Hacking News #1 19 Feb
Google Chrome Zero-Day
Google on Monday rolled out fixes for eight security issues in the Chrome web browser, including a high-severity vulnerability that’s being actively exploited in real-world attacks, marking the first zero-day patched by the internet giant in 2022.
“Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild,” the company said in a characteristically brief statement acknowledging active exploitation of the flaw. Credited with discovering and reporting the flaw are Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group (TAG).
Google Chrome users are strongly advised to update to the latest version, 98.0.4758.102 for Windows, Mac, and Linux, to mitigate any potential threats. It’s worth noting that Google addressed 17 zero-day flaws in Chrome in 2021.
VMware on Tuesday patched several high-severity vulnerabilities impacting ESXi, Workstation, Fusion, Cloud Foundation, and NSX Data Center for vSphere that could be exploited to execute arbitrary code and cause a denial-of-service (DoS) condition.
As of writing, there’s no evidence that any of the weaknesses are being exploited in the wild. The list of six flaws is as follows –
- CVE-2021-22040 (CVSS score: 8.4) – Use-after-free vulnerability in XHCI USB controller
- CVE-2021-22041 (CVSS score: 8.4) – Double-fetch vulnerability in UHCI USB controller
- CVE-2021-22042 (CVSS score: 8.2) – ESXi settingsd unauthorized access vulnerability
- CVE-2021-22043 (CVSS score: 8.2) – ESXi settingsd TOCTOU vulnerability
- CVE-2021-22050 (CVSS score: 5.3) – ESXi slow HTTP POST denial-of-service vulnerability
- CVE-2022-22945 (CVSS score: 8.8) – CLI shell injection vulnerability in the NSX Edge appliance component
Successful exploitation of the flaws could allow a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host. It could also allow an adversary with access to settings to escalate their privileges by writing arbitrary files.
Adobe on Sunday rolled out patches to contain a critical security vulnerability impacting its Commerce and Magento Open Source products that it said is being actively exploited in the wild.
Tracked as CVE-2022-24086, the shortcoming has a CVSS score of 9.8 out of 10 and has been characterized as an “improper input validation” issue that could be weaponized to achieve arbitrary code execution.
“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants,” the company noted in an advisory published February 13, 2022.
The findings come as e-commerce malware and vulnerability detection company Sansec disclosed last week a Magecart attack that compromised 500 sites running the Magento 1 platform with a credit card skimmer designed to siphon sensitive payment information.
According to a new report published by Microsoft’s RiskIQ this month, 165 unique command-and-control servers and skimmer injected URLs used by known Magecart threat actors were detected in January 2022, some of which include compromised, legitimate domains.
Apache Cassandra Database Software
Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution (RCE) on affected installations.
Apache Cassandra is an open-source, distributed, NoSQL database management system for managing very large amounts of structured data across commodity servers.
Specifically, it was found that Cassandra deployments are vulnerable to CVE-2021-44521 when the cassandra.yaml configuration file contains the following definitions:
- enable_user_defined_functions: true
- enable_scripted_user_defined_functions: true
- enable_user_defined_functions_threads: false
“When the [enable_user_defined_functions_threads] option is set to false, all invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions,” Kaspi said. Those permissions allow an adversary to disable the security manager, break out of the sandbox, and run arbitrary shell commands on the server.
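As an added illustration (not code from the article, the researcher, or the Cassandra project), here is a small Python checker that reads the three flags above from a cassandra.yaml and reports the combination the text describes; the defaults it assumes for absent keys are the stock ones, and the sample configs are constructed.

```python
# Added example (not from the article or the Cassandra project): a minimal
# checker for the three cassandra.yaml flags whose combination the article
# describes for CVE-2021-44521. Only flat "key: value" lines are parsed, so
# there is no PyYAML dependency. Defaults are an assumption (stock yaml).
import re

DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

_LINE = re.compile(
    r"^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*:\s*(?P<val>[^#]*?)\s*(#.*)?$")

def parse_flags(yaml_text: str) -> dict:
    """Return the effective value of each monitored flag (defaults applied)."""
    flags = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        m = _LINE.match(line)
        if not m or m.group("key") not in flags:
            continue  # comment, blank, nested, or unrelated key
        val = m.group("val").strip().lower()
        if val in ("true", "false"):
            flags[m.group("key")] = val == "true"
    return flags

def udf_sandbox_exposed(yaml_text: str) -> bool:
    """True when scripted UDFs are enabled and run in the daemon thread."""
    f = parse_flags(yaml_text)
    return (f["enable_user_defined_functions"]
            and f["enable_scripted_user_defined_functions"]
            and not f["enable_user_defined_functions_threads"])

# Constructed sample configs for demonstration.
VULNERABLE_CFG = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # JavaScript UDFs allowed
enable_user_defined_functions_threads: false
"""
SAFE_CFG = """\
enable_user_defined_functions: true
# enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""
if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CFG), ("safe", SAFE_CFG)):
        print(name, "exposed" if udf_sandbox_exposed(cfg) else "ok")
```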
Cisco Email Appliances
Cisco has released security updates to contain three vulnerabilities affecting its products, including one high-severity flaw in its Email Security Appliance (ESA) that could result in a denial-of-service (DoS) condition on an affected device.
The weakness, assigned the identifier CVE-2022-20653 (CVSS score: 7.5), stems from a case of insufficient error handling in DNS name resolution that could be abused by an unauthenticated, remote attacker to send a specially crafted email message and cause a DoS.
Cisco credited researchers from ICT service provider Rijksoverheid Dienst ICT Uitvoering (DICTU) for reporting the vulnerability, while pointing out that it has not found any evidence of malicious exploitation.
Researchers Warn of New Golang-Based Botnet
Cybersecurity researchers have unpacked a nascent Golang-based botnet called Kraken that’s under active development and features an array of backdoor capabilities to siphon sensitive information from compromised Windows hosts.
“Kraken already features the ability to download and execute secondary payloads, run shell commands, and take screenshots of the victim’s system,” threat intelligence firm ZeroFox said in a report published Wednesday.
Discovered first in October 2021, early variants of Kraken have been found to be based on source code uploaded to GitHub, although it’s unclear if the repository in question belongs to the malware’s operators or if they simply chose to start their development using the code as a foundation.
U.S. Says Russian Hackers Are Stealing
State-sponsored actors backed by the Russian government regularly targeted the networks of several U.S. cleared defense contractors (CDCs) to acquire proprietary documents and other confidential information pertaining to the country’s defense and intelligence programs and capabilities.
The sustained espionage campaign is said to have commenced at least two years ago, in January 2020, according to a joint advisory published by the U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA).
“These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology,” the agencies said. “The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology.”