All about Selenium Grid Tool

Selenium Grid’s widespread adoption among developers, combined with its default lack of authentication, makes it an appealing target for attackers. These campaigns exploit the tool’s ability to run code on remote systems, allowing attackers to distribute and execute malicious payloads, such as exploit kits, cryptominers, and proxyjackers. This poses a significant threat to organizations using Selenium Grid for testing and automation, as it can lead to unauthorized system access and malware infections.

Attackers exploited an unsecured Selenium Grid instance lacking authentication. They injected a base64-encoded Python script into the “goog” configuration, executed via the Python3 binary in the WebDriver setup.

The script disabled shell command history logging and downloaded a reverse shell (GSocket) from a remote server, which created an encrypted TCP connection, allowing remote command execution on the compromised system.

A malicious script, “pl,” retrieved from a command and control server, performs system checks, stops specific Docker containers, and sets the installation path.

It then downloads IPRoyal Pawn and EarnFM payloads, used for selling the user’s internet bandwidth as a proxy service and other malicious activities. Additionally, “pl” includes a base64-encoded script “tm,” which checks for root privileges, installs Docker if needed, and configures Docker images for “traffmonetizer” and “WatchTower.”

The attacker used a multi-stage approach, starting with a base64-encoded Python script injected into Chrome that decoded into a Bash script. This prepared the system, downloaded an ELF binary packed with UPX, and attempted to exploit CVE-2021-4043 for root access.

The binary connected to Tor nodes for C2 communication, deployed cryptomining binaries, set up cron jobs for persistence, and created temporary directories for mining files.

The SHC-compiled ELF binary “Top” is a Bash script that checks environment variables to determine its actions. It exits if “ABWTRX” is set, or modifies the PATH and cleans up processes and files if “AAZHDE” is not. It then runs the “top” command to display system processes. This script was used to exploit misconfigured Selenium Grid instances, underscoring the need for proper authentication and configuration to prevent attacks.

The post Hackers leverage Selenium Grid for malicious activity appeared first on First Hackers News.

Emansrepo Malware

All three phishing chains use 7z archive files to deliver payloads. Chain 1 uses a dropper disguised as a download page, triggering a fake download that redirects the user and installs a preconfigured Python infostealer.

Chain 2 uses a nested HTA file with JavaScript to decrypt and download a PowerShell script, which, like Chain 1, installs the Python stealer via a batch file. Chain 3 uses a BatchShield-obfuscated batch file to download and run a PowerShell script, leading to the same Python infostealer.

Emansrepo is a Python infostealer that targets user data in three stages:

1. Part 1: Steals user info and text files (under 0.2 MB) from Desktop, Documents, and Downloads folders, as well as login data, credit card info, and browsing history from various browsers.
2. Part 2: Targets PDF files (under 0.1 MB) and compresses browser extensions, crypto wallets, and game platform data into zip files.
3. Part 3: Collects browser cookies, zipping them into {process_name}_cookies.zip.

A new Remcos malware campaign, using a phishing email with a malicious DBatLoader attachment, mirrors the attack pattern of the earlier Python infostealer.

Both share identical email content but differ in distribution methods. The Remcos campaign uses a simpler approach, directly downloading and decrypting the Remcos payload, protected by a packer.

Emansrepo, an active threat actor since November, continuously evolves its attack methods and malware. FortiGuard urges organizations to stay vigilant due to the dynamic nature of these threats.

