The Hacker News - Cybersecurity News and Analysis: Vulnerability

Microsoft on Wednesday disclosed details of a new security vulnerability in SolarWinds Serv-U software that it said was being weaponized by threat actors to propagate attacks leveraging the Log4j flaws to compromise targets. Tracked as  CVE-2021-35247  (CVSS score: 5.3), the issue is an "input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation," Microsoft Threat Intelligence Center (MSTIC)  said . The flaw, which was discovered by security researcher Jonathan Bar Or, affects Serv-U versions 15.2.5 and prior, and has been addressed in Serv-U version 15.3. "The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized," SolarWinds  said  in an advisory, adding it "updated the input mechanism to perform additional validation and sanitization." The IT management software maker also pointed out that "no downstre

Enterprise software maker Zoho on Monday issued patches for a critical security vulnerability in Desktop Central and Desktop Central MSP that a remote adversary could exploit to perform unauthorized actions in affected servers. Tracked as  CVE-2021-44757 , the shortcoming concerns an instance of authentication bypass that "may allow an attacker to read unauthorized data or write an arbitrary zip file on the server," the company  noted  in an advisory. Osword from SGLAB of Legendsec at Qi'anxin Group has been credited with discovering and reporting the vulnerability. The Indian firm said it remediated the issue in build version 10.1.2137.9. With the latest fix, Zoho has addressed a total of four vulnerabilities over the past five months — CVE-2021-40539  (CVSS score: 9.8) – Authentication bypass vulnerability affecting Zoho ManageEngine ADSelfService Plus CVE-2021-44077  (CVSS score: 9.8) – Unauthenticated remote code execution vulnerability affecting Zoho ManageEn

An Iranian state-sponsored actor has been observed scanning and attempting to abuse the Log4Shell flaw in publicly-exposed Java applications to deploy a hitherto undocumented PowerShell-based modular backdoor dubbed " CharmPower " for follow-on post-exploitation. "The actor's attack setup was obviously rushed, as they used the basic open-source tool for the exploitation and based their operations on previous infrastructure, which made the attack easier to detect and attribute," researchers from Check Point  said  in a report published this week. The Israeli cybersecurity company linked the attack to a group known as  APT35 , which is also tracked using the codenames Charming Kitten, Phosphorus, and TA453, citing overlaps with toolsets previously identified as infrastructure used by the threat actor. Log4Shell  aka CVE-2021-44228 (CVSS score: 10.0) concerns a critical security vulnerability in the popular Log4j logging library that, if successfully exploite

Apple on Wednesday rolled out software updates for iOS and iPadOS to remediate a persistent  denial-of-service (DoS) issue  affecting the HomeKit smart home framework that could be potentially exploited to launch ransomware-like attacks targeting the devices. The iPhone maker, in its  release notes  for iOS and iPadOS 15.2.1, termed it as a "resource exhaustion issue" that could be triggered when processing a maliciously crafted HomeKit accessory name, adding it addressed the bug with improved validation. The so-called "doorLock" vulnerability, tracked as CVE-2022-22588, affects HomeKit, the software API for connecting smart home devices to iOS applications. Should it be successfully exploited, iPhones and iPads can be sent into a crash spiral simply by changing the name of a HomeKit device to a string larger than 500,000 characters and tricking the target into accepting a malicious Home invitation. Even worse, since HomeKit device names are backed up to iClou

Microsoft is warning of continuing attempts by nation-state adversaries and commodity attackers to take advantage of  security vulnerabilities  uncovered in the Log4j open-source logging framework to deploy malware on vulnerable systems. "Exploitation attempts and testing have remained high during the last weeks of December," Microsoft Threat Intelligence Center (MSTIC)  said  in revised guidance published earlier this week. "We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks." Publicly disclosed by the Apache Software Foundation on December 10, 2021, the remote code execution (RCE) vulnerability in Apache Log4j 2, aka  Log4Shell , has emerged as a new attack vector for  widespread exploitation  by a variety of threat actors. In the subsequent weeks, four more weaknesses in the utility have come to light —  CVE-2021-45046 ,  CVE-2021-45105 , 

The Apache Software Foundation (ASF) on Tuesday rolled out fresh patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems, making it the fifth security shortcoming to be discovered in the tool in the span of a month. Tracked as  CVE-2021-44832 , the vulnerability is rated 6.6 in severity on a scale of 10 and impacts all versions of the logging library from 2.0-alpha7 to 2.17.0 with the exception of 2.3.2 and 2.12.4. While Log4j versions 1.x are not affected, users are recommended to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later). "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JND

