company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Elasticsearch

Data Breach

loading..
loading..
loading..

23 million accounts were exposed online from Mangatoon data breach

Mangatoon, a comic-reading platform, reported a data breach exposing 23 million accounts of users following unauthorized access detected from a...

11-Jul-2022
2 min read

Related Articles

loading..

Cyberattack

CDK Global's massive cyberattack disrupts operations for 15,000 car dealerships,...

In the past week, CDK Global, a prominent SaaS provider for car dealerships, suffered back to back cyberattacks. These breaches disrupted services for over 15,000 car dealerships in North America. This [Threatfeed](https://www.secureblink.com/cyber-security-news) delves into the technical aspects of these attacks, evaluates the impact, and explores potential recovery strategies. ## Overview of CDK Global CDK Global delivers a comprehensive SaaS platform catering to car dealerships. Their offerings encompass CRM, financing, payroll, support and service, inventory management, and back-office operations. The integration of an always-on VPN to CDK's data centers enables seamless access to these services for dealerships. ## Incident Breakdown ### Initial Cyberattack On the night of June 18, CDK Global encountered a cyberattack, prompting the shutdown of IT systems, phones, and applications to contain the threat. This attack incapacitated two data centers, disrupting dealership operations reliant on CDK’s platform. #### Attack Vector and Entry Point The attackers likely exploited the always-on VPN connection used by dealerships. This connection grants extensive access to CDK’s platform, making it a prime target for cybercriminals. Moreover, CDK’s software, with administrative privileges on client devices, posed an additional risk. ### Secondary Breach As CDK began restoring services on June 19, a second breach has transpired. This forced another shutdown, indicating that the initial threat was not fully mitigated. The rapid attempt to restore services without comprehensive security checks may have facilitated this subsequent attack. ## Technical Analysis ### Nature of the Attack While the exact malware remains unidentified, the pattern suggests a ransomware attack. Such attacks involve encrypting data and demanding ransom for decryption. Ransomware also involves data exfiltration, where threat actors use stolen data as leverage. ### Potential Exploits 1. **VPN Vulnerabilities**: Always-on VPNs are susceptible to various attacks, including man-in-the-middle (MITM) and brute force attacks. 2. **Admin Privileges Misuse**: Software running with administrative privileges can be exploited to deploy malicious updates or gain unauthorized access. 3. **Single-Sign-On (SSO) Weaknesses**: Transitioning to a modern SSO platform might introduce vulnerabilities if not adequately secured. #### VPN Exploit Simulation ```python import paramiko def connect_vpn(host, user, password): client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(host, username=user, password=password) return client # Simulate VPN connection exploitation vpn_client = connect_vpn('vpn.example.com', 'admin', 'password123') stdin, stdout, stderr = vpn_client.exec_command('cat /etc/passwd') print(stdout.read().decode()) ``` ### Impact on Dealership Operations The attack has caused extensive disruption: - Inability to track and order parts. - Halted sales and financing processes. - Forced reliance on manual processes, leading to inefficiencies. ### Mitigation and Response #### Immediate Actions 1. **Disconnection of VPNs**: Advising dealerships to disconnect always-on VPNs to prevent lateral movement. 2. **Shutdown of Systems**: Temporarily disabling IT systems to halt the attack’s spread. #### Long-term Strategies 1. **Enhanced Monitoring**: Implementing real-time monitoring and anomaly detection systems. 2. **Zero Trust Architecture**: Adopting a Zero Trust approach to minimize trust zones. 3. **Regular Audits and Penetration Testing**: Conducting frequent security audits and penetration tests to identify and mitigate vulnerabilities. ### Implementing Zero Trust ```python from flask import Flask, request, jsonify app = Flask(__name__) # Simple example of token-based authentication TOKENS = {"valid_token_123": "user1"} @app.route('/secure-endpoint', methods=['POST']) def secure_endpoint(): token = request.headers.get('Authorization') if token in TOKENS: return jsonify({"message": "Access Granted"}) else: return jsonify({"message": "Access Denied"}), 403 if __name__ == '__main__': app.run(debug=True) ``` ## Future Recommendations ### Security Enhancements 1. **VPN Security**: Employ multi-factor authentication (MFA) and VPN segmentation. 2. **Privileged Access Management (PAM)**: Implement PAM solutions to control administrative access. 3. **SSO Security**: Ensure robust security protocols during SSO transitions, including thorough testing and validation. ### MFA for VPN ```python import pyotp # Generate OTP for MFA totp = pyotp.TOTP("base32secret3232") print("Your OTP is:", totp.now()) # Function to verify OTP def verify_otp(user_input_otp): return totp.verify(user_input_otp) user_otp = input("Enter your OTP: ") if verify_otp(user_otp): print("OTP Verified, Access Granted") else: print("Invalid OTP, Access Denied") ```

