#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

network security | Breaking Cybersecurity News | The Hacker News

Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software

Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software

Mar 14, 2024 Vulnerability / Network Security
Fortinet has warned of a critical security flaw impacting its FortiClientEMS software that could allow attackers to achieve code execution on affected systems. "An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests," the company  said  in an advisory. The vulnerability, tracked as CVE-2023-48788, carries a CVSS rating of 9.3 out of a maximum of 10. It impacts the following versions - FortiClientEMS 7.2.0 through 7.2.2 (Upgrade to 7.2.3 or above) FortiClientEMS 7.0.1 through 7.0.10 (Upgrade to 7.0.11 or above) Horizon3.ai, which  plans  to release additional technical details and a proof-of-concept (PoC) exploit next week, said the shortcoming could be exploited to obtain remote code execution as SYSTEM on the server. Fortinet has credited Thiago Santana from the Forticlient
Cisco Issues Patch for High-Severity VPN Hijacking Bug in Secure Client

Cisco Issues Patch for High-Severity VPN Hijacking Bug in Secure Client

Mar 08, 2024 Network Security / Vulnerability
Cisco has released patches to address a high-severity security flaw impacting its Secure Client software that could be exploited by a threat actor to open a VPN session with that of a targeted user. The networking equipment company described the vulnerability, tracked as CVE-2024-20337 (CVSS score: 8.2), as allowing an unauthenticated, remote attacker to conduct a carriage return line feed ( CRLF ) injection attack against a user. Arising as a result of insufficient validation of user-supplied input, a threat actor could leverage the flaw to trick a user into clicking on a specially crafted link while establishing a VPN session. "A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token," the company  said  in an advisory. "The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and servi
How to Find and Fix Risky Sharing in Google Drive

How to Find and Fix Risky Sharing in Google Drive

Mar 06, 2024Data Security / Cloud Security
Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn't anyone's fault; it's inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.  For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.  Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched  Data Protection for Google Drive  to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit. How Material Security helps organ
QEMU Emulator Exploited as Tunneling Tool to Breach Company Network

QEMU Emulator Exploited as Tunneling Tool to Breach Company Network

Mar 08, 2024 Endpoint Security / Network Security
Threat actors have been observed leveraging the  QEMU  open-source hardware emulator as tunneling software during a cyber attack targeting an unnamed "large company" to connect to their infrastructure. While a number of legitimate tunneling tools like Chisel, FRP, ligolo, ngrok, and Plink have been used by adversaries to their advantage, the development marks the first QEMU that has been used for this purpose. "We found that QEMU supported connections between virtual machines: the -netdev option creates network devices (backend) that can then connect to the virtual machines," Kaspersky researchers Grigory Sablin, Alexander Rodchenko, and Kirill Magaskin  said . "Each of the numerous network devices is defined by its type and supports extra options." In other words, the idea is to create a virtual network interface and a socket-type network interface, thereby allowing the virtual machine to communicate with any remote server. The Russian cybersecurit
cyber security

Uncover Critical Gaps in 7 Core Areas of Your Cybersecurity Program

websiteArmor PointCyber Security / Assessment
Turn potential vulnerabilities into strengths. Start evaluating your defenses today. Download the Checklist.
Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware

Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware

Mar 07, 2024 Malware / Network Security
Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023. "The threat actor is distributing Remote Access Trojans (RATs) including  SpyNote RAT  for Android platforms, and  NjRAT  and  DCRat  for Windows systems," Zscaler ThreatLabz researchers  said . The spoofed sites are in Russian and are hosted on domains that closely resemble their legitimate counterparts, indicating that the attackers are using typosquatting tricks to lure prospective victims into downloading the malware. They also come with options to download the app for Android, iOS, and Windows platforms. While clicking on the button for Android downloads an APK file, clicking on the Windows app button triggers the download of a batch script. The malicious batch script is responsible for executing a PowerShell script, which, in turn, downloads and exec
Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes

Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes

Mar 05, 2024 Email Security / Network Security
The threat actor known as  TA577  has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager ( NTLM ) hashes. The new attack chain "can be used for sensitive information gathering purposes and to enable follow-on activity," enterprise security firm Proofpoint  said  in a Monday report. At least two campaigns taking advantage of this approach were observed on February 26 and 27, 2024, the company added. The phishing waves disseminated thousands of messages and targeted hundreds of organizations across the world. The messages themselves appeared as responses to previous emails, a known technique called thread hijacking, in a bid to increase the likelihood of the attacks' success. The ZIP attachments – which are the most common delivery mechanism – come with an HTML file that's designed to contact an actor-controlled Server Message Block (SMB) server. "TA577's objective is to capture NTLMv2 Challenge/Response pairs from the SMB s
Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers

Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers

Mar 05, 2024 Vulnerability / Network Security
A new pair of security vulnerabilities have been disclosed in JetBrains TeamCity On-Premises software that could be exploited by a threat actor to take control of affected systems. The flaws, tracked as CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3), have been addressed in version 2023.11.4. They impact all TeamCity On-Premises versions through 2023.11.3. "The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server," JetBrains  said  in an advisory released Monday. TeamCity Cloud instances have already been patched against the two flaws. Cybersecurity firm Rapid7, which discovered and reported the issues on February 20, 2024, said CVE-2024-27198 is a case of authentication bypass that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker. "Compromising a TeamCity server allows an attacker fu
GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks

GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks

Feb 29, 2024 Linux / Network Security
Threat hunters have discovered a new Linux malware called  GTPDOOR  that's designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges ( GRX ) The  malware  is novel in the fact that it leverages the GPRS Tunnelling Protocol ( GTP ) for command-and-control (C2) communications. GPRS roaming allows subscribers to access their GPRS services while they are beyond the reach of their home mobile network. This is facilitated by means of a GRX that transports the roaming traffic using GTP between the visited and the home Public Land Mobile Network ( PLMN ). Security researcher haxrob, who discovered two  GTPDOOR   artifacts  uploaded to VirusTotal from China and Italy, said the backdoor is likely linked to a known threat actor tracked as  LightBasin  (aka UNC1945), which was previously disclosed by CrowdStrike in October 2021 in connection with a series of attacks targeting the telecom sector to steal subscriber information and call metadata. "When run, the f
Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub

Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub

Feb 27, 2024 Malware / Network Security
An "intricately designed" remote access trojan (RAT) called  Xeno RAT  has been made available on GitHub, making it easily accessible to other actors at no extra cost. Written in C# and compatible with Windows 10 and Windows 11 operating systems, the open-source RAT comes with a "comprehensive set of features for remote system management," according to its developer, who goes by the name moom825. It includes a SOCKS5 reverse proxy and the ability to record real-time audio, as well as incorporate a hidden virtual network computing ( hVNC ) module along the lines of  DarkVNC , which allows attackers to gain remote access to an infected computer. "Xeno RAT is developed entirely from scratch, ensuring a unique and tailored approach to remote access tools," the developer  states  in the project description. Another notable aspect is that it has a builder that enables the creation of bespoke variants of the malware.  It's worth noting that moom825 is a
Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks

Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks

Feb 22, 2024 Network Security / Penetration Testing
A recently open-sourced network mapping tool called  SSH-Snake  has been repurposed by threat actors to conduct malicious activities. "SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network," Sysdig researcher Miguel Hernández  said . "The worm automatically searches through known credential locations and shell history files to determine its next move." SSH-Snake was first released on GitHub in early January 2024, and is described by its developer as a "powerful tool" to carry out  automatic network traversal  using SSH private keys discovered on systems. In doing so, it creates a comprehensive map of a network and its dependencies, helping determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host. It also supports  resolution of domains  which have multiple IPv4 addresses. "It's comp
New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers

New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers

Feb 21, 2024 Network Security / Vulnerability
Cybersecurity researchers have identified two authentication bypass flaws in open-source Wi-Fi software found in Android, Linux, and ChromeOS devices that could trick users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password. The vulnerabilities, tracked as CVE-2023-52160 and CVE-2023-52161, have been discovered following a security evaluation of  wpa_supplicant  and Intel's iNet Wireless Daemon ( IWD ), respectively. The flaws "allow attackers to trick victims into connecting to malicious clones of trusted networks and intercept their traffic, and join otherwise secure networks without needing the password," Top10VPN  said  in a new research conducted in collaboration with Mathy Vanhoef, who has previously uncovered Wi-Fi attacks like  KRACK ,  DragonBlood , and  TunnelCrack . CVE-2023-52161, in particular, permits an adversary to gain unauthorized access to a protected Wi-Fi network, exposing exis
Critical Flaws Found in ConnectWise ScreenConnect Software - Patch Now