IOCs

Address

hxxps://bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta[.]ipfs[.]dweb[.]link/wetrankfr[.]zip
hxxps://bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y[.]ipfs[.]w3s[.]link/myscr649612[.]js
https://estanciaferreira[.]com[.]br/wp-includes/TIANJIN-DOC-05082024-xls[.]7z
hxxps://dasmake[.]top/reader/timer[.]php
hxxps://hedam[.]shop/simple/Enquiry.7z
191[.]101[.]130[.]185
192[.]236[.]232[.]35

Email address

stealsmtp@dasmake[.]xyz
hanbox@dasmake[.]xyz
publicsmtp@dasmake[.]xyz
publicbox@dasmake[.]xyz
minesmtp8714@dasmake[.]xyz
minestealer8412@dasmake.xyz
minesmtp8714@maternamedical[.]top
minestealer8412@maternamedical[.]top
extensionsmtp@maternamedical[.]top
filelogs@maternamedical[.]top
cookiesmtp@maternamedical[.]top
cooklielogs@maternamedical[.]top

Phishing mail

a6c2df5df1253f50bd49e7083fef6cdac544d97db4a6c9c30d7852c4fd651921
9e5580d7c3c22e37b589ec8eea2dae423c8e63f8f666c83edabecf70a0948b99
9bd3b8d9ac6ad680b0d0e39b82a439feedd87b9af580f37fa3d80d2c252fef8c
915bad0e2dbe0a18423c046f84d0ff7232fff4e5ba255cc710783f6e4929ab32
64e5c9e7b8dfb8ca8ca73895aa51e585fa7e5414f0e1d10659d3a83b9f770333
b343cce5381b8633b3fd3da56698f60db70c75422e120235a00517d519e37d8d
32bcbce53bfee33112b447340e7114d6d46be4ccf1a5391ad685431afdc8fb86

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post New Emansrepo Malware Targets Windows via HTML Files appeared first on First Hackers News.

Voice Over Wi-Fi flaw

Voice over Wi-Fi (VoWiFi) uses IPsec tunnels to route IP-based calls through mobile network operators’ core networks via the Evolved Packet Data Gateway (ePDG).

The process involves negotiating encryption parameters and exchanging keys via the Internet Key Exchange protocol, followed by authentication. VoWi-Fi enhances coverage and saves costs by providing cellular network access without traditional radio networks.

However, many operators still use outdated Diffie-Hellman groups, ignore 3GPP specs, and share private keys across regions, raising security concerns.

These vulnerabilities risk exposing VoWiFi communications to MITM attacks, compromising data integrity and confidentiality. Security practices in VoWiFi are assessed by examining carrier configurations on various smartphone platforms.

Devices like iPhones and Android models may use outdated or weak cryptographic algorithms, such as the insecure DH21024 group.

Apple uses single-algorithm settings for VoWiFi, while Android supports multiple options. Key lifetimes of 10 to 24 hours may allow for attacks.

This highlights the need for standardized VoWiFi configurations. An analysis of Internet Key Exchange (IKE) handshakes revealed vulnerabilities: 275 of 423 tested ePDG domains responded, and 33 rejected all key exchange methods.

Most alarmingly, session security was compromised as 12 operators shared ten static private keys, allowing decryption of session secrets. Poor practices, such as handshake and nonce reuse, violate IKEv2 specifications. These findings expose systemic flaws in VoWiFi, increasing vulnerability to man-in-the-middle attacks and underscoring the need for improved security measures in VoWiFi protocols.

Recommendations for Addressing Voice Over Wi-Fi Flaws:

1. Update Cryptographic Algorithms: Transition from outdated algorithms and weak Diffie-Hellman groups to more secure, modern algorithms.
2. Implement Strong Key Management: Avoid sharing static private keys across operators and ensure unique key management practices to prevent decryption of session secrets.
3. Enhance Configuration Standards: Standardize VoWiFi configurations across manufacturers and operators to ensure consistent security practices and reduce vulnerabilities.
4. Regularly Update Firmware: Ensure that all devices use the latest firmware versions to address known vulnerabilities and apply security patches promptly.
5. Improve Security Practices: Adhere strictly to IKEv2 specifications to prevent handshake and nonce reuse, which can lead to security breaches.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Critical Flaw in Voice Over Wi-Fi Allows Eavesdropping appeared first on First Hackers News.

