A security issue was discovered in kube-apiserver that allows an
aggregated API server to redirect client traffic to any URL. This could
lead to the client performing unexpected actions as well as forwarding
the client’s API server credentials to third parties.
Yearly Archives: 2023
A Vulnerability in Atlassian Confluence Server and Data Center Could Allow for Data Destruction
A vulnerability has been discovered in Atlassian Confluence Server and Data Center which could allow for data destruction. Confluence is a collaboration tool that brings people, knowledge, and ideas together in a shared workspace. Successful exploitation of this vulnerability could allow an attacker to destroy instance data.
python-pillow-9.5.0-1.fc38
FEDORA-2023-1a120657f9
Packages in this update:
python-pillow-9.5.0-1.fc38
Update description:
Update to 9.5.0, backport fix for CVE-2023-44271.
Healthcare Data Breaches Impact 88 Million Americans
The Department of Health and Human Services said there has been a 239% increase in large breaches
[CVE-2023-46380, CVE-2023-46381, CVE-2023-46382] Multiple vulnerabilities in Loytec products
Posted by Chizuru Toyama on Nov 03
[+] CVE : CVE-2023-46380, CVE-2023-46381, CVE-2023-46382
[+] Title : Multiple vulnerabilities in Loytec LWEB-802, L-INX Automation Servers, L-IOB
I/O Controllers, L-VIS Touch Panels
[+] Vendor : LOYTEC electronics GmbH
[+] Affected Product(s) : LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2, LIOB-586 firmware 6.2.3
[+] Affected Components :…
What Are the Risks of Clicking on Malicious Links?
A simple click of a link can’t cause any trouble, right? Wrong.
It doesn’t matter if you quickly close out of a window. It doesn’t matter if you only take a quick peek and don’t touch anything else while you’re on a risky webpage. Often, just clicking on a single link can compromise your device, online privacy, and even your identity.
Here’s everything you need to know to steer clear of malicious links and the viruses, malware and other problems that they may contain.
What Is a Risky Link?
A risky link is any hyperlink that redirects you to an unexpected webpage. Often, these webpages trick visitors into divulging personal information or the webpages download malicious payloads (viruses, malware, spyware, etc.) onto devices. While they often appear in phishing emails and texts, risky links can pop up anywhere: on social media, in comment sections, or on risky websites.
What Happens If You Click on a Risky Link?
A few nasty tricks, viruses, and malware could be lurking behind risky links. All it takes to fall for a cyber scheme is to click on a link. For example, a malicious link could bring you to a fake login page. This is a way for a phisher to steal your username, password, or answers to your security questions. Instead of logging into your bank account or an online shopping account, you’re actually handing your login credentials right to a scammer. From there, they could walk into your accounts, make purchases in your name, or steal your sensitive personally identifiable information (PII) attached to your account.
If a risky link downloads a virus or malware to your device, the effects could vary. Some viruses bring your device to a crawl and seriously limit your computing power. Mobile malware is a vast category of malicious software and it often makes its way onto devices through infected links. Malware can spy on you, watch your keystrokes, attach your device to a botnet, and overall compromise your device and the information it stores.
How Do You Steer Clear of Risky Links?
Avoiding risky links requires that you slow down and think before you click on anything. Scammers and phishers disguise their malicious links to look legitimate making them difficult to spot. Artificial intelligence tools like ChatGPT and Bard are making phishing correspondences more believable than attempts from a few years ago. If you move too fast, you could fall for scams that you’d normally sniff out if you were taking your time.
Here are a few tips that’ll go a long way toward keeping your device and PII out of the hands of cybercriminals.
Look before you leap. Before clicking on any link, preview it to make sure that it’s redirecting you where you expect it to. To preview a link on mobile, tap and hold the link. Check for typos or for very long and complicated strings of letters and numbers.
Be skeptical. It seems pessimistic, but reserve a tiny bit of skepticism for every “incredible deal!” “unbelievable story!” or “free download!” you encounter online. Just because a “company” advertises on Facebook doesn’t mean it’s a legitimate organization. Its business might not be selling t-shirts but phishing for personal information. Scammers often hide their malicious links behind clickbait.
Avoid risky websites. It makes sense that risky websites are home to risky links. Practice safe downloading practices and be extra diligent about the websites you visit. Avoid pirated content hubs as they’re often a haven of dangerous links. A safe browsing tool like McAfee WebAdvisor can alert you when you’re headed into dodgy territory.
