In-the-Wild Exploitation of Recent ManageEngine Vulnerability Commences

Cloud risk management and threat detection firm Rapid7 warns that it has seen organizations being compromised in attacks exploiting a recently patched Zoho ManageEngine vulnerability.

Tracked as CVE-2022-47966, the security defect exists in a third-party dependency (Apache xmlsec, also known as XML Security for Java, version 1.4.1), allowing attackers to execute arbitrary code remotely without authentication.

Deemed ‘critical severity’, the issue was brought to light in November 2022, when Zoho announced that patches were released for more than 20 on-premises products that are impacted.

A NIST advisory explains that the bug exists “because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.”

Earlier this month, automated penetration testing firm Horizon3.ai warned that there are at least a thousand vulnerable ManageEngine products exposed to the internet, and that all of them were susceptible to spray and pray attacks.

Horizon3.ai also published a proof-of-concept (PoC) exploit targeting the issue.

Now, Rapid7 says it has been responding to compromises resulting from the active exploitation of CVE-2022-47966. The attacks appear to have started before Horizon3.ai released its PoC exploit.

The cybersecurity firm underlines that some of the impacted products, including ADSelfService Plus and ServiceDesk Plus, are highly popular among organizations, and that they are known to have been targeted in previous attacks.

Other impacted products include Access Manager Plus, Active Directory 360, ADAudit Plus, ADManager Plus, Application Control Plus, Device Control Plus, Endpoint Central, Endpoint Central MSP, PAM 360, Password Manager Pro, Remote Monitoring and Management (RMM), SupportCenter Plus, and Vulnerability Manager Plus.

“Organizations using any of the affected products listed in ManageEngine’s advisory should update immediately and review unpatched systems for signs of compromise, as exploit code is publicly available and exploitation has already begun,” Rapid7 warns.

Threat intelligence company GreyNoise has also started seeing attacks exploiting CVE-2022-47966.

Related: Zoho Urges ManageEngine Users to Patch Serious SQL Injection Vulnerability

Related: CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation

Related: Zoho Patches Critical Vulnerability in Endpoint Management Solutions


Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/wild-exploitation-recent-manageengine-vulnerability-commences




Sophisticated ‘VastFlux’ Ad Fraud Scheme That Spoofed 1,700 Apps Disrupted

A sophisticated ad fraud scheme that spoofed over 1,700 applications and 120 publishers peaked at 12 billion ad requests per day before being taken down, bot attack prevention firm Human says.

Dubbed VastFlux, the scheme relied on JavaScript code injected into digital ad creatives, which resulted in fake ads being stacked behind one another to generate revenue for the fraudsters. More than 11 million devices were impacted in the scheme.

The JavaScript code used by the fraudsters allowed them to stack multiple video players on top of one another, generating ad revenue when, in fact, the user was never shown the ads.

VastFlux, Human says, was an adaptation of an ad fraud scheme identified in 2020, targeting in-app environments that run ads, especially on iOS, and deploying code that allowed the fraudsters to evade ad verification tags.

At the first step of the fraudulent operation, an application would contact its primary supply-side partner (SSP) network to request a banner ad to be displayed.

Demand-side partners (DSPs) would place bids for the slot and, if the winner was VastFlux-connected, several scripts would be injected while a static banner image was placed in the slot.

The injected scripts would decrypt the ad configurations, which included a player hidden behind the banner and parameters for additional video players to be stacked. The script would also call the command-and-control (C&C) server to request details on what was to be displayed behind the banner.

The received instructions include both a publisher ID and an app ID that VastFlux would spoof. The size of the ads would also be spoofed and only certain third-party advertising tags were allowed to run inside the hidden video player stack.

What Human discovered was that as many as 25 ads could be stacked on top of one another, with the fraudsters receiving payment for all of them, although none would be shown to the user.

Additionally, the cybersecurity firm noticed that new ads would be loaded until the ad slot with the malicious ad code was closed.

“It’s in this capacity that VastFlux behaves most like a botnet; when an ad slot is hijacked, it renders sequences of ads the user can’t see or interact with,” Human notes.

From late June into July 2022, Human attempted to take down the scheme using three mitigation actions, which eventually resulted in the VastFlux traffic being reduced by more than 92%.

The cybersecurity firm says it has identified the fraudsters and worked with the victim organizations to mitigate the fraud, which resulted in the threat actors shutting down their C&C servers.

“As of December 6th, bid requests associated with VastFlux, which reached a peak of 12 billion requests per day, are now at zero,” Human says.

Related: Google, Apple Remove ‘Scylla’ Mobile Ad Fraud Apps After 13 Million Downloads

Related: US Recovers $15 Million From Ad Fraud Group

Related: Ad Fraud Operation Accounted for Large Amount of Connected TV Traffic


Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/sophisticated-vastflux-ad-fraud-scheme-spoofed-1700-apps-disrupted




Critical Vulnerabilities Patched in OpenText Enterprise Content Management System

Several vulnerabilities described as having critical and high impact, including ones allowing unauthenticated remote code execution, have been found and patched in OpenText’s enterprise content management (ECM) product.

The vulnerabilities were discovered by a researcher at cybersecurity consultancy Sec Consult in OpenText’s Extended ECM, which is designed for managing the distribution and use of information across an organization. Specifically, the flaws impact the product’s Content Server component.

The security firm this week published three different advisories describing its findings.

OpenText was informed about the vulnerabilities in October 2022 and patched them earlier this month with the release of version 22.4, according to Sec Consult.

One of the critical vulnerabilities, tracked as CVE-2022-45923, can allow an unauthenticated attacker to execute arbitrary code using specially crafted requests.

The second critical flaw, CVE-2022-45927, impacts the Java Frontend of the OpenText Content Server component and can allow an attacker to bypass authentication. Exploitation could ultimately lead to remote code execution.

Sec Consult has also identified five types of vulnerabilities in the Content Server component that can be exploited by authenticated attackers.

These issues, rated ‘high impact’, can be exploited to delete arbitrary files on the server, escalate privileges, obtain potentially valuable information, launch server-side request forgery (SSRF) attacks, and execute arbitrary code.

Proof-of-concept (PoC) code is available for the high-impact issues, but the advisories describing the critical flaws do not include PoC code in an effort to prevent malicious exploitation.

Related: Vendor Refuses to Remove Backdoor Account That Can Facilitate Attacks on Industrial Firms

Related: InfiRay Thermal Camera Flaws Can Allow Hackers to Tamper With Industrial Processes

Related: OpenText Acquires Email Security Firm Zix for $860 Million


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


https://www.securityweek.com/critical-vulnerabilities-patched-opentext-enterprise-content-management-system




EU’s Breton Warns TikTok CEO: Comply With New Digital Rules

The European Union’s digital policy chief warned TikTok’s boss Thursday that the social media app will have to fall in line with tough new rules for online platforms set to take effect later this year.

EU Commissioner Thierry Breton held a video call with Shou Zi Chew, the CEO of TikTok, the popular Chinese-owned video sharing app that’s coming under increasing scrutiny from Western authorities over fears about data privacy, cybersecurity and misinformation.

The two discussed the company’s plans to comply with the bloc’s Digital Services Act, which is set to take effect for the biggest online companies in September. The act is a set of sweeping rules that will require platforms to reduce harmful online content and combat online risks.

“With younger audiences comes greater responsibility,” Breton said, according to a readout of the call. “It is not acceptable that behind seemingly fun and harmless features, it takes users seconds to access harmful and sometimes even life-threatening content.”

Breton added that, with millions of young users in Europe, TikTok has a “special responsibility” to ensure its content is safe.

TikTok is hugely popular with young people but its Chinese ownership has stoked fears that Beijing could use it to scoop up user data or push pro-China narratives or misinformation. TikTok is owned by ByteDance, a Chinese company that moved its headquarters to Singapore in 2020.

Earlier this month, Shou met four other officials from the EU’s executive Commission in Brussels to discuss concerns ranging from child safety to investigations into user data flowing to China. In the U.S., at least 22 states, the military and Congress have banned the TikTok app from government-issued devices.

A London-based spokesperson for TikTok didn’t respond immediately to a request for comment. The company’s Brussels-based director of public policy and government relations, Caroline Greer, said on Twitter that Breton’s talk with Shou was a “good exchange” and that the “safety of our users is paramount.”

Breton said he is also concerned about allegations TikTok is spying on journalists and transferring reams of personal user data outside of Europe, in violation of the 27-country bloc’s strict privacy rules.

Breton said he “explicitly conveyed” to Shou that TikTok needs to “step up efforts to comply” with EU rules on data protection and copyright, as well as the Digital Services Act, which includes provisions for heavy fines or even a ban from the EU for repeat offenses that threaten people’s lives or safety.

“We will not hesitate to adopt the full scope of sanctions to protect our citizens if audits do not show full compliance,” he said.

Greer said TikTok “welcomed the opportunity” to reiterate its commitment to the Digital Services Act and outlined efforts to comply with EU rules on privacy and a voluntary code of practice on disinformation for tech companies.

Related: Five Ways TikTok Is Seen as Threat to US National Security

Related: FBI Director Raises National Security Concerns About TikTok

Related: China’s ByteDance Admits Using TikTok Data to Track Journalists


Previous Columns by Associated Press:

https://www.securityweek.com/eus-breton-warns-tiktok-ceo-comply-new-digital-rules




PayPal Warns 35,000 Users of Credential Stuffing Attacks

Online payments system PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

“On December 20, 2022, we confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials,” the company said in the notification letter sent to the impacted individuals.

According to PayPal, between December 6 and 8, 2022, a third party accessed user accounts using login credentials obtained elsewhere. The unauthorized access was eliminated on December 8.

The company says the attackers likely obtained the login credentials via phishing or related nefarious activity, as it found no evidence that the company’s systems were breached.

The attackers, the company says, were able to access and potentially steal personal information from the victim accounts, including names, addresses, phone numbers, birth dates, individual tax identification numbers, and Social Security numbers.

“As of the time of writing, we have no information suggesting that any personal information was misused as a result of this incident, nor have there been unauthorized transactions on the affected accounts,” PayPal told the Maine Attorney General’s Office.

The online payments platform says it reset the passwords for the impacted user accounts and implemented “enhanced security controls to prevent any further unauthorized access”.

“We have not informed law enforcement of this incident, and this notification was not delayed as a result of a law enforcement investigation,” PayPal said.

The company told the Maine Attorney General that a total of 34,942 individuals were impacted in the incident.

In credential stuffing attacks, threat actors use leaked credentials obtained from a third-party source (often purchased on hacker forums) to access user accounts on different services. Such attacks are possible due to the reuse of credentials across multiple services.

Related: DraftKings Data Breach Impacts Personal Information of 68,000 Customers

Related: FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks

Related: NY AG: Credential Stuffing Impacts 1.1 Million Users at 17 Companies


Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/paypal-warns-35000-users-credential-stuffing-attacks




Ransomware Revenue Plunged in 2022 as More Victims Refuse to Pay Up: Report

Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands, according to data from Chainalysis.

A report published by the blockchain data company on Thursday shows that the cryptocurrency addresses known to have been used by ransomware groups received a total of $457 million last year, compared to $766 million in 2021, which represents a drop of more than 40%.

While Chainalysis may not be aware of all addresses used by these cybercrime gangs, it’s clear that ransomware profits have significantly decreased.

On the other hand, the volume of attacks does not seem to have dropped, with thousands of companies being targeted last year and tens of thousands of malware strains used in attacks.

According to data from Coveware, a company that helps organizations respond to ransomware attacks, the percentage of companies that paid up in 2022 dropped to 41%, from 50% in 2021 and 70% in 2020.

There are likely multiple factors that have resulted in fewer companies giving in to the cybercriminals’ extortion demands. One is that in many cases victims could risk violating sanctions if they pay up.

In recent years, after several cities and universities in the United States admitted paying significant ransoms to cybercriminals, the Treasury Department issued warnings to organizations facilitating ransomware payments — such as cyberinsurance companies, financial institutions, and providers of incident response — that they face legal action if the entities they pay are on sanctions lists.

In addition, cyberinsurance companies, which may have had to reimburse their customers for ransomware payments, have made some changes in terms of who they insure and what the insurance covers.

Data backups have also likely played an important role in the drop in ransomware payments. With ransomware attacks making many headlines in the past years, companies are increasingly backing up their data in case it’s encrypted by ransomware.

One noteworthy aspect is that there is a relatively small group of people that profits from ransomware attacks.

Chainalysis has pointed out that while there appears to be an increasing number of ransomware groups, in reality, the members of these groups likely overlap in many cases.

“We’ve seen time and time again that many affiliates carry out attacks for several different strains. So, while dozens of ransomware strains may technically have been active throughout 2022, many of the attacks attributed to those strains were likely carried out by the same affiliates,” the company noted.

Related: UK Warns Lawyers Not to Advise Ransomware Payments

Related: US Treasury Sanctions Crypto Exchange in Anti-Ransomware Crackdown

Related: European Union Extends Framework for Cyberattack Sanctions


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


https://www.securityweek.com/ransomware-revenue-plunged-2022-more-victims-refuse-pay-report




Chinese Hackers Exploited Fortinet VPN Vulnerability as Zero-Day

A China-linked threat actor was observed exploiting a recently disclosed Fortinet FortiOS SSL-VPN vulnerability when it was still a zero-day, months before patches were released, Mandiant reports.

The security bug, tracked as CVE-2022-42475 (CVSS score of 9.8), is described as a buffer overflow issue that could be exploited by remote, unauthenticated attackers to execute code or commands via crafted requests.

The flaw impacts FortiOS SSL-VPN versions 7.2.0 – 7.2.2, 7.0.0 – 7.0.8, 6.4.0 – 6.4.10, 6.2.0 – 6.2.11, and 6.0.15 and earlier, as well as FortiProxy SSL-VPN versions 7.2.0 – 7.2.1, and 7.0.7 and earlier.
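As an added example (not code from SecurityWeek, Fortinet or Mandiant), the following Python script checks a device inventory against the version ranges listed above for CVE-2022-42475. The host names and inventory records are constructed, and reading "and earlier" as every older release of that product is an assumption.

```python
import re

# Affected ranges exactly as listed in the article for CVE-2022-42475.
# Bounds are inclusive. A lower bound of None encodes "and earlier"
# (assumption: every older release of that product is treated as affected).
AFFECTED = {
    "fortios": [
        ((7, 2, 0), (7, 2, 2)),
        ((7, 0, 0), (7, 0, 8)),
        ((6, 4, 0), (6, 4, 10)),
        ((6, 2, 0), (6, 2, 11)),
        (None, (6, 0, 15)),
    ],
    "fortiproxy": [
        ((7, 2, 0), (7, 2, 1)),
        (None, (7, 0, 7)),
    ],
}

# Accepts "7.0.8", "v7.0.8" and strings with a trailing build suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as integers, or raise ValueError."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(product, version):
    """True if the product/version pair falls inside a range from the article."""
    ranges = AFFECTED.get(product.strip().lower())
    if ranges is None:
        raise ValueError(f"product not covered by this check: {product!r}")
    parsed = parse_version(version)
    # Integer tuples compare numerically, so 6.4.10 sorts after 6.4.9;
    # a plain string comparison would get that wrong.
    return any(
        (low is None or low <= parsed) and parsed <= high
        for low, high in ranges
    )


def triage(inventory):
    """Sort (host, product, version) records into three buckets.

    "not_listed" only means the version is outside the ranges quoted in the
    article; "review" collects records that could not be evaluated.
    """
    result = {"affected": [], "not_listed": [], "review": []}
    for host, product, version in inventory:
        try:
            bucket = "affected" if is_affected(product, version) else "not_listed"
        except ValueError:
            bucket = "review"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.2.2"),
    ("fw-edge-02", "FortiOS", "7.2.3"),
    ("fw-branch-07", "FortiOS", "v6.4.10"),
    ("fw-branch-09", "FortiOS", "6.4.11"),
    ("fw-lab-03", "FortiOS", "5.6.14"),
    ("proxy-01", "FortiProxy", "7.0.7"),
    ("proxy-02", "FortiProxy", "7.0.8"),
    ("fw-old-11", "FortiOS", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Devices in the "affected" bucket are the ones to patch first and to review for signs of compromise; records in "review" need their version confirmed by hand.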

In December 2022, Fortinet announced emergency patches for the bug, warning that it was already being exploited in attacks. Last week, the company warned that threat actors were seen exploiting CVE-2022-42475 to hack governments.

The company noted that the observed exploitation could be attributed to an advanced threat actor that, based on malware compilation times, could be located somewhere in the APAC region.

Now, Mandiant says that a China-linked threat actor started exploiting the vulnerability in October 2022, targeting a European government organization and a managed service provider in Africa.

The attackers deployed a backdoor called Boldmove, which can be used to enable lateral movement and the tunneling of commands to the command-and-control (C&C) server. Both Windows and Linux variants of the malware have been identified, with the latter tailored to run on FortiGate firewalls.

Mandiant says it has not directly observed exploitation of CVE-2022-42475 to deploy Boldmove, but identified hardcoded C&C IP addresses in the malware that Fortinet previously associated with the flaw’s exploitation.

The threat intelligence firm discovered Windows variants of the malware compiled in 2021, but says it had not seen the threat used in attacks before.

A fully featured backdoor written in C, Boldmove has a core set of features across the identified Windows and Linux variants, but at least one Linux iteration can modify the behavior and functionality of Fortinet firewalls.

The malware includes support for commands to list information on files, create/delete folders, move and replace files, execute shell commands, create an interactive shell, and delete and replace itself, among others.

The extended version of Boldmove can disable specific Fortinet daemons, likely to prevent logging, can modify proprietary Fortinet logs on the system, features a watchdog that allows it to persist across upgrades, and allows the attackers to send requests to an internal Fortinet service.

“We assess with low confidence that this operation has a nexus to the People’s Republic of China. China-nexus clusters have historically shown significant interest in targeting networking devices and manipulating the operating system or underlying software which supports these devices,” Mandiant notes.

Related: Fortinet Patches High-Severity Authentication Bypass Vulnerability in FortiOS

Related: Fortinet Confirms Zero-Day Vulnerability Exploited in One Attack

Related: Cybercriminals Selling Access to Networks Compromised via Recent Fortinet Vulnerability


Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/chinese-hackers-exploited-fortinet-vpn-vulnerability-zero-day




Ransomware Shuts Hundreds of Yum Brands Restaurants in UK

A ransomware attack forced the parent company of KFC and Taco Bell to close several hundred restaurants in the United Kingdom this week.

A government filing posted Thursday says the attack impacted information technology systems. Yum Brands said the attackers took company data, but that there is no evidence customer data was stolen.

Around 300 U.K. stores were closed for one day but are now operational, Yum said. There are more than 1,000 KFC and Taco Bell outlets in the UK and Ireland, according to company websites, but Yum did not divulge which brands were impacted.

Ransomware is used to hold a target’s data hostage until the attacker is paid, though it is not known if Yum paid any money in this case. Yum Brands Inc., based in Louisville, Kentucky, did not immediately respond to requests for comment from The Associated Press Thursday.

The UK was the European country most targeted by observed ransomware attacks last month, with 21, followed by Germany with 11, according to the cybersecurity firm NCC Group.

The company said it alerted law enforcement and hired cybersecurity professionals to conduct an investigation. The company also took some systems offline and installed enhanced monitoring technology.

Yum said it’s not aware of any other restaurant disruptions due to the attack and doesn’t expect the closures to have a material impact on its business.

Ransomware attacks have hit food companies before. In 2021, Brazil-based JBS SA — the world’s largest meat processing company — paid the equivalent of $11 million to hackers who broke into its computer system.

Related: Ransomware Attack on DNV Ship Management Software Impacts 1,000 Vessels

Related: Rackspace Completes Investigation Into Ransomware Attack

Related: FBI Warns Ransomware Attack Could Disrupt Food Supply Chain


Previous Columns by Associated Press:

https://www.securityweek.com/ransomware-shuts-hundreds-yum-brands-restaurants-uk




Drupal Patches Vulnerabilities Leading to Information Disclosure

Drupal this week announced software updates that resolve a total of four vulnerabilities in Drupal core and three plugins that could lead to unauthorized access to data.

The Drupal core issue exists because the Media Library module does not perform proper checks on entity access in some cases, which could allow users who can edit content to view metadata about media items that they should not have access to.

An identical issue impacts the Media Library Form API Element plugin, which supports the use of the media library in custom forms, without having to use the Media Library Widget.

According to Drupal, both vulnerabilities are “mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field”.

The third flaw, which was patched in the Media Library Block plugin, which supports the rendering of media entities in a block, has a similar root cause: improper check of media access in some circumstances.

The vulnerability could allow users to see media items without authorization, provided that a block containing restricted media is placed on a page. To mitigate the bug, administrators can remove blocks referencing media items with access restrictions.

The fourth vulnerability was identified in the Entity Browser plugin, which enables users to “select entities from entity reference fields using a custom browser widget”.

Lack of proper entity access checks in some cases could allow users who have access to edit content to view entity metadata without authorization. Only users who can edit content using Entity Browser would be able to view the metadata.

The issues were resolved with the release of Drupal versions 10.0.2, 9.5.2, and 9.4.10, Media Library Form API Element version 2.0.6, Media Library Block version 1.0.4, and Entity Browser version 8.x-2.9.

Drupal assessed these vulnerabilities with a severity rating of ‘moderately critical’, which is roughly the equivalent of ‘medium severity’. More information on the resolved issues can be found on Drupal’s product security page.

Related: Drupal Updates Patch Vulnerability in Twig Template Engine

Related: Code Execution and Other Vulnerabilities Patched in Drupal

Related: Drupal Patches ‘High-Risk’ Third-Party Library Flaws


Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/drupal-patches-vulnerabilities-leading-information-disclosure




T-Mobile Says Hackers Used API to Steal Data on 37 Million Accounts

Wireless carrier T-Mobile on Thursday fessed up to another massive data breach affecting approximately 37 million current postpaid and prepaid customer accounts.

In a filing with the Securities and Exchange Commission (SEC), T-Mobile said that an unidentified malicious actor abused an API without authorization to access customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.

The telco provider said the data stolen did not include payment information, passwords or other sensitive data. 

T-Mobile said the data breach was detected on January 5 this year and was contained “within a day of learning of the malicious activity.”

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” T-Mobile said.

The company said its systems and policies prevented the most sensitive types of customer information from being accessed and that, as a result, based on its investigation to date, customer accounts and finances were not put at risk directly by this event.

From the 8-K filing:

The API abused by the bad actor does not provide access to any customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information, so none of this information was exposed.

Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features. The preliminary result from our investigation indicates that the bad actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set.

We currently believe that the bad actor first retrieved data through the impacted API starting on or around November 25, 2022. We are continuing to diligently investigate the unauthorized activity. In addition, we have notified certain federal agencies about the incident, and we are concurrently working with law enforcement. Additionally, we have begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements.

This isn’t the first time T-Mobile has scrambled to contain a major data breach.

Last year, the notorious Lapsus$ cybercrime gang compromised T-Mobile systems in a hacking carnage that led to source code access and access to an internal customer account management tool, which could be used to conduct SIM swapping.

T-Mobile has also disclosed data breaches affecting customer data in 2019 and 2020, and an incident that impacted more than 54 million customers in 2021. Last November, authorities in 40 U.S. states reached a settlement totaling more than $16 million with Experian and T-Mobile over data breaches suffered by the companies in 2012 and 2015.

According to the results of a survey released this week of more than 400 US-based professionals (more than 90% of whom were developers or security people), 53% claimed to have suffered an API breach, while 77% claimed their company was very or extremely effective in managing their tokens.

Related: Hackers Accessed Information of T-Mobile Prepaid Customers

Related: T-Mobile Notifying Customers of Another Data Breach

Related: Lapsus$ Hackers Gained Access to T-Mobile Systems, Source Code 

Related: US States Announce $16M Settlement With Experian, T-Mobile Over Data Breaches


Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series.
Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan’s past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World.
Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.


https://www.securityweek.com/t-mobile-says-hackers-used-api-steal-data-37-million-accounts