What is SMS Bombing

SMS bombing, also known as text bombing or SMS flooding, is a cyberattack where an attacker sends a large volume of text messages to a target’s phone number in a short period of time. The purpose of SMS bombing is to overwhelm the target’s device with a flood of incoming messages, causing disruptions such as draining the phone’s battery, slowing down or crashing the messaging app, or even rendering the device temporarily unusable.

SMS bombing can be carried out using automated tools or scripts that send numerous messages to the target’s phone number. Attackers may use SMS bombing for various malicious purposes, including harassment, revenge, or disrupting the target’s communication.

SMS Bomber attacks can serve various purposes, including trolling, cyberbullying, or diverting the target’s attention.

These attacks often involve the use of simple scripts and are facilitated through underground forums, messaging platforms like Telegram, ICQ, and Discord, as well as open-source code sharing platforms such as GitHub and Replit. Throughout our research, our goal was to maintain a comprehensive understanding of SMS Bomber attacks and their impact.

Example of SMS Bombing

An example of SMS bombing might involve an individual using an automated tool or script to send hundreds or even thousands of text messages to a target’s phone number within a short period of time.

For instance, let’s say an individual wants to harass someone they have a grudge against. They obtain the target’s phone number and input it into an SMS bombing tool they found online. They set the tool to send 500 text messages to the target’s phone number every minute.

As a result, the target’s phone begins receiving an overwhelming number of text messages, causing their device to slow down or freeze. The continuous stream of messages may drain the phone’s battery quickly and make it difficult for the target to use their device for normal communication.

In this scenario, the attacker’s goal is to disrupt the target’s communication and cause frustration or inconvenience. SMS bombing attacks like this can have serious consequences for the target and are considered illegal and unethical.

How to prevent SMS bombing

To prevent SMS bombing, consider the following measures:

1. Use a Spam Filter: Enable spam filters on your messaging app or mobile device to automatically detect and block suspicious messages.
2. Enable Do Not Disturb Mode: Activate “Do Not Disturb” mode on your phone to silence notifications from unknown or unwanted numbers.
3. Block Suspicious Numbers: Block phone numbers that are sending spam or unwanted messages to prevent further communication.
4. Report Spam: Report spam messages to your mobile service provider or the appropriate authorities to help identify and stop the source of the spam.
5. Use Security Software: Install reputable security software on your device that includes features to detect and block spam messages.
6. Avoid Sharing Personal Information: Be cautious about sharing your phone number online or with unknown individuals or websites to minimize the risk of receiving unsolicited messages.
7. Update Software: Keep your messaging app and mobile operating system up to date with the latest security patches and updates to protect against known vulnerabilities.
8. Educate Yourself: Stay informed about the latest SMS bombing techniques and scams, and educate yourself on how to recognize and avoid suspicious messages.
9. Use Two-Factor Authentication (2FA): Enable two-factor authentication on your accounts whenever possible to add an extra layer of security and prevent unauthorized access, even if your phone number is compromised.
10. Contact Your Service Provider: If you are being targeted by SMS bombing or receiving a high volume of spam messages, contact your mobile service provider for assistance and advice on how to address the issue.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post SMS Bombing: The Risks and Dangers of Text Message Attacks appeared first on First Hackers News.

WHAT IS SYSDF RANSOMWARE?

SYSDF ransomware is another variant of the Dharma ransomware family, which has been active since 2016. Initially identified on February 16, it adds a unique “.SYSDF” extension to encrypted files, along with a complex mask containing attack details such as victim ID and contact email for the hackers. After encryption, affected files exhibit the following pattern:

Image1.png → Image1.png.id-C3B22A85.[Dec24hepl@aol.com].SYSDF

Upon finishing the encryption, malware creates its specific read.txt files in each folder that includes encrypted files, and also on the desktop. Additionally, malware spawns and opens a file named info.hta, so it acts as notification for a victim. Below, you can see the messages from both ransom notes.

Text in the read.txt ransom note:

all your data has been locked us


You want to return?


write email Dec24hepl@aol.com

HOW TO RECOVER .SYSDF FILES?

