What is the Vulnerability?The Versa Director GUI contains a zero-day dangerous file type upload vulnerability (CVE-2024-39717) that allows attackers to upload potentially malicious files, granting them system administrator access. This flaw effects the “Change Favicon” (Favorite Icon) option that can be misused to upload a malicious file ending with .png extension to masquerade as an image file. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-39717 to its “Known Exploited Vulnerabilities” list.What is the recommended Mitigation?Versa Networks has released a patch to address this vulnerability and has mentioned in their advisory that the vulnerability has already been exploited by an Advanced Persistent Threat actor.What FortiGuard Coverage is available?FortiGuard Labs recommends users to apply the patches released by the vendor to secure their systems and follow their system hardening guidelines.FortiGuard Labs has blocked known malware used in campaign related to the Versa Director Dangerous File Type Upload Vulnerability. Java/CVE_2024_39717.A!exploitThe FortiGuard Incident Response team can be engaged to help with any suspected compromise.FortiGuard Labs is further investigating to provide protections and will update this Threat Signal Report with more information once it becomes available.
Monthly Archives: August 2024
Re: [SYSS-2024-038] DiCal-RED – Use of Password Hash Instead of Password for Authentication
Posted by J. Hellenthal via Fulldisclosure on Aug 27
Correct me if I’m wrong but I believe he is trying to relay that “on the backend” where the password hashes are
stored…. if accessed by those with admin access or a bad actor if you will gives them the immediate ability to access
every account without needing to decrypt the passwords.
This is a very bad practice.
USN-6981-1: Drupal vulnerabilities
It was discovered that Drupal incorrectly sanitized uploaded filenames. A
remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A
remote attacker could possibly use this issue to overwrite arbitrary files,
or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
The AI Fix #13: ChatGPT runs for mayor, and should we stop killer robots?
In episode 13 of “The AI Fix””, meat avatar Cluley learns that AI doesn’t pose an existential threat to humanity and tells meat avatar Stockley how cybersex is about to get very, very weird. Our hosts also learn that men lie on their dating profiles, hear ChatGPT steal somebody’s voice, and discover an AI that rick rolls its users.
Graham tells Mark about AI’s political ambitions and discovers what ChatGPT has in common with the reluctant ruler of the universe, while Mark introduces Graham to the Campaign to Stop Killer Robots.
All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.
Microsoft 365 Copilot Vulnerability Exposes User Data Risks
The flaw in Microsoft 365 Copilot allowed data theft using ASCII smuggling and prompt injection
MOVEit Hack Exposed Personal Data of Half Million TDECU Users
The Texas Dow Employees Credit Union told the Maine Attorney General the MOVEit data breach compromised information of over 500,000 members
New 0-Day Attacks Linked to China’s ‘Volt Typhoon’
Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and IT service providers. Researchers believe the activity is linked to Volt Typhoon, a Chinese cyber espionage group focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China.
Versa Director systems are primarily used by Internet service providers (ISPs), as well as managed service providers (MSPs) that cater to the IT needs of many small to mid-sized businesses simultaneously. In a security advisory published Aug. 26, Versa urged customers to deploy a patch for the vulnerability (CVE-2024-39717), which the company said is fixed in Versa Director 22.1.4 or later.
Versa said the weakness allows attackers to upload a file of their choosing to vulnerable systems. The advisory placed much of the blame on Versa customers who “failed to implement system hardening and firewall guidelines…leaving a management port exposed on the internet that provided the threat actors with initial access.”
Versa’s advisory doesn’t say how it learned of the zero-day flaw, but its vulnerability listing at mitre.org acknowledges “there are reports of others based on backbone telemetry observations of a 3rd party provider, however these are unconfirmed to date.”
Those third-party reports came in late June 2024 from Michael Horka, senior lead information security engineer at Black Lotus Labs, the security research arm of Lumen Technologies, which operates one of the global Internet’s largest backbones.
In an interview with KrebsOnSecurity, Horka said Black Lotus Labs identified a web-based backdoor on Versa Director systems belonging to four U.S. victims and one non-U.S. victim in the ISP and MSP sectors, with the earliest known exploit activity occurring at a U.S. ISP on June 12, 2024.
“This makes Versa Director a lucrative target for advanced persistent threat (APT) actors who would want to view or control network infrastructure at scale, or pivot into additional (or downstream) networks of interest,” Horka wrote in a blog post published today.
Black Lotus Labs said it assessed with “medium” confidence that Volt Typhoon was responsible for the compromises, noting the intrusions bear the hallmarks of the Chinese state-sponsored espionage group — including zero-day attacks targeting IT infrastructure providers, and Java-based backdoors that run in memory only.
In May 2023, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity Infrastructure Security Agency (CISA) issued a joint warning (PDF) about Volt Typhoon, also known as “Bronze Silhouette” and “Insidious Taurus,” which described how the group uses small office/home office (SOHO) network devices to hide their activity.
In early December 2023, Black Lotus Labs published its findings on “KV-botnet,” thousands of compromised SOHO routers that were chained together to form a covert data transfer network supporting various Chinese state-sponsored hacking groups, including Volt Typhoon.
In January 2024, the U.S. Department of Justice disclosed the FBI had executed a court-authorized takedown of the KV-botnet shortly before Black Lotus Labs released its December report.
In February 2024, CISA again joined the FBI and NSA in warning Volt Typhoon had compromised the IT environments of multiple critical infrastructure organizations — primarily in communications, energy, transportation systems, and water and wastewater sectors — in the continental and non-continental United States and its territories, including Guam.
“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT [operational technology] assets to disrupt functions,” that alert warned.
In a speech at Vanderbilt University in April, FBI Director Christopher Wray said China is developing the “ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” and that China’s plan is to “land blows against civilian infrastructure to try to induce panic.”
Ryan English, an information security engineer at Lumen, said it’s disappointing his employer didn’t at least garner an honorable mention in Versa’s security advisory. But he said he’s glad there are now a lot fewer Versa systems exposed to this attack.
“Lumen has for the last nine weeks been very intimate with their leadership with the goal in mind of helping them mitigate this,” English said. “We’ve given them everything we could along the way, so it kind of sucks being referenced just as a third party.”
FBI Flawed Data Handling Raises Security Concerns
A US Justice Department watchdog has found “significant weaknesses” in the FBI’s physical and online media storage and disposal processes
Suspected Cyber-Attack Causes Travel Chaos at Seattle Airport
The Port of Seattle revealed system outages at the city’s airport may have been caused by a cyber-attack, affecting early Labor Day travel
The Present and Future of TV Surveillance
Ars Technica has a good article on what’s happening in the world of television surveillance. More than even I realized.