Exploit

PDF


Urgent Adobe Acrobat Reader Update Fixes Critical Zero Day Flaw Act Now!

Adobe Acrobat Reader users urged to update after patch fixes critical remote code execution zero-day vulnerability with public PoC exploit.

11-Sep-2024
4 min read

Related Articles


Vulnerability

Over 1,000 ServiceNow instances are misconfigured, leading to the unintentional ...

Over 1,000 ServiceNow Instances Found Leaking Corporate Knowledge Base Data: A Comprehensive Analysis

### Introduction

A recent report has revealed that over 1,000 ServiceNow instances are misconfigured, unintentionally exposing sensitive corporate Knowledge Base (KB) data. The exposed articles contain valuable organizational information, ranging from Personally Identifiable Information (PII) to internal credentials and access tokens, that could be exploited by malicious actors. Despite a 2023 ServiceNow update intended to address this class of issue, misconfigured access controls remain a prevalent risk for organizations that rely on the platform to manage their digital workflows.

### What is ServiceNow?

ServiceNow is a cloud-based platform for digital workflows, integrating IT service management, operations, HR tasks, customer service, and security tools. One of its core features is the Knowledge Base (KB), a repository for internal guides, procedures, and other articles intended to streamline operations. KBs are a critical resource for authorized users, but they become a significant security liability when access is not configured correctly.

### Misconfigured KBs and Data Exposure

A 2023 ServiceNow security update introduced new Access Control Lists (ACLs) to prevent unauthorized access, yet many organizations' KBs remain exposed. The root cause is that most KBs are governed by the User Criteria permission system rather than by ACLs, so the 2023 ACL update does not close the gap. Compounding this, the public-facing widgets that organizations use for customer-facing portals did not receive the ACL patch. Because KB articles are numbered sequentially, an unauthenticated user can enumerate them through these widgets by brute-forcing article numbers with basic tooling such as Burp Suite.

### Scope of the Exposure

According to Aaron Costello, Chief of SaaS Security Research at AppOmni, the exposed KB articles include sensitive organizational information such as:

- Personally Identifiable Information (PII)
- Internal system configurations
- User credentials and tokens
- Access details for live production systems

Severity varies from instance to instance, but the presence of this kind of information is a serious risk for the affected organizations. KB articles use a predictable, sequential ID format (e.g., KB0000001), so an attacker can systematically walk the identifier space and potentially retrieve a large volume of sensitive data.

### The Proof-of-Concept Attack

To demonstrate the severity of the misconfiguration, AppOmni built a proof-of-concept (PoC) showing how an unauthenticated external user could query a ServiceNow instance's public-facing widgets and retrieve KB article data by brute-forcing incremental article IDs. The attack relies on the fact that instances often lack stringent access controls where public widgets are involved. It begins by intercepting a token used to query the instance, then iterates through article IDs until it retrieves articles that were inadvertently exposed by misconfigured permissions.

### Mitigating the Risk: Best Practices for Securing ServiceNow KBs

AppOmni recommends the following actions to protect KB data:

1. User Criteria Configuration. Administrators should ensure that User Criteria restricts access to defined roles. Leaving criteria such as "Any User" or "Guest User" on a KB's Can Read list exposes its articles to external access.

2. Turn Off Public Access. If public access to KB articles is not needed, disable it entirely; this removes the risk of exposing sensitive data to the internet.

3. Implement Security Controls. Enable the following ServiceNow security properties:

   - glide.knowman.block_access_with_no_user_criteria (True): no user, authenticated or not, can access KB articles unless User Criteria is explicitly defined.
   - glide.knowman.apply_article_read_criteria (True): users with "Can Contribute" permission cannot read articles unless they are also explicitly granted "Can Read".
   - glide.knowman.show_unpublished (False): blocks access to draft and unpublished articles, which often contain unreviewed, sensitive information.
   - glide.knowman.section.view_roles.draft (Admin): only administrative roles can view articles in the draft state.
   - glide.knowman.section.view_roles.review (Admin): only administrative roles can view articles under review.

4. Pre-built Out-of-the-Box (OOB) Rules. ServiceNow ships OOB rules that automatically add Guest Users to the "Cannot Read" list for newly created KB articles. Enabling them restricts public access by default.

### ServiceNow's Response

ServiceNow has acknowledged the potential for KB misconfigurations and has begun mitigating the risk. As of September 4, 2024, it is proactively assisting customers with configuring their KBs in line with security best practices. A ServiceNow spokesperson emphasized the company's commitment to ongoing customer support and extensible security protocols so that KBs can be configured to each organization's specific needs.
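The property and User Criteria checks from the mitigation list above, turned into an audit script. This is an added example, not AppOmni's or ServiceNow's code. It evaluates rows shaped like ServiceNow Table REST API output; the rows below are constructed, the `can_read_user_criteria` field name, the Table API queries in the docstring and the public criteria names ("Any User", "Guest User", "Public") are assumptions. It also handles the interaction the property description implies: a KB with no Can Read criteria is world-readable only while `glide.knowman.block_access_with_no_user_criteria` is false.

```python
"""Audit ServiceNow Knowledge Base hardening settings.

Added example, not ServiceNow's or AppOmni's code. It checks sys_properties
rows and Knowledge Base rows against the hardening guidance above. The sample
rows are constructed; in a real audit, pull them with the Table REST API, e.g.
  GET /api/now/table/sys_properties?sysparm_query=nameSTARTSWITHglide.knowman
  GET /api/now/table/kb_knowledge_base?sysparm_fields=title,can_read_user_criteria
using an account permitted to read those tables. The field name
can_read_user_criteria and the public criteria names are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Hardened values from the mitigation list above.
RECOMMENDED = {
    "glide.knowman.block_access_with_no_user_criteria": "true",
    "glide.knowman.apply_article_read_criteria": "true",
    "glide.knowman.show_unpublished": "false",
    "glide.knowman.section.view_roles.draft": "admin",
    "glide.knowman.section.view_roles.review": "admin",
}

# User Criteria names that grant access to anyone (assumed out-of-the-box names).
PUBLIC_CRITERIA = {"any user", "guest user", "public"}


@dataclass(frozen=True)
class Finding:
    subject: str            # property name or Knowledge Base title
    current: Optional[str]  # observed value, None if the property is unset
    expected: str
    reason: str


def _norm(value: Optional[str]) -> str:
    return (value or "").strip().lower()


def audit_kb_properties(records: Iterable[dict]) -> list:
    """Compare sys_properties rows ({'name': ..., 'value': ...}) with RECOMMENDED."""
    present = {r["name"]: r.get("value") for r in records if r.get("name") in RECOMMENDED}
    findings = []
    for name, expected in RECOMMENDED.items():
        if name not in present:
            findings.append(Finding(name, None, expected, "not set; platform default applies"))
            continue
        current = _norm(present[name])
        if name.startswith("glide.knowman.section.view_roles."):
            # Role lists are comma-separated; any role beyond admin widens who sees unpublished states.
            roles = {r.strip() for r in current.split(",") if r.strip()}
            if roles != {expected}:
                findings.append(Finding(name, present[name], expected, "non-admin roles can view this article state"))
        elif current != expected:
            findings.append(Finding(name, present[name], expected, "weak value"))
    return findings


def audit_knowledge_bases(kbs: Iterable[dict], block_without_criteria: bool) -> list:
    """Flag Knowledge Bases readable by unauthenticated or unrestricted users.

    kbs: rows with 'title' and 'can_read_user_criteria' (comma-separated criteria names).
    block_without_criteria: effective value of glide.knowman.block_access_with_no_user_criteria.
    """
    findings = []
    for kb in kbs:
        title = kb.get("title", "<untitled>")
        criteria = {_norm(c) for c in kb.get("can_read_user_criteria", "").split(",") if c.strip()}
        if not criteria and not block_without_criteria:
            findings.append(Finding(title, "", "explicit Can Read criteria",
                                    "no Can Read criteria and block_access_with_no_user_criteria is false"))
        elif criteria & PUBLIC_CRITERIA:
            findings.append(Finding(title, ", ".join(sorted(criteria)), "role-restricted criteria",
                                    "public or guest User Criteria on Can Read"))
    return findings


# Constructed sample rows resembling Table API output (not from a real instance).
SAMPLE_PROPERTIES = [
    {"name": "glide.knowman.block_access_with_no_user_criteria", "value": "true"},
    {"name": "glide.knowman.show_unpublished", "value": "true"},
    {"name": "glide.knowman.section.view_roles.draft", "value": "admin,knowledge_manager"},
    {"name": "glide.knowman.section.view_roles.review", "value": "admin"},
    # glide.knowman.apply_article_read_criteria deliberately absent
]
SAMPLE_KBS = [
    {"title": "IT Support KB", "can_read_user_criteria": "ITIL Users"},
    {"title": "Customer Portal KB", "can_read_user_criteria": "Any User,Guest User"},
    {"title": "Legacy Ops KB", "can_read_user_criteria": ""},
]

if __name__ == "__main__":
    for f in audit_kb_properties(SAMPLE_PROPERTIES):
        print(f"[property] {f.subject}: current={f.current!r} expected={f.expected!r} ({f.reason})")
    for f in audit_knowledge_bases(SAMPLE_KBS, block_without_criteria=False):
        print(f"[kb] {f.subject}: {f.reason}")
```

Run against the sample data, the script reports three property findings (show_unpublished enabled, a non-admin role on the draft view list, and the missing apply_article_read_criteria) and two exposed Knowledge Bases. Feed `audit_knowledge_bases` the real value of the block-access property so that an empty Can Read list is only flagged when it actually means public access.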
### Conclusion

The widespread misconfiguration of ServiceNow instances has exposed sensitive Knowledge Base data and poses a significant security risk to enterprises. While ServiceNow has improved security through ACL updates and proactive customer support, the onus remains on organizations to secure their own KBs. By enforcing strict access controls, disabling unnecessary public access, and using ServiceNow's built-in security properties, enterprises can minimize the risk of exposure and safeguard critical information. Organizations using ServiceNow should audit their Knowledge Base configurations now, confirm that User Criteria is set correctly, and enable all available security properties. Failure to do so leaves valuable corporate information open to exploitation.

17-Sep-2024
5 min read

AT&T

$13Mn FCC Settlement Over 2023 Data Breach ...

The Federal Communications Commission (FCC) has reached a $13 million settlement with AT&T following an extensive investigation into the telecom giant's handling of customer data, specifically its response to a January 2023 breach of a vendor's cloud environment. The settlement follows findings of significant gaps in AT&T's data protection measures, raising concerns about the company's ability to ensure supply chain security and prevent unauthorized access to sensitive customer information.

### The Breach: A Timeline of Events

In January 2023, attackers breached an AT&T vendor responsible for creating personalized video content, such as billing and marketing materials. The breach exposed the personal data of approximately 9 million AT&T wireless customers. Credit card numbers, Social Security numbers, and account passwords were not compromised, but the exposed Customer Proprietary Network Information (CPNI) included first names, wireless account numbers, phone numbers, and email addresses. AT&T promptly notified affected customers, clarifying that the most sensitive personal information remained secure.

The breach was particularly alarming because the vendor had been contractually obligated to destroy or return the customer data after its contract ended, years before the breach. AT&T failed to adequately monitor the vendor's compliance with that obligation, which led to the unauthorized retention and eventual exposure of customer data.

### Supply Chain Integrity and Vendor Oversight Failures

The FCC's investigation extended beyond the breach itself to AT&T's broader privacy and cybersecurity practices. Central to it was supply chain integrity: whether AT&T maintained sufficient oversight of its vendors' data handling. In this case, the vendor's failure to destroy or return customer data on time exposed AT&T's inadequate supervision of third-party compliance with contractual and regulatory obligations. The FCC's findings underscored the need for telecom companies to monitor not only their own data security controls but also those of their vendors. As FCC Chairwoman Jessica Rosenworcel put it, "Carriers must take additional precautions given their access to sensitive information, and we will remain vigilant in ensuring that's the case no matter which provider a customer chooses."

### Strengthening Data Governance and Security Measures

Under the terms of the settlement, AT&T will implement a comprehensive Information Security Program to strengthen customer data protection and enforce strict data retention and disposal policies. Its key elements are:

- Data inventory processes: improved tracking of data shared with third-party vendors, so that all customer data is accounted for and adequately protected.
- Vendor compliance: ensuring vendors adhere to strict data retention and disposal policies, reducing the risk of unauthorized exposure.
- Annual compliance audits: regular audits of AT&T's adherence to the new data security requirements.

### The FCC's Enforcement: A Message to the Telecom Industry

The FCC's action sends a clear signal to the telecommunications industry about safeguarding consumer data. In a statement, Enforcement Bureau Chief Loyaan A. Egal said that "Communications service providers have an obligation to reduce the attack surface and entry points that threat actors seek to exploit in order to access sensitive customer data." The case is a reminder that even when a company's own systems are not directly compromised, it remains accountable for breaches within its supply chain.

### The Continuing Fallout: Additional Data Breaches

The January 2023 breach was not an isolated incident. In July 2024, AT&T disclosed another significant breach in which threat actors accessed call and text records of approximately 109 million customers after gaining unauthorized access to AT&T's workspace on the Snowflake cloud data platform. The exposed records included phone numbers, call durations, and other communication metadata, but not call content, customer names, or highly sensitive personal information. Even so, the scale of the breach raised further concerns about AT&T's ability to secure customer data.

In April 2024, AT&T also notified 51 million current and former customers of a breach involving a dataset that had been offered for sale on hacking forums as early as 2021 and was published in full in March 2024. These successive breaches have intensified scrutiny of AT&T's cybersecurity posture, pushing the company to take more aggressive steps to secure its data assets.

### Conclusion: A New Era of Data Accountability

The $13 million settlement marks a pivotal moment for data security in the telecommunications sector. For AT&T, the agreement is a step toward rebuilding customer trust and holding its vendors to the highest standards of data protection. As digital threats continue to evolve, telecom providers must secure not only their own systems but their entire supply chain. Privacy and security responsibilities do not end at a company's front door; they extend throughout the vendor network. The FCC's action underscores the growing role of regulatory oversight in holding telecom giants accountable for their customers' data, and the necessity of proactive governance and a comprehensive cybersecurity strategy. AT&T's credibility will hinge on preventing similar incidents and demonstrating a genuine commitment to safeguarding the privacy and security of its users.

17-Sep-2024
5 min read

CISA

Cybersecurity and Infrastructure Security Agency (CISA) recently issued a direct...

### 1. Introduction

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued a directive to all U.S. federal agencies requiring immediate action to secure systems against a critical Windows vulnerability, CVE-2024-43461. Microsoft's advisory for this MSHTML flaw initially did not flag it as exploited; it has since been updated to confirm that the bug, chained with another vulnerability (CVE-2024-38112), was exploited in real-world attacks by the Void Banshee Advanced Persistent Threat (APT) group before it was patched.

### 2. Vulnerability Overview: CVE-2024-43461

CVE-2024-43461 is classified as a spoofing bug in the MSHTML engine, which is used by Internet Explorer and Microsoft Office applications. The flaw lies in the way Internet Explorer prompts users after a file is downloaded: an attacker can craft a filename whose true extension is pushed out of view, so the prompt shows what looks like a benign document. Once the target is lured into opening the crafted file from a malicious webpage, arbitrary code runs on the unpatched system. This kind of disguise is a hallmark of phishing campaigns and malware delivery.

### 3. Attack Chain and Exploitation

Void Banshee, a known APT group targeting organizations across North America, Europe, and Southeast Asia, exploited this vulnerability as part of a larger chain that also used CVE-2024-38112. The chain delivered the Atlantida information stealer, which harvests passwords, authentication cookies, and cryptocurrency wallets from infected devices.

The lure is a malicious HTA (HTML Application) file disguised as a PDF document. The attackers appended a long run of braille whitespace characters (U+2800, encoded as %E2%A0%80 in URLs) to the filename, pushing the .hta extension out of the visible portion of the prompt so the victim believes the file is a harmless document.

Detailed exploit flow:

1. File download mechanism: the MSHTML engine fails to display the true file extension, so the crafted filename appears benign (e.g., a .pdf file).
2. Execution trigger: the user is prompted to open what they believe is a legitimate document. Upon execution, malicious code runs in the context of the current user.
3. Payload delivery: the HTA file downloads and installs the Atlantida malware, which starts harvesting sensitive information from the victim's device.

### 4. Impact and Scope

Void Banshee's exploitation of this vulnerability has severe implications for both public and private sector organizations. Once infected, affected systems can be used for:

- Data theft: targeting sensitive user information such as login credentials, authentication cookies, and cryptocurrency wallets.
- Credential harvesting: using stolen credentials for lateral movement within networks.
- Financial gain: many Void Banshee campaigns are financially motivated, focusing on high-value targets across industries.

CISA's directive underscores the critical nature of this vulnerability, classifying it as a high-priority exploit that must be patched immediately to prevent further breaches.

### 5. Mitigation and Patching

Microsoft addressed the chain across the July 2024 and September 2024 Patch Tuesdays. CVE-2024-38112 was patched in July 2024, which disrupted part of the chain; fully remediating CVE-2024-43461 required the September 2024 update.

Required actions:

- Install the July 2024 and September 2024 patches: Microsoft's security updates address both vulnerabilities in the exploit chain, and both must be installed to fully protect affected systems.
- Awareness and training: educate employees on the dangers of opening files from untrusted sources and on scrutinizing the file extensions of downloaded content.

### 6. Federal Agencies Directive: CISA's Mandate

CISA has added CVE-2024-43461 to its Known Exploited Vulnerabilities (KEV) Catalog. Under Binding Operational Directive (BOD) 22-01, federal agencies must remediate the vulnerability by October 7, 2024. The directive emphasizes prompt patching of high-severity exploited flaws. Although it binds only federal agencies, it also serves as a warning to private organizations worldwide: given the ubiquity of Windows and the active exploitation of this bug, all organizations should prioritize patching and deploy protective measures.

### 7. Threat Actor Profile: Void Banshee APT Group

Void Banshee is a financially motivated APT group known for sophisticated information-stealing operations. It has been active against high-value sectors across North America, Europe, and Southeast Asia, and is known for zero-day exploitation, malware obfuscation, and data exfiltration aimed at monetizing unauthorized access to sensitive data.

Objectives of Void Banshee:

- Financial exploitation: primarily data theft that can be monetized, such as login credentials and cryptocurrency wallets.
- Targeting valuable industries: particularly sectors with high financial stakes, such as banking, fintech, and large enterprises.

Their use of zero-day exploits, including CVE-2024-43461, shows their ability to stay ahead of defenses and leverage newly discovered vulnerabilities before patches are widely deployed.

### 8. Conclusion

The CVE-2024-43461 MSHTML spoofing vulnerability, exploited by Void Banshee, is a critical security concern for organizations running Windows. The sophistication of the attack and its potential for significant data theft underscore the need for timely patching and comprehensive mitigation. As directed by CISA, federal agencies must act immediately, and private organizations are urged to follow suit. With threat actors increasingly hiding malicious payloads in seemingly harmless documents, user awareness and disciplined patch management are more critical than ever. Organizations must apply the necessary updates and educate their users about the risks of social engineering and file-based attacks.

### 9. References

- BleepingComputer: CISA warns of Windows flaw used in infostealer malware attacks
- Trend Micro: CVE-2024-43461 exploited in the wild
- Microsoft Security Update Guide
- CISA Binding Operational Directive 22-01
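The filename-disguise step of the exploit flow above, as an added detection example. This is not Microsoft's, Trend Micro's or CISA's code; the sample filenames are constructed to mirror the reported pattern (a benign-looking .pdf name, a run of U+2800 braille blanks, then the real .hta extension). As a generalization beyond the article it also flags the right-to-left override (U+202E) trick, which reverses the displayed tail of a name, and it decodes the %E2%A0%80 form seen in download URLs.

```python
"""Detect file-name extension spoofing of the kind used in the CVE-2024-43461 lures.

Added example; it is not Microsoft's, Trend Micro's or CISA's code. The sample
names below are constructed to mirror the reported pattern: a benign-looking
.pdf name, a long run of U+2800 braille blanks (%E2%A0%80 when URL-encoded),
then the real .hta extension that scrolls out of the download prompt. As a
generalisation beyond the article, the right-to-left override (U+202E) trick,
which reverses the displayed tail of a name, is also handled.
"""
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Characters that render as blank space and can push the real extension out of view.
INVISIBLE = {" ", "\u00a0", "\u2800", "\u202f", "\u205f", "\u3000", "\ufeff"} | {chr(c) for c in range(0x2000, 0x200c)}
RLO = "\u202e"          # RIGHT-TO-LEFT OVERRIDE
MIN_PADDING = 3         # one or two spaces are ordinary; longer runs are concealment
PADDING_RE = re.compile("[" + "".join(re.escape(c) for c in sorted(INVISIBLE)) + "]{%d,}" % MIN_PADDING)

# Extensions Windows will execute (or hand to a script host) on open.
DANGEROUS = {"hta", "exe", "js", "jse", "vbs", "vbe", "wsf", "wsh", "scr", "pif",
             "cmd", "bat", "com", "lnk", "msi", "ps1", "cpl", "url"}


@dataclass(frozen=True)
class Verdict:
    displayed_extension: str   # what the victim sees in the prompt
    true_extension: str        # what the shell will actually execute
    padding: int               # length of the invisible run, 0 if none
    rlo: bool                  # whether U+202E was used

    @property
    def spoofed(self) -> bool:
        return self.true_extension in DANGEROUS and self.displayed_extension != self.true_extension


def _extension(name: str) -> str:
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def analyze_filename(name: str) -> Verdict:
    if RLO in name:
        head, _, tail = name.partition(RLO)
        shown = head + tail[::-1]          # a bidi-aware renderer reverses the tail
        return Verdict(_extension(shown), _extension(name), 0, True)
    m = PADDING_RE.search(name)
    if m is None:
        ext = _extension(name)
        return Verdict(ext, ext, 0, False)
    shown = name[:m.start()]               # a fixed-width prompt shows only this much
    return Verdict(_extension(shown), _extension(name), m.end() - m.start(), False)


def filename_from_url(url: str) -> str:
    """Decode the last path segment so %E2%A0%80 padding is analysed as U+2800."""
    return unquote(posixpath.basename(urlsplit(url).path))


def find_spoofed(names) -> list:
    return [n for n in names if analyze_filename(n).spoofed]


# Constructed samples (not real campaign artefacts).
LURE = "Books_A0UJKO.pdf" + "\u2800" * 26 + ".hta"
RLO_LURE = "invoice_" + RLO + "fdp.exe"            # displays as invoice_exe.pdf
BENIGN = ["quarterly report.pdf", "setup.exe", "README"]

if __name__ == "__main__":
    for n in [LURE, RLO_LURE] + BENIGN:
        v = analyze_filename(n)
        print(f"{n!r:60} shown=.{v.displayed_extension or '?'} real=.{v.true_extension or '?'} spoofed={v.spoofed}")
```

The check is deliberately narrow: a plain `setup.exe` is not flagged, because nothing about its displayed name is misleading; only a dangerous true extension that differs from the visible one counts as spoofing. Run it over filenames from proxy logs, mail gateways or download directories, passing URLs through `filename_from_url` first.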

16-Sep-2024
6 min read