alt=Abstract red digital background with white "ivanti" logo in the center.
Cyber security
2025-01-10 Post a Comment

Ivanti warns of new Connect Secure flaw used in zero-day attacks

By

Ivanti is warning that hackers exploited a Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 in zero-day attacks to install malware on appliances.

The company says it became aware of the vulnerabilities after the Ivanti Integrity Checker Tool (ICT) detected malicious activity on customers’ appliances. Ivanti launched an investigation and confirmed that threat actors were actively exploiting CVE-2025-0282 as a zero-day.

CVE-2025-0282 is a critical (9.0) stack-based buffer overflow bug in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows a unauthenticated attacker to remotely execute code on devices.

While the flaw impacts all three products, Ivanti says they have only seen it exploited on Ivanti Connect Secure appliances.

“We are aware of a limited number of customers’ Ivanti Connect Secure appliances which have been exploited by CVE-2025-0282 at the time of disclosure,” reads an Ivanti blog post.

“We are not aware of these CVEs being exploited in Ivanti Policy Secure or Neurons for ZTA gateways.”

Ivanti has rushed out security patches for Ivanti Connect Secure, which are resolved in firmware version 22.7R2.5.

However, patches for Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways will not be ready until January 21, according to a security bulletin published today.

Ivanti Policy Secure: This solution is not intended to be internet facing, which makes the risk of exploitation significantly lower. The fix for Ivanti Policy Secure is planned for release on January 21, 2025, and will be available in the standard download portal. Customers should always ensure that their IPS appliance is configured according to Ivanti recommendations and not expose it to the internet. We are not aware of these CVEs being exploited in Ivanti Policy Secure.

Ivanti Neurons for ZTA Gateways: The Ivanti Neurons ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. The fix is planned for release on January 21, 2025. We are not aware of these CVEs being exploited in ZTA Gateways.

The company recommends all Ivanti Connect Secure admins perform internal and external ICT scans.

If the scans come up clean, Ivanti still recommends admins perform a factory reset before upgrading to Ivanti Connect Secure 22.7R2.5.

However, if the scans show signs of a compromise, Ivanti says a factory reset should remove any installed malware. The appliance should then be put back into production using version 22.7R2.5

Today’s security updates also fix a second vulnerability tracked as CVE-2025-0283, which Ivanti says is not currently being exploited or chained with CVE-2025-0282. This flaw allows an authenticated local attacker to escalate their privileges.

As Ivanti is working with Mandiant and the Microsoft Threat Intelligence Center to investigate the attacks, we will likely see reports about the detected malware shortly.

BleepingComputer contacted Ivanti with further questions about the attacks and will update this story if we receive a response.

In October, Ivanti released security updates to fix three Cloud Services Appliance (CSA) zero-days that were actively exploited in attacks.

read more
alt=1. Windows 10 security update for April 2019, enhancing system protection and addressing vulnerabilities.
Cyber security
2024-08-28 Post a Comment

Windows Downdate tool lets you ‘unpatch’ Windows systems

By

SafeBreach security researcher Alon Leviev has released his Windows Downdate tool, which can be used for downgrade attacks that reintroduce old vulnerabilities in up-to-date Windows 10, Windows 11, and Windows Server systems.

In such attacks, threat actors force up-to-date targeted devices to revert to older software versions, thus reintroducing security vulnerabilities that can be exploited to compromise the system.

Windows Downdate is available as an open-source Python-based program and a pre-compiled Windows executable that can help downgrade Windows 10, Windows 11, and Windows Server system components.

Leviev has also shared multiple usage examples that allow downgrading the Hyper-V hypervisor (to a two-year-old version), Windows Kernel, the NTFS driver, and the Filter Manager driver (to their base versions), and other Windows components and previously applied security patches.

“You can use it to take over Windows Updates to downgrade and expose past vulnerabilities sourced in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets and more,” SafeBreach security researcher Alon Leviev explained.

