Aggregator

Morphisec researchers have recently uncovered a critical vulnerability in Microsoft Outlook, identified as CVE-2024-30103. It can execute malicious code as soon as an email is opened. We will explore the technical aspects of CVE-2024-30103, examining how this vulnerability can be exploited and assessing its potential impact on your systems. This vulnerability presents a significant security […]

The post 0-Click Outlook Vulnerability Triggered RCE When Email is Opened – Technical Analysis appeared first on Cyber Security News.

Belarusian national Maksim Silnikau, who was operating under the ‘J.P. Morgan’ moniker, is believed to be one of the world’s most prolific Russian-speaking cybercriminals

保障新型电力系统稳步建设！

As digital currencies have grown, so have cryptocurrency scams, posing significant user risks. The rise of AI and deepfake technology has intensified scams exploiting famous personalities and events by creating realistic fake videos. Platforms like X and YouTube have been especially targeted, with scammers hijacking high-profile accounts to distribute fraudulent content. This report delves into the CryptoCore group's complex scam operations, analyzing their use of deepfakes, hijacked accounts, and fraudulent websites to deceive victims and profit millions of dollars.

The post CryptoCore: Unmasking the Sophisticated Cryptocurrency Scam Operations appeared first on Avast Threat Labs.

Ukrainian researchers have discovered a phishing campaign targeting local state agencies with remot

Full Disclosuremailing list archivesFrom: Security Explorations

As part of ongoing growth and digital transformation, many enterprises encounter the challenge of m

The traffic graphs on Cloudflare Radar have been enhanced to include HTTP request traffic. This new metric complements the existing bytes-based “HTTP traffic” view, and the new graphs can be found on Radar’s Overview and Traffic pages

That’s a wrap for Black Hat 2024! We had a great show and met many of you at the booth

That’s a wrap for Black Hat 2024! We had a great show and met many of you at the booth or on the show floor. I hope you were able to come by, watched a session by Jason Kent, Hacker in Residence at Cequence, or Parth Shukla, Security Engineer at Cequence, and maybe even entered […]

The post Cequence Storms Black Hat with API Security Testing for Generative AI Applications appeared first on Cequence Security.

The post Cequence Storms Black Hat with API Security Testing for Generative AI Applications appeared first on Security Boulevard.

Let’s face it: Cyberthreats aren’t going anywhere. As technology continues to evolve and grow, so

Healthcare / VulnerabilityCybersecurity researchers have discovered two security flaws in Microsof

Cybersecurity researchers have discovered two security flaws in Microsoft's Azure Health Bot Service that, if exploited, could permit a malicious actor to achieve lateral movement within customer environments and access sensitive patient data. The critical issues, now patched by Microsoft, could have allowed access to cross-tenant resources within the service, Tenable said in a new report shared

Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.

Key takeaways

• The Azure Health Bot Service is a cloud platform that allows healthcare professionals to deploy AI-powered virtual health assistants.
• Tenable Research discovered critical vulnerabilities that allowed access to cross-tenant resources within this service. Based on the level of access granted, it’s likely that lateral movement to other resources would have been possible.
• According to Microsoft, mitigations for these issues have been applied to all affected services and regions. No customer action is required. 

(Source: Image generated via ChatGPT 4o / DALL-E by Nick Miles)

An overview of the Azure Health Bot Service

This is how Microsoft describes the Azure Health Bot Service:

“The Azure Health Bot Service is a cloud platform that empowers developers in Healthcare organizations to build and deploy compliant, AI-powered virtual health assistants, that help them improve processes and reduce costs. It allows healthcare organizations to create experiences that act as copilots for their healthcare professionals to further manage administrative workloads, and experiences that engage with their patients.”

Essentially, the service allows healthcare providers to create and deploy patient-facing chatbots to handle administrative workflows within their environments. Thus, these chatbots generally have some amount of access to sensitive patient information, though the information available to these bots can vary based on each bot’s configuration.

While auditing this service for security issues, Tenable researchers became interested in a feature dubbed "Data Connections" in the service's documentation. These data connections allow bots to interact with external data sources to retrieve information from other services that the provider may be using, such as a portal for patient information or a reference database for general medical information.

