Hackerzhome

Cybersecurity news all over the world

HACKERZHOME NEWS

February 17, 2023

Friday

RCE Critical Vulnerability found in the open-source antivirus program ClamAV

Cisco has released security updates to address a serious vulnerability in the ClamAV open-source antivirus engine that could allow remote code execution on vulnerable systems.

The issue, tracked as CVE-2023-20032 (CVSS score: 9.8), is a remote code execution flaw in the HFS+ file parser component.

Versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier are affected by the bug. The flaw was discovered and reported by Simon Scannell, a security engineer at Google.

Successful exploitation could allow an adversary to crash the ClamAV scanning process, causing a denial-of-service (DoS) condition, or to execute arbitrary code with the privileges of the ClamAV scanning process.

According to the networking equipment maker, the following products are vulnerable:
Advanced Malware Prevention (AMP) for Endpoints, formerly known as Secure Endpoint (Windows, macOS, and Linux).
Secure Web Appliance, formerly known as Web Security Appliance.
Secure Endpoint Private Cloud.

Cisco also confirmed that Secure Email Gateway (formerly Email Security Appliance) and Secure Email and Web Manager (formerly Security Management Appliance) are not affected by the vulnerability.
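A quick way for an administrator to tell whether an installed ClamAV build falls inside the affected ranges listed above. This is an added example, not code from Cisco or the ClamAV project; it assumes the `clamscan --version` banner starts with "ClamAV x.y.z" and encodes only the version ranges the advisory text states.

```python
import re
import shutil
import subprocess

# Last affected release on each branch, as stated in the advisory text:
# 1.0.0 and earlier, 0.105.1 and earlier, 0.103.7 and earlier.
LAST_AFFECTED = {
    (1, 0): (1, 0, 0),
    (0, 105): (0, 105, 1),
    (0, 103): (0, 103, 7),
}

VERSION_RE = re.compile(r"ClamAV\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from `clamscan --version` output,
    which looks like 'ClamAV 0.105.1/26800/Fri Feb 17 ...' (assumed format)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no ClamAV version found in: %r" % banner)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version sits inside one of the affected ranges."""
    branch = version[:2]
    if branch in LAST_AFFECTED:
        return version <= LAST_AFFECTED[branch]
    # Branches not named by the advisory (e.g. 0.104.x) are covered by
    # "1.0.0 and earlier"; anything newer than 1.0.0 is treated as fixed.
    return version < (1, 0, 0)


def check_installed():
    """Run clamscan locally and report whether the build is affected."""
    if shutil.which("clamscan") is None:
        return None  # ClamAV not installed on this host
    out = subprocess.run(["clamscan", "--version"],
                         capture_output=True, text=True).stdout
    return is_affected(parse_version(out))


if __name__ == "__main__":
    result = check_installed()
    print("clamscan not found" if result is None else
          ("AFFECTED by CVE-2023-20032" if result else "not affected"))
```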

NEWS 1


FatalRAT malware is being disseminated by hackers using Google Adwords and popular apps as cover

A recent fraudulent Google Adwords campaign targets Mandarin speakers in Southeast and East Asia, infecting target PCs with remote access trojans like FatalRAT.

ESET said in research published today that the attacks involve buying ad placements that appear in Google search results and steering users searching for popular software to rogue websites hosting trojanized installers. The ads have since been removed.

Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office are among the software programs being impersonated.

Most victims are concentrated in Taiwan, China, and Hong Kong, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia, and Myanmar. The attackers’ ultimate goals are still unknown.

The core of the attacks is the creation of fake websites with typosquatted domain names that distribute the malicious installer. To keep up the facade, the installer sets up the legitimate software but also drops a loader that activates FatalRAT.

This gives the attacker full control over the affected machine, allowing them to launch files, execute arbitrary shell commands, harvest data from web browsers, and log keystrokes.

NEWS 2

For placing advertisements and promotions in this newspaper, or anywhere on our website, contact us through email at admin@hackerzhome.org or fill out this contact form.




Hackers use the new Frebniis virus to get access to Microsoft IIS systems.


Hackers are deploying a brand-new piece of malware called “Frebniis” on Microsoft’s Internet Information Services (IIS) that covertly executes commands received through web requests.

Symantec’s Threat Hunter Team discovered Frebniis and said it is being actively used against targets in Taiwan by a currently unidentified threat actor.

Microsoft IIS is both a web server and a platform for hosting web applications, such as Outlook on the Web for Microsoft Exchange.

In the attacks Symantec has observed, the hackers abuse an IIS feature known as “Failed Request Event Buffering” (FREB), which collects request metadata (IP address, HTTP headers, cookies).

Its goal is to assist server administrators in troubleshooting unusual HTTP status codes or issues with request processing.

A second HTTP parameter, a base64-encoded string, instructs Frebniis to connect to and execute commands on other systems through the compromised IIS server, potentially reaching protected internal systems that are not exposed to the internet.

However, advanced network traffic monitoring tools may still be able to spot the anomalous behavior of malware like Frebniis.
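One concrete place to look for the behavior described above is the IIS W3C request log: requests whose query string carries a second parameter holding a long base64 blob are worth a closer look. This is an added triage heuristic, not Symantec’s detection logic or anything from the Frebniis analysis; the parameter names, IP addresses and log lines are constructed, and the base64 length floor is an assumed tuning value.

```python
import base64
import binascii
import re
from urllib.parse import unquote

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_iis_log(lines):
    """Yield one dict per request from an IIS W3C log. The #Fields
    directive names the columns; other '#' lines are ignored."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def looks_base64(value, min_len=24):
    """Heuristic: long, alphabet-clean string that decodes without error.
    Short tokens and ordinary words fall below the length floor (assumed)."""
    if len(value) < min_len or len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except binascii.Error:
        return False


def split_query(query):
    """Split name=value pairs without the '+' -> ' ' translation that
    parse_qsl applies, so a raw base64 '+' survives intact."""
    return [(unquote(n), unquote(v))
            for n, _, v in (p.partition("=") for p in query.split("&"))]


def suspicious_requests(lines):
    """Return (client ip, path, query) for requests whose query string has
    a second or later parameter that looks like a base64 blob."""
    hits = []
    for rec in parse_iis_log(lines):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        params = split_query(query)
        if len(params) >= 2 and any(looks_base64(v) for _, v in params[1:]):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], query))
    return hits


# Constructed sample log (not real traffic); the blob is an encoded URL so
# an analyst decoding it sees something recognisable.
BLOB = base64.b64encode(b"http://10.0.0.5:8443/admin").decode()
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2023-02-17 10:01:02 203.0.113.7 GET /owa/ - 200",
    "2023-02-17 10:01:05 203.0.113.7 GET /logon.aspx id=7 200",
    "2023-02-17 10:02:11 198.51.100.9 GET /logon.aspx id=42&p=" + BLOB + " 200",
]
```

Only the third request is flagged; a single ordinary parameter such as `id=7` never trips the check, which keeps the heuristic quiet on normal traffic.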

NEWS 3

Attacks by hackers begin to make use of the Havoc post-exploitation framework

NEWS 4

Threat actors are reportedly migrating from expensive solutions like Cobalt Strike and Brute Ratel to the new Havoc command and control (C2) framework, which is open-source and free.

Among Havoc’s more notable features are its cross-platform support and its ability to evade Microsoft Defender on up-to-date Windows 11 systems using sleep obfuscation, return address stack spoofing, and indirect syscalls.

Like other post-exploitation frameworks, Havoc ships with a wide range of modules that let pen testers (and hackers) perform a variety of operations on compromised devices, including running commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shellcode.

The “attacker” can view all of their compromised devices, events, and task output through a web-based management console.

A report from the ReversingLabs research team earlier this month found that the framework was also being delivered through a malicious npm package (Aabquerys) that typosquatted the name of a legitimate module to disguise its malicious nature.

Scandinavian Airlines claims a cyberattack led to the disclosure of passenger data.

Scandinavian Airlines (SAS) has published a notice alerting customers that a recent multi-hour outage of its website and mobile app was caused by a cyberattack that also exposed customer data.

The cyberattack caused a malfunction in the airline’s online systems that made some passengers’ information visible to other travelers. This data includes contact information, past and upcoming flights, and the last four digits of a credit card number.

The airline, which operates a fleet of 131 aircraft and flies to 168 destinations, says the risk from this exposure is small because the financial data disclosed is incomplete and difficult to misuse. It also makes clear that no passport information was exposed.

However, if threat actors or scammers obtained the exposed data during the attack, full names and contact details are enough to enable targeted phishing attacks.

The threat actors say they attacked SAS in response to an incident on January 21, 2023, in Stockholm, Sweden, in which a far-right nationalist group burned a copy of the Holy Quran in protest of Turkey’s concerns about Sweden’s NATO membership bid.

NEWS 5
