      They have begun: Attacks exploiting vulnerability carry maximum 10 severity rating

      news.movim.eu / ArsTechnica · Tuesday, 3 October, 2023 - 21:53


    Ransomware hackers have started exploiting one or more recently fixed vulnerabilities that pose a grave threat to enterprise networks around the world, researchers said.

    One of the vulnerabilities has a severity rating of 10 out of a possible 10 and another 9.9. They reside in WS_FTP Server, a file-sharing app made by Progress Software. Progress Software is the maker of MOVEit, another piece of file-transfer software that was recently hit by a critical zero-day vulnerability that has led to the compromise of more than 2,300 organizations and the data of more than 23 million people, according to security firm Emsisoft. Victims include Shell, British Airways, the US Department of Energy, and Ontario’s government birth registry, BORN Ontario, the latter of which led to the compromise of information for 3.4 million people.

    About as bad as it gets

    CVE-2023-40044, as the vulnerability in WS_FTP Server is tracked, and a separate vulnerability tracked as CVE-2023-42657 that was patched in the same October 28 update from Progress Software, are both about as critical as vulnerabilities come. With a severity rating of 10, CVE-2023-40044 allows attackers to execute malicious code with high system privileges with no authentication required. CVE-2023-42657, which has a severity rating of 9.9, also allows for remote code execution but requires the hacker to first be authenticated to the vulnerable system.

      Vulnerable Arm GPU drivers under active exploitation. Patches may not be available

      news.movim.eu / ArsTechnica · Monday, 2 October, 2023 - 19:37


    Arm warned on Monday of active ongoing attacks targeting a vulnerability in device drivers for its Mali line of GPUs, which run on a host of devices, including Google Pixels and other Android handsets, Chromebooks, and hardware running Linux.

    “A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Arm officials wrote in an advisory. “This issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0. There is evidence that this vulnerability may be under limited, targeted exploitation. Users are recommended to upgrade if they are impacted by this issue.”

    The advisory continued: “A local non-privileged user can make improper GPU processing operations to access a limited amount outside of buffer bounds or to exploit a software race condition. If the system’s memory is carefully prepared by the user, then this in turn could give them access to already freed memory.”

      Critical vulnerabilities in Exim threaten over 250k email servers worldwide

      news.movim.eu / ArsTechnica · Friday, 29 September, 2023 - 22:59


    Thousands of servers running the Exim mail transfer agent are vulnerable to potential attacks that exploit critical vulnerabilities, allowing remote execution of malicious code with little or no user interaction.

    The vulnerabilities were reported on Wednesday by Zero Day Initiative, but they largely escaped notice until Friday when they surfaced in a security mail list. Four of the six bugs allow for remote code execution and carry severity ratings of 7.5 to 9.8 out of a possible 10. Exim said it has made patches for three of the vulnerabilities available in a private repository. The status of patches for the remaining three vulnerabilities—two of which allow for RCE—is unknown. Exim is an open source mail transfer agent that is used by as many as 253,000 servers on the Internet.

    “Sloppy handling” on both sides

    ZDI provided no indication that Exim has published patches for any of the vulnerabilities, and at the time this post went live on Ars, the Exim website made no mention of any of the vulnerabilities or patches. On the OSS-Sec mail list on Friday, an Exim project team member said that fixes for two of the most severe vulnerabilities and a third, less severe one are available in a “protected repository and are ready to be applied by the distribution maintainers.”

      Unlimited miles and nights: Vulnerability found in rewards programs

      news.movim.eu / ArsTechnica · Saturday, 5 August, 2023 - 10:52


    Travel rewards programs like those offered by airlines and hotels tout the specific perks of joining their club over others. Under the hood, though, the digital infrastructure for many of these programs—including Delta SkyMiles, United MileagePlus, Hilton Honors, and Marriott Bonvoy—is built on the same platform. The backend comes from the loyalty commerce company Points and its suite of services, including an expansive application programming interface (API).

    But new findings, published today by a group of security researchers, show that vulnerabilities in the Points.com API could have been exploited to expose customer data, steal customers' “loyalty currency” (like miles), or even compromise Points global administration accounts to gain control of entire loyalty programs.

    The researchers—Ian Carroll, Shubham Shah, and Sam Curry—reported a series of vulnerabilities to Points between March and May, and all the bugs have since been fixed.

      Millions of servers inside data centers imperiled by flaws in AMI BMC firmware

      news.movim.eu / ArsTechnica · Thursday, 20 July, 2023 - 19:29


    Two years ago, ransomware crooks breached hardware-maker Gigabyte and dumped more than 112 gigabytes of data that included information from some of its most important supply-chain partners, including Intel and AMD. Now researchers are warning that the leaked booty revealed what could amount to critical zero-day vulnerabilities that could imperil huge swaths of the computing world.

