
Zero Day

MS Exchange

Vulnerability


Microsoft exchange zero day vulnerability exploited in the wild

Microsoft has confirmed that two recently reported zero-day vulnerabilities in Microsoft Exchange Server...

30-Sep-2022
3 min read

Related Articles


Vulnerability

Cloudflare's security services face a critical trust vulnerability. Explore how ...

Cloudflare, a prominent cybersecurity vendor renowned for its website protection services, has recently been scrutinized due to a vulnerability that threatens the security of customer websites. This [Threatfeed](https://www.secureblink.com) delves into the technical intricacies of the vulnerability, its potential impact, and recommendations for mitigation.

## Understanding Cloudflare's Protection Mechanisms

Cloudflare offers a range of security services like Web Application Firewall (WAF), DDoS protection, and Bot management. These defenses operate via reverse-proxy servers placed between a customer's web server (the "origin server") and its users, allowing Cloudflare to inspect incoming traffic for threats. The vulnerability arises when attackers manipulate the trust between Cloudflare and its customers by bypassing the protection mechanisms.

## Vulnerability Overview

Cloudflare's documentation outlines various mechanisms to prevent attackers from overloading the origin server with malicious requests, encompassing layers of the OSI Model, including the Application Layer, Transport Layer, and Network Layer. Two of these mechanisms, "Authenticated Origin Pulls" and "Allowlist Cloudflare IP addresses," rely on the assumption that all traffic originating from Cloudflare can be trusted, while traffic from other sources should be rejected. However, this assumption opens the door to exploitation.

### Authenticated Origin Pulls

"Authenticated Origin Pulls" is deemed "very secure" by Cloudflare. It involves using client SSL certificates to authenticate connections from Cloudflare's reverse proxy servers to the origin server. Customers are presented with two authentication options: a "Cloudflare certificate" or a custom certificate. The issue arises when customers opt for the convenient Cloudflare certificate. This shared certificate permits all connections originating from Cloudflare, regardless of the specific Cloudflare tenant initiating the connection. An attacker can set up a custom domain with Cloudflare, point it to the victim's IP address, and turn off protection features, thereby circumventing security measures.

### Allowlist Cloudflare IP Addresses

The "Allowlist Cloudflare IP addresses" mechanism, categorized as "moderately secure," instructs the origin server to reject any connection not originating from within Cloudflare's IP address ranges. Similar to Authenticated Origin Pulls, this mechanism fails to account for tenant-specific distinctions. Attackers can exploit this by establishing a custom domain with Cloudflare, directing the DNS A record to the victim's IP address, and disabling protection features. Consequently, they can bypass the victim's configured security measures.

## Proof of Concept

To illustrate the vulnerability, consider a scenario where a victim uses both "Authenticated Origin Pulls" with a Cloudflare Origin Certificate and "Allowlist Cloudflare IP addresses," as recommended by Cloudflare's official documentation. In contrast, the attacker sets up a domain without WAF protection, sharing the same origin IP address as the victim.

- **Victim Configuration:**
  - Domain: victim.test
  - DNS A record points to: 203.0.113.42
  - Authenticated Origin Pulls and Cloudflare Origin Certificate enabled
  - WAF Cloudflare Managed Ruleset and OWASP Core Ruleset enabled
  - Security Level: "I'm under attack"
- **Attacker Configuration:**
  - Domain: attacker.test
  - DNS A record points to: 203.0.113.42
  - Authenticated Origin Pulls and WAF disabled
  - Security Level: "Essentially off"

In this setup, an attacker can successfully send malicious requests to 203.0.113.42 via attacker.test, bypassing the victim's WAF configuration, while the same requests would be blocked when sent via victim.test.

## Recommendations for Cloudflare Customers

This vulnerability underscores the importance of not relying solely on the "Allowlist Cloudflare IP addresses" mechanism for protecting origin servers. Instead, consider it as a defense-in-depth measure. When implementing "Authenticated Origin Pulls," opt for custom certificates over the shared Cloudflare certificate. Additionally, explore alternative mechanisms for authenticating the Cloudflare tenant, as outlined in Cloudflare's documentation. These alternatives may involve trade-offs, such as running third-party code on sensitive webservers, but they provide a more robust defense against attacks.
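To make the recommendation concrete, the following Python model of the origin-side trust decision is an added example; it is not Cloudflare's code or part of the original Threatfeed. It applies the IP allowlist first and then Authenticated Origin Pulls under either the shared Cloudflare certificate or a tenant-specific custom certificate, and shows that only the custom certificate lets the origin tell victim.test's traffic from attacker.test's. The proxy IP range, source addresses and certificate fingerprints are constructed for the example; only the two zone names and the idea of a shared origin IP come from the write-up.

```python
"""Origin-side trust decision, modelled in Python.

Added example; it is not Cloudflare's code or the Threatfeed's own material.
It simulates how an origin server decides whether to accept a proxied
request under the two mechanisms discussed above ("Allowlist Cloudflare IP
addresses" and "Authenticated Origin Pulls") and shows why the shared
Cloudflare certificate cannot tell one tenant from another, while a
tenant-specific custom certificate can.  The proxy IP range, certificate
fingerprints and source addresses are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress

# Constructed stand-in for the published proxy egress ranges (assumption).
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed certificate fingerprints.  The shared certificate is the same for
# every tenant that picks "Cloudflare certificate"; the custom one exists only
# in the victim's zone, because only the victim holds its private key.
SHARED_CLOUDFLARE_CERT = "sha256:SHARED-ORIGIN-PULL-CERT"
VICTIM_CUSTOM_CERT = "sha256:VICTIM-TENANT-CERT"


@dataclass
class ProxiedRequest:
    source_ip: str      # address the connection to the origin came from
    client_cert: str    # fingerprint presented in the TLS handshake ("" if none)
    via_zone: str       # Cloudflare zone the request traversed, or "direct"
    waf_applied: bool   # whether that zone's WAF inspected the request


def from_proxy_range(req: ProxiedRequest) -> bool:
    """'Allowlist Cloudflare IP addresses': the source must be a proxy address."""
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in net for net in PROXY_RANGES)


def origin_decision(req: ProxiedRequest, require_custom_cert: bool) -> str:
    """Apply the allowlist, then Authenticated Origin Pulls with either the
    shared certificate (tenant-agnostic) or the tenant's custom certificate."""
    if not from_proxy_range(req):
        return "rejected: not a proxy address"
    expected = VICTIM_CUSTOM_CERT if require_custom_cert else SHARED_CLOUDFLARE_CERT
    if req.client_cert != expected:
        return "rejected: client certificate not trusted"
    return "accepted (WAF applied)" if req.waf_applied else "accepted (WAF bypassed)"


def sample_requests(victim_uses_custom_cert: bool) -> list:
    """Three constructed connections arriving at the same origin IP."""
    victim_cert = VICTIM_CUSTOM_CERT if victim_uses_custom_cert else SHARED_CLOUDFLARE_CERT
    return [
        # Traffic through the victim's protected zone.
        ProxiedRequest("198.51.100.7", victim_cert, "victim.test", waf_applied=True),
        # Traffic through the attacker's zone, which points at the same origin IP.
        # The proxy presents the shared certificate on any tenant's behalf, but
        # it can never present the victim's custom certificate.
        ProxiedRequest("198.51.100.9", SHARED_CLOUDFLARE_CERT, "attacker.test", waf_applied=False),
        # A connection from outside the proxy ranges; the allowlist stops it either way.
        ProxiedRequest("192.0.2.10", "", "direct", waf_applied=False),
    ]


def evaluate(require_custom_cert: bool) -> dict:
    """Map each zone to the origin's decision under the chosen certificate policy."""
    return {
        r.via_zone: origin_decision(r, require_custom_cert)
        for r in sample_requests(require_custom_cert)
    }


if __name__ == "__main__":
    for label, policy in (("shared Cloudflare certificate", False), ("custom certificate", True)):
        print(f"--- Authenticated Origin Pulls with {label} ---")
        for zone, result in evaluate(policy).items():
            print(f"{zone:<14} {result}")
```

Run as a script, the first block shows attacker.test accepted with the WAF bypassed even though the IP allowlist and the shared certificate both passed; the second block shows the same connection rejected once the origin pins the tenant's own certificate. The allowlist remains useful as the defense-in-depth layer the article describes, stopping the direct connection in both runs.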

02-Oct-2023
4 min read

LinkedIn

Espionage

Lazarus hacking group's cyber espionage: Learn how LightlessCan infiltrated a Sp...

# Cybersecurity News Analysis: Lazarus Hacking Group Targets Spanish Aerospace Company

In a recent cybersecurity incident, the notorious North Korean hacking group known as 'Lazarus' demonstrated their evolving tactics by targeting employees of a Spanish aerospace company. The attack involved a cunning blend of social engineering and the deployment of a previously undocumented backdoor named 'LightlessCan.' Let's dissect the technical details of this operation.

## Operation Dreamjob: A Deceptive Approach

Lazarus initiated this attack with a deceptive LinkedIn message from a fake recruiter, masquerading as 'Steve Dawson' from Meta (Facebook). The target was lured into engaging with the attackers by feigning interest in a job opportunity. As the conversation progressed, the victim was asked to prove their proficiency in C++ programming, a clever ruse to introduce malicious payloads.

## Payload Delivery and Execution

To deliver the malicious payloads, Lazarus employed ISO files containing executable quizzes. When executed, these files silently dropped an additional payload onto the victim's machine using DLL side-loading: a malicious 'mscoree.dll' was loaded by a legitimate program, 'PresentationHost.exe.' This additional payload was the NickelLoader malware loader, responsible for deploying two backdoors, including 'LightlessCan.'

## miniBlindingCan: A Versatile Backdoor

miniBlindingCan, a variant of BlindingCan with reduced functionality, was one of the backdoors deployed. This backdoor supports a range of commands, allowing the attacker to gather system information, update communication intervals with the command and control (C2) server, download and decrypt files, and execute shellcode. Its versatility makes it a potent tool for cyber espionage.

## LightlessCan: The Advanced Backdoor

ESET's analysis revealed LightlessCan as the star of this attack. It's a successor to BlindingCan, boasting a more sophisticated code structure, different indexing, and enhanced functionality. In version 1.0, it supports a staggering 43 commands, with an additional 25 commands lurking in the code, yet to be implemented. What sets LightlessCan apart is its ability to mimic native Windows commands, such as 'ping' and 'ipconfig,' while remaining invisible to real-time monitoring tools.

## Evolving Defense Measures

One intriguing defensive measure implemented by Lazarus is the encryption of one LightlessCan payload with a key dependent on the target's environment. This tactic thwarts analysis by security researchers or analysts who do not have access to the victim's computer, emphasizing Lazarus' commitment to secrecy and espionage.

## Espionage Over Financial Gain

This attack underscores that Lazarus' motives extend beyond mere financial gain, such as cryptocurrency theft. Their 'Operation Dreamjob' campaign reveals a strategic shift towards espionage, targeting sensitive information and intellectual property.

## Implications for Organizations

For organizations in the crosshairs of threat groups like Lazarus, this development is concerning. The introduction of LightlessCan showcases the group's growing sophistication and adaptability. Enterprises must remain vigilant, continuously updating their cybersecurity defenses to counter evolving threats.

## Conclusion

The Lazarus hacking group's recent attack on a Spanish aerospace company serves as a stark reminder of the ever-changing landscape of cybersecurity threats. Their blend of social engineering and the deployment of advanced backdoors like LightlessCan demonstrates the need for organizations to stay proactive and vigilant in defending against cyber adversaries. In this dynamic environment, understanding the nuances of such attacks is paramount to crafting effective defense strategies. As cybersecurity professionals, staying informed about the latest tactics and tools employed by threat actors is essential to safeguarding our digital assets and sensitive information. For the Spanish aerospace company, this incident serves as a wake-up call, highlighting the need for robust cybersecurity measures to protect against persistent and determined adversaries like Lazarus. The future of cybersecurity lies in continuous adaptation and proactive defense, and organizations must rise to the challenge to secure their digital infrastructure.

30-Sep-2023
3 min read

Vulnerability

Discover and address the critical JetBrains TeamCity vulnerability (CVE-2023-427...

CVE-2023-42793, a critical vulnerability with wide-reaching consequences, affects TeamCity, JetBrains' popular CI/CD server. Its implications are significant, granting unauthenticated attackers the ability to execute arbitrary code on TeamCity servers, thereby facilitating remote code execution (RCE). Here, in this [Threatfeed](https://www.secureblink.com/cyber-security-news) we delve into the details of CVE-2023-42793, assess its consequences, and discuss the measures required to safeguard your systems.

## Key Information

### Sonar's Discovery

The discovery of CVE-2023-42793 can be credited to Sonar's Vulnerability Research Team. They discovered a vulnerability that enables unauthenticated attackers to gain remote code execution privileges on TeamCity servers. This vulnerability poses an imminent threat, as it allows attackers to steal source code, access sensitive service secrets and private keys, manipulate the build process, and compromise the integrity of software releases. This vulnerability is not dependent on user interaction, making it an enticing target for malicious actors. Meanwhile, Greynoise is currently tracking many IP addresses from which CVE-2023-42793 exploit attempts are being made.

### Vulnerability Details

The root cause of this vulnerability lies in an authentication bypass. Specifically, TeamCity versions 2023.05.3 and earlier of the on-premises variant are susceptible. Attackers can exploit this flaw without requiring a valid account on the target instance, rendering it easily exploitable. As a result, we are compelled to emphasize the urgency of prompt action to mitigate this risk.

## Impact

### The Gravity of RCE

[CVE-2023-42793](https://nvd.nist.gov/vuln/detail/CVE-2023-42793) strikes at the heart of cybersecurity concerns. With RCE capabilities, attackers can not only pilfer source code but also gain access to highly confidential service secrets and private keys. Moreover, the ability to interfere with the build process by injecting malicious code jeopardizes the integrity of software releases. The most concerning aspect is that this vulnerability requires no user interaction, making it an attractive option for cybercriminals.

### Urgency of Action

To underscore the urgency of the situation, it's crucial to note that this vulnerability does not necessitate a valid account on the targeted instance. Its trivial exploitability raises concerns about its potential exploitation in the wild. Shodan currently identifies over 3,000 on-premises TeamCity servers accessible from the Internet.

## Indicators of Compromise

### Unveiling Malicious Activity

One crucial indicator of compromise is the existence of an authentication token named RPC2. This token's presence strongly suggests unauthorized and potentially malicious user activity on the server. It's essential to recognize that an attacker may attempt to cover their tracks by deleting or renaming this token post-exploitation.

## Technical Details

### Request Interceptors

TeamCity employs request interceptors to execute specific actions for every HTTP request. A critical role of these interceptors is the authorization mechanism. These interceptors are part of the global request handling process and are often overlooked during security assessments. In the context of this vulnerability, a wildcard expression, "**/RPC2," was unintentionally included, disabling the authorization check for requests ending with "/RPC2."

### Request Path Parameters

TeamCity offers a REST API for external application integration. While the documentation outlines endpoints, some hidden endpoints, like "/app/rest/users/<userLocator>/tokens/{name}," can be exploited. This specific endpoint allows an unauthenticated attacker to create a new authentication token with an arbitrary name, including "RPC2."

## Patch

### The Path to Security

JetBrains swiftly addressed this vulnerability with the release of TeamCity version 2023.05.4. The patch removes the wildcard expression for the "/RPC2" pre-handling exception, ensuring that pre-handling is only disabled when "/RPC2" is accessed directly without additional prefixes in the requested path. This measure effectively prevents authentication bypass for other endpoints.

## Timeline

### Collaborative Efforts

JetBrains and the Sonar Vulnerability Research Team maintained open communication throughout the discovery and remediation process. JetBrains' rapid response and efficient collaboration ensured a swift resolution to this critical security issue.

- **September 6, 2023**: The vulnerability is reported to JetBrains.
- **September 6, 2023**: JetBrains acknowledges receipt of the report.
- **September 7, 2023**: JetBrains fixes the issue in the 2023.05 branch.
- **September 12, 2023**: JetBrains prepares a plugin as a workaround.
- **September 14, 2023**: JetBrains confirms the issue as a major security concern.
- **September 18, 2023**: TeamCity version 2023.05.4 is released, addressing the vulnerability.
- **September 18, 2023**: JetBrains notifies customers to update promptly.
- **September 19, 2023**: CVE-2023-42793 is published.
- **September 21, 2023**: Coordinated release of blog posts from JetBrains and Sonar.
- **September 27, 2023**: Full disclosure follows the public release of an exploit.

## Learnings

### The Importance of Authorization

This incident underscores the significance of authorization checks. While endpoints often receive individual checks, global request interceptors are frequently overlooked. These interceptors, part of the global attack surface, must not be neglected in security assessments.

### Taming Wildcards

Wildcard expressions, while versatile, can inadvertently expose vulnerabilities. A more restrictive approach is advisable to prevent unintended vulnerabilities like the inclusion of "/**/RPC2."
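The wildcard lesson in the Technical Details, Patch and Learnings sections above is easiest to see with the matcher written out. The Python below is an added example, not JetBrains' code: TeamCity's real interceptor and pattern syntax are not reproduced. It assumes Ant-style semantics for the pattern ("**" spans any number of path segments, "*" stays within one), models the pre-fix exception "**/RPC2" beside the patched exact path "/RPC2", and adds a small check for the RPC2 token indicator from the Indicators of Compromise section. The sample paths reuse the endpoint template quoted in the article; the token records are constructed.

```python
"""Interceptor path exception behind CVE-2023-42793, as an added example.

Not JetBrains' code: TeamCity's real interceptor and its pattern syntax are
not reproduced.  The model follows the advisory text: a pre-handling
exception written with the wildcard '**/RPC2' exempted every request path
ending in '/RPC2' from the authorization check, and the fix narrows the
exception to the exact path '/RPC2'.  Ant-style semantics for '**' (any
number of segments) and '*' (within one segment) are assumed.  Sample paths
and token records are constructed for the example.
"""
import re


def ant_to_regex(pattern: str) -> str:
    """Translate an Ant-style path pattern into an anchored regular expression."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"          # any run of segments, possibly empty
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"       # wildcard confined to one segment
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return out + "$"


# Before the fix: the leading wildcard exempts any path that ends in /RPC2.
VULNERABLE_EXCEPTIONS = ["**/RPC2"]
# TeamCity 2023.05.4: only the bare /RPC2 path bypasses pre-handling.
PATCHED_EXCEPTIONS = ["/RPC2"]


def authorization_skipped(path: str, exceptions: list) -> bool:
    """True when the interceptor would let the request through unauthenticated."""
    return any(re.match(ant_to_regex(p), path) for p in exceptions)


def compare(paths: list) -> dict:
    """For each path, report (vulnerable_skips_auth, patched_skips_auth)."""
    return {
        p: (authorization_skipped(p, VULNERABLE_EXCEPTIONS),
            authorization_skipped(p, PATCHED_EXCEPTIONS))
        for p in paths
    }


def flag_rpc2_tokens(tokens: list) -> list:
    """Indicator of compromise from the advisory: return (user, token_name)
    pairs whose token is named RPC2.  Absence is not proof of a clean host,
    since the token may have been deleted or renamed afterwards."""
    return [(user, name) for user, name in tokens if name == "RPC2"]


if __name__ == "__main__":
    sample_paths = [
        "/RPC2",                                     # legitimate use of the exception
        "/app/rest/users/<userLocator>/tokens/RPC2",  # endpoint template quoted in the article
        "/app/rest/users/<userLocator>/tokens/ci",    # same endpoint, ordinary token name
        "/RPC2/extra",                               # /RPC2 followed by more path
    ]
    for path, (vuln, patched) in compare(sample_paths).items():
        print(f"{path:<45} pre-fix skips auth: {vuln!s:<5} patched skips auth: {patched}")
    constructed_tokens = [("admin", "RPC2"), ("ci-bot", "deploy")]
    print("suspicious tokens:", flag_rpc2_tokens(constructed_tokens))
```

The output makes the "Taming Wildcards" point directly: under the pre-fix exception the token endpoint path is exempted from authorization because it happens to end in /RPC2, while the patched exact-match exception still serves the bare /RPC2 path and nothing else. When reviewing interceptor or middleware configuration in any framework, the same test applies: list every pattern that disables a check and confirm it cannot be satisfied by a path suffix an unauthenticated caller controls.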

30-Sep-2023
5 min read