Search the Community

Network monitoring and security solution Progress Flowmon was found to be carrying a maximum-severity vulnerability which could allow threat actors to escalate privileges and gain full access to the target endpoint. As reported by BleepigComputer, the performance tracking, diagnostics, and network detection and response tool was vulnerable to CVE-2024-2389, a flaw allowing attackers to gain unauthenticated access to the Flowmon web interface, where they can execute arbitrary system commands. To gain this access, the attackers would need to craft a custom API request. Thousands of victims A proof-of-concept (PoC) is already available, but the vulnerability is apparently not being abused in the wild just yet. Users are advised to apply the released patch immediately. Progress has since been alerted of the discovery, and released a patch. Flowmon versions 12.x and 11.x are all vulnerable. First patched versions are 12.3.5 and 11.1.14. Those with automatic updates enabled will have gotten the patch already. Those who opted for manual updates need to go to the vendor’s download center. After applying the patch, Progress recommends upgrading all Flowmon modules, too. While the vulnerability was discovered and reported by researchers from Rhino Security Labs, BleepingComputer reminds that Italy’s CSIRT also warned about it, roughly two weeks ago. Rhino Security Labs published the technical details and a demo on how to use the vulnerability, but a PoC was made available as early as April 10. At this time, there are conflicting reports on the number of Flowmon instances exposed on the public web, and thus vulnerable. Some search engines show about 500 exposed servers, while others see fewer than 100 instances. In any case, around 1,500 companies around the world use Flowmon, BleepingComputer added, including SEGA, KIA, TDK, Volkswagen, and others. So far, there is no evidence of abuse in the wild. More from TechRadar Pro How a piece of Brazilian malware became a global cybercrime exportHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Almost a billion mobile users, holding various devices, could have had their communications revealed to malicious third parties, a report from cybersecurity researchers Citizen Lab claims. It says different device manufacturers have used different keyboard apps which were relaying unencrypted communications, transmitting keystrokes via plaintext, and similar. Tencent QQ Pinyin, Baidu IME, iFlytek IME, Samsung Keyboard on Android, Xiaomi (with keyboard apps from Baidu, iFlytek, and Sogou), OPPO, Vivo, Honor, all of these allowed potential threat actors to decrypt Chinese mobile users' keystrokes, completely passively, and without the users needing to send any extra network traffic. The team says it believes the keyboard apps found on these devices were “revealing the contents of users’ keystrokes in transit”. Keeping private talk private The only manufacturer whose keyboard app was secure is Huawei, the researchers said. As for Apple and Google, neither app has a feature to transmit keystrokes to cloud servers for cloud-based communications, it was said, which made it impossible to analyze the keyboards for the security of the feature. “However, we observed that none of the mobile devices that we analyzed included Google’s keyboard, Gboard, preinstalled, either,” the researchers claim. The researchers disclosed their findings to the manufacturers and say that as of April 1, almost all have addressed their issues. Only Honor and Tencent (QQ Pinyin) still remain a work in progress. To defend from potential eavesdroppers, users should keep their apps and mobile operating systems updated, and use a keyboard that fully works on the device. Developers, on the other hand, are advised to use well-tested and standard encryption protocols, instead of building their own, potentially vulnerable versions, The Hacker News reports. "Given the scope of these vulnerabilities, the sensitivity of what users type on their devices, the ease with which these vulnerabilities may have been discovered, and that the Five Eyes have previously exploited similar vulnerabilities in Chinese apps for surveillance, it is possible that such users' keystrokes may have also been under mass surveillance," the researchers concluded. More from TechRadar Pro Discover if your data have been leaked with Proton Mail's new toolHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Hundreds of thousands of WordPress websites are vulnerable to a critical severity flaw which allows threat actors to upload malware to the site through a bug in a plugin. As reported by BleepingComputer, Japan’s CERT recently found a critical severity flaw (9.8) in the Forminator plugin, built by WPMU DEV. The flaw, now tracked as CVE-2024-28890, allows threat actors to obtain sensitive information by accessing files on the server. The researchers also said the flaw could be used to change the contents of the site, mount