More US agencies potentially hacked, this time with Pulse Secure exploits

At least five US federal agencies may have experienced cyberattacks that targeted recently discovered security flaws that give hackers free rein over vulnerable networks, the US Cybersecurity and Infrastructure Security Agency said on Friday.

The vulnerabilities in Pulse Connect Secure, a VPN that employees use to remotely connect to large networks, include one that hackers had been actively exploiting before it was known to Ivanti, the maker of the product. The flaw, which Ivanti disclosed last week, carries a severity rating of 10 out of a possible 10. The authentication bypass vulnerability allows untrusted users to remotely execute malicious code on Pulse Secure hardware, and from there, to gain control of other parts of the network where it’s installed.

Federal agencies, critical infrastructure, and more

Security firm FireEye said in a report published on the same day as the Ivanti disclosure that hackers linked to China spent months exploiting the critical vulnerability to spy on US defense contractors and financial institutions around the world. Ivanti confirmed in a separate post that the zero-day vulnerability, tracked as CVE-2021-22893, was under active exploit.

In March, following the disclosure of several other vulnerabilities that have now been patched, Ivanti released the Pulse Connect Secure Integrity Tool, which streamlines the process of checking whether vulnerable Pulse Secure devices have been compromised. Following last week’s disclosure that CVE-2021-22893 was under active exploit, CISA mandated that all federal agencies run the tool.

“CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access,” Matt Hartman, deputy executive assistant director at CISA, wrote in an emailed statement. “We are working with each agency to validate whether an intrusion has occurred and will offer incident response support accordingly.”

CISA said it’s aware of compromises of federal agencies, critical infrastructure entities, and private sector organizations dating back to June 2020.

They just keep coming

The targeting of the five agencies is the latest in a string of large-scale cyberattacks to hit sensitive government and business organizations in recent months. In December, researchers uncovered an operation that infected the software build and distribution system of network management tools maker SolarWinds. The hackers used their control to push backdoored updates to about 18,000 customers. Nine government agencies and fewer than 100 private organizations—including Microsoft, antivirus maker Malwarebytes, and Mimecast—received follow-on attacks.
In March, hackers exploiting a newly discovered vulnerability in Microsoft Exchange compromised an estimated 30,000 Exchange servers in the US and as many as 100,000 worldwide.
Microsoft said that Hafnium, its name for a group operating in China, was behind the attacks. In the days that followed, hackers not affiliated with Hafnium began infecting the already-compromised servers to install a new strain of ransomware.
Two other serious breaches have also occurred, one against the maker of the Codecov software developer tool and the other against the seller of Passwordstate, a password manager used by large organizations to store credentials for firewalls, VPNs, and other network-connected devices. Both breaches are serious, because the hackers can use them to compromise the large number of customers of the companies’ products.

Ivanti said it’s helping to investigate and respond to exploits, which the company said have been “discovered on a very limited number of customer systems.”

“The Pulse team took swift action to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system, and we plan to issue a software update within the next few days,” a spokesperson added.

Actively exploited Mac 0-day neutered core OS security defenses

When Apple released macOS 11.3 on Monday, it didn’t just introduce support for new features and optimizations. More importantly, the company fixed a zero-day vulnerability that hackers were actively exploiting to install malware without triggering core Mac security mechanisms, some of which had been in place for more than a decade.

Together, the defenses provide a comprehensive set of protections designed to prevent users from inadvertently installing malware on their Macs. While one-click and even zero-click exploits rightfully get lots of attention, it’s far more common to see trojanized apps that disguise malware as a game, update, or other desirable piece of software.

Protecting users from themselves

Apple engineers know that trojans represent a bigger threat to most Mac users than more sophisticated exploits that surreptitiously install malware with minimal or no interaction from users. So a core part of Mac security rests on three related mechanisms:

  • File Quarantine requires explicit user confirmation before a file downloaded from the Internet can execute.
  • Gatekeeper blocks the installation of apps unless they’re signed by a developer known to Apple.
  • Mandatory App Notarization permits apps to be installed only after Apple has scanned them for malware.

Earlier this year, a piece of malware well known to Mac security experts began exploiting a vulnerability that allowed it to completely suppress all three mechanisms. Called Shlayer, it has an impressive record in the three years since it appeared.

Last September, for instance, it managed to pass the security scan that Apple requires for apps to be notarized. Two years ago, it was delivered in a sophisticated campaign that used novel steganography to evade malware detection. And last year, Kaspersky said Shlayer was the most detected Mac malware by the company’s products, with almost 32,000 different variants identified.

Clever evasion

Shlayer’s exploitation of the zero-day, which started no later than January, represented yet another impressive feat. Rather than using the standard Mach-O format for a Mac executable, the executable component in this attack was a shell script, a plain-text file that runs a series of commands in order.

Normally, scripts downloaded from the Internet are classified as application bundles and are subject to the same requirements as other types of executables. A simple hack, however, allowed scripts to completely shirk those requirements.

By removing the info.plist—a structured text file that maps the location of files it depends on—the script no longer registered as an executable bundle to macOS. Instead, the file was treated as a PDF or other type of non-executable file that wasn’t subject to Gatekeeper and the other mechanisms.
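A defender-side triage check for the bundle shape described above, added here as an illustration (it is not Wardle’s detection script or any Apple logic): it walks a directory for .app bundles and flags those that lack Contents/Info.plist while shipping a non-Mach-O (script) executable in Contents/MacOS. The bundle names and files in the fixture are constructed sample data.

```python
"""Flag .app bundles that have no Contents/Info.plist but carry a script, rather
than a Mach-O binary, as their executable (the shape described for CVE-2021-30657)."""
from __future__ import annotations
import tempfile
from pathlib import Path

# Magic numbers for 32-bit, 64-bit and universal (fat) Mach-O binaries.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def inspect_bundle(app: Path) -> dict:
    """Describe one bundle: is Info.plist absent, and is any executable not Mach-O?"""
    contents = app / "Contents"
    non_macho = []
    macos_dir = contents / "MacOS"
    if macos_dir.is_dir():
        for exe in sorted(macos_dir.iterdir()):
            if exe.is_file():
                head = exe.read_bytes()[:4]
                if head not in MACHO_MAGICS:      # "#!" shell scripts land here
                    non_macho.append(exe.name)
    missing_plist = not (contents / "Info.plist").is_file()
    return {"bundle": app.name, "missing_info_plist": missing_plist,
            "non_macho_executables": non_macho,
            "suspicious": missing_plist and bool(non_macho)}

def scan(root: Path) -> list[dict]:
    """Return only the bundles under root that match the plist-less script pattern."""
    bundles = (inspect_bundle(a) for a in sorted(root.rglob("*.app")) if a.is_dir())
    return [r for r in bundles if r["suspicious"]]

def build_fixture(root: Path) -> None:
    """Constructed sample data: one well-formed bundle, one plist-less script bundle."""
    good = root / "Constructed Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    (good / "Info.plist").write_text("<plist/>")
    (good / "MacOS" / "Good").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)  # 64-bit magic
    bad = root / "Constructed Resume.app" / "Contents"
    (bad / "MacOS").mkdir(parents=True)   # deliberately no Info.plist written here
    (bad / "MacOS" / "Resume").write_text("#!/bin/sh\necho constructed sample\n")

def demo() -> list[dict]:
    """Build the constructed fixture in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return scan(root)

if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['bundle']}: no Info.plist, script executables {hit['non_macho_executables']}")
```

This is a heuristic for spotting the file layout only; on a patched system (macOS 11.3 or later) such a bundle is no longer treated as a non-executable document, so a hit is a lead for review, not proof of infection.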

One of the attacks began with the display of an ad for a fake Adobe Flash update:


The videos below show what a big difference the exploit made once someone took the bait and clicked download. The video immediately below depicts what the viewer saw with the restrictions removed. The one below that shows how much more suspicious the update would have looked had the restrictions been in place.

Shlayer attack with exploit of CVE-2021-30657.
Shlayer attack without exploit of CVE-2021-30657.

The bug, which is tracked as CVE-2021-30657, was discovered and reported to Apple by security researcher Cedric Owens. He said he stumbled upon it as he was using a developer tool called Appify while performing research for a “red team” exercise, in which hackers simulate a real attack in an attempt to find previously overlooked security weaknesses.

“I found that Appify was able to turn a shell script into a double clickable ‘app’ (really just a shell script inside of the macOS app directory structure but macOS treated it as an app),” he wrote in a direct message. “And when executed it bypasses Gatekeeper. I actually reported it pretty quickly after discovering it and did not use it in a live red team exercise.”

Apple fixed the vulnerability with Monday’s release of macOS 11.3. Owens said that the flaw appears to have existed since the introduction of macOS 10.15 in June 2019, which is when notarization was introduced.

Owens discussed the bug with Patrick Wardle, a Mac security expert who previously worked at Jamf, a