking the vulnerable instance off the internet entirely: Rather than upgrading, users chose to remove assets entirely from the internet after Confluenceâs vulnerability became public between June 2021 and March 2022.
The internet constantly evolves as new technologies emerge, vulnerabilities are discovered, and organizations expand their operations that interact with the internet. Security teams have the responsibility to protect their organizationsâ digital assets and need proper visibility into the entire landscape to do so.
Although vulnerabilities often garner the bigger headlines, itâs undetected misconfigurations and exposures that create the most risk for an organization, making it important to regularly assess any new hosts or services that appear in your infrastructure. Regardless of vulnerability type, providing organizations with the visibility and tools needed to strengthen their security posture introduces a proactive, more vigilant approach to digital risk management.