denial-of-service (DoS) attacks, and more. No evidence of abuse Forminator is a plugin that allows WordPress operators to add custom contact, feedback, quizzes, surveys, polls, and payment forms. Everything is drag-and-drop and thus user-friendly, and plays well with many other plugins. WPMU DEV has addressed the issue and released a patch. Users are advised to apply it and bring their Forminator plugin to version 1.29.3 as soon as possible. At press time, the WordPress.org website shows at least 500,000 active downloads, of which 56% run the latest version. That leaves at least 230,000 websites that are possibly still vulnerable. So far, there is no evidence of CVE-2024-28890 being exploited in the wild, but given its destructive potential, and the simplicity to be abused, chances are abuse is just a matter of time. While WordPress itself is generally considered a safe platform, its various plugins and add-ons present a unique opportunity for hackers looking for a way in. As a general rule of thumb, WordPress admins are advised to keep the platform, the plugins, themes, and add-ons updated at all times, and to deactivate all of the add-ons that they don’t actively use. WordPress is the world’s number one website builder platform, with almost half of all websites on the internet being powered by the builder. More from TechRadar Pro This WordPress plugin vulnerability has put millions of websites at riskHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

For weeks now, unidentified threat actors have been leveraging a critical zero-day vulnerability in Palo Alto Networks’ PAN-OS software, running arbitrary code on vulnerable firewalls, with root privilege. Multiple security researchers have flagged the campaign, including Palo Alto Networks’ own Unit 42, noting a single threat actor group has been abusing a vulnerability called command injection, since at least March 26 2024. This vulnerability is now tracked as CVE-2024-3400, and carries a maximum severity score (10.0). The campaign, dubbed MidnightEclipse, targeted PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations with GlobalProtect gateway and device telemetry enabled, since these are the only vulnerable endpoints. Highly capable threat actor The attackers have been using the vulnerability to drop a Python-based backdoor on the firewall which Volexity, a separate threat actor that observed the campaign in the wild, dubbed UPSTYLE. While the motives behind the campaign are subject to speculation, the researchers believe the endgame here is to extract sensitive data. The researchers don’t know exactly how many victims there are, nor who the attackers primarily target. The threat actors have been given the moniker UTA0218 for now. "The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives," the researchers said. "UTA0218's initial objectives were aimed at grabbing the domain backup DPAPI keys and targeting active directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with the users' DPAPI keys." In its writeup, The Hacker News reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a deadline of April 19 to apply the patch and otherwise mitigate the threat. "Targeting edge devices remains a popular vector of attack for capable threat actors who have the time and resources to invest into researching new vulnerabilities," Volexity said. "It is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks." More from TechRadar Pro North Korean hackers are posing as job interviewers - don't be fooledHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Another major WordPress plugin was found vulnerable to a high-severity flaw which allowed malicious actors to steal sensitive information from the website, including password hashes. LayerSlider has published a new security advisory, saying the product is now in version 7.10.1, but adding, “This update includes important security fixes." While the announcement does not detail the vulnerability fixed, The Hacker News reported that the project fixed an SQL injection vulnerability impacting versions 7.9.11 through 7.10.0. This vulnerability is now tracked as CVE-2024-2879, and has a severity score of 9.8 (critical). Targeting WordPress On its website, LayerSlider describes itself as a “visual web content editor, a graphic design software, and a digital visual effects application all in one”. It also claims to be used by “millions” of people worldwide. LayerSlider is a commercial WordPress plugin, with annual license packages ranging from $26 to $159. Being the world’s most popular website builder, and used by roughly half of all the websites in existence, WordPress is a major target for cybercriminals everywhere. However, with the platform generally considered safe, hackers have turned their attention to third-party themes and plugins, as these are rarely as secure as the platform itself. There are thousands of themes and plugins for WordPress, all of which build upon and improve the WordPress