Microsoft said it won't be fixing or is pushing patches to a later date for three of the four security flaws uncovered in its Teams business communication platform earlier this March. The disclosure comes from Berlin-based cybersecurity firm Positive Security, which  found  that the implementation of the link preview feature was susceptible to a number of issues that could "allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address, and DoS'ing their Teams app/channels." Of the four vulnerabilities, Microsoft is said to have addressed only one that results in IP address leakage from Android devices, with the tech giant noting that a fix for the denial-of-service (DoS) flaw will be considered in a future version of the product. The issues were responsibly disclosed to the company on March 10, 2021. Chief among the flaws is a server-side request forgery ( SSRF ) vulnerability in the endpoint "/urlp

China's internet regulator, the Ministry of Industry and Information Technology (MIIT), has temporarily suspended a partnership with Alibaba Cloud, the cloud computing subsidiary of e-commerce giant Alibaba Group, for six months on account of the fact that it failed to promptly inform the government about a critical security vulnerability affecting the broadly used Log4j logging library. The development was disclosed by  Reuters  and  South China Morning Post , citing a report from 21st Century Business Herald, a Chinese business-news daily newspaper. "Alibaba Cloud did not immediately report vulnerabilities in the popular, open-source logging framework Apache Log4j2 to China's telecommunications regulator," Reuters said. "In response, MIIT suspended a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms." Tracked as  CVE-2021-44228  (CVSS score: 10.0) and codenamed  Log4Shell  or LogJam, the cat

Cybersecurity researchers have discovered an entirely new attack vector that enables adversaries to exploit the Log4Shell vulnerability on servers locally by using a JavaScript WebSocket connection. "This newly-discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability," Matthew Warner, CTO of Blumira,  said . "At this point, there is no proof of active exploitation. This vector significantly expands the attack surface and can impact services even running as localhost which were not exposed to any network." WebSockets  allow for two-way communications between a web browser (or other client application) and a server, unlike HTTP, which is unidirectional where the client sends the request and the server sends the response. While the issue can be resolved by updating all local development and internet-facing environments to Log4j 2.16.0, Apache o

The issues with Log4j continued to stack up as the Apache Software Foundation (ASF) on Friday rolled out yet another patch — version 2.17.0 — for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service (DoS) attack. Tracked as  CVE-2021-45105  (CVSS score: 7.5), the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution ( CVE-2021-45046 ), which, in turn, stemmed from an "incomplete" fix for  CVE-2021-44228 , otherwise called the Log4Shell vulnerability. "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups," the ASF  explained  in a revised advisory. "When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control o

Romanian cybersecurity technology company Bitdefender on Monday revealed that attempts are being made to target Windows machines with a novel ransomware family called  Khonsari  as well as a remote access Trojan named  Orcus  by exploiting the recently disclosed critical Log4j vulnerability . The attack leverages the remote code execution (RCE) flaw to download an additional payload, a .NET binary, from a remote server that encrypts all the files with the extension ".khonsari" and displays a ransom note that urges the victims to make a Bitcoin payment in exchange for recovering access to the files. Tracked as CVE-2021-44228 , the RCE vulnerability is also known by the monikers "Log4Shell" or "Logjam" and impacts versions 2.0-beta9 to 2.14.1 of the software library. In simple terms, the bug could force an affected system to download malicious software, giving the attackers a digital beachhead on servers located within corporate networks. Log4j is an op

Apple on Monday released updates to  iOS ,  macOS ,  tvOS , and  watchOS  with security patches for multiple vulnerabilities, including a remote jailbreak exploit chain as well as a number of critical issues in the Kernel and Safari web browser that were first demonstrated at the Tianfu Cup held in China two months ago. Tracked as CVE-2021-30955, the issue could have enabled a malicious application to execute arbitrary code with kernel privileges. Apple said it addressed the race condition bug with "improved state handling." The flaw also impacts macOS devices. "The kernel bug CVE-2021-30955 is the one we tried [to] use to build our remote jailbreak chain but failed to complete on time," Kunlun Lab's chief executive, @mj0011sec,  said  in a tweet. A set of similar kernel vulnerabilities were eventually harnessed by the Pangu Team at the  Tianfu hacking contest  to break into an iPhone13 Pro running iOS 15, a feat that netted the white hat hackers $330,000 in

Google has rolled out fixes for five security vulnerabilities in its Chrome web browser, including one which it says is being exploited in the wild, making it the  17th such weakness  to be disclosed since the start of the year. Tracked as  CVE-2021-4102 , the flaw relates to a  use-after-free bug  in the V8 JavaScript and WebAssembly engine, which could have severe consequences ranging from corruption of valid data to the execution of arbitrary code. An anonymous researcher has been credited with discovering and reporting the flaw. As it stands, it's not known how the weakness is being abused in real-world attacks, but the internet giant issued a terse statement that said, "it's aware of reports that an exploit for CVE-2021-4102 exists in the wild." This is done so in an attempt to ensure that a majority of users are updated with a fix and prevent further exploitation by other threat actors. CVE-2021-4102 is the second use-after-free vulnerability in V8 the comp

Threat actors are actively weaponizing unpatched servers affected by the newly identified " Log4Shell " vulnerability in Log4j to install cryptocurrency miners, Cobalt Strike, and recruit the devices into a botnet, even as telemetry signs point to exploitation of the flaw nine days before it even came to light. Netlab, the networking security division of Chinese tech giant Qihoo 360,  disclosed  threats such as  Mirai  and  Muhstik  (aka Tsunami) are setting their sights on vulnerable systems to spread the infection and grow its computing power to orchestrate distributed denial-of-service (DDoS) attacks with the goal of overwhelming a target and rendering it unusable. Muhstik was previously spotted exploiting a critical security flaw in Atlassian Confluence ( CVE-2021-26084 , CVSS score: 9.8) earlier this September. The latest development comes as it has emerged that the vulnerability has been under attack for at least more than a week prior to its public disclosure on D

The Apache Software Foundation has released fixes to contain an  actively   exploited  zero-day vulnerability affecting the widely-used Apache Log4j Java-based logging library that could be weaponized to execute malicious code and allow a complete takeover of vulnerable systems. Tracked as  CVE-2021-44228  and by the monikers Log4Shell or LogJam, the issue concerns a case of unauthenticated, remote code execution (RCE) on any application that uses the open-source utility and affects versions Log4j 2.0-beta9 up to 2.14.1. The bug has scored a perfect 10 on 10 in the CVSS rating system, indicative of the severity of the issue. "An attacker who can control log messages or log message parameters can execute arbitrary code loaded from  LDAP  servers when message lookup substitution is enabled," the Apache Foundation  said  in an advisory. "From Log4j 2.15.0, this behavior has been disabled by default." Exploitation can be achieved by a single string of text, which c

Apple reportedly notified several U.S. Embassy and State Department employees that their iPhones may have been targeted by an unknown assailant using state-sponsored spyware created by the controversial Israeli company NSO Group, according to multiple reports from  Reuters  and  The Washington Post . At least 11 U.S. Embassy officials stationed in Uganda or focusing on issues pertaining to the country are said to have  singled out  using iPhones registered to their overseas phone numbers, although the identity of the threat actors behind the intrusions, or the nature of the information sought, remains unknown as yet. The attacks, which were carried out in the last several months, mark the first known time the sophisticated surveillance software has been put to use against U.S. government employees. NSO Group is the maker of Pegasus , military-grade spyware that allows its government clients to stealthily plunder files and photos, eavesdrop on conversations, and track the whereabou

Enterprise software provider Zoho on Friday warned that a newly patched critical flaw in its Desktop Central and Desktop Central MSP is being actively exploited by malicious actors, marking the third security vulnerability in its products to be abused in the wild in a span of four months. The issue, assigned the identifier  CVE-2021-44515 , is an authentication bypass vulnerability that could permit an adversary to circumvent authentication protections and execute arbitrary code in the Desktop Central MSP server. "If exploited, the attackers can gain unauthorized access to the product by sending a specially crafted request leading to remote code execution," Zoho  cautioned  in an  advisory . "As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible." The company has also made available an  Exploit Detection Tool  that will help customers identify sig

The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are warning of active exploitation of a newly patched flaw in Zoho's ManageEngine ServiceDesk Plus product to deploy web shells and carry out an array of malicious activities. Tracked as  CVE-2021-44077  (CVSS score: 9.8), the issue relates to an unauthenticated, remote code execution vulnerability affecting ServiceDesk Plus versions up to and including 11305 that, if left unfixed, "allows an attacker to upload executable files and place web shells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files," CISA  said . "A security misconfiguration in ServiceDesk Plus led to the vulnerability," Zoho  noted  in an independent advisory published on November 22. "This vulnerability can allow an adversary to execute arbitrary code