The first discovery

This data connection feature is designed to allow the service’s backend to make requests to third-party APIs. While testing these data connections to see if endpoints internal to the service could be interacted with, Tenable researchers discovered that many common endpoints, such as Azure’s Internal Metadata Service (IMDS), were appropriately filtered or inaccessible. Upon closer inspection, however, it was discovered that issuing redirect responses (e.g. 301/302 status codes) allowed these mitigations to be bypassed.

“A server-side request forgery is a web security vulnerability that allows an attacker to force an application on a remote host to make requests to an unintended location.”

For example, by configuring a data connection within the service’s scenario editor, researchers were able to specify an external host under their control.

On this external host, researchers configured it to respond to requests with a 301 redirect response destined for Azure’s IMDS.

#!/usr/bin/python3 from http.server import HTTPServer, BaseHTTPRequestHandler def servePage(s, hverb): s.protocol_version = 'HTTP/1.1' s.server_version = 'Microsoft-IIS/8.5' s.sys_version = '' s.send_response(301) s.send_header('Location','http://169.254.169.254/metadata/instance?api-version=2021-12-13') s.end_headers() message = "" s.wfile.write(bytes(message, "utf8")) return class StaticServer(BaseHTTPRequestHandler): def do_GET(self): servePage(self, "GET") return def main(server_class=HTTPServer, handler_class=StaticServer, port=80): server_address = ('', port) httpd = server_class(server_address, handler_class) httpd.serve_forever() main()

After obtaining a valid metadata response, researchers attempted to obtain an access token for management.azure.com.

With this token, researchers were then able to list the subscriptions they had access to via a call to https://management.azure.com/subscriptions?api-version=2020-01-01, which provided them with a subscription ID internal to Microsoft.

Finally, researchers were able to list the resources they had access to via https://management.azure.com/subscriptions/<REDACTED>/resources?api-version=2020-10-01. The resulting list of resources contained hundreds and hundreds of resources belonging to other customers.

A quick fix

Upon seeing that these resources contained identifiers indicating cross-tenant information (i.e. information for other users/customers of the service), Tenable researchers immediately halted their investigation of this attack vector and reported their findings to MSRC on June 17, 2024. MSRC acknowledged Tenable’s report and began their investigation the same day. 

Within the week, MSRC confirmed Tenable’s report and began introducing fixes into the affected environments. As of July 2, MSRC has stated that fixes have been rolled out to all regions. To Tenable’s knowledge, no evidence was discovered that indicated this issue had been exploited by a malicious actor.

Doing it again

Once MSRC stated that this issue had been fixed, Tenable Research picked up where it left off to confirm that the original proof-of-concepts provided to MSRC during the disclosure process were no longer functional. As it turns out, the fix for this issue was to simply reject redirect status codes altogether for data connection endpoints, which eliminated this attack vector.

That said, researchers discovered another endpoint used for validating data connections for FHIR endpoints. This validation mechanism was more or less vulnerable to the same attack described above. The difference between this issue and the first is the overall impact. The FHIR endpoint vector did not have the ability to influence request headers, which limits the ability to access IMDS directly. While other service internals are accessible via this vector, Microsoft has stated that this particular vulnerability had no cross-tenant access.

As before, the researchers immediately halted their investigation and reported the finding to Microsoft, opting to respect MSRC’s guidance regarding accessing cross-tenant resources. This second issue was reported on July 9 with fixes available by July 12. As with the first issue, to Tenable’s knowledge, no evidence was discovered that indicated this issue had been exploited by a malicious actor.

Conclusion

The vulnerabilities discussed in this post involve flaws in the underlying architecture of the AI chatbot service rather than the AI models themselves. As explained by Lucas Tamagna-Darr in a Tenable research blog post last week, this highlights the continued importance of traditional web application and cloud security mechanisms in this new age of AI powered services.

Please see TRA-2024-27 and TRA-2024-28 for more information regarding each of the discoveries mentioned in this post.

Scammers have exploited the popularity of former President Donald Trump and tech mogul Elon Musk to deceive unsuspecting victims. According to a recent tweet by Avast Threat Labs, the fraudulent scheme involved hijacking YouTube accounts to broadcast fake interviews, and within just a few hours, it amassed approximately $9,000. Hijacked YouTube Accounts Fuel Deception The […]

The post CryptoScam Strikes Misusing Trump & Musk Interview appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

Персонал отеля обыскивает номера хакеров – что они хотят найти?

Tuesday, August 13, 2