Regrettably, there are currently no viable options for decrypting files affected by Dharma ransomware. Many online file recovery services offered by purported “certified hackers” merely facilitate negotiations with cybercriminals. Paying these criminals is ill-advised, as it incentivizes further attacks. While losing files is undoubtedly unpleasant, statistics indicate that there are numerous avenues available for file recovery.

Explore options such as searching for backups or file duplicates stored outside the affected system or network. Even retrieving a previous version of the file is preferable to losing it entirely. Additionally, ransomware decryptors offer hope by exploiting vulnerabilities in encryption mechanisms, providing a means to recover files without payment. In January and February 2024 alone, four decryptors for various ransomware families were released. Exercise patience, as this option is becoming increasingly popular in combating ransomware attacks.

HOW TO REMOVE RANSOMWARE?

Before attempting any file recovery operations, it’s crucial to remove the malware first. SYSDF doesn’t vanish after completing encryption; it remains active, continuously seeking out new files to encrypt. Rest assured, it will swiftly encrypt any fresh, unencrypted files as soon as they are added to the disk.

The post SYSDF Ransomware: Analysis, .SYSDF File Recovery, and Removal Guide appeared first on First Hackers News.

WHAT IS A ZERO-DAY ATTACK?

A zero-day attack is a type of cyber threat that takes advantage of a software vulnerability unknown to the developer or vendor. Attackers exploit this undisclosed weakness before a fix or patch is available, making it challenging for security measures to detect or prevent such attacks. Zero-day attacks can target various applications, posing a significant challenge for cybersecurity professionals.

Cyber attackers exploit undisclosed vulnerabilities in programs or operating systems to execute their code more effectively. The frequently utilized exploits include those enabling remote code execution and privilege escalation, granting attackers extensive control within the compromised environment. These sophisticated attacks are typically directed at corporations, given their possession of more valuable data.

Exploiting a breach without raising alarms or attracting attention is made simple when the only individual aware of it is the criminal who discovered it. Even advanced EDR solutions may err by overlooking actions from trusted programs without recognizing their potential malicious intent. Hence, opting for an endpoint protection application capable of preventing zero-day attacks is a prudent choice.

IDENTIFYING AND ADDRESSING ZERO-DAY EXPLOITS AND ATTACKS

Identifying and addressing zero-day exploits and attacks involves several key steps:

1. Continuous Monitoring: Implement robust monitoring systems to detect unusual patterns or behaviors within your network and systems. Real-time monitoring can help identify potential zero-day exploits early on.
2. Anomaly Detection: Utilize anomaly detection tools and machine learning algorithms to identify deviations from normal system behavior. Unusual network traffic, unexpected file modifications, or abnormal user activities can be indicators of zero-day exploits.
3. Threat Intelligence Feeds: Subscribe to threat intelligence feeds to stay informed about emerging threats and vulnerabilities. These feeds provide up-to-date information on potential zero-day exploits, enabling proactive measures.
4. Behavioral Analysis: Employ behavioral analysis tools that can identify malicious activities based on behavior rather than known signatures. This approach is effective against previously unseen threats.
5. Patch Management: Regularly update and patch software and systems to address known vulnerabilities. While this doesn’t directly identify zero-day exploits, it reduces the attack surface and makes it harder for attackers to find and exploit vulnerabilities.
6. User Training and Awareness: Educate users about phishing attacks and social engineering tactics, as these are common entry points for zero-day exploits. Users should be cautious about clicking on suspicious links or downloading attachments from unknown sources.
7. Network Segmentation: Implement network segmentation to limit the impact of potential exploits. Isolating critical systems and data can prevent lateral movement within the network.
8. Incident Response Plan: Develop and regularly update an incident response plan that includes procedures for addressing zero-day exploits. This ensures a coordinated and efficient response when an attack is detected.
9. Endpoint Protection: Utilize advanced endpoint protection solutions that employ heuristics, behavioral analysis, and other advanced techniques to identify and block zero-day exploits.
10. Collaboration: Engage with cybersecurity communities, share threat intelligence, and collaborate with industry peers to stay informed about evolving threats and effective mitigation strategies.