loading..   21-Jun-2024
loading..   4 min read
loading..

Vulnerability

Honeypot

Hackers exploit SolarWinds Serv-U CVE-2024-28995 flaw. 5,500-9,500 systems at ri...

# Technical Analysis and Research on CVE-2024-28995 Exploitation in SolarWinds Serv-U ## Overview The cybersecurity landscape is facing a critical threat with the active exploitation of a path traversal vulnerability in SolarWinds Serv-U software. This vulnerability, identified as CVE-2024-28995, poses significant risks to unpatched systems, demanding immediate attention and remediation. The flaw allows unauthenticated attackers to read arbitrary files on affected systems by manipulating HTTP GET requests. This technical analysis delves into the nuances of the vulnerability, the exploitation methods observed, and the necessary mitigation measures. ## Vulnerability Details ### CVE-2024-28995: Path Traversal Flaw CVE-2024-28995 is a high-severity directory traversal vulnerability in several SolarWinds Serv-U products, including: - Serv-U FTP Server 15.4 - Serv-U Gateway 15.4 - Serv-U MFT Server 15.4 - Serv-U File Server 15.4.2.126 and earlier versions The flaw arises from insufficient validation of path traversal sequences, allowing attackers to bypass security checks and access sensitive files. This vulnerability is particularly concerning as it does not require authentication, making it an attractive target for threat actors. ### Impact of the Vulnerability Exploiting this flaw enables attackers to read files from the filesystem, potentially exposing sensitive data and leading to further compromise. The affected versions of the software are widely deployed, amplifying the potential impact. Older versions (15.3.2 and earlier) are also vulnerable but will be unsupported after February 2025. ## Exploitation Techniques ### Public Proof-of-Concept (PoC) Exploits The availability of public PoC exploits has accelerated the exploitation of CVE-2024-28995. Over the weekend, Rapid7 analysts published a detailed technical write-up, outlining the steps to exploit this vulnerability. Following this, an independent researcher released a PoC exploit and a bulk scanner on GitHub, further simplifying the attack process. ### Observed Exploitation Activities Analysts from GreyNoise set up a honeypot to monitor exploitation attempts. They observed a range of attack strategies, from manual attempts to automated scripts. These requests exploit the path traversal flaw to access critical files like `/etc/passwd` on Linux and `win.ini` on Windows, which contain valuable configuration data. ## Detailed Technical Analysis ### Vulnerability Exploitation The exploitation process involves crafting HTTP GET requests that manipulate the directory paths to traverse the filesystem. By bypassing security checks, attackers can access files outside the intended directories. ### Mitigation Measures SolarWinds released version 15.4.2 Hotfix 2 (15.4.2.157) on June 5, 2024, which addresses this vulnerability by improving the validation of path traversal sequences. Administrators should apply this update immediately to mitigate the risk. These scripts demonstrate the simplicity of exploiting CVE-2024-28995, underscoring the need for prompt patching. ## Conclusion The active exploitation of CVE-2024-28995 in SolarWinds Serv-U products highlights the critical importance of timely vulnerability management. Unpatched systems are at high risk of compromise, with attackers leveraging publicly available exploits to access sensitive data. System administrators must apply the latest updates from SolarWinds to mitigate this threat. Continuous monitoring and adherence to security best practices are essential to safeguard against such vulnerabilities. --- By following the structured format and rigorous analysis, this technical research provides a comprehensive understanding of the CVE-2024-28995 exploitation, offering actionable insights for cybersecurity professionals.

loading..   20-Jun-2024
loading..   3 min read
loading..

