Cyber Attacks and Hacking

User avatar
RTH10260
Posts: 14997
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#176

Post by RTH10260 »

Roku says 576,000 user accounts hacked after second security incident

Zack Whittaker (@zackwhittaker)
6:04 PM GMT+2•April 12, 2024

Streaming giant Roku has confirmed a second security incident in as many months, with hackers this time able to compromise more than half a million Roku user accounts.

In a statement Friday, the company said about 576,000 user accounts were accessed using a technique known as credential stuffing, where malicious hackers use usernames and passwords stolen from other data breaches and reuse the logins on other sites.

Roku said in fewer than 400 account breaches, the malicious hackers made fraudulent purchases of Roku hardware and streaming subscriptions using the payment data stored in those users’ accounts. Roku said it refunded customers affected by the account intrusions.

The company, which has 80 million customers, said the malicious hackers “were not able to access sensitive user information or full credit card information.”

Roku said it discovered the second incident while it was notifying some 15,000 Roku users that their accounts were compromised in an earlier credential stuffing attack.

Following the security incidents, Roku said it rolled out two-factor authentication to users.



https://techcrunch.com/2024/04/12/roku- ... ts-hacked/
#177

Post by RTH10260 »

LockBit 3.0 Variant Generates Custom, Self-Propagating Malware
Kaspersky researchers discovered the new variant after responding to a critical incident targeting an organization in West Africa.

Jeffrey Schwartz, Contributing Writer
April 16, 2024

The LockBit ransomware-as-a-service (RaaS) group has struck another victim, this time using stolen credentials to launch a sophisticated attack against an unidentified organization in West Africa. The attackers used a new variant of the LockBit 3.0 builder, which was leaked in 2022.

Kaspersky researchers discovered the latest variant at the end of March 2024 after responding to the incident in West Africa, describing it at the time as Trojan-Ransom.Win32.Lockbit.gen, Trojan.Multi.Crypmod.gen, and Trojan-Ransom.Win32.Generic. Particularly concerning about this variant is that it can generate custom, self-propagating ransomware that is difficult to defend against.

During the attack, threat actors impersonating an administrator infected multiple hosts with malware, aiming to spread it deeply into the victim's network. According to Kaspersky, the customized ransomware performed various malicious actions, including disabling Windows Defender, encrypting network shares, and deleting Windows Event Logs to avoid discovery of its actions.

The researchers discovered that the variant can also direct attacks on select systems and infect specific .docx or .xlsx files. "The nature of this finding is rather critical since the use of leaked privileged credentials allows the attackers to have full control of the victim's infrastructure, as well as covering their tracks," says Cristian Souza, an incident response specialist at Kaspersky.

The organization in West Africa hit by the new LockBit variant is the only victim Kaspersky's Global Emergency Response Team (GERT) has encountered in that area to date, according to Souza. "However, we detected other incidents that used the leaked builder in other regions," he says.

The Appeal of LockBit 3.0 to Attackers




https://www.darkreading.com/endpoint-se ... ng-malware
#178

Post by RTH10260 »

“Highly capable” hackers root corporate networks by exploiting firewall 0-day
No patch yet for unauthenticated code-execution bug in Palo Alto Networks firewall.

Dan Goodin
4/12/2024, 10:48 PM

Highly capable hackers are rooting multiple corporate networks by exploiting a maximum-severity zero-day vulnerability in a firewall product from Palo Alto Networks, researchers said Friday.

The vulnerability, which has been under active exploitation for at least two weeks now, allows the hackers with no authentication to execute malicious code with root privileges, the highest possible level of system access, researchers said. The extent of the compromise, along with the ease of exploitation, has earned the CVE-2024-3400 vulnerability the maximum severity rating of 10.0. The ongoing attacks are the latest in a rash of attacks aimed at firewalls, VPNs, and file-transfer appliances, which are popular targets because of their wealth of vulnerabilities and direct pipeline into the most sensitive parts of a network.

“Highly capable” UTA0218 likely to be joined by others

The zero-day is present in PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls when they are configured to use both the GlobalProtect gateway and device telemetry. Palo Alto Networks has yet to patch the vulnerability but is urging affected customers to follow the workaround and mitigation guidance provided here. The advice includes enabling Threat ID 95187 for those with subscriptions to the company’s Threat Prevention service and ensuring vulnerability protection has been applied to their GlobalProtect interface. When that’s not possible, customers should temporarily disable telemetry until a patch is available.

Volexity, the security firm that discovered the zero-day attacks, said that it’s currently unable to tie the attackers to any previously known groups. However, based on the resources required and the organizations targeted, they are "highly capable" and likely backed by a nation-state. So far, only a single threat group—which Volexity tracks as UTA0218—is known to be leveraging the vulnerability in limited attacks. The company warned that as new groups learn of the vulnerability, CVE-2024-3400 is likely to come under mass exploitation, just as recent zero-days affecting products from the likes of Ivanti, Atlassian, Citrix, and Progress have in recent months.

“As with previous public disclosures of vulnerabilities in these kinds of devices, Volexity assesses that it is likely a spike in exploitation will be observed over the next few days by UTA0218 and potentially other threat actors who may develop exploits for this vulnerability,” company researchers wrote Friday. “This spike in activity will be driven by the urgency of this window of access closing due to mitigations and patches being deployed. It is therefore imperative that organizations act quickly to deploy recommended mitigations and perform compromise reviews of their devices to check whether further internal investigation of their networks is required.”

The earliest attacks Volexity has seen took place on March 26 in what company researchers suspect was UTA0218 testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability. On April 7, the researchers observed the group trying unsuccessfully to install a backdoor on a customer’s firewall. Three days later, the group’s attacks were successfully deploying malicious payloads. Since then, the threat group has deployed custom, never-before-seen post-exploitation malware. The backdoor, which is written in the Python language, allows the attackers to use specially crafted network requests to execute additional commands on hacked devices.



https://arstechnica.com/security/2024/0 ... all-0-day/
#179

Post by RTH10260 »

New Vulnerability “LeakyCLI” Leaks AWS and Google Cloud Credentials
A critical vulnerability named LeakyCLI exposes sensitive cloud credentials from popular tools used with AWS and Google Cloud. This poses a major risk for developers, showing the need for strong security practices. Learn how to mitigate LeakyCLI and fortify your cloud infrastructure.

WAQAS
APRIL 16, 2024

Cloud infrastructure is the backbone of modern technology, and its security hinges on the tools developers use to manage it. However, a recently discovered vulnerability dubbed “LeakyCLI” exposes a critical weakness in these tools, potentially granting unauthorized access to sensitive cloud credentials.

This vulnerability affects the command-line interfaces (CLIs) used by major cloud providers like Amazon Web Services (AWS) and Google Cloud Platform (GCP). Security researchers at Orca Security identified LeakyCLI, which can inadvertently expose environment variables containing sensitive information like passwords and access keys within logs.

The Flaw and the Risk

CLIs are typically designed for use in secure environments. However, the integration with Continuous Integration and Continuous Deployment (CI/CD) pipelines, which automate development processes, introduces a security risk. LeakyCLI bypasses secret labelling mechanisms within CI/CD pipelines, potentially printing sensitive credentials to logs that shouldn’t contain them.

“CLI commands are by default assumed to be running in a secure environment,” explains an Orca advisory. “But coupled with CI/CD pipelines, they may pose a security threat.” This vulnerability creates a prime target for attackers employing social engineering tactics.



https://www.hackread.com/vulnerability- ... edentials/
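The article's point is that a CLI command can echo environment variables into a CI/CD log, and the pipeline's secret masking does not catch values it was never told about. The following is an added example (Python written for this thread, not code from the Hackread article or from Orca's advisory) that post-processes captured CLI output in two passes: the value-based masking a CI system performs, and a second pass that redacts assignments by variable name, which catches a value the CI never knew. The sample output, the variable names and the name pattern are constructed assumptions.

```python
import re
from typing import Iterable, List, Set

# Variable names whose values should never reach a log (constructed list;
# extend it for your own environment).
SENSITIVE_NAME = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key|private[_-]?key|credential)"
)

# Matches NAME=value (shell/dotenv style) and "NAME": "value" (JSON style).
ASSIGNMENT = re.compile(
    r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?P<sep>=|"\s*:\s*")(?P<value>[^\s",}]+)'
)

# Constructed CLI output: a function's configuration echoed back as JSON,
# followed by a dotenv-style dump. None of these values are real.
SAMPLE_OUTPUT = """
{
  "FunctionName": "billing-sync",
  "Runtime": "python3.12",
  "Environment": {
    "Variables": {
      "DB_PASSWORD": "constructed-db-pass-123",
      "REGION": "us-east-1"
    }
  }
}
AWS_SECRET_ACCESS_KEY=constructedSecretKeyValue0000000000
AWS_DEFAULT_REGION=us-east-1
""".strip().splitlines()


def mask_known_values(lines: Iterable[str], known_secrets: Iterable[str]) -> List[str]:
    """What a CI secret-masking step does: replace the values it knows about."""
    out = []
    for line in lines:
        for value in known_secrets:
            if value:
                line = line.replace(value, "***")
        out.append(line)
    return out


def redact_by_name(lines: Iterable[str]) -> List[str]:
    """Second pass: blank the value of any assignment whose variable name
    looks sensitive, whether or not the value was known in advance."""
    def sub(m):
        if SENSITIVE_NAME.search(m.group("name")):
            return m.group("name") + m.group("sep") + "***REDACTED***"
        return m.group(0)
    return [ASSIGNMENT.sub(sub, line) for line in lines]


def leaked_variable_names(lines: Iterable[str]) -> Set[str]:
    """Names of sensitive variables whose value is still visible in the log.
    A non-empty result is a reason to fail the pipeline step."""
    names = set()
    for line in lines:
        for m in ASSIGNMENT.finditer(line):
            if SENSITIVE_NAME.search(m.group("name")) and not m.group("value").startswith("***"):
                names.add(m.group("name"))
    return names


if __name__ == "__main__":
    # The CI only knows the AWS key; the function's own DB_PASSWORD slips through
    # value masking and is only caught by the name-based pass.
    masked = mask_known_values(SAMPLE_OUTPUT, ["constructedSecretKeyValue0000000000"])
    print("after value masking, still leaked:", leaked_variable_names(masked))
    print("after name-based redaction, still leaked:", leaked_variable_names(redact_by_name(masked)))
```

The name-based pass is deliberately coarse: it will also redact harmless values whose variable name happens to contain "token", which is the safe direction of error for a log.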
#180

Post by RTH10260 »

CISA in a flap as Chirp smart door locks can be trivially unlocked remotely
Hard-coded credentials last thing you want in home security app

Matthew Connatser
Mon 15 Apr 2024 // 22:35 UTC

Some smart locks controlled by Chirp Systems' software can be remotely unlocked by strangers thanks to a critical security vulnerability.

This remote exploitation is possible due to passwords and private keys being hard-coded in Chirp's Android app. Anyone who knows or finds these credentials can use them with an API maintained by smart lock supplier August to remotely open someone's Chirp-powered lock and thus unlock whatever door it is supposed to be protecting. Chirp has claimed its system is being used by over 50,000 households.

For those unfamiliar with this tech, Chirp provides application software to remotely control compatible locks, which can be bought from vendors such as August. It turns out it's possible to use the credentials inside the Chirp Android app to effectively masquerade as the developer via that aforementioned API, enumerate locks, and control them. Presumably victims would need to be using an August-supported lock; we note that Yale is a brand August uses as both are owned by the same parent, Sweden's Assa Abloy. We've asked August for more details.

The Chirp-side security flaw was given a CVSS severity score of 9.1 out of 10 last month. The US govt's Cybersecurity and Infrastructure Security Agency also issued an alert about the situation. The warning notes Chirp hasn't responded to CISA at all about fixing the hole.

As the watchdog put it, "Successful exploitation of this vulnerability could allow an attacker to take control and gain unrestricted physical access to systems using the affected product.

"Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access."

The vulnerability was discovered and disclosed to Chirp three years ago by Amazon Web Services senior engineer Matt Brown, who delved into Chirp's Android app because his apartment building switched over to the "smart" locks in March 2021. We note that Chirp updated its Android app last month after the CISA alert, to apply "bug fixes and improved stability," so the hole may have been quietly patched by now.




https://www.theregister.com/2024/04/15/ ... hirp_lock/
#181

Post by RTH10260 »

Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard

MSRC / By MSRC
March 08, 2024

This blog provides an update on the nation-state attack that was detected by the Microsoft Security Team on January 12, 2024. As we shared, on January 19, the security team detected this attack on our corporate email systems and immediately activated our response process. The Microsoft Threat Intelligence investigation identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as NOBELIUM.

As we said at that time, our investigation was ongoing, and we would provide additional details as appropriate.

In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.

It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.

Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.



https://msrc.microsoft.com/blog/2024/03 ... -blizzard/
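Two posts in this thread describe the same authentication-log signature from the defender's side: the Roku post (#176) on credential stuffing, where stolen username/password pairs are replayed, and the Microsoft post above on Midnight Blizzard's password sprays, where one password is tried across many accounts. In both cases one source touches many distinct accounts with mostly failures. The following is an added example (Python written for this thread, not code from either article or from Roku's or Microsoft's systems) that runs that detection over a constructed log and then lists the accounts that actually authenticated from a flagged source, which is the set an incident response has to reset and notify. The log format, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed authentication log in a simple key=value format. One source
# tries many different accounts with mostly failures; a legitimate user
# mistypes a password once; a third source hammers a single account.
SAMPLE_LOG = """
2024-04-12T10:00:01+00:00 ip=198.51.100.7 user=alice result=fail
2024-04-12T10:00:02+00:00 ip=198.51.100.7 user=bob result=ok
2024-04-12T10:00:03+00:00 ip=198.51.100.7 user=carol result=fail
2024-04-12T10:00:04+00:00 ip=198.51.100.7 user=dave result=fail
2024-04-12T10:00:05+00:00 ip=198.51.100.7 user=erin result=fail
2024-04-12T10:00:06+00:00 ip=198.51.100.7 user=frank result=fail
2024-04-12T10:02:10+00:00 ip=203.0.113.5 user=alice result=fail
2024-04-12T10:02:25+00:00 ip=203.0.113.5 user=alice result=ok
2024-04-12T11:30:00+00:00 ip=192.0.2.9 user=bob result=fail
2024-04-12T11:30:01+00:00 ip=192.0.2.9 user=bob result=fail
2024-04-12T11:30:02+00:00 ip=192.0.2.9 user=bob result=fail
this line is not an auth event and is skipped
""".strip().splitlines()

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, source ip, username, result)


def parse_events(lines: List[str]) -> List[Event]:
    """Parse the constructed format; unrelated or malformed lines are skipped."""
    events: List[Event] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing_sources(
    events: List[Event],
    window: timedelta = timedelta(minutes=10),
    min_distinct_users: int = 5,
    min_fail_ratio: float = 0.6,
) -> Dict[str, Dict[str, int]]:
    """Flag source IPs that, within `window`, attempt at least
    `min_distinct_users` different accounts with mostly failures.
    Many accounts from one source is the signature shared by credential
    stuffing and password spraying; one account hammered from one source
    is classic brute force and belongs to a separate per-account rule."""
    by_ip: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged: Dict[str, Dict[str, int]] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        j = 0  # sliding window end; only ever moves forward
        for i in range(len(evs)):
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            chunk = evs[i:j]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, r in chunk if r == "fail")
            if len(users) >= min_distinct_users and fails / len(chunk) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(chunk), "failures": fails}
                break
    return flagged


def accounts_to_review(events: List[Event], flagged: Dict[str, Dict[str, int]]) -> Set[str]:
    """Accounts that authenticated successfully from a flagged source: their
    credentials were valid, so they need a forced reset and a notification."""
    return {user for _, ip, user, result in events if ip in flagged and result == "ok"}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    hits = detect_stuffing_sources(evs)
    for ip, stats in hits.items():
        print(f"{ip}: {stats}")
    print("accounts to reset/notify:", sorted(accounts_to_review(evs, hits)))
```

In production the per-IP key is too narrow on its own (stuffing tools rotate through proxy pools), so the same window logic is usually run per ASN, per user-agent fingerprint and per /24 as well, and the thresholds are tuned against a baseline of normal failure rates.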
#182

Post by RTH10260 »

UnitedHealth Data Leak May Affect ‘Substantial’ Swath of U.S.
The company said a ransom was paid to protect patient data.

Bloomberg News
Apr 23, 2024

(Bloomberg) -- UnitedHealth Group Inc. found files containing private information on a vast number of Americans whose data may have been compromised in a February cyberattack that upended the US health system.

A sample of the breached files found they contain personal information, including health data, that “could cover a substantial proportion of people in America,” according to a statement on the company’s website Monday.

The disclosure suggests the attack could be one of the largest health-care data breaches on record. Before the hack, Change Healthcare said it processed $2 trillion in health claims and handled 15 billion transactions per year. The disclosure is likely to add to pressure on the company from Washington to explain what led to the hack and how the company responded.

Two months after the attack on the company’s Change Healthcare unit came to light, the health-care system is still dealing with the repercussions. Among the many unanswered questions is how many people’s private data may have been exposed.

Tallying the privacy impacts may take months, UnitedHealth said. The company has not yet found evidence that doctors’ charts or full medical histories were exposed. It set up a website and call center to assist people with credit monitoring.

Companies typically have 60 days to report data breaches to the Department of Health and Human Services under health privacy rules. The agency opened an investigation into the incident last month.

Late last week, the HHS office that oversees data breach reporting said it hadn’t received notice from UnitedHealth, Change Healthcare, or other affected entities, according to its website.



https://www.itprotoday.com/attacks-and- ... l-swath-us
#183

Post by RTH10260 »

Hackers stole 340,000 Social Security numbers from government consulting firm

Lorenzo Franceschi-Bicchierai
6:30 PM GMT+2•April 8, 2024

U.S. consulting firm Greylock McKinnon Associates (GMA) disclosed a data breach in which hackers stole as many as 341,650 Social Security numbers.

The data breach was disclosed on Friday on Maine’s government website, where the state posts data breach notifications.

In its data breach notice sent by mail to affected victims, GMA said it was hit by an unspecified cyberattack in May 2023 and “promptly took steps to mitigate the incident.”

GMA provides economic and litigation support to companies and U.S. government agencies, including the U.S. Department of Justice, bringing civil litigation. According to its data breach notice, GMA told affected individuals that their personal information “was obtained by the U.S. Department of Justice (“DOJ”) as part of a civil litigation matter” supported by GMA.

The reasons and target of the DOJ’s civil litigation are not known. A spokesperson for the Justice Department did not respond to a request for comment.

GMA said that individuals notified of the data breach are “not the subject of this investigation or the associated litigation matters,” and that the cyberattack “does not impact your current Medicare benefits or coverage.”



https://techcrunch.com/2024/04/08/hacke ... ting-firm/
#184

Post by RTH10260 »

Health insurance giant Kaiser will notify millions of a data breach after sharing patients’ data with advertisers

Zack Whittaker (@zackwhittaker)
9:42 PM GMT+2•April 25, 2024

U.S. health conglomerate Kaiser is notifying millions of current and former members of a data breach after confirming it shared patients’ information with third-party advertisers, including Google, Microsoft and X (formerly Twitter).

In a statement shared with TechCrunch, Kaiser said that it conducted an investigation that found “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”

Kaiser said that the data shared with advertisers includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service and how members “interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.”

Kaiser said it subsequently removed the tracking code from its websites and mobile apps.

Kaiser is the latest healthcare organization to confirm it shared patients’ personal information with third-party advertisers by way of online tracking code, often embedded in web pages and mobile apps and designed to collect information about users’ online activity for analytics. Over the past year, telehealth startups Cerebral, Monument and Tempest have pulled tracking code from their apps that shared patients’ personal and health information with advertisers.

Kaiser spokesperson Diana Yee said that the organization would begin notifying 13.4 million affected current and former members and patients who accessed its websites and mobile apps. The notifications will start in May in all markets where Kaiser Permanente operates, the spokesperson said.

The health giant also filed a legally required notice with the U.S. government on April 12 but made public on Thursday confirming that 13.4 million residents had information exposed.

U.S. organizations covered under the health privacy law known as HIPAA are required to notify the U.S. Department of Health and Human Services of data breaches involving protected health information, such as medical data and patient records. Kaiser also notified California’s attorney general of the data breach, but did not provide any further details.




https://techcrunch.com/2024/04/25/kaise ... ta-breach/
#185

Post by RTH10260 »

1,400 GitLab Servers Impacted by Exploited Vulnerability
CISA says a critical GitLab password reset flaw is being exploited in attacks and roughly 1,400 servers have not been patched.

By Ionut Arghire
May 2, 2024

A critical vulnerability in GitLab’s email verification process, which can lead to password hijacking, is being exploited in the wild, the US cybersecurity agency CISA warns.

Tracked as CVE-2023-7028 (CVSS score of 10/10), the flaw allows for password reset messages to be sent to email addresses that have not been verified, enabling attackers to hijack the password reset process and take over accounts.

GitLab patched the security defect in January 2024, warning that GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.1 to 16.7.1 are affected. Fixes were included in GitLab versions 16.5.6, 16.6.4, and 16.7.2 and backported to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.

GitLab said at the time that it had not observed in-the-wild exploitation of CVE-2023-7028, but CISA on Wednesday added the bug to its Known Exploited Vulnerabilities (KEV) Catalog, saying it has evidence of active exploitation. SecurityWeek has not seen other reports of CVE-2023-7028 being targeted in attacks.

“GitLab Community and Enterprise Editions contain an improper access control vulnerability. This allows an attacker to trigger password reset emails to be sent to an unverified email address to ultimately facilitate an account takeover,” CISA notes.

At the end of January, The Shadowserver Foundation warned that over 5,300 internet-accessible GitLab servers had not been patched against the vulnerability, but that number dropped to around 1,400 as of May 1, new data from Shadowserver shows.



https://www.securityweek.com/1400-gitla ... erability/
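The defect class in the article (a password-reset mail delivered to an address that was never verified, letting whoever controls that address take the account) is easier to see in code. The following is an added example written for this thread, not code from the SecurityWeek article or from GitLab: a toy reset flow in Python with the defective handler beside the hardened one. The account model, the sample addresses and the choice to have the defective handler accept a list of addresses are constructed assumptions for illustration; the exact shape of GitLab's request is not taken from the page.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    verified_emails: Set[str] = field(default_factory=set)
    unverified_emails: Set[str] = field(default_factory=set)  # added, never confirmed


# Constructed sample data: one verified address, one address that was added
# to the profile but never confirmed by clicking a verification link.
ACCOUNTS: Dict[str, Account] = {
    "alice": Account("alice", {"alice@example.com"}, {"alice.old@example.net"}),
}

# A delivery is (username, destination address, token). The handlers return
# the deliveries instead of sending mail so the behaviour can be checked.
Delivery = Tuple[str, str, str]


def find_account(email: str) -> Optional[Account]:
    """Resolve the account that owns an address, verified or not."""
    for acct in ACCOUNTS.values():
        if email in acct.verified_emails or email in acct.unverified_emails:
            return acct
    return None


def request_reset_vulnerable(submitted: List[str]) -> List[Delivery]:
    """Defective flow: the account is resolved from the first address and the
    reset token is then delivered to every address in the request, with no
    check that each one is verified on (or even belongs to) that account."""
    if not submitted:
        return []
    acct = find_account(submitted[0])
    if acct is None:
        return []
    token = secrets.token_urlsafe(32)
    return [(acct.username, addr, token) for addr in submitted]


def request_reset_hardened(submitted: str) -> List[Delivery]:
    """Fixed flow: accept exactly one address, resolve the account from it,
    and deliver only when that address is verified on that account. An
    unverified or unknown address gets nothing; in a real service the
    response should also look and take the same time in both cases so the
    endpoint cannot be used to enumerate accounts."""
    acct = find_account(submitted)
    if acct is None or submitted not in acct.verified_emails:
        return []
    token = secrets.token_urlsafe(32)
    return [(acct.username, submitted, token)]


def recipients(deliveries: List[Delivery]) -> List[str]:
    """Just the destination addresses, for inspection."""
    return [addr for _, addr, _ in deliveries]


if __name__ == "__main__":
    print("vulnerable:", recipients(request_reset_vulnerable(["alice@example.com", "other@example.org"])))
    print("hardened:  ", recipients(request_reset_hardened("alice@example.com")))
    print("hardened, unverified address:", request_reset_hardened("alice.old@example.net"))
```

The second invariant worth enforcing server-side is that a reset token is single-use, short-lived and bound to the account it was issued for; the hardened handler above only fixes the delivery side, which is the part the CVE concerns.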
#186

Post by RTH10260 »

UK armed forces’ personal data hacked in MoD breach
Defence secretary to address MPs after names and bank details of armed forces members targeted by unnamed attacker

Tom Ambrose and agency
Tue 7 May 2024 10.16 CEST

The Ministry of Defence has suffered a significant data breach and the personal information of UK military personnel has been hacked.

A third-party payroll system used by the MoD, which includes names and bank details of current and past members of the armed forces, was targeted in the attack. A very small number of addresses may also have been accessed.

The department took immediate action and took the external network, operated by a contractor, offline.

Initial investigations found no evidence that data had been removed, according to the BBC and Sky, who first reported the story. The Guardian understands MPs will be addressed on the matter in the Commons on Tuesday, with Grant Shapps, the defence secretary, expected to make a statement in the afternoon.

Ministers will blame hostile and malign actors, but will not name the country behind the hacking.

Affected service personnel will be alerted as a precaution and provided with specialist advice. They will be able to use a personal data protection service to check whether their information is being used or an attempt is being made to use it.

All salaries were paid at the last payday, with no issues expected at the next one at the end of this month, although there may be a slight delay in the payment of expenses in a small number of cases.

The shadow defence secretary, John Healey, said: “So many serious questions for the defence secretary on this, especially from forces personnel whose details were targeted.

“Any such hostile action is utterly unacceptable.”

The MoD first discovered the attack several days ago and has since been working to understand its scale and impact. In March the UK and the US accused China of a global campaign of “malicious” cyber-attacks, in an unprecedented joint operation to reveal Beijing’s espionage.



https://www.theguardian.com/technology/ ... oll-breach

Suranis
Posts: 6086
Joined: Mon Feb 22, 2021 5:25 pm

#187

Post by Suranis »

How we used to do Cybersecurity.

[Attached image: Cybersecurity.jpg]

These days, we use a different gun.
Hic sunt dracones
#188

Post by RTH10260 »

REvil hacker behind Kaseya ransomware attack gets 13 years in prison

By Bill Toulas
May 2, 2024 10:44 AM

Yaroslav Vasinskyi, a Ukrainian national, was sentenced to 13 years and seven months in prison and ordered to pay $16 million in restitution for his involvement in the REvil ransomware operation.

According to the U.S. Department of Justice, Vasinskyi, also known by his alias "Rabotnik," was involved in over 2,500 REvil (Sodinokibi) attacks demanding ransom payments surpassing $700 million.

The cybercriminal and his co-conspirators engaged in double extortion, where they stole corporate data and then threatened to leak it publicly if the victim did not pay a ransom.

"Yaroslav Vasinskyi and his co-conspirators hacked into thousands of computers around the world and encrypted them with ransomware," stated Nicole M. Argentieri, head of the Justice Department's Criminal Division.

"Then they demanded over $700 million in ransom payments and threatened to publicly disclose victims' data if they refused to pay."

Vasinskyi was arrested in October 2021 while trying to enter Poland and was charged with conspiracy to commit fraud, intentional damage to a protected computer, and conspiracy to commit money laundering.

Law enforcement linked the long-term REvil affiliate to the Kaseya supply-chain ransomware attacks, which impacted over 1,500 companies worldwide.

At the time, REvil affiliates leveraged a zero-day flaw in Kaseya VSA, a remote monitoring and management (RMM) software used primarily by managed service providers (MSPs).

This flaw allowed the threat actors to simultaneously push encryptors to thousands of companies, causing one of the largest ransomware incidents in history.

In March 2022, the cybercriminal was extradited to the United States to stand trial for his actions, including at least nine confirmed ransomware attacks against U.S.-based organizations.

The maximum potential sentence for all counts was 115 years in prison plus forfeiture of all property and financial assets.

The 24-year-old ransomware affiliate subsequently pleaded guilty to the 11-count indictment and was sentenced to roughly a tenth of the maximum sentence by the Northern District of Texas court. Vasinskyi will also have to pay $16,000,000 in restitution.

The U.S. DoJ announcement also highlighted the seizure of another 39.89138522 Bitcoin and $6.1 million related to ransom payments and operations indirectly linked to Vasinskyi.

REvil was one of the most successful ransomware operations in recent history, reaching its peak in 2021 with the Kaseya MSP supply-chain attack, a $50 million ransom demand from computer maker Acer, and blueprint leaks of unreleased upcoming Apple devices.

The ransomware-as-a-service shut down in October 2021 following the hijacking of its Tor sites and increased law enforcement efforts in Russia, eventually leading to several arrests a couple of months later.



https://www.bleepingcomputer.com/news/s ... in-prison/
#189

Post by RTH10260 »

Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

May 08, 2024
Newsroom / Web Security / Vulnerability

A high-severity flaw impacting the LiteSpeed Cache plugin for WordPress is being actively exploited by threat actors to create rogue admin accounts on susceptible websites.

The findings come from WPScan, which said that the vulnerability (CVE-2023-40000, CVSS score: 8.3) has been leveraged to set up bogus admin users with the names wpsupp-user and wp-configuser.

CVE-2023-40000, which was disclosed by Patchstack in February 2024, is a stored cross-site scripting (XSS) vulnerability that could permit an unauthenticated user to elevate privileges by means of specially crafted HTTP requests.

The flaw was addressed in October 2023 in version 5.7.0.1. It's worth noting that the latest version of the plugin is 6.2.0.1, which was released on April 25, 2024.

LiteSpeed Cache has over 5 million active installations, with statistics showing that versions other than 5.7, 6.0, 6.1, and 6.2 are still active on 16.8% of all websites.

According to the Automattic-owned company, the malware typically injects into WordPress files JavaScript code hosted on domains like dns.startservicefounds[.]com and api.startservicefounds[.]com.

Creating admin accounts on WordPress sites can have severe consequences, as it allows the threat actor to gain full control over the website and perform arbitrary actions, ranging from injecting malware to installing malicious plugins.



https://thehackernews.com/2024/05/hacke ... e-bug.html
#190

Post by RTH10260 »

Why Your VPN May Not Be As Secure As It Claims

May 6, 2024

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.

When a device initially tries to connect to a network, it broadcasts a message to the entire local network stating that it is requesting an Internet address. Normally, the only system on the network that notices this request and replies is the router responsible for managing the network to which the user is trying to connect.

The machine on a network responsible for fielding these requests is called a Dynamic Host Configuration Protocol (DHCP) server, which will issue time-based leases for IP addresses. The DHCP server also takes care of setting a specific local address — known as an Internet gateway — that all connecting systems will use as a primary route to the Web.

VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say they’ve discovered it’s possible to abuse an obscure feature built into the DHCP standard so that other users on the local network are forced to connect to a rogue DHCP server.

“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”

The feature being abused here is known as DHCP option 121, and it allows a DHCP server to set a route on the VPN user’s system that is more specific than those used by most VPNs. Abusing this option, Leviathan found, effectively gives an attacker on the local network the ability to set up routing rules that have a higher priority than the routes for the virtual network interface that the target’s VPN creates.

“Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface,” the Leviathan researchers said. “This is intended functionality that isn’t clearly stated in the RFC [standard]. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.”

Leviathan found they could force VPNs on the local network that already had a connection to arbitrarily request a new one. In this well-documented tactic, known as a DHCP starvation attack, an attacker floods the DHCP server with requests that consume all available IP addresses that can be allocated. Once the network’s legitimate DHCP server is completely tied up, the attacker can then have their rogue DHCP server respond to all pending requests.
https://krebsonsecurity.com/2024/05/why ... it-claims/
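The option 121 mechanism the article describes, as an added example that is not part of the original post and not code from Leviathan Security or Krebs on Security: a small Python decoder that pulls option 121 (classless static routes, RFC 3442) out of a DHCP offer's option bytes and reports which pushed routes would beat a VPN's tunnel routes under longest-prefix matching. The function names, the sample offer bytes and the two VPN route lists (a full-tunnel client that installs 0.0.0.0/1 and 128.0.0.0/1, and a split-tunnel client that only carries 10.20.0.0/16) are constructed for illustration, not taken from any real lease or product.

```python
"""Decode DHCP option 121 (classless static routes, RFC 3442) from a DHCP
offer and report which pushed routes would win over a VPN's tunnel routes.

Added example; not code from the article or from Leviathan Security. The
option bytes and VPN route lists are constructed, not captured."""

import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def find_option(options: bytes, code: int) -> Optional[bytes]:
    """Walk the DHCP option TLVs (bytes after the magic cookie) and return
    the value of the first option with the given code, or None."""
    i = 0
    while i < len(options):
        tag = options[i]
        if tag == 0:            # PAD: single byte, no length field
            i += 1
            continue
        if tag == 255:          # END
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if tag == code:
            return value
        i += 2 + length
    return None


def parse_option_121(data: bytes) -> List[Route]:
    """Decode RFC 3442 entries: prefix length (1 byte), only the significant
    destination octets (ceil(prefix/8) bytes), then a 4-byte router.
    A rogue server uses this to push routes more specific than the VPN's."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        prefix_len = data[i]
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n = (prefix_len + 7) // 8
        if i + 1 + n + 4 > len(data):
            raise ValueError("truncated option 121 entry")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)   # pad to 4 octets
        router = data[i + 1 + n:i + 1 + n + 4]
        net = ipaddress.IPv4Network((int.from_bytes(dest, "big"), prefix_len),
                                    strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 1 + n + 4
    return routes


def routes_overriding_vpn(pushed: List[Route],
                          vpn_routes: List[ipaddress.IPv4Network]) -> List[Route]:
    """Pushed routes that overlap a tunnel route and are at least as specific:
    longest-prefix matching then sends that traffic out the physical interface.
    A pushed route less specific than the overlapping tunnel route is not flagged."""
    return [(net, router) for net, router in pushed
            if any(net.overlaps(v) and net.prefixlen >= v.prefixlen
                   for v in vpn_routes)]


def analyze_offer(options: bytes,
                  vpn_routes: List[ipaddress.IPv4Network]) -> Dict[str, object]:
    """Summarise one offer: server identifier (option 54), all option-121
    routes, those overriding the tunnel, and those whose next hop is the DHCP
    server itself (the configuration the researchers describe)."""
    raw = find_option(options, 121)
    pushed = parse_option_121(raw) if raw else []
    server_id = find_option(options, 54)
    server = ipaddress.IPv4Address(server_id) if server_id else None
    overriding = routes_overriding_vpn(pushed, vpn_routes)
    return {"server": server, "pushed": pushed, "overriding": overriding,
            "via_dhcp_server": [r for r in overriding if r[1] == server]}


# Constructed offer options: DHCPOFFER, server id 192.168.1.50, router
# 192.168.1.1, and three option-121 routes that all point at the DHCP server.
SAMPLE_OPTION_121 = (
    bytes([1, 0x00]) + bytes([192, 168, 1, 50])             # 0.0.0.0/1
    + bytes([24, 10, 20, 30]) + bytes([192, 168, 1, 50])    # 10.20.30.0/24
    + bytes([24, 203, 0, 113]) + bytes([192, 168, 1, 50])   # 203.0.113.0/24
)
SAMPLE_OFFER_OPTIONS = (
    bytes([53, 1, 2]) + bytes([54, 4, 192, 168, 1, 50]) + bytes([3, 4, 192, 168, 1, 1])
    + bytes([121, len(SAMPLE_OPTION_121)]) + SAMPLE_OPTION_121 + bytes([255])
)
# Assumed tunnel routes for a full-tunnel and a split-tunnel VPN client.
FULL_TUNNEL = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]
SPLIT_TUNNEL = [ipaddress.ip_network("10.20.0.0/16")]

if __name__ == "__main__":
    for name, vpn in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        r = analyze_offer(SAMPLE_OFFER_OPTIONS, vpn)
        print(f"{name}: server {r['server']}, overriding "
              f"{[str(n) for n, _ in r['overriding']]}")
```

Run against the full-tunnel list, all three pushed routes are flagged, because /1 and /24 are each at least as specific as the tunnel's /1 halves; against the split-tunnel list only 10.20.30.0/24 is flagged, since the /1 route is less specific than the tunnel's /16 and 203.0.113.0/24 does not overlap it at all. The same comparison can be run on a host's real DHCP lease and VPN routing table to spot a lease that steers tunnel destinations out the physical interface.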
#191

Post by RTH10260 »

Chinese Hackers Deployed Backdoor Quintet to Down MITRE
MITRE's hackers made use of at least five different Web shells and backdoors as part of their attack chain.

Nate Nelson, Contributing Writer
May 7, 2024

China-linked hackers deployed a roster of different backdoors and Web shells in the process of compromising the MITRE Corporation late last year.

Last month news broke that MITRE, best known for its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, was breached through Ivanti Connect Secure zero-day vulnerabilities. The hackers accessed its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and development network.

On May 3, MITRE filled in some more details about five unique payloads deployed as part of an attack that lasted from New Year's Eve all the way through mid-March.
https://www.darkreading.com/cloud-secur ... down-mitre
#192

Post by RTH10260 »

Code Execution Vulnerability Found In R Language

written by Abeerah Hashim
May 7, 2024

Researchers caught a serious security vulnerability in the R programming language that could allow arbitrary code execution. Given the extensive application of this language, particularly for AI/ML projects, the vulnerability could have a huge impact following malicious exploitation.

Users are urged to update their systems with the latest R Core release to receive the patch.

R Language Vulnerability Could Have Widespread Consequences

According to a recent report from HiddenLayer, their researchers found a serious code execution vulnerability in the R programming language.

As explained, the vulnerability existed due to the deserialization of untrusted data, and involves the use of promise objects and lazy evaluation in R. A threat actor could exploit the flaw by tricking the victim user into opening a maliciously crafted RDS (R Data Serialization) formatted file or R package. Once done, the malicious file would execute arbitrary malicious R code on the target machine.

While this sounds trivial, exploiting the flaw requires the victim user’s input. Thus, exploiting the flaw would require manipulating the victim via social engineering. Nonetheless, potential attackers could also consider deploying the maliciously crafted R packages on public repositories to target unsuspecting users.

The vulnerability has received the CVE ID CVE-2024-27322, with a high severity rating and a CVSS score of 8.8. HiddenLayer researchers have presented a detailed technical analysis of the flaw in their post, alongside sharing the following video which demonstrates the exploit.