Re: [SYSS-2024-038] DiCal-RED – Use of Password Hash Instead of Password for Authentication

Posted by J. Hellenthal via Fulldisclosure on Aug 27

Correct me if I’m wrong but I believe he is trying to relay that “on the backend” where the password hashes are
stored… if accessed by those with admin access or a bad actor if you will gives them the immediate ability to access
every account without needing to decrypt the passwords.

This is a very bad practice.

USN-6981-1: Drupal vulnerabilities

It was discovered that Drupal incorrectly sanitized uploaded filenames. A
remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-13671)

It was discovered that Drupal incorrectly sanitized archived filenames. A
remote attacker could possibly use this issue to overwrite arbitrary files,
or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)

The AI Fix #13: ChatGPT runs for mayor, and should we stop killer robots?

In episode 13 of “The AI Fix”, meat avatar Cluley learns that AI doesn’t pose an existential threat to humanity and tells meat avatar Stockley how cybersex is about to get very, very weird. Our hosts also learn that men lie on their dating profiles, hear ChatGPT steal somebody’s voice, and discover an AI that rick rolls its users.

Graham tells Mark about AI’s political ambitions and discovers what ChatGPT has in common with the reluctant ruler of the universe, while Mark introduces Graham to the Campaign to Stop Killer Robots.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

New 0-Day Attacks Linked to China’s ‘Volt Typhoon’

Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and IT service providers. Researchers believe the activity is linked to Volt Typhoon, a Chinese cyber espionage group focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China.

Versa Director systems are primarily used by Internet service providers (ISPs), as well as managed service providers (MSPs) that cater to the IT needs of many small to mid-sized businesses simultaneously. In a security advisory published Aug. 26, Versa urged customers to deploy a patch for the vulnerability (CVE-2024-39717), which the company said is fixed in Versa Director 22.1.4 or later.

Versa said the weakness allows attackers to upload a file of their choosing to vulnerable systems. The advisory placed much of the blame on Versa customers who “failed to implement system hardening and firewall guidelines…leaving a management port exposed on the internet that provided the threat actors with initial access.”

Versa’s advisory doesn’t say how it learned of the zero-day flaw, but its vulnerability listing at mitre.org acknowledges “there are reports of others based on backbone telemetry observations of a 3rd party provider, however these are unconfirmed to date.”

Those third-party reports came in late June 2024 from Michael Horka, senior lead information security engineer at Black Lotus Labs, the security research arm of Lumen Technologies, which operates one of the global Internet’s largest backbones.

In an interview with KrebsOnSecurity, Horka said Black Lotus Labs identified a web-based backdoor on Versa Director systems belonging to four U.S. victims and one non-U.S. victim in the ISP and MSP sectors, with the earliest known exploit activity occurring at a U.S. ISP on June 12, 2024.

“This makes Versa Director a lucrative target for advanced persistent threat (APT) actors who would want to view or control network infrastructure at scale, or pivot into additional (or downstream) networks of interest,” Horka wrote in a blog post published today.

Black Lotus Labs said it assessed with “medium” confidence that Volt Typhoon was responsible for the compromises, noting the intrusions bear the hallmarks of the Chinese state-sponsored espionage group — including zero-day attacks targeting IT infrastructure providers, and Java-based backdoors that run in memory only.

In May 2023, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning (PDF) about Volt Typhoon, also known as “Bronze Silhouette” and “Insidious Taurus,” which described how the group uses small office/home office (SOHO) network devices to hide their activity.

In early December 2023, Black Lotus Labs published its findings on “KV-botnet,” thousands of compromised SOHO routers that were chained together to form a covert data transfer network supporting various Chinese state-sponsored hacking groups, including Volt Typhoon.

In January 2024, the U.S. Department of Justice disclosed the FBI had executed a court-authorized takedown of the KV-botnet shortly before Black Lotus Labs released its December report.

In February 2024, CISA again joined the FBI and NSA in warning Volt Typhoon had compromised the IT environments of multiple critical infrastructure organizations — primarily in communications, energy, transportation systems, and water and wastewater sectors — in the continental and non-continental United States and its territories, including Guam.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT [operational technology] assets to disrupt functions,” that alert warned.

In a speech at Vanderbilt University in April, FBI Director Christopher Wray said China is developing the “ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” and that China’s plan is to “land blows against civilian infrastructure to try to induce panic.”

Ryan English, an information security engineer at Lumen, said it’s disappointing his employer didn’t at least garner an honorable mention in Versa’s security advisory. But he said he’s glad there are now a lot fewer Versa systems exposed to this attack.

“Lumen has for the last nine weeks been very intimate with their leadership with the goal in mind of helping them mitigate this,” English said. “We’ve given them everything we could along the way, so it kind of sucks being referenced just as a third party.”

Here’s How Phishing Messages Break Through Email Filters

The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Phishing is an email-borne malicious technique aimed at learning the sensitive credentials of users or spreading malware. This practice has been on the list of the top cyber threats to individuals and businesses for years. According to the latest Phishing Activity Trends Report by APWG, the total number of phishing attacks identified in Q1 2024 exceeded 963,000. The average wire transfer amount requested in business email compromise (BEC) attacks during this period reached $84,000, showing a 50% increase compared to the previous quarter.

With the staggering statistics in mind, this hoax is among the strongholds of the global cybercrime economy. It comes as no surprise that there are plenty of security companies whose area of expertise is isolated to anti-phishing services that prevent rogue emails from reaching their customers’ inboxes. Since orchestrating these campaigns is becoming more difficult for criminals, they are developing more sophisticated attack vectors that get around mainstream defenses.

Phishers Are Thinking Outside the Box

Malicious actors leverage a few effective evasion techniques to make sure their misleading messages arrive at their destination. Here are several real-world stratagems used to obfuscate bad intentions and circumvent automated protection tools.

Hybrid “Vishing” Attacks Gaining Momentum

Voice phishing, or vishing, has become an effective social engineering scam over the years. The fact that the manipulation takes place over the phone plays into the hands of fraudsters, as it slips below the radar of traditional security controls. The caveat comes down to high reliance on factors like cold calls that many people ignore, which reduces the success rate of such hoaxes.

In an attempt to close that gap, criminals came up with a multi-step scheme that combines vishing and misleading emails. The idea is to contact a would-be victim initially with an email lure that contains a phone number in it. These messages will typically convey urgency by stating that the recipient might be locked out of their bank account, or that a suspicious financial transaction has been made without their consent.

The user is instructed to call the number specified in the email to solve the problem. However, instead of providing assistance, the scammer on the other end will try to learn sensitive information. The original phishing email doesn’t contain any suspicious attachments or links, which makes it look normal when inspected by spam filters and antivirus protections.

In some scenarios, criminals collect information about the victim from social media and other publicly accessible sources to make sure that the bait message correlates with their interests and lifestyle. The use of reliable data broker removal services can minimize the risk of exposure to this shady open-source intelligence (OSINT).

Compromised SharePoint Accounts

Another method for phishing scams to slide unnoticed into users’ inboxes is to piggyback on previously hacked SharePoint accounts. Email filters trust the domains used by this cloud-based collaborative service from Microsoft. The messages ask the recipients to click on an embedded secondary URL that leads to a malicious OneNote document disguised as a OneDrive for Business sign-in page. The credentials entered in this fake login form automatically go to the fraudsters.

Elusive Emails Impersonating Major Banks

This is a long-running hoax in phishing operators’ repertoire. The spoof email pretends to come from a popular financial institution such as the Bank of America. It asks the recipient to update their email address and provides a link leading to a credential phishing page camouflaged as the bank’s official site. To feign legitimacy, the scam includes an extra page where the victim is supposed to enter their security challenge question.

While the message is sent from a “@yahoo.com” email address rather than the real domain of the mimicked bank, many anti-phishing tools cannot identify it as potentially malicious. One of the reasons is that this fraud targets only a handful of people in an organization rather than maximizing its reach. Filtering technologies mainly inspect large volumes of similar emails and may ignore messages arriving in small quantities.

Secondly, the email passes security checks because it’s sent from a personal Yahoo account. Traditional verification instruments such as the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) confirm that the message doesn’t spoof the domain it’s coming from.

Thirdly, the blocklists integrated in a Secure Email Gateway (SEG) or the VPN of the user’s choice might not include the replica of the bank’s page due to its recent registration. Furthermore, the domain uses a valid SSL certificate issued by a trusted authority such as COMODO. This combo of techniques, plus subtle elements of urgency and pressure imposed upon a recipient via social engineering, makes this ostensibly simple phishing wave highly effective.
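To make concrete why the SPF/DKIM/DMARC passes described above do not catch this lure, here is an added example in Python (not code from the article): it reads the gateway's Authentication-Results header and, separately, checks whether a brand named in the From display name matches the domain the message was actually sent from. The sample message and the brand-to-domain allowlist are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist maintained by the defender: brand names a phisher might
# put in the display name, mapped to the domains that brand legitimately sends from.
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com"}}

def auth_results(msg) -> dict:
    """Extract the spf/dkim/dmarc verdicts from the gateway's Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

def brand_mismatch(msg):
    """Return (brand, sender_domain) when a known brand appears in the From display
    name but the address domain is not one that brand uses; otherwise None."""
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and domain not in domains:
            return brand, domain
    return None

def assess(raw_message: str) -> dict:
    """SPF, DKIM and DMARC can all pass while the message still impersonates a brand:
    they vouch for the domain in the From address, never for the display name."""
    msg = message_from_string(raw_message)
    mismatch = brand_mismatch(msg)
    return {"auth": auth_results(msg), "mismatch": mismatch,
            "verdict": "suspicious: brand impersonation" if mismatch else "no brand mismatch"}

# Constructed sample modelled on the scenario above (headers only; recipient domain is a placeholder).
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=yahoo.com; \
dkim=pass header.d=yahoo.com; dmarc=pass header.from=yahoo.com
From: "Bank of America Alerts" <account.review.2024@yahoo.com>
To: customer@example.net
Subject: Action required: update your email address

"""
```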

ZIP Archive with a Catch

One of the clever tricks in the modern criminal’s handbook is to cloak a malicious email attachment within a dodgy ZIP archive. A benign ZIP file normally contains a single “End of Central Directory” (EOCD) record, which marks the end of the archive and points to its central directory. Attackers are increasingly leveraging ZIP archives that contain two EOCD records rather than one, which means the attachment carries an extra, complete archive structure hidden in plain sight.

The decompression engines built into some SEGs will only identify and vet the harmless “decoy” element while failing to detect and inspect the malicious sub-hierarchy of the archive. As a result of the furtive file extraction, a strain of info-stealing malware infects the victim’s computer.
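As a worked illustration of the double-EOCD trick (an added example, not code from the article), the Python scanner below counts structurally valid EOCD records in an attachment and shows that Python's own zipfile module reports only the entries of the last one, which is exactly the disagreement between parsers that the decoy relies on. Sample archives are constructed inline; the validation assumes no ZIP64 locator sits between the central directory and the EOCD record.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"      # end-of-central-directory record signature
CDIR_SIG = b"PK\x01\x02"      # central-directory file-header signature
EOCD_FMT = "<4sHHHHIIH"       # sig, disk, cd_disk, entries_disk, entries_total, cd_size, cd_offset, comment_len
EOCD_LEN = struct.calcsize(EOCD_FMT)   # 22 bytes

def find_eocd_records(data: bytes) -> list:
    """Offsets of every structurally valid EOCD record in data.

    A candidate counts only if the central directory it describes sits
    immediately before it and starts with CDIR_SIG, which discards chance
    occurrences of the 4-byte magic inside compressed content.
    Assumption: no ZIP64 locator between the directory and the record.
    """
    hits = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            fields = struct.unpack_from(EOCD_FMT, data, pos)
            entries_disk, entries_total, cd_size = fields[3], fields[4], fields[5]
            cd_start = pos - cd_size
            if (entries_disk == entries_total and cd_start >= 0
                    and data[cd_start:cd_start + 4] == CDIR_SIG):
                hits.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return hits

def has_hidden_archive(data: bytes) -> bool:
    """More than one valid EOCD means a second archive was appended."""
    return len(find_eocd_records(data)) > 1

def names_seen_by_python(data: bytes) -> list:
    """Entries reported by Python's zipfile, which trusts the LAST EOCD record."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def make_zip(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a benign decoy, and the decoy with a second complete archive appended.
DECOY = make_zip("invoice.txt", b"Thanks for your order.")
DOUBLE_EOCD = DECOY + make_zip("invoice.txt.exe", b"constructed placeholder, not a real binary")
```

A gateway that only trusts the first EOCD sees the decoy's invoice.txt, while a consumer that trusts the last one sees the appended entry; flagging any attachment with more than one valid EOCD avoids having to guess which parser the endpoint will use.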

Skewing an Email’s HTML Code

Yet another mechanism for getting around SEGs is to reverse the text in the source code of a message and then render it forward in the email itself. This way, security filters may allow the message to get through because its raw HTML content doesn’t match any known phishing templates. Meanwhile, the email will be shown to the would-be victim in a perfectly readable form.

A particularly tricky strand of this ruse involves Cascading Style Sheets (CSS), the stylesheet language that controls how HTML documents are presented. Attackers misuse it to combine Latin and Arabic scripts in an email’s code. Since these scripts flow in different directions (left-to-right vs. right-to-left), this method facilitates text reversing.
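A defender-side normalization for the reversed-text trick, added here as an example and not taken from the article: it walks an email's HTML, reverses the text inside any element whose inline style forces right-to-left display, and compares keyword hits on the raw source against hits on the rendered-order text, which is what a filter needs to match. The sample HTML and phrase list are constructed, and the CSS combination `unicode-bidi: bidi-override; direction: rtl` is assumed as the mechanism that flips the text on display.

```python
from html.parser import HTMLParser

BLOCK_TAGS = {"p", "div", "br", "li", "tr", "td"}   # element boundaries that separate words
VOID_TAGS = {"br", "img", "hr"}                     # never opened on the element stack

class RenderedOrderText(HTMLParser):
    """Collect visible text in display order: runs inside an element styled
    unicode-bidi: bidi-override + direction: rtl are reversed back."""
    def __init__(self):
        super().__init__()
        self.parts, self.stack, self.override_spans = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")
        if tag in VOID_TAGS:
            return
        style = (dict(attrs).get("style") or "").lower()
        reverses = "bidi-override" in style and "rtl" in style
        self.override_spans += int(reverses)
        self.stack.append(reverses)            # True marks an element that flips its text

    def handle_endtag(self, tag):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.parts.append(data[::-1] if any(self.stack) else data)

PHISH_PHRASES = ("verify your account", "has been suspended", "password")

def analyse(html: str) -> dict:
    # Keyword hits on the raw source versus hits on what the recipient actually reads.
    parser = RenderedOrderText()
    parser.feed(html)
    parser.close()
    rendered = " ".join("".join(parser.parts).split())
    return {"rendered_text": rendered,
            "bidi_override_spans": parser.override_spans,
            "raw_hits": [p for p in PHISH_PHRASES if p in html.lower()],
            "rendered_hits": [p for p in PHISH_PHRASES if p in rendered.lower()]}

# Constructed sample: the source stores two phrases backwards and lets CSS flip them on display.
SAMPLE_HTML = (
    "<p>Dear customer,</p><p>"
    '<span style="unicode-bidi: bidi-override; direction: rtl;">dednepsus neeb sah tnuocca ruoY</span>'
    '. Please <span style="unicode-bidi:bidi-override;direction:rtl">tnuocca ruoy yfirev</span> now.</p>'
)
```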

Vigilance is Key

While email filters are indispensable for protecting inboxes, they aren’t foolproof. Phishing schemes are constantly evolving, and some shadowy messages will slip through. The onus is ultimately on you, the recipient, to avoid being fooled. You can significantly reduce the risks by understanding the common phishing attempts and treating any email with a healthy dose of skepticism.