Crypto

Kraken

Zero Day

Zero-day website bug allows anyone to increase the balances in a Kraken wallet l...

Kraken, a leading cryptocurrency exchange, recently revealed a critical security breach. Alleged security researchers exploited a zero-day website vulnerability, stealing $3 million in cryptocurrency. ## Vulnerability and Initial Discovery ### Identification of the Bug On June 9th, Kraken's security team received a vulnerability disclosure report about an "extremely critical" vulnerability. This flaw allowed users to artificially increase their wallet balances. The report, although vague, prompted immediate investigation by Kraken's Chief Security Officer, Nick Percoco. ### Nature of the Vulnerability The bug, introduced in January, allowed users to initiate deposits and have funds credited before the deposits were completed. This "deposit-before-completion" flaw effectively enabled attackers to create assets out of thin air within their Kraken accounts. ```python # Example of pseudo-code illustrating the flawed logic def deposit_funds(user, amount): if transaction_approved(): user.balance += amount else: user.balance += amount # Flawed logic, credits balance regardless ``` ### Initial Response and Containment Within minutes of the report, Kraken identified and isolated the bug. The flaw was patched within hours. This rapid response was crucial in limiting potential damage. ## Exploitation of the Vulnerability ### Malicious Activity Three individuals exploited the bug. The first, a supposed security researcher, used it to deposit $4 to their account. However, two others, informed by the initial researcher, withdrew nearly $3 million. This act bypassed Kraken's bug bounty protocols, transforming a security alert into a significant heist. ### Technical Breakdown The exploit involved initiating a deposit, having the system credit the amount, and then canceling the deposit before completion. This allowed the attackers to withdraw unearned funds. The critical flaw lay in the asynchronous processing of deposits. ```python # Simplified representation of the flawed deposit process def process_deposit(transaction): user = transaction.user user.balance += transaction.amount # Immediate balance update if not complete_transaction(transaction): rollback_transaction(transaction) # Missing logic to rollback user balance ``` ### Comparative Analysis with Previous Exploits Similar vulnerabilities have surfaced in the past. In 2020, a glitch at Coinberry allowed users to exploit instant e-transfers, stealing $3 million in Bitcoin. These incidents highlight the systemic risks in crypto exchanges' deposit handling processes. ## Ethical Considerations and Legal Actions ### Ethical Implications The researchers' refusal to return the stolen funds and their demands for negotiations resemble extortion rather than ethical hacking. Ethical hackers are expected to disclose vulnerabilities responsibly, without exploiting them for personal gain. ### Legal Proceedings Kraken is treating this breach as a criminal case. They have involved law enforcement to recover the stolen funds and hold the perpetrators accountable. This incident also raises questions about the effectiveness and integrity of bug bounty programs. ## Impact on Kraken and the Crypto Industry ### Financial and Reputational Damage While no clients' assets were directly at risk, Kraken's treasury bore the losses. The incident tarnishes Kraken's reputation, especially as it faces a lawsuit from the SEC for alleged securities law violations. It also comes at a critical time as the company considers an IPO next year. ### Industry-Wide Implications This breach serves as a stark reminder of the vulnerabilities within the crypto industry. It underscores the need for continuous security improvements and rigorous testing of financial systems to prevent similar exploits. ## Technical Recommendations ### Enhancing Security Protocols 1. **Asynchronous Transaction Handling**: Implement stricter validation for deposit completion before crediting user accounts. 2. **Regular Audits**: Conduct frequent and comprehensive security audits to identify potential vulnerabilities. 3. **Real-Time Monitoring**: Enhance real-time monitoring systems to detect and respond to unusual transaction patterns promptly. ```python # Improved deposit handling with validation checks def process_deposit(transaction): user = transaction.user if complete_transaction(transaction): user.balance += transaction.amount else: raise DepositError("Transaction not completed") ``` ### Strengthening Bug Bounty Programs 1. **Clear Protocols**: Establish clear guidelines for reporting and handling discovered vulnerabilities. 2. **Incentive Structures**: Ensure that bug bounty rewards are substantial enough to deter unethical behavior. 3. **Legal Safeguards**: Incorporate legal agreements to protect against misuse of disclosed vulnerabilities.

loading..   20-Jun-2024
loading..   4 min read