Vulnerability | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a novel attack that employs stolen cloud credentials to target cloud-hosted large language model (LLM) services with the goal of selling access to other threat actors. The attack technique has been codenamed  LLMjacking  by the Sysdig Threat Research Team. "Once initial access was obtained, they exfiltrated cloud credentials and gained access to the cloud environment, where they attempted to access local LLM models hosted by cloud providers," security researcher Alessandro Brucato  said . "In this instance, a local Claude (v2/v3) LLM model from Anthropic was targeted." The intrusion pathway used to pull off the scheme entails breaching a system running a vulnerable version of the Laravel Framework (e.g.,  CVE-2021-3129 ), followed by getting hold of Amazon Web Services (AWS) credentials to access the LLM services. Among the tools used is an  open-source Python script  that checks and validates keys for various offering

Two recently disclosed security flaws in Ivanti Connect Secure (ICS) devices are being exploited to deploy the infamous  Mirai botnet . That's according to  findings  from Juniper Threat Labs, which said the vulnerabilities  CVE-2023-46805 and CVE-2024-21887  have been leveraged to deliver the botnet payload. While CVE-2023-46805 is an authentication bypass flaw, CVE-2024-21887 is a command injection vulnerability, thereby allowing an attacker to chain the two into an exploit chain to execute arbitrary code and take over susceptible instances. In the attack chain observed by the network security company, CVE-2023-46805 is exploited to gain access to the "/api/v1/license/key-status/;" endpoint, which is vulnerable to command injection, and inject the payload. As  previously outlined  by Assetnote in their technical deep dive of the CVE-2024-21887, the exploit is triggered by means of a request to "/api/v1/totp/user-backup-code/" to deploy the malware. &quo

״Defenders think in lists, attackers think in graphs," said John Lambert from Microsoft, distilling the fundamental difference in mindset between those who defend IT systems and those who try to compromise them. The traditional approach for defenders is to list security gaps directly related to their assets in the network and eliminate as many as possible, starting with the most critical. Adversaries, in contrast, start with the end goal in mind and focus on charting the path toward a breach. They will generally look for the weakest link in the security chain to break in and progress the attack from there all the way to the crown jewels. Security teams must embrace the attacker's perspective to ensure their organization's cybersecurity defenses are adequate. Drawing an analogy to a daily life example, the standard way to defend our house from intrusion is to ensure all the doors are locked. But to validate that your house is protected requires testing your security like a burgla

There's a natural human desire to avoid threatening scenarios. The irony, of course, is if you hope to attain any semblance of security, you've got to remain prepared to confront those very same threats. As a decision-maker for your organization, you know this well. But no matter how many experts or trusted cybersecurity tools your organization has a standing guard, you're only as secure as your weakest link. There's still one group that can inadvertently open the gates to unwanted threat actors—your own people. Security must be second nature for your first line of defense For your organization to thrive, you need capable employees. After all, they're your source for great ideas, innovation, and ingenuity. However, they're also human. And humans are fallible. Hackers understand no one is perfect, and that's precisely what they seek to exploit. This is why your people must become your first line of defense against cyber threats. But to do so, they need to learn how to defend thems

A high-severity flaw impacting the LiteSpeed Cache plugin for WordPress is being actively exploited by threat actors to create rogue admin accounts on susceptible websites. The  findings  come from WPScan, which said that the vulnerability ( CVE-2023-40000 , CVSS score: 8.3) has been leveraged to set up bogus admin users with the names wpsupp‑user and wp‑configuser. CVE-2023-40000, which was  disclosed  by Patchstack in February 2024, is a stored cross-site scripting (XSS) vulnerability that could permit an unauthenticated user to elevate privileges by means of specially crafted HTTP requests. The flaw was addressed in October 2023 in version 5.7.0.1. It's worth noting that the latest version of the plugin is 6.2.0.1, which was  released  on April 25, 2024. LiteSpeed Cache has over 5 million active installations, with statistics showing that versions other than 5.7, 6.0, 6.1, and 6.2 are still active on 16.8% of all websites. According to the Automattic-owned company, the ma

The MITRE Corporation has offered more details into the recently disclosed cyber attack, stating that the first evidence of the intrusion now dates back to December 31, 2023. The attack, which  came to light last month , singled out MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE) through the exploitation of two Ivanti Connect Secure zero-day vulnerabilities tracked as CVE-2023–46805 and CVE-2024–21887, respectively. "The adversary maneuvered within the research network via VMware infrastructure using a compromised administrator account, then employed a combination of backdoors and web shells to maintain persistence and harvest credentials," MITRE  said . While the organization had previously disclosed that the attackers performed reconnaissance of its networks starting in January 2024, the latest technical deep dive puts the earliest signs of compromise in late December 2023, with the adversary dropping a Perl-based web shell calle

More than 50% of the 90,310 hosts have been found exposing a  Tinyproxy service  on the internet that's vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool. The issue, tracked as  CVE-2023-49606 , carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, the latter of which is the latest version. "A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution," Talos  said  in an advisory last week. "An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability." In other words, an unauthenticated threat actor could send a specially crafted  HTTP Connection header  to trigger memory corruption that can result in remote code execution. According to  data  shared by attack surface management company Censys, of the 90,310 hosts exp