What Tool Can Give You Peace of Mind?
McAfee Scam Protection fights malicious links with artificial intelligence-powered proactive alerts and automatic protection. The more you use it, the smarter McAfee Scam Protection becomes. When it detects a scam link in your texts, emails, or on social media, McAfee Scam Protection automatically alerts you to it. Additionally, if you accidentally click on a scam link, the app will block the malicious webpage from loading, protecting your device and online privacy from invaders.
Confidence in your ability to avoid or block risky links will go a long way toward lessening any unease you have about navigating the conveniences and entertainment the internet offers.
The post What Are the Risks of Clicking on Malicious Links? appeared first on McAfee Blog.
CVE-2022-45805
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Paytm Paytm Payment Gateway paytm-payments allows SQL Injection.This issue affects Paytm Payment Gateway: from n/a through 2.7.3.
Unmasking AsyncRAT New Infection Chain
Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy
AsyncRAT, short for “Asynchronous Remote Access Trojan,” is a sophisticated piece of malware designed to compromise the security of computer systems and steal sensitive information. What sets AsyncRAT apart from other malware strains is its stealthy nature, making it a formidable adversary in the world of cybersecurity.
McAfee Labs has observed a recent AsyncRAT campaign being distributed through a malicious HTML file. This entire infection strategy employs a range of file types, including PowerShell, Windows Script File (WSF), VBScript (VBS), and more, in order to bypass antivirus detection measures.
Figure 1 – AsyncRAT prevalence for the last one month
Technical Analysis
A recipient receives a spam email containing a nefarious web link. When accessed, this link triggers the download of an HTML file. Within this HTML file, an ISO file is embedded, and this ISO image file harbors a WSF (Windows Script File). The WSF file subsequently establishes connections with various URLs and proceeds to execute multiple files in formats such as PowerShell, VBS (VBScript), and BAT. These executed files are employed to carry out a process injection into RegSvcs.exe, a legitimate Microsoft .NET utility. This manipulation of RegSvcs.exe allows the attacker to covertly hide their activities within a trusted system application.
Infection Chain
Figure 2 – Infection Chain
Stage 1: Analysis of HTML & WSF file
The sequence begins with a malicious URL found within the email, which initiates the download of an HTML file. Inside this HTML file, an ISO file is embedded. Further JavaScript is utilized to extract the ISO image file.
Figure 3 – Contents of HTML file
Figure 4 – Extracted ISO file when HTML is run
Within the ISO file is a WSF script labeled as “FXM_20231606_9854298542_098.wsf.” This file incorporates junk strings of data, interspersed with specific “<job>” and “<VBScript>” tags (as indicated in Figure 5 and highlighted in red). These tags are responsible for establishing a connection to the URL “hxxp://45.12.253.107:222/f[.]txt” to fetch a PowerShell file.
Figure 5 – Contents of WSF file
Stage 2: Analysis of PowerShell files
The URL “hxxp://45.12.253.107:222/f[.]txt” retrieves a text file that contains PowerShell code.
Figure 6 – Contents of the First PowerShell file
The initial PowerShell code subsequently establishes a connection to another URL, “hxxp://45.12.253.107:222/j[.]jpg,” and retrieves the second PowerShell file.
Figure 7 – Contents of Second PowerShell file
The PowerShell script drops four files into the ProgramData folder, including two PowerShell files, one VBS file, and one BAT file. The contents of these four files are embedded within this PowerShell script. It then proceeds to create a folder named “xral” in the ProgramData directory, where it writes and extracts these files, as depicted in Figure 8.
Figure 8 – Second PowerShell creating 4 files and writing content in them using [IO.File]::WriteAllText command
Figure 9 – Files extracted in the “ProgramData/xral” folder
Stage 3: Analysis of Files dropped in the ProgramData folder
Following this, the PowerShell script executes “xral.ps1,” which is responsible for establishing a scheduled task to achieve persistence. Additionally, it initiates the execution of the ” xral.vbs ” file.
Figure 10 – Content of VBS file
The VBS script proceeds to execute the “1.bat” file, which, in turn, is responsible for executing the final PowerShell script, “hrlm.ps1.”
In a nutshell, after the second powershell, the execution goes like:
xral.ps1 -> xral.vbs -> 1.bat -> hrlm.ps1
These various executions of different file types are strategically employed to circumvent both static and behavior-based antivirus detections.
