
Cisco warns of a critical vulnerability in its IP phones

Summary:

Cisco has published a new security advisory about a critical flaw affecting the IP Phone 7800 and 8800 series firmware that could lead to remote code execution or a denial of service (DoS) condition.

 

Networking equipment specialist Cisco said it is working on a patch to address the vulnerability, which is tracked as CVE-2022-20968 (CVSS score: 8.1). The flaw stems from insufficient input validation of received Cisco Discovery Protocol (CDP) packets.

 

CDP is a proprietary, network-independent protocol used to collect information about directly connected devices, such as their hardware, software and device name. It is enabled by default. "An attacker could exploit this vulnerability by sending Cisco Discovery Protocol traffic to an affected device," the company said in an advisory published on December 8, 2022. "A successful exploit could allow an attacker to cause a stack overflow that could lead to remote code execution or a denial of service (DoS) condition on the affected device."

 

Cisco IP Phones running firmware version 14.2 and earlier are affected by this vulnerability. A patch is scheduled for release in January 2023; the company says that no update or fix for the problem is available yet.

 

However, in deployments that support both CDP and the Link Layer Discovery Protocol (LLDP) for neighbor discovery, users can disable CDP so that affected devices advertise their identity and capabilities to directly connected neighbors over LLDP instead.

 

"This change is not trivial and requires effort on the part of the company to evaluate any potential impact on devices, as well as the best approach to deploying this change in their company," the company says.

 

Cisco also warned that it is aware of a publicly available proof-of-concept (PoC) exploit and that the flaw has been publicly disclosed. There is no evidence that the vulnerability has been actively exploited to date. Qian Chen of the Codesafe Team of Legendsec at Qi'anxin Group is credited with discovering and reporting the vulnerability.

 

 

Cybercriminals use two PoS malware families to steal more than 167,000 bank card records

Summary:

Two point-of-sale (PoS) malware families have stolen the details of 167,000 credit cards from payment terminals.

 

According to Group-IB, a Singapore-based cyber security company, the stolen information, sold on underground forums, has earned the operators more than $3.3 million. Although a significant portion of attacks today rely on JavaScript code (known as web skimmers) surreptitiously inserted into e-commerce websites to collect payment data, PoS malware remains a persistent threat. Last month, Kaspersky described in a report the new techniques that Prilex had adopted to steal money through fraudulent transactions.

 

The two malware families, Treasure Hunter and MajikPOS, are similar in that they gain entry to PoS terminals either by brute-forcing credentials or by purchasing initial access from known sellers. Once inside, they extract card data from the system's memory and send it to a remote server.

 

It is worth noting that MajikPOS first appeared in early 2017 and mainly affected businesses across the US and Canada. Treasure Hunter (aka TREASUREHUNT), on the other hand, has been documented since 2014, and its source code was leaked in 2018.

 

Group-IB, which identified the command-and-control (C2) servers associated with the two PoS malware families, noted that more than 77,000 payment records were compromised by MajikPOS between February and September 2022, and more than 90,000 were compromised by Treasure Hunter. Most of the stolen cards appear to have been issued by banks in the United States, Puerto Rico, Peru, Panama, the United Kingdom, Canada, France, Poland, Norway and Costa Rica. The identity of the attackers behind the scheme is unknown, and it is currently unclear whether the group has already sold the stolen data for monetary gain.

 

If card-issuing banks do not implement adequate protection mechanisms, the consequences can be severe: attackers can use cloned cards to withdraw funds illegally and perform unauthorized transactions. Researchers point out that PoS malware has become less attractive to attackers in recent years because of restrictions and security measures introduced in the card payment industry. Nevertheless, it remains a significant threat to the payments industry, especially for businesses that have not yet adopted the latest security practices. It is therefore too early to write off PoS malware; it is still with us.

 

Discovery of two Microsoft Exchange Server vulnerabilities

Summary:

Two vulnerabilities, CVE-2022-41082 and CVE-2022-41040, have been discovered in Microsoft Exchange Server.

 

Two new Microsoft Exchange Server zero-day vulnerabilities have been discovered. The first, CVE-2022-41040, is a server-side request forgery (SSRF) flaw. The second, CVE-2022-41082, allows remote code execution when the attacker has access to PowerShell. Microsoft has announced that it is aware of attacks that use these two vulnerabilities to gain access to users' systems. It also noted in its advisory that CVE-2022-41040 can only be exploited by authenticated attackers; once exploited successfully, it allows an attacker to remotely trigger CVE-2022-41082 and achieve remote code execution.

 

The company has also announced that Exchange Online customers need take no action at this time, since it has already put protective measures in place for them.

 

According to GTSC, the Vietnamese cybersecurity firm that first disclosed the ongoing attacks, the zero-day exploits were used to install Chopper web shells for persistence and data theft; the flaws were also chained for lateral movement through victim networks. GTSC also suspects that a Chinese threat group is behind the ongoing attacks, based on the web shells' code page, which is the Microsoft character encoding for Simplified Chinese.

 

To mitigate the vulnerabilities, Microsoft has recommended that on-premises Microsoft Exchange customers apply the following URL Rewrite instructions and block the Remote PowerShell ports.

 

Add a blocking rule under "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions" to stop known attack patterns.
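As an added illustration (not code from the original page, nor Microsoft's own rule text), the following Python script applies the intent of that blocking rule to IIS W3C log records: it flags any request whose URL-decoded request URI contains both "autodiscover" and "powershell", case-insensitively, which is the condition such a rule needs to enforce if encoded or mixed-case variants are not to slip past it. The log lines, IP addresses and hostnames are constructed for the example; the field names follow the standard IIS W3C header.

```python
"""Check IIS W3C log records against the intent of an Autodiscover/PowerShell
blocking rule.

Added example, not Microsoft's code or the exact text of its rewrite rule.
Assumption: a request should be blocked when its decoded URI (stem plus query)
contains both "autodiscover" and "powershell", regardless of case or
percent-encoding. The sample log below is constructed, not real traffic.
"""
from urllib.parse import unquote

# Constructed sample W3C log (IIS replaces spaces in fields with '+').
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 10:15:01 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 - 198.51.100.7 Outlook 200
2022-09-30 10:15:02 10.0.0.5 POST /autodiscover/autodiscover.json a@example.test/powershell 443 - 203.0.113.9 python-requests 200
2022-09-30 10:15:03 10.0.0.5 GET /autodiscover/autodiscover.json a%40example.test%2FPowerShell 443 - 203.0.113.9 curl 200
2022-09-30 10:15:04 10.0.0.5 GET /owa/ - 443 user1 198.51.100.8 Mozilla 200
2022-09-30 10:15:05 10.0.0.5 GET /powershell - 443 admin 10.0.0.20 Microsoft+WinRM+Client 200
"""


def is_blocked_request(uri_stem: str, uri_query: str) -> bool:
    """Mirror the rule's intent: decode the full request URI first, then
    require both tokens, so '%2FPowerShell' is treated like '/powershell'."""
    request_uri = uri_stem if uri_query in ("", "-") else f"{uri_stem}?{uri_query}"
    decoded = unquote(request_uri).lower()
    return "autodiscover" in decoded and "powershell" in decoded


def parse_w3c(log_text: str):
    """Yield one dict per record, keyed by the names in the #Fields header.
    Records that do not match the header's field count are skipped."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_blocked(log_text: str):
    """Return (time, client IP, request URI) for every record the rule would
    have blocked; normal Autodiscover and stand-alone /powershell traffic
    (e.g. an admin's remote PowerShell session) is not flagged."""
    hits = []
    for rec in parse_w3c(log_text):
        stem, query = rec["cs-uri-stem"], rec["cs-uri-query"]
        if is_blocked_request(stem, query):
            uri = stem if query == "-" else f"{stem}?{query}"
            hits.append((rec["time"], rec["c-ip"], uri))
    return hits


if __name__ == "__main__":
    for time, client, uri in find_blocked(SAMPLE_LOG):
        print(f"{time} {client} would be blocked: {uri}")
```

Run against a real log export, the script lists requests that the rewrite rule would have aborted; run against logs from before the rule was deployed, the same matches are the requests worth investigating. Note that a rule applied to the raw, encoded URL path alone would miss the third sample line, which is why the comparison here decodes the whole request URI first.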