Organizations have faced persistent challenges in patch management, partly due to the sheer volume of patches requiring attention. In 2021 alone, more than 20,000 vulnerabilities were addressed, adding to the complexity of staying abreast of all the necessary updates.

Ignoring timely updates, many users believe they can postpone software updates for days or weeks without consequences. This practice poses significant risks, often underestimated by users. Additionally, patch management receives minimal emphasis in security awareness training, despite the Department of Homeland Security advising the application of critical patches within 15 days of release.

Identifying critical patches can pose a dilemma for security teams. They adhere to internal testing procedures to verify the reliability of patches before deployment, considering potential bugs or ineffectiveness that could cause harm. Additionally, IT teams have established processes to monitor and track patch deployments, ensuring comprehensive coverage to prevent any device or system from being left unpatched.

HOW TO PROTECT AGAINST ZERO-DAYS?

Protecting against zero-days involves implementing a multi-faceted approach:

1. Up-to-Date Security Measures:
   • Ensure all security software, including antivirus and intrusion detection systems, is updated regularly.
2. Network Segmentation:
   • Implement network segmentation to limit the impact of potential zero-day exploits, isolating critical systems.
3. User Training:
   • Educate users on recognizing phishing attempts and suspicious activities to minimize the risk of falling victim to zero-day attacks.
4. Behavioral Analysis:
   • Use behavioral analysis tools to identify anomalous activities and behaviors that may indicate a zero-day attack.
5. Threat Intelligence Feeds:
   • Subscribe to threat intelligence feeds to stay informed about emerging threats and vulnerabilities, including potential zero-days.
6. Patch Management:
   • Regularly update and patch software to reduce the attack surface and address known vulnerabilities, minimizing the risk of exploitation.
7. Zero-Day Threat Detection Tools:
   • Utilize advanced threat detection tools designed to identify patterns associated with zero-day attacks.
8. Endpoint Protection:
   • Employ robust endpoint protection solutions with heuristic and behavioral analysis capabilities to detect and prevent zero-day exploits.
9. Incident Response Plan:
   • Develop a comprehensive incident response plan that includes procedures specific to handling zero-day attacks, ensuring a swift and effective response.
10. Collaboration:
    • Engage with cybersecurity communities, share threat intelligence, and collaborate with industry peers to enhance awareness and preparedness against zero-day threats.
11. Continuous Monitoring:
    • Implement continuous monitoring of network traffic, user activities, and system behaviors to detect unusual patterns indicative of potential zero-day exploits.
12. Security Updates and Best Practices:
    • Stay informed about security updates, industry best practices, and recommended security configurations to strengthen overall defense against zero-day vulnerabilities.

The post Can Patches Prevent Zero-Day Attacks? appeared first on First Hackers News.

GITLAB ZERO-CLICK VULNERABILITY ALLOWS ACCOUNT HIJACKING

According to the company’s official description of CVE-2023-7028, a critical bug is present in a few versions. Exploiting this, a potential adversary can send a password reset email to any email address, enabling hackers to easily hijack accounts with varying access privileges. The simplicity of exploitation and the severity of potential consequences contribute to this vulnerability receiving a CVSS score of 10/10.

Accessing the repository grants attackers the ability to manipulate the stored code at will.

This includes activities such as selling corporate secrets, searching for potential software vulnerabilities, injecting malicious code to compromise employees’ systems, or even launching a supply chain attack. Patching this vulnerability is not just urgent; it requires immediate action.

According to GitLab, activating 2FA on the account could have prevented hijacking, as two-factor authentication is not vulnerable to the bug and remains securely verified. However, there are individuals who neglect the security of Git repository access, expanding the potential impact of CVE-2023-7028.