Stage 4: Analysis of the final PowerShell file
Figure 11 – Content of final PowerShell file
As depicted in the preceding figure, this PowerShell file contains a PE (Portable Executable) file in hexadecimal format. This file is intended for injection into a legitimate process. In the second red-highlighted box, it’s evident that the attackers have obfuscated the process name, which will be revealed after performing a replacement operation. It is now evident that this PE file is intended for injection into “C:WindowsMicrosoft.NETFrameworkv4.0.30319RegSvcs.exe.” The process injection is accomplished through the Reflection Assembly load functionality of the PowerShell file, which allows access and invocation of .NET data from within PowerShell.
After the process injection, the RegSvcs utility is initiated and executed without any additional parameters.
Stage 5: Analysis of infected RegSvcs.exe
Once PowerShell successfully injects malicious code into RegSvcs, the compromised RegSvcs.exe runs, and the AsyncRAT server establishes a connection to it. The artifacts of this infected RegSvcs.exe running are illustrated in Figure 12.
Figure 12 – AsyncRAT server strings in RegSvcs
Further analysis uncovered that this sample possesses keylogging capabilities. It recorded all activities performed on the system after replication, storing this information in a “log.tmp” file within the TEMP folder for record-keeping purposes.
Figure 13 – Log file created in %temp% folder logging all keystrokes
Furthermore, this sample was actively engaged in the theft of credentials and browser-related data. Additionally, it attempted to search for cryptocurrency-related information, including data related to Bitcoin, Ethereum, and similar assets. The illicitly acquired data was being transmitted over TCP to the IP address 45[.]12.253.107 on port 8808.
Figure 14 – TCP information of RegSvcs.exe
Summary
The infection chain begins with a malicious URL embedded in a spam email, leading to the download of an HTML file containing an ISO. Within the ISO file, a WSF script connects to external URLs and downloads a PowerShell script, which, in turn, initiates a series of non-PE file executions and ultimately injects a hexadecimal-encoded PE file into the legitimate “RegSvcs.exe.” This compromised process connects to an AsyncRAT server. The malware exhibits keylogging capabilities, records user activities, and steals credentials, browser data, and crypto-related information. Data is exfiltrated over TCP to an IP address and port. This intricate chain leverages diverse file types and obfuscation methods to avoid detection, ultimately resulting in the attackers gaining remote control and successfully stealing data.
Indicator of Compromise (IOCs)
File
SHA256/URL
HTML
83c96c9853245a32042e45995ffa41393eeb9891e80ebcfb09de8fae8b5055a3
ISO
97f91122e541b38492ca2a7c781bb9f6b0a2e98e5b048ec291d98c273a6c3d62
WSF
ac6c6e196c9245cefbed223a3b02d16dd806523bba4e74ab1bcf55813cc5702a
PS1
0159bd243221ef7c5f392bb43643a5f73660c03dc2f74e8ba50e4aaed6c6f531
PS1
f123c1df7d17d51115950734309644e05f3a74a5565c822f17c1ca22d62c3d99
PS1
19402c43b620b96c53b03b5bcfeaa0e645f0eff0bc6e9d1c78747fafbbaf1807
VBS
34cb840b44befdd236610f103ec1d0f914528f1f256d9ab375ad43ee2887d8ce
BAT
1c3d5dea254506c5f7c714c0b05f6e2241a25373225a6a77929e4607eb934d08
PS1
83b29151a192f868362c0ecffe5c5fabe280c8baac335c79e8950fdd439e69ac
URL
hxxp://45.12.253[.]107:222/f[.]txt
hxxp://45.12.253[.]107:222/j[.]jpg
The post Unmasking AsyncRAT New Infection Chain appeared first on McAfee Blog.
UK AI Safety Institute: A Blueprint for the Future of AI?
One of the Institute’s missions is to cement the UK’s position as a world leader in AI safety
New York Increases Cybersecurity Rules for Financial Companies
Another example of a large and influential state doing things the federal government won’t:
Boards of directors, or other senior committees, are charged with overseeing cybersecurity risk management, and must retain an appropriate level of expertise to understand cyber issues, the rules say. Directors must sign off on cybersecurity programs, and ensure that any security program has “sufficient resources” to function.
In a new addition, companies now face significant requirements related to ransom payments. Regulated firms must now report any payment made to hackers within 24 hours of that payment.