experience. Some are free to use, but commercial ones usually have a dedicated team that works on improvements and security. As a result, most of the time, hackers will go for free-to-use themes and plugins - many have millions of users, but have been abandoned by their developers and contain vulnerabilities that are never (or rarely) addressed. To remain secure, admins should only install themes and plugins they intend on using, and make sure they are always updated to the latest version. More from TechRadar Pro This WordPress plugin vulnerability has put millions of websites at riskHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Security researchers have found a relatively easy and cheap way to clone the keycards used on three million Saflok electronic RFID locks in 13,000 hotels and homes all over the world. The keycard and lock manufacturer, Dormakaba, has been notified, and it is currently working to replace the vulnerable hardware - but it’s a long, tedious process, which is not yet done. Although first discovered back in 2022, the researchers have disclosed more information on the flaws, dubbed “Unsaflok”, in order to raise awareness. Cheap card cloning The flaws were discovered at a private hacking event was set up in Las Vegas, where different research teams competed to find vulnerabilities in a hotel room and all devices inside. A team, consisting of Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, shell, and Will Caruana, focused their attention on the Dormakaba Saflok electronic locks for hotel rooms. Soon enough, they found two flaws which, when chained together, allowed them to open the doors with a custom-built keycard. First, they needed access to any card from the premises. That could be the card to their own room. Then, they reverse-engineered the Dormakaba front desk software and lock programming device, which allowed them to spoof a working master key which can open any room on the property. Finally, to clone the cards, they needed to break into Dormakaba’s key derivation function. To forge the keycards, the team used a MIFARE Classic card, a commercial card-writing tool, and an Android phone with NFC capabilities. All of this costs just a few hundred dollars, it was said. With their custom-built keycard, the team would be able to access more than three million locks, installed in 13,000 hotels and homes all over the world. Following the publication of the findings, Dormakaba released a statement to the media, saying the vulnerability affects Saflok systems System 6000, Ambiance, and Community. It added that there is no evidence of these flaws ever being exploited in the wild. Via BleepingComputer More from TechRadar Pro This nasty new Android malware can easily bypass Google Play security — and it's already been downloaded thousands of timesHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Researchers have discovered a new side-channel vulnerability in Apple’s M-series of processors that they claim could be used to extract secret keys from Mac devices when they’re performing cryptographic operations. Academic researchers from the University of Illinois Urbana-Champaign, University of Texas at Austin, Georgia Institute of Technology, University of California, University of Washington, and Carnegie Mellon University, explained in a research paper that the vulnerability, dubbed GoFetch, was found in the chips’ data memory-dependent prefetcher (DPM), a optimization mechanism that predicts the memory addresses of data that active code could access in the near future. Since the data is loaded in advance, the chip makes performance gains. However, as the prefetchers make predictions based on previous access patterns, they also create changes in state that the attackers can observe, and then use to leak sensitive information. GoFetch risk The vulnerability is not unlike the one abused in Spectre/Meltdown attacks as those, too, observed the data the chips loaded in advance, in order to improve the performance of the silicon. The researchers also noted that this vulnerability is basically unpatchable, since it’s derived from the design of the M chips themselves. Instead of a patch, the only thing developers can do is build defenses into third-party cryptographic software. The caveat with this approach is that it could severely hinder the processors’ performance for cryptographic operations. Apple has so far declined to discuss the researchers’ findings, and stressed that any performance hits would only be visible during cryptographic operations. While the vulnerability itself might not affect the regular Joe, a future patch hurting the device’s performance just might. Those interested in reading about GoFetch in depth, should check out the research paper here. Via Ars Technica More from TechRadar Pro This nasty new Android malware can easily bypass Google Play security — and it's already been downloaded thousands of timesHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article