GITLAB 0-CLICK VULNERABILITY FIXES AVAILABLE

The company not only issued a security notification but also incorporated it into the patch notes for an update addressing the situation. According to the provided information, only version 16 is susceptible, particularly a series of its minor updates.

• 16.1 to 16.1.5
• 16.2 to 16.2.8
• 16.3 to 16.3.6
• 16.4 to 16.4.4
• 16.5 to 16.5.5
• 16.6 to 16.6.3
• 16.7 to 16.7.1

The latest available versions are 16.5.6, 16.6.4, and 16.7.2, leaving users of versions 16.4 and below with no current options. However, GitLab has provided backports of the vulnerability fix to versions 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, and 16.6.4. This implies that updating to the most recent version may not be necessary, and since no mitigation options are available, updates remain the only viable choice.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post GitLab Zero-Click Account Hijack Vulnerability Revealed appeared first on First Hackers News.

FBot hacking tool hijacking cloud and payment services

The tool, named FBot, possesses the capability for credential harvesting in spamming attacks, AWS account hijacking, and facilitates assaults against PayPal and various SaaS accounts.

As per documentation from the company’s SentinelLabs research unit, FBot is distinguished by a smaller footprint compared to similar tools, suggesting potential private development and a more targeted distribution approach.

SentinelLabs researcher Alex Delamotte analyzed the internals of the attack tool and identified functionalities geared towards targeting web servers, cloud services, and Software-as-a-Service (SaaS) technologies, including Aws, Office365, PayPal, Sendgrid, and Twilio.

While its primary purpose is to enable actors to hijack cloud, SaaS, and web services, Delamotte uncovered a secondary focus on acquiring accounts for the purpose of conducting spamming attacks.

“The tool incorporates various utilities, including an IP address generator and port scanner. Additionally, it features an email validator function that utilizes an Indonesian technology service provider for validating email addresses,” mentioned the SentinelLabs researcher.

The anti-malware company identified various features aimed at targeting payment services, such as a PayPal Validator feature, a SendGrid API key generator, and functionalities for harvesting key secrets.

Delamotte suggests that organizations implement multi-factor authentication (MFA) for AWS services with programmatic access and establish systems to notify security operations teams when a new AWS user account is added to the organization.

The researcher recommends configuring alerts for the addition of new identities or significant configuration changes to SaaS bulk mailing applications.

Indicators of Compromise

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Researchers identify FBot hacking tool hijacking cloud and payment services. appeared first on First Hackers News.

WHAT IS SMTP SMUGGLING?

SMTP (Simple Mail Transfer Protocol) Smuggling is a technique used by attackers to manipulate the behavior of mail servers during the email transmission process. It involves exploiting inconsistencies or variations in the way different servers interpret and implement the SMTP protocol.

In a typical SMTP transaction, there are two phases: the client’s request to the server (DATA phase) and the server’s response. SMTP Smuggling takes advantage of discrepancies in how proxy servers and mail servers interpret the length of the message content during these phases.

By carefully crafting the headers and body of an email, attackers can deceive the servers into misinterpreting the message length, leading to discrepancies between the front-end proxy server and the back-end mail server. This can result in various security issues, such as bypassing security filters, evading detection, and enabling malicious activities like spoofing or injecting arbitrary content into emails.

SMTP Smuggling attacks are a type of protocol-level manipulation, exploiting the intricacies of communication between different components in the email delivery process. Defending against SMTP Smuggling often involves implementing secure and consistent configurations across all involved mail servers and proxies to prevent the exploitation of these protocol variations.

SMTP smuggling centers around inconsistencies in how distinct servers process the end-of-data sequence (<CR><LF>.<CR><LF>). Through exploiting these variations, attackers can escape the standard message data, introducing unauthorized commands.

This method relies on the inbound server’s ability to accept multiple SMTP commands in a batch, a functionality widely supported by most servers today.

Thorough investigation into this vulnerability has uncovered that SMTP servers belonging to major email providers such as Microsoft, GMX, and Cisco are susceptible to this exploit. Although Microsoft and GMX have taken steps to address these issues, Cisco has categorized the findings as a feature rather than a vulnerability and has opted not to modify the default configuration.