“Other than custom downgrades, Windows Downdate provides easy to use usage examples of reverting patches for CVE-2021-27090, CVE-2022-34709, CVE-2023-21768 and PPLFault, as well as examples for downgrading the hypervisor, the kernel, and bypassing VBS’s UEFI locks.”

Leviev-Windows-Downdate-tweet

As Leviev said at Black Hat 2024 when he disclosed the Windows Downdate downgrade attack—which exploits the CVE-2024-21302 and CVE-2024-38202 vulnerabilities—using this tool is undetectable because it cannot be blocked by endpoint detection and response (EDR) solutions and Windows Update keeps reporting that the targeted system is up-to-date (despite being downgraded).

“I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access,” Leviev said.

“As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term “fully patched” meaningless on any Windows machine in the world.”

While Microsoft released a security update (KB5041773) to fix the CVE-2024-21302 Windows Secure Kernel Mode privilege escalation flaw on August 7, the company has yet to provide a patch for CVE-2024-38202, a Windows Update Stack elevation of privilege vulnerability.

Until a security update is released, Redmond advises customers to implement recommendations shared in the security advisory published earlier this month to help protect against Windows Downdate downgrade attacks.

Mitigation measures for this issue include configuring “Audit Object Access” settings to monitor file access attempts, restricting update and restore operations, using Access Control Lists to limit file access, and auditing privileges to identify attempts to exploit this vulnerability.

read more
alt=1. A red triangle featuring a prominent hook attached to its base, symbolizing strength and stability.
Cyber security
2024-08-28 Post a Comment

Microsoft Sway abused in massive QR code phishing campaign

By

​A massive QR code phishing campaign abused Microsoft Sway, a cloud-based tool for creating online presentations, to host landing pages to trick Microsoft 365 users into handing over their credentials.

The attacks were spotted by Netskope Threat Labs in July 2024 after detecting a dramatic 2,000-fold increase in attacks exploiting Microsoft Sway to host phishing pages that steal Microsoft 365 credentials. This surge sharply contrasts the minimal activity reported during the year’s first half, showing the large scale of this campaign.

They primarily targeted users in Asia and North America, with the technology, manufacturing, and finance sectors being the most sought-after targets.

The emails redirected potential victims to phishing landing pages hosted on the sway.cloud.microsoft domain, pages that encouraged the targets to scan QR codes that would send them to other malicious websites.

Attackers often encourage victims to scan QR codes using their mobile devices, which typically come with weaker security measures, thus increasing the chances of bypassing security controls and allowing them to access phishing sites without restrictions.

“Since the URL is embedded inside an image, email scanners that can only scan text-based content can get bypassed. Additionally, when a user gets sent a QR code, they may use another device, such as their mobile phone, to scan the code,” the security researchers explained.

“Since the security measures implemented on mobile devices, particularly personal cell phones, are typically not as stringent as laptops and desktops, victims are then often more vulnerable to abuse.”

Sample Sway phishing page
Sample Microsoft Sway phishing page (Netskope)

The attackers employed several tactics to further boost their campaign’s effectiveness, like transparent phishing, where they stole the credentials and multi-factor authentication codes and used them to sign the victims into their Microsoft accounts while showing them the legitimate login page.

They also used Cloudflare Turnstile, a tool intended to protect websites from bots, to hide their landing pages’ phishing content from static scanners, helping to maintain the phishing domain’s good reputation and avoid getting blocked by web filtering services like Google Safe Browsing.

Microsoft Sway was also abused in the PerSwaysion phishing campaign, which targeted Office 365 login credentials five years ago using a phishing kit offered in a malware-as-a-service (MaaS) operation.

As Group-IB security researchers revealed at the time, those attacks tricked at least 156 high-ranking individuals at small and medium financial services companies, law firms, and real estate groups.

Group-IB said that over 20 of all harvested Office 365 accounts belong to executives, presidents, and managing directors at organizations in the U.S., Canada, Germany, the U.K., the Netherlands, Hong Kong, and Singapore.

read more
Trustpilot
The rating of livingsafeonline.com at Trustprofile Reviews is 9.1/10 based on 13 reviews.
Verified by MonsterInsights