Researchers Hacked EV Car Chargers To Execute Arbitrary Code

EVs face significant cyber risks due to their reliance on interconnected systems and the increasing number of public charging stations, which often lack robust security measures. Vulnerabilities in EV software and charging infrastructure can expose vehicles to malware, unauthorized access, and potential control by hackers. During Pwn2Own Automotive 2024 in Tokyo, cybersecurity researchers hacked EV car chargers to execute arbitrary code.

Researchers Hacked EV Car Chargers

At the Pwn2Own Automotive 2024 event, researchers exploited three EV chargers:

Autel MaxiCharger (MAXI US AC W12-L-4G)
ChargePoint Home Flex
JuiceBox 40 Smart EV Charging Station

They executed arbitrary code via Bluetooth while focusing on the Autel MaxiCharger, and this uncovered the CVE-2024-23958, CVE-2024-23959, and CVE-2024-23967 vulnerabilities. The features of the charger include WiFi, Ethernet, Bluetooth, 4G LTE, RFID, LCD touchscreen, RS485, and a USB-C port. Its har...

New PIXHELL Attack Exploits Screen Noise to Exfiltrate Data from Air-Gapped Computers

Security researchers have unveiled new techniques that allow attackers to exfiltrate sensitive data from air-gapped computers, which are systems physically isolated from unsecured networks. Despite air gaps being a strong security measure, these attacks demonstrate that determined adversaries can still find ways to breach such systems. Dr. Mordechai Guri and his team at Ben-Gurion University in Israel have published multiple papers detailing various covert channels that can be used to leak data from air-gapped systems. Their latest research focuses on exploiting computer components' electromagnetic, acoustic, thermal, and optical emanations to transmit data to nearby receivers. One attack, dubbed RAMBO (Radiation of Air-gapped Memory Bus for Offense), exploits electromagnetic emissions from a computer's RAM to leak data. Malware can generate controlled radio signals that encode stolen information by manipulating memory access patterns. Using a softwar...

Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT

A BlindEagle attack chain typically originates with a phishing email that contains a PDF attachment and a URL that points to a ZIP archive file. The PDF attachment contains the same URL as the one provided in the email body. In other words, the ZIP file can be downloaded either from the PDF or directly from the email. Upon clicking the URL (in either the email body or the PDF), the victim downloads a ZIP archive from a Google Drive folder. This specific folder is owned by a compromised account belonging to a regional government organization in Colombia. The ZIP archive contains a .NET BlotchyQuasar executable. The figure below provides a high-level overview of the attack chain.

The Colombian insurance sector is the target of a threat actor tracked as Blind Eagle with the end goal of delivering a customized version of a known commodity remote access trojan (RAT) known as Quasar RAT since June 2024. "Attacks have originated with phishing emails impersonating the Colomb...

Apache fixes critical OFBiz remote code execution vulnerability

Apache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers. OFBiz is a suite of customer relationship management (CRM) and enterprise resource planning (ERP) business applications that can also be used as a Java-based web framework for developing web applications.

Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server. Exploitation is facilitated by bypassing previous patches for CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856; this patch bypass vulnerability is tracked as CVE-2024-45195.

Vulnerability Context

A handful of unauthenticated code execution CVEs for Apache OFBiz have been published in 2024. In August, the Cybersecurity and Infrastructure S...

Cisco Warns of Critical Vulnerabilities in Smart Licensing Utility CVE-2024-20439 and CVE-2024-20440

Cisco has warned of multiple critical vulnerabilities in its Smart Licensing Utility, potentially enabling unauthenticated, remote attackers to collect sensitive information or gain administrative control over the software. The vulnerabilities, identified as CVE-2024-20439 and CVE-2024-20440, can be found in several versions of the software. Both have been rated a critical severity score of 9.8 on the CVSS scale, meaning exploitation of the flaw could result in a full system or data compromise. The company has released software updates to address these issues but emphasized that there are no workarounds available for the vulnerabilities. It also said that, to date, it has not found public exploits or evidence of malefactors exploiting these flaws.

Impacted Products

The vulnerabilities affect systems running a vulnerable version of Cisco Smart Licensing Utility. These flaws are not dependent on the system's configuration, and they only pose a risk if the utility is ...

New Ransomware Cicada3301 Targets Windows and Linux Systems

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation. "It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity company Morphisec said in a technical report. Written in Rust and capable of targeting both Windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential affiliates to join their ransomware-as-a-service (RaaS) platform via an advertisement on the RAMP underground forum. A notable aspect of the ransomware is that the executable embeds the compromised user's credentials, which are then used to run PsExec, a legitimate tool that makes it possible to run programs remotely. Cicada3301's similarities with BlackCat also extend to its use of ChaCha20 ...

Godzilla Fileless Backdoor Exploits Atlassian Confluence Vulnerability CVE-2023-22527

A new attack vector has emerged, exploiting the critical vulnerability CVE-2023-22527 in Atlassian Confluence. This vulnerability, which affects the Confluence Data Center and Server products, has been weaponized using the Godzilla backdoor, a sophisticated fileless malware. The implications of this exploit are significant, posing a severe risk to organizations worldwide.

Understanding CVE-2023-22527

CVE-2023-22527 is a critical vulnerability with a Common Vulnerability Scoring System (CVSS) score of 10, indicating its high severity. Discovered in older versions of Atlassian's Confluence Data Center and Server, this flaw allows for remote code execution (RCE) through a template injection vulnerability. An unauthenticated attacker can exploit this to execute arbitrary code on the affected instance, potentially leading to unauthorized access and control over the server. Atlassian released a security advisory on January 16, 2024, urging users to patch their sy...
