AIs Hacking Websites

Read Time:54 Second

New research:

LLM Agents can Autonomously Hack Websites

Abstract: In recent years, large language models (LLMs) have become increasingly capable and can now interact with tools (i.e., call functions), read documents, and recursively call themselves. As a result, these LLMs can now function autonomously as agents. With the rise in capabilities of these agents, recent work has speculated on how LLM agents would affect cybersecurity. However, not much is known about the offensive capabilities of LLM agents.

In this work, we show that LLM agents can autonomously hack websites, performing tasks as complex as blind database schema extraction and SQL injections without human feedback. Importantly, the agent does not need to know the vulnerability beforehand. This capability is uniquely enabled by frontier models that are highly capable of tool use and leveraging extended context. Namely, we show that GPT-4 is capable of such hacks, but existing open-source models are not. Finally, we show that GPT-4 is capable of autonomously finding vulnerabilities in websites in the wild. Our findings raise questions about the widespread deployment of LLMs.

Read More

A Vulnerability in Apache OFBiz Could Allow for Remote Code Execution

Read Time:33 Second

A vulnerability has been discovered in the Apache OFBiz, which could allow for remote code execution. Apache OFBiz is an open source product for the automation of enterprise processes. It includes framework components and business applications for ERP, CRM, E-Business/E-Commerce, Supply Chain Management and Manufacturing Resource Planning. Successful exploitation could allow for remote code execution in the context of the Server. Depending on the privileges associated with the logged on user, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

Detecting anomalous O365 logins and evasion techniques

Read Time:2 Minute, 54 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Summary

Businesses across multiple industries, regardless of size, are at risk of being targeted with Microsoft 365 phishing campaigns. These campaigns trick users into visiting fake Microsoft login page where threat actors capture the user’s credentials. Even accounts with MFA can be victim to these types of attacks. There are several ways in which MFA is being bypassed with these types of campaigns.  

MFA Fatigue is one of the ways threat actors are bypassing MFA and this method attempts to exploit human error by repeatedly logging in with the stolen credentials causing an overwhelming number of MFA prompts in attempts to get the user to approve the login.  

Another MFA bypass technique is SIM Swapping. A SIM card is a small chip that your mobile carrier uses to hold identification information to tie your phone to you and your mobile carrier. Threat actors have found a weakness in this because there are scenarios where a customer may need a new SIM card (for example, they lost their phone). Carriers can transfer your identification information from your old SIM card to new one. SIM Swapping is when a threat actor abuses this feature and impersonates you to convince your mobile carrier to switch your phone number to a SIM card that is in the threat actor’s possession. This then allows the threat actor to receive MFA codes sent to your number via phone call or SMS.

Man in the Middle Attacks are another notable MFA bypass technique. With this method, threat actors will wait for a user to enter credentials into a fake login page, then wait for you to allow the login with a push notification or steal the session or token after you enter in your code. 

After gaining access to an O365 account, the threat actor typically does some reconnaissance on the user’s inbox and then will use the access to the user’s account to try to phish other users, typically with a financial motive. We commonly see inbox rules abused to try to hide the emails, so the user is unaware of the emails coming from their account.

Detection

24/7/365 Monitoring and Threat Detection such as Vertek’s Managed AlienVault Services

· AlienVault Unified Security Management uses a User Behavior Analytics platform to detect anomalous M365 logins by tracking user behaviors and login data.

· Enabling anomaly detection policies in Microsoft’s Defender for Cloud Apps. These alerts can be enabled in Defender, and then pulled into USM Anywhere where alerts can be investigated by Vertek’s SOC team when they occur.

· Custom alerts to alarm on suspicious logins and inbox rules.  

· Monthly reporting to identify risky users and missing security controls.

Mitigation

· Implementing regular user training, so users can identify phishing attempts and understand the importance of good passwords and only approving logins if they know the sign-in is legit.

· Leveraging Microsoft tools to flag users that have been phished as risky users.

· Disabling legacy protocols as they are favored in credential attacks because they cannot enforce MFA.

· Utilize Microsoft Intune or other mobile device management (MDM) tools to block sign-ins from unregistered devices.

· Using a Managed Threat Intelligence service that helps your organization identify risky users by using Dark Web monitoring tools to identify leaked credentials.  

Read More

ZDI-24-203: PDF-XChange Editor EMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Read Time:17 Second

This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-27325.

Read More

ZDI-24-204: PDF-XChange Editor XPS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Read Time:17 Second

This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-27326.

Read More