Tag: Zero-day

Adobe Fixes Zero-Day Flash Player Vulnerability Used in APT Attack on Russia

Adobe has released an update for Flash Player that fixes a zero-day vulnerability that was used as part of an APT attack against Russia. This attack is being named “Operation Poison Needles” and targeted the Russian FSBI “Polyclinic #2” medical clinic.

According to research from Qihoo’s 360 Advanced Threat Response Team and Gigamon, on November 29, 2018 an attack was detected against Russia’s FSBI “Polyclinic #2” clinic. The site for this clinic indicates it provides medical and cosmetic services to the executive and higher-level employees of the Russian Federation.

Read more about the zero-day and the APT attack on BleepingComputer.

Hackers can exploit this bug in surveillance cameras to tamper with footage

Researchers have discovered a vulnerability in Nuuo surveillance cameras which can be exploited to hijack these devices and tamper with footage and live feeds. Cybersecurity firm Digital Defense said that its Vulnerability Research Team (VRT) had uncovered a zero-day vulnerability in Nuuo NVRmini 2 Network Video Recorder firmware, software used by hundreds of thousands of surveillance cameras worldwide.

The vulnerability is an unauthenticated remote buffer overflow security flaw which can be exploited by attackers to execute arbitrary code on the system with root privileges. Not only could threat actors harness the bug to access and modify camera feeds and recordings, but also to change the configuration and settings of cameras.

Read more about this zero-day vulnerability on ZDNet.

Researcher Drops Oracle VirtualBox Zero-Day

A researcher has disclosed the details of a zero-day vulnerability affecting Oracle’s VirtualBox virtualization software. The flaw appears serious as exploitation can allow a guest-to-host escape.

Russian researcher Sergey Zelenyuk discovered the security hole and he decided to make his findings public before giving Oracle the chance to release a patch due to his “disagreement with [the] contemporary state of infosec, especially of security research and bug bounty.” According to Zelenyuk, the vulnerability affects VirtualBox 5.2.20 and prior versions – 5.2.20 is the latest version – and it can be exploited on any host or guest operating system as the underlying bugs affect shared code.

Read more about the new VirtualBox zero-day on SecurityWeek.

Cisco zero-day exploited in the wild to crash and reload devices

The Cisco security team revealed earlier the existence of a zero-day vulnerability affecting products that run Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerability has been exploited in the wild, according to a security advisory published by the company. No patches are available at the time of writing.

Cisco says it discovered the vulnerability, and the active attacks, while its staff was answering a support case. The vulnerability, which Cisco is tracking as CVE-2018-15454, “could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition.”

Read more about the Cisco zero-day that has been exploited on ZDNet.

Magecart group leverages zero-days in 20 Magento extensions

Hackers are (ab)using unpatched zero-day vulnerabilities in approximately 20 Magento extensions to plant payment card skimmers on online stores, according to Dutch security expert Willem de Groot. The researcher has been tracking this recent campaign but has only identified two of the 20 extensions that hackers are targeting.

He’s now asking the wider infosec and web development community for help in identifying the other 18 extensions, so he can notify developers and have the zero-days fixed. The researcher has listed a series of URL paths through which hackers have been exploiting the zero-days to gain footholds on stores running the vulnerable extensions.

Read more about the research on the Magecart group on ZDNet.

Zero-day in popular jQuery plugin actively exploited for at least three years

For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers. The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan.

The plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.

Read more about the zero-day affecting the plugin used in hundreds, if not thousands, of projects on ZDNet.

Zero-days, fileless attacks are now the most dangerous threats to the enterprise

According to a study conducted by the Ponemon Institute and sponsored by Barkly, called the “2018 State of Endpoint Security Risk report,” nearly two-thirds of enterprise players have been compromised in the past 12 months by attacks which originated at endpoints, which the organization says is a 20 percent increase year-on-year. Such attacks can prove costly, with the average company enduring a cost of $7.12 million, or $440 per endpoint.

The report shows that zero-day vulnerabilities and fileless attacks are now deemed the most dangerous threats to the enterprise.

Read more about the findings of the new Ponemon study on ZDNet.

PowerPool Malware Uses Windows Zero-Day Posted on Twitter

There are several good reasons why you shouldn’t post zero-day exploits on social media. For starters, lurking attackers will snatch the code and leverage it in a malware campaign.

Such is the case with a Microsoft Windows zero-day bug shared on Twitter last week. The vulnerability affects the Advanced Local Procedure Call (ALPC) function within the Windows Task Manager in Windows 7 through Windows 10. Two days after the vulnerability and proof-of-concept were posted on Twitter and GitHub, respectively, ESET researchers identified the exploit in a campaign from the PowerPool threat group.

Read more about the new PowerPool malware campaign on DarkReading.

Microsoft Windows Zero-Day Found in Task Scheduler

A zero-day flaw recently disclosed in Microsoft’s Windows task scheduler could enable a bad actor to gain elevated privileges. The flaw, which was disclosed on Twitter, does not yet have a patch. The issue exists in the Advanced Local Procedure Call (ALPC) interface of Microsoft Windows task scheduler. Essentially, the API function of ALPC does not check permissions, so that any potential local bad actor can alter them.

“We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems,” according to a note issued by CERT. “Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code.”

Read more about the recently disclosed zero-day flaw on Threatpost.

New zero-day in Adobe Flash Player allows hackers to control your system

Adobe Flash Player is a has-been product, but there are still many users who rely on it for media, advertisements, graphics, and animations. Over the years, different bugs have been discovered in Adobe Flash Player, and they have led browser makers to abandon Flash Player in favor of other software.

If you’re still among those who use Flash Player, note that it is grappling with another zero-day bug. In a security advisory published on Thursday, Adobe disclosed a critical remote code execution vulnerability that exists in Adobe Flash Player 28.0.0.137 and earlier versions.

The vulnerability allows hackers and cybercriminals to gain complete control of your workstation, PC, or laptop. Adobe said that the vulnerability (CVE-2018-4878) is being exploited in the wild to deliver “limited, targeted attacks against Windows users,” allowing the attacker to take control of the system.

While Windows PCs are the primary target of the hackers, macOS, ChromeOS, and Linux users running v28.0.0.137 and below are also affected by the vulnerability, according to Adobe’s advisory. Here are the Adobe Flash Player versions which have the zero-day flaw.

  • Adobe Flash Player Desktop Runtime (Windows, Macintosh)
  • Adobe Flash Player for Google Chrome (Windows, Macintosh, Linux, and Chrome OS)
  • Adobe Flash Player for Edge and IE 11 (Windows 10, 8.1)
  • Adobe Flash Player Runtime (Linux)

Cybercriminals can exploit the bug and remotely execute malware using web pages with Flash content or via email containing documents with embedded malware-laden Flash content. Adobe has advised users to enable Protected View for Microsoft Office if they work with Flash content files. Protected View opens potentially malicious files in read-only mode, so the embedded malware cannot execute.

As Adobe has yet to issue a security patch for this zero-day, users are advised to disable Flash Player until the update arrives on February 5. Shifting from Flash Player to other software would be the best remedy for this bug, as Flash Player is destined for death.

However, if you wish to continue with Flash Player, you can check the version by visiting a web page with Flash content. Right-click on the content and click ‘About Adobe (or Macromedia) Flash Player.’ You can also visit Adobe’s version-check page to do the same. In Windows 10, you can visit Settings > Apps, click the Adobe Flash entry in the list, and it will show the exact version.