Critical Flaws Found in ConnectWise ScreenConnect Software - Patch Now

Feb 20, 2024 Vulnerability / Network Security
ConnectWise has released software updates to address two security flaws in its ScreenConnect remote desktop and access software, including a critical bug that could enable remote code execution on affected systems. The vulnerabilities are listed below - CVE-2024-1708 (CVSS score: 8.4) - Improper limitation of a pathname to a restricted directory aka "path traversal" CVE-2024-1709 (CVSS score: 10.0) - Authentication bypass using an alternate path or channel The company deemed the severity of the issues as critical, citing they "could allow the ability to execute remote code or directly impact confidential data or critical systems." Both the vulnerabilities impact ScreenConnect versions 23.9.7 and prior, with fixes available in version 23.9.8. The flaws were reported to the company on February 13, 2024. While there is no evidence that the shortcomings have been exploited in the wild, users who are running self-hosted or on-premise versions are recommended
Malicious 'SNS Sender' Script Abuses AWS for Bulk Smishing Attacks

Malicious 'SNS Sender' Script Abuses AWS for Bulk Smishing Attacks

Feb 16, 2024 Cyber Threat / Cloud Security
A malicious Python script known as  SNS Sender  is being advertised as a way for threat actors to send bulk smishing messages by abusing Amazon Web Services (AWS) Simple Notification Service ( SNS ). The SMS phishing messages are designed to propagate malicious links that are designed to capture victims' personally identifiable information (PII) and payment card details, SentinelOne  said  in a new report, attributing it to a threat actor named ARDUINO_DAS. "The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery," security researcher Alex Delamotte said. SNS Sender is also the first tool observed in the wild that leverages AWS SNS to conduct SMS spamming attacks. SentinelOne said that it identified links between ARDUINO_DAS and more than 150 phishing kits offered for sale. The malware requires a list of phishing links stored in a file named links.txt in its working directory, in addition t
U.S. Government Disrupts Russia-Linked Botnet Engaged in Cyber Espionage

U.S. Government Disrupts Russia-Linked Botnet Engaged in Cyber Espionage

Feb 16, 2024 Botnet / Network Security
The U.S. government on Thursday said it disrupted a botnet comprising hundreds of small office and home office (SOHO) routers in the country that was put to use by the Russia-linked APT28 actor to conceal its malicious activities. "These crimes included vast spear-phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations," the U.S. Department of Justice (DoJ)  said  in a statement. APT28 , also tracked under the monikers BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422, is  assessed  to be linked to Unit 26165 of Russia's Main Directorate of the General Staff (GRU). It's known to be active since at least 2007. Court documents allege that the attackers pulled off their cyber espionage campaigns by relying on  MooBot , a Mirai
Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days

Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days

Feb 14, 2024 Patch Tuesday / Vulnerability
Microsoft has released patches to address  73 security flaws  spanning its software lineup as part of its Patch Tuesday updates for February 2024, including two zero-days that have come under active exploitation. Of the 73 vulnerabilities, 5 are rated Critical, 65 are rated Important, and three and rated Moderate in severity. This is in addition to  24 flaws  that have been fixed in the Chromium-based Edge browser since the release of the January 2024 Patch Tuesday updates . The two flaws that are listed as under active attack at the time of release are below - CVE-2024-21351  (CVSS score: 7.6) - Windows SmartScreen Security Feature Bypass Vulnerability CVE-2024-21412  (CVSS score: 8.1) - Internet Shortcut Files Security Feature Bypass Vulnerability "The vulnerability allows a malicious actor to inject code into  SmartScreen  and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both," Microsoft said a
Why Are Compromised Identities the Nightmare to IR Speed and Efficiency?

Why Are Compromised Identities the Nightmare to IR Speed and Efficiency?

Feb 12, 2024 Threat Intelligence / Cyber Resilience
Incident response (IR) is a race against time. You engage your internal or external team because there's enough evidence that something bad is happening, but you're still blind to the scope, the impact, and the root cause. The common set of IR tools and practices provides IR teams with the ability to discover malicious files and outbound network connections. However, the identity aspect - namely the pinpointing of compromised user accounts that were used to spread in your network - unfortunately remains unattended. This task proves to be the most time-consuming for IR teams and has become a challenging uphill battle that enables attackers to earn precious time in which they can still inflict damage.  In this article, we analyze the root cause of the identity of IR blind spots and provide sample IR scenarios in which it acts as an inhibitor to a rapid and efficient process. We then introduce Silverfort's Unified Identity Protection Platform and show how its real-time MFA and ident
Cybersecurity Resources