Cyber Security News — Past 24 hours | 25.05.2021

New High-Severity Vulnerability Reported in Pulse Connect Secure VPN

Ivanti, the company behind Pulse Secure VPN appliances, has published a security advisory for a high severity vulnerability that may allow an authenticated remote attacker to execute arbitrary code with elevated privileges. «Buffer Overflow in Windows File Resource Profiles in 9. X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,» the company said in an alert published on May 14. Pulse Secure customers are recommended to upgrade to PCS Server version 9.1R.

In the interim, Ivanti has published a workaround file that can be imported to disable the Windows File Share Browser feature by adding the vulnerable URL endpoints to a blocklist and thus activate necessary mitigations to protect against this vulnerability. While Ivanti has recommended turning off Windows File Browser on the Admin UI by disabling the option ‘Files, Window ‘ for specific user roles, CERT/CC found the steps were inadequate to protect against the flaw during its testing. «The vulnerable CGI endpoints are still reachable in ways that will trigger the ‘smbclt’ application to crash, regardless of whether the ‘Files, Windows’ user role is enabled or not,» it noted. «An attacker would need a valid DSID and ‘xsauth’ value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy».

The disclosure of a new flaw arrives weeks after the Utah-based IT software company patched multiple critical security vulnerabilities in Pulse Connect Secure products, including CVE-2021–22893, CVE-2021–22894, CVE-2021–22899, and CVE-2021–22900, the first of which was found to be actively exploited in the wild by at least two different threat actors.

Source — https://thehackernews.com/2021/05/new-high-severity-vulnerability.html

Researchers Link CryptoCore Attacks On Cryptocurrency Exchanges to North Korea

Since emerging on the scene in 2009, Hidden Cobra actors have used their offensive cyber capabilities to carry out espionage and cyber cryptocurrency heists against businesses and critical infrastructure. In recent years, Lazarus Group has further expanded its attacks to target the defense and aerospace industries. The group is said to have stolen an estimated $200 million, according to a ClearSky report published in June 2020, which linked CryptoCore to five victims located in the U. In addition, ClearSky said it reaffirmed the attribution by comparing the malware deployed in the CryptoCore campaign to other Lazarus campaigns and found strong similarities. «This group has successfully hacked into numerous companies and organizations around the world for many years,» ClearSky researchers said.

Source — https://thehackernews.com/2021/05/researchers-link-cryptocore-attacks-on.html

Apple‌ Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS

Apple on Monday rolled out security updates for iOS, macOS, tvOS, watchOS, and Safari web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur and expand patches for two previously disclosed zero-day flaws. Tracked as CVE-2021–30713, the zero-day concerns a permissions issue in Apple’s Transparency, Consent, and Control framework in macOS that maintains a database of each user’s consents. The iPhone maker acknowledged that the issue may have been exploited in the wild but stopped short of sharing specifics. Specifically, the malware checked for screen capture permissions from a list of installed applications, such as Zoom, Discord, WhatsApp, Slack, TeamViewer, Upwork, Skype, and Parallels Desktop, to inject the malware into the app’s folder, thereby inheriting the necessary permissions required to carry out its nefarious tasks.

«By leveraging an installed application with the proper permissions set, the attacker can piggyback off that donor app when creating a malicious app to execute on victim devices, without prompting for user approval,» the researchers noted. XCSSET was also the subject of closer scrutiny last month after a new variant of the malware was detected targeting Macs running on Apple’s new M1 chips to steal wallet information from cryptocurrency apps. Users of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the flaws.

Source — https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html

New Bluetooth Flaws Let Attackers Impersonate Legitimate Devices

Adversaries could exploit newly discovered security weaknesses in Bluetooth Core and Mesh Profile Specifications to masquerade as legitimate devices and carry out man-in-the-middle attacks.
«Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing,» the Carnegie Mellon CERT Coordination Center said in an advisory published Monday.
The two Bluetooth specifications define the standard that allows for many-to-many communication over the short-range wireless technology to facilitate data transfer between devices in an ad-hoc network.
The Bluetooth Impersonation AttackS, aka BIAS, enable a malicious actor to establish a secure connection with a victim, without having to know and authenticate the long-term key shared between the victims, thus effectively bypassing Bluetooth’s authentication mechanism.

«Our attacks work even when the victims are using Bluetooth’s strongest security modes, e.g., SSP and Secure Connections. Our attacks target the standardized Bluetooth authentication procedure, and are therefore effective against any standard compliant Bluetooth device,» the researchers said.
The Android Open Source Project , Cisco, Cradlepoint, Intel, Microchip Technology, and Red Hat are among the identified vendors with products impacted by these security flaws.

Source — https://thehackernews.com/2021/05/new-bluetooth-flaws-let-attackers.html

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT