Multiple vulnerabilities have been discovered in VMware vRealize Log Insight, the most severe of which could allow for remote code execution. VMware vRealize Log Insight enables real-time logging for all components that build up the management capabilities of the SDDC. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Daily Archives: January 25, 2023
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution – PATCH: NOW – TLP: CLEAR
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
HIDDENCOBRA (APT38) Responsible for 100M USD Cyberheist Against Blockchain Provider
Earlier the FBI announced that HIDDEN COBRA (also known as APT38/LAZARUS) is behind the latest cyberheist of 100M against cryptocurrency blockchain provider Horizon Bridge, which is a U.S. based startup owned by Harmony. The assets stolen by Lazarus were cryptocurrency coins – Ethereum, Binance Coin, Tether, USD Coin, and DAI.HIDDEN COBRA is a state sponsored organization headed by the North Korean government.What are the Technical Details of this Attack?HIDDEN COBRA used a combination of targeted attacks, specifically spearphishing campaigns designed to compel a user into unknowingly installing malware. Dubbed TraderTraitor, HIDDEN COBRA used fake recruitment efforts in the cryptocurrency space; using offers and templates designed to entice those working in positions in targeted companies within. They used the AppleJeus malware which was disguised as legitimate cryptocurrency applications. Targets included individuals and companies within the cryptocurrency exchange and financial service sectors.Who is HIDDEN COBRA/LAZARUS/APT38?HIDDEN COBRA has been linked to multiple high-profile, financially-motivated attacks in various parts of the world – some of which have caused massive infrastructure disruptions. Notable attacks include the 2014 attack on a major entertainment company and a 2016 Bangladeshi financial institution heist that almost netted nearly $1 Billion (USD) for the attackers. Had it not been for a misspelling in an instruction that caused a bank to flag and block thirty transactions, HIDDEN COBRA would have pulled off a heist unlike any other. Although HIDDEN COBRA failed in their attempt, they were still able to net around 81 million dollars in total.What Protections are Available?Fortinet customers running the latest (AV) definitions are protected by the following signatures:OSX/NukeSped.JRiskware/AlticGORiskware/DAFOMRiskware/CryptAISRiskware/TokenAISOSX/NukeSped.AA!trW64/Agent.IN!trW32/OSX_Nukesped.J!tr.bdrOSX/NukeSped.J!trAll network IOC’s are blocked by the WebFiltering Client.
Proof-of-Concept Released for Zoho ManageEngine RCE vulnerability (CVE-2022-47966)
FortiGuard Labs is aware of a report that Proof-of-Concept code for a critical Zoho ManageEngine RCE vulnerability is actively exploited was released to the public. Patched in October and November, 2022, the vulnerability affects multiple on-premise ManageEngine products and allows attackers to perform remote code execution with SYSTEM level privileges.Why is this Significant?Although a patch is available for the Zoho ManageEngine RCE vulnerability (CVE-2022-47966), proof -of-concept code is now available to the public and exploit attempts for CVE-2022-47966 are expected to pick up because of it. Patch should be applied as soon as possible.What is CVE-2022-47966?The vulnerability affects multiple on-premise ManageEngine products due to use of Apache Santuario. Successful exploitation of the vulnerability allows attackers to perform remote code execution with SYSTEM level privileges. The vulnerability exists only when Security Assertion Markup Language (SAML) Single Sing On (SSO) is enabled or was enabled depending on the Zoho ManageEngine products.Has the Vendor Released an Advisory for CVE-2022-47966?Yes, the advisory is available. See the Appendix for a link to “Security advisory for remote code execution vulnerability in multiple ManageEngine products”.Which ManageEngine Products are Vulnerable to CVE-2022-47966?Affected ManageEngine products are available in the advisory.Has the Vendor Released a Patch for CVE-2022-47966?Yes, a patch was released in October 27th, 28th, and November 11th in 2022 depending on the ManageEngine products.What is the Status of Protection?FortiGuard Labs released the following IPS signature in version xxx for CVE-2022-47966:Zoho.ManageEngine.xmlsec.SAML.SSO.Remote.Code.Execution (default action is set to “pass”)