WHAT IS THE DANGER OF SMTP VULNERABILITY?

SMTP smuggling poses alarming implications as attackers can send deceptive emails from seemingly credible sources, evading authentication checks like DKIM, DMARC, and SPF.

In essence, employing this technique could allow fraudsters to infiltrate corporate emails previously immune to spam. While companies implementing this security method are likely cognizant of the risks and employ additional protective measures, the exposure itself increases the overall vulnerability to potential cyberattacks.

MITIGATING THE EFFECTS OF VULNERABILITY

To mitigate the effects of SMTP vulnerability:

1. Implement Security Updates: Regularly update and patch SMTP servers to address known vulnerabilities and ensure they are equipped with the latest security measures.
2. Enable Encryption: Utilize encryption mechanisms, such as STARTTLS, to secure the communication channels between SMTP servers and prevent eavesdropping or unauthorized access.
3. Protocol Compliance: Ensure that SMTP servers adhere to standardized protocols and follow best practices to minimize the risk of exploitation through protocol-level vulnerabilities.
4. Network Monitoring: Implement robust network monitoring tools to detect unusual SMTP traffic patterns, which may indicate potential exploitation or malicious activities.
5. Authentication Mechanisms: Strengthen authentication mechanisms, including enforcing strong passwords and implementing multi-factor authentication, to prevent unauthorized access to SMTP servers.
6. Implement Access Controls: Configure access controls to restrict access to SMTP servers only to authorized personnel, reducing the risk of unauthorized manipulation or exploitation.
7. Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in the SMTP infrastructure.
8. User Awareness Training: Educate users about phishing attacks and social engineering tactics that may exploit SMTP vulnerabilities, emphasizing vigilance in email interactions.
9. Intrusion Detection and Prevention: Deploy intrusion detection and prevention systems to monitor and block suspicious activities or unauthorized access attempts targeting SMTP servers.
10. Collaborate with Vendors: Stay informed about vendor advisories, security updates, and patches related to SMTP vulnerabilities, and promptly apply recommended mitigations.
11. Incident Response Plan: Develop and maintain an incident response plan specific to SMTP vulnerabilities, outlining procedures for detecting, responding to, and recovering from potential security incidents.
12. Backup and Recovery: Regularly back up critical email data and ensure the availability of efficient recovery mechanisms to minimize data loss in the event of a security breach.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post SMTP Smuggling Emerges as a Fresh Email Security Concern appeared first on First Hackers News.

This vulnerability, impacting EPM versions 2021 and 2022 before SU5, has the potential to facilitate Remote Code Execution (RCE) on servers affected by it.

The vulnerability encompasses an SQL injection that operates without requiring authentication, granting attackers the capability to execute arbitrary SQL queries and potentially gain control over machines running the EPM agent. The severity of the issue is heightened, particularly when the core server utilizes SQL Express.

Details of the CVE-2023-39336 Vulnerability Affecting Ivanti EPM

Ivanti has issued an advisory available and restricted access for its customers here for comprehensive details and further information. While specific vulnerability details are currently withheld, likely to allow customers time for mitigation, they are slated to be disclosed in the upcoming days, and this blog will be promptly updated with the latest information.

In its security update for Avalanche, Ivanti addressed 22 vulnerabilities last month in its Mobile Device Management (MDM) product, with 13 of them categorized as critically severe.

These vulnerabilities were found in older versions of Avalanche (going back to 6.3.1 and potentially impacting all 6.X versions) and encompassed stack-based, unauthenticated, and heap-based buffer overflows. These vulnerabilities have the potential to allow Remote Code Execution without requiring user interaction. Over the course of the year, we have posted blog entries covering other noteworthy vulnerabilities affecting Ivanti products.

The post Ivanti Released a Patch in Endpoint Manager Solution (EPM) for a Critical Vulnerability appeared first on First Hackers News.