    The vulnerabilities reside inside firmware that Duluth, Georgia-based AMI makes for BMCs, or baseband management controllers. These tiny computers soldered into the motherboard of servers allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of computers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system—even when it's turned off. BMCs provide what’s known in the industry as “lights-out” system management.

    Lights out forever

    Researchers from security firm Eclypsium analyzed AMI firmware leaked in the 2021 ransomware attack and identified vulnerabilities that had lurked for years. They can be exploited by any local or remote attacker with access to an industry-standard remote-management interface known as Redfish to execute malicious code that will run on every server inside a data center.

      MOVEit app mass-exploited last month patches new critical vulnerability

      news.movim.eu / ArsTechnica · Friday, 7 July, 2023 - 19:10


    MOVEit, the file-transfer software exploited in recent weeks in one of the biggest cyberattacks ever, has received yet another security update that fixes a critical vulnerability that could be exploited to give hackers access to vast amounts of sensitive data.

    On Thursday, MOVEit maker Progress Software published a security bulletin that included fixes for three newly discovered vulnerabilities in the file-transfer application. The most serious of them, tracked as CVE-2023-36934, allows an unauthenticated attacker to gain unauthorized access to the application database. It stems from a security flaw that allows for SQL injection, one of the oldest and most common exploit classes.

    The vulnerability contains the same elements—and, likely, the same potentially devastating consequences—as one that came to light in late May when members of the Clop ransomware crime syndicate began mass-exploiting it on vulnerable networks around the world. To date, the Clop offensive has hit 229 organizations and spilled data affecting more than 17 million people, according to statistics tracked by Brett Callow, an analyst with security firm Emsisoft. Casualties include Louisiana and Oregon DMVs, the New York City Department of Education, and energy companies Schneider Electric and Siemens Electric.

      Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking

      news.movim.eu / ArsTechnica · Thursday, 6 July, 2023 - 19:45


    The maintainers of the open-source software that powers the Mastodon social network published a security update on Thursday that patches a critical vulnerability making it possible for hackers to backdoor the servers that push content to individual users.

    Mastodon is based on a federated model. The federation comprises thousands of separate servers known as "instances." Individual users create an account with one of the instances, which in turn exchange content to and from users of other instances. To date, Mastodon has more than 24,000 instances and 14.5 million users, according to the-federation.info, a site that tracks statistics related to Mastodon.

    A critical bug tracked as CVE-2023-36460 was one of two vulnerabilities rated as critical that were fixed on Thursday. In all, Mastodon on Thursday patched five vulnerabilities.

      Actively exploited vulnerability threatens hundreds of solar power stations

      news.movim.eu / ArsTechnica · Wednesday, 5 July, 2023 - 20:21


    Hundreds of Internet-exposed devices inside solar farms remain unpatched against a critical and actively exploited vulnerability that makes it easy for remote attackers to disrupt operations or gain a foothold inside the facilities.

    The devices, sold by Osaka, Japan-based Contec under the brand name SolarView, help people inside solar facilities monitor the amount of power they generate, store, and distribute. Contec says that roughly 30,000 power stations have introduced the devices, which come in various packages based on the size of the operation and the type of equipment it uses.

    Searches on Shodan indicate that more than 600 of them are reachable on the open Internet. As problematic as that configuration is, researchers from security firm VulnCheck said Wednesday, more than two-thirds of them have yet to install an update that patches CVE-2022-29303, the tracking designation for a vulnerability with a severity rating of 9.8 out of 10. The flaw stems from the failure to neutralize potentially malicious elements included in user-supplied input, leading to remote attacks that execute malicious commands.

      Researchers tell owners to “assume compromise” of unpatched Zyxel firewalls

      news.movim.eu / ArsTechnica · Wednesday, 31 May, 2023 - 22:33


    Firewalls made by Zyxel are being wrangled into a destructive botnet, which is taking control of them by exploiting a recently patched vulnerability with a severity rating of 9.8 out of a possible 10.

    “At this stage if you have a vulnerable device exposed, assume compromise,” officials from Shadowserver, an organization that monitors Internet threats in real time, warned four days ago. The officials said the exploits are coming from a botnet that’s similar to Mirai, which harnesses the collective bandwidth of thousands of compromised Internet devices to knock sites offline with distributed denial-of-service attacks.

    According to data from Shadowserver collected over the past 10 days, 25 of the top 62 Internet-connected devices waging “downstream attacks”—meaning attempting to hack other Internet-connected devices—were made by Zyxel as measured by IP addresses.