Czechia and Germany on Friday revealed that they were the target of a long-term cyber espionage campaign conducted by the Russia-linked nation-state actor known as  APT28 , drawing condemnation from the European Union (E.U.), the North Atlantic Treaty Organization (NATO), the U.K., and the U.S. The Czech Republic's Ministry of Foreign Affairs (MFA), in a statement, said some unnamed entities in the country have been attacked using a security flaw in Microsoft Outlook that came to light early last year. "Cyber attacks targeting political entities, state institutions and critical infrastructure are not only a threat to national security, but also disrupt the democratic processes on which our free society is based," the MFA  said . The security flaw in question is  CVE-2023-23397 , a now-patched critical privilege escalation bug in Outlook that could allow an adversary to access Net-NTLMv2 hashes and then use them to authenticate themselves by means of a relay attack. G

HPE Aruba Networking (formerly Aruba Networks) has released security updates to address critical flaws impacting ArubaOS that could result in remote code execution (RCE) on affected systems. Of the  10 security defects , four are rated critical in severity - CVE-2024-26304  (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol CVE-2024-26305  (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol CVE-2024-33511  (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol CVE-2024-33512  (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol A threat actor could exploit the aforementioned buffer overflow bugs by sending specially crafted packets destined to the Process Application P

Several popular Android applications available in Google Play Store are susceptible to a path traversal-affiliated vulnerability codenamed the Dirty Stream attack that could be exploited by a malicious app to overwrite arbitrary files in the vulnerable app's home directory. "The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application's implementation," Dimitrios Valsamaras of the Microsoft Threat Intelligence team  said  in a report published Wednesday. Successful exploitation could allow an attacker to take full control of the application's behavior and leverage the stolen tokens to gain unauthorized access to the victim's online accounts and other data. Two of the apps that were found vulnerable to the problem are as follows - Xiaomi File Manager (com.mi. Android.globalFileexplorer) - Over 1 billion installs WPS Office (cn.wps.moffice_eng) - Over 500 million installs While Android implem

Like antivirus software, vulnerability scans rely on a database of known weaknesses. That's why websites like VirusTotal exist, to give cyber practitioners a chance to see whether a malware sample is detected by multiple virus scanning engines, but this concept hasn't existed in the vulnerability management space. The benefits of using multiple scanning engines Generally speaking, vulnerability scanners aim to produce checks for as many vulnerabilities as possible. However, the number of vulnerabilities discovered year on year is now so high, reaching nearly 30,000 a year, or 80 a day, that it's impossible for a single scanning engine to keep up with them all.  As a result, even the very best, industry-leading leading scanners will struggle to check for every known vulnerability out there, and often they will favour certain sets of software known to be used by their customers. For example,  Intruder's analysis  from early 2023 which compared Tenable's Nessus and OpenVAS showed si

A never-before-seen botnet called  Goldoon  has been observed targeting D-Link routers with a nearly decade-old critical security flaw with the goal of using the compromised devices for further attacks. The vulnerability in question is  CVE-2015-2051  (CVSS score: 9.8), which affects D-Link DIR-645 routers and allows remote attackers to  execute arbitrary commands  by means of specially crafted HTTP requests. "If a targeted device is compromised, attackers can gain complete control, enabling them to extract system information, establish communication with a C2 server, and then use these devices to launch further attacks, such as distributed denial-of-service (DDoS)," Fortinet FortiGuard Labs researchers Cara Lin and Vincent Li  said . Telemetry data from the network security company points to a spike in the botnet activity around April 9, 2024. It all starts with the exploitation of CVE-2015-2051 to retrieve a dropper script from a remote server, which is responsible for

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  added  a critical flaw impacting GitLab to its Known Exploited Vulnerabilities ( KEV ) catalog, owing to active exploitation in the wild. Tracked as  CVE-2023-7028  (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email address. GitLab, which disclosed details of the shortcoming earlier this January, said it was introduced as part of a code change in version 16.1.0 on May 1, 2023. "Within these versions, all authentication mechanisms are impacted," the company  noted  at the time. "Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login." Successful exploitation of the issue can have serious consequences as it not only enables an adversary to take control of a GitLab user account, b

Operational Technology (OT)  refers to the hardware and software used to change, monitor, or control the enterprise's physical devices, processes, and events. Unlike traditional Information Technology (IT) systems, OT systems directly impact the physical world. This unique characteristic of OT brings additional cybersecurity considerations not typically present in conventional IT security architectures. The convergence of IT and OT Historically, IT and Operational Technology (OT) have operated in separate silos, each with its own set of protocols, standards, and cybersecurity measures. However, these two domains are increasingly converging with the advent of the Industrial Internet of Things (IIoT). While beneficial in terms of increased efficiency and data-driven decision-making, this convergence also exposes OT systems to the same cyber threats that IT systems face. Unique Cybersecurity Considerations for OT Real-time requirements Operational Technology systems often opera

Multiple critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system. The three flaws, all critical in nature, allow an "adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine," Australian cybersecurity firm Tanto Security said in a report published today. Judge0 (pronounced "judge zero") is  described  by its maintainers as a "robust, scalable, and open-source online code execution system" that can be used to build applications that require online code execution features such as candidate assessment, e-learning, and online code editors and IDEs. According to its website, the service is used by 23 customers like AlgoDaily, CodeChum, and PYnative, among others. The project has been  forked 412 times on GitHub  to date. The flaws, discovered and reported by Daniel Cooper in March 2024, are l