      Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity

      news.movim.eu / ArsTechnica · Wednesday, 29 March, 2023 - 00:24

    Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned.

    The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM’s proprietary FASP—short for Fast, Adaptive, and Secure Protocol—to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow that’s similar to email.

    In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10.

      Federal agency hacked by 2 groups thanks to flaw that went unpatched for 4 years

      news.movim.eu / ArsTechnica · Thursday, 16 March, 2023 - 20:24

    Multiple threat actors—one working on behalf of a nation-state—gained access to the network of a US federal agency by exploiting a four-year-old vulnerability that remained unpatched, the US government warned.

    Exploit activity by one group likely began in August 2021, and by the other last August, according to an advisory jointly published by the Cybersecurity and Infrastructure Security Agency, the FBI, and the Multi-State Information Sharing and Analysis Center. From last November to early January, the server exhibited signs of compromise.

    Vulnerability not detected for 4 years

    Both groups exploited a code-execution vulnerability tracked as CVE-2019-18935 in a developer tool known as the Telerik user interface (UI) for ASP.NET AJAX, which was located in the agency’s Microsoft Internet Information Services (IIS) web server. The advisory didn’t identify the agency other than to say it was a Federal Civilian Executive Branch Agency under the CISA authority.

      Valve waited 15 months to patch high-severity flaw. A hacker pounced

      news.movim.eu / ArsTechnica · Thursday, 9 February, 2023 - 23:07

    Researchers have unearthed four game modes that could successfully exploit a critical vulnerability that remained unpatched in the popular Dota 2 video game for 15 months after a fix had become available.

    The vulnerability, tracked as CVE-2021-38003, resided in the open source JavaScript engine from Google known as V8, which is incorporated into Dota 2. Although Google patched the vulnerability in October 2021, Dota 2 developer Valve didn’t update its software to use the patched V8 engine until last month after researchers privately alerted the company that the critical vulnerability was being targeted.

    Unclear intentions

    A hacker took advantage of the delay by publishing a custom game mode last March that exploited the vulnerability, researchers from security firm Avast said. That same month, the same hacker published three additional game modes that very likely also exploited the vulnerability. Besides patching the vulnerability last month, Valve also removed all four modes.

      Vulnerability with 9.8 severity in Control Web Panel is under active exploit

      news.movim.eu / ArsTechnica · Friday, 13 January, 2023 - 00:56

    Malicious hackers have begun exploiting a critical vulnerability in unpatched versions of the Control Web Panel, a widely used interface for web hosting.

    “This is an unauthenticated RCE,” members of the Shadowserver group wrote on Twitter, using the abbreviation for remote code exploit. “Exploitation is trivial and a PoC published.” PoC refers to a proof-of-concept code that exploits the vulnerability.

    The vulnerability is tracked as CVE-2022-44877. It was discovered by Numan Türle of Gais Cyber Security and patched in October in version 0.9.8.1147. Advisories didn’t go public until earlier this month, however, making it likely some users still aren’t aware of the threat.

      Hundreds of SugarCRM servers infected with critical in-the-wild exploit

      news.movim.eu / ArsTechnica · Wednesday, 11 January, 2023 - 21:16

    For the past two weeks, hackers have been exploiting a critical vulnerability in the SugarCRM (customer relationship management) system to infect users with malware that gives them full control of their servers.

    The vulnerability began as a zero-day when the exploit code was posted online in late December. The person posting the exploit described it as an authentication bypass with remote code execution, meaning an attacker could use it to run malicious code on vulnerable servers with no credentials required. SugarCRM has since published an advisory that confirms that description. The exploit post also included various “dorks,” which are simple web searches people can do to locate vulnerable servers on the Internet.

    Network monitoring service Censys said that as of January 5, it had detected 291 SugarCRM servers infected using the zero-day. That’s close to 10 percent of the total 3,066 SugarCRM servers Censys detected. Infections were highest in the US, with 90, followed by Germany, Australia, and France. In an update on Tuesday, Censys said the number of infections hasn’t ticked up much since the original post.

      Patches for 6 zero-days under active exploit are now available from Microsoft

      news.movim.eu / ArsTechnica · Wednesday, 9 November, 2022 - 00:14

    It’s the second Tuesday of the month, and that means it’s Update Tuesday, the monthly release of security patches available for nearly all software Microsoft supports. This time around, the software maker has fixed six zero-days under active exploit in the wild, along with a wide range of other vulnerabilities that pose a threat to end users.

    Two of the zero-days are high-severity vulnerabilities in Exchange that, when used together, allow hackers to execute malicious code on servers. Tracked as CVE-2022-41040 and CVE-2022-41082, these vulnerabilities came to light in September. At the time, researchers in Vietnam reported they had been used to infect on-premises Exchange servers with web shells, the text-based interfaces that allow people to remotely execute commands.

    Better known as ProxyNotShell, the vulnerabilities affect on-premises Exchange servers. Shodan searches at the time the zero-days became publicly known showed roughly 220,000 servers were vulnerable. Microsoft said in early October that it was aware of only a single threat actor exploiting the vulnerabilities and that the actor had targeted fewer than 10 organizations. The threat actor is fluent in Simplified Chinese, suggesting it has a nexus to China.

      Twitter pranksters derail GPT-3 bot with newly discovered “prompt injection” hack

      news.movim.eu / ArsTechnica · Friday, 16 September, 2022 - 17:38

    On Thursday, a few Twitter users discovered how to hijack an automated tweet bot, dedicated to remote jobs, running on the GPT-3 language model by OpenAI. Using a newly discovered technique called a "prompt injection attack," they redirected the bot to repeat embarrassing and ridiculous phrases.

    The bot is run by Remoteli.io, a site that aggregates remote job opportunities and describes itself as "an OpenAI driven bot which helps you discover remote jobs which allow you to work from anywhere." It would normally respond to tweets directed to it with generic statements about the positives of remote work. After the exploit went viral and hundreds of people tried the exploit for themselves, the bot shut down late yesterday.

    This recent hack came just four days after data researcher Riley Goodside discovered the ability to prompt GPT-3 with "malicious inputs" that order the model to ignore its previous directions and do something else instead. AI researcher Simon Willison posted an overview of the exploit on his blog the following day, coining the term "prompt injection" to describe it.

      0-days sold by Austrian firm used to hack Windows users, Microsoft says

      news.movim.eu / ArsTechnica · Wednesday, 27 July, 2022 - 20:24

    Microsoft said on Wednesday that an Austria-based company named DSIRF used multiple Windows and Adobe Reader zero-days to hack organizations located in Europe and Central America.

    Multiple news outlets have published articles like this one, which cited marketing materials and other evidence linking DSIRF to Subzero, a malicious toolset for “automated exfiltration of sensitive/private data” and “tailored access operations [including] identification, tracking and infiltration of threats.”

    Members of the Microsoft Threat Intelligence Center, or MSTIC, said they have found Subzero malware infections spread through a variety of methods, including the exploitation of what at the time were Windows and Adobe Reader zero-days, meaning the attackers knew of the vulnerabilities before Microsoft and Adobe did. Targets of the attacks observed to date include law firms, banks, and strategic consultancies in countries such as Austria, the UK, and Panama, although those aren’t necessarily the countries in which the DSIRF customers who paid for the attack resided.

      Botched and silent patches from Microsoft put customers at risk, critics say

      news.movim.eu / ArsTechnica · Wednesday, 15 June, 2022 - 00:27

    Blame is mounting on Microsoft for what critics say is a lack of transparency and adequate speed when responding to reports of vulnerabilities threatening its customers, security professionals said.

    Microsoft's latest failing came to light on Tuesday in a post that showed Microsoft taking five months and three patches before successfully fixing a critical vulnerability in Azure. Orca Security first informed Microsoft in early January of the flaw, which resided in the Synapse Analytics component of the cloud service and also affected the Azure Data Factory. It gave anyone with an Azure account the ability to access the resources of other customers.

    From there, Orca Security researcher Tzah Pahima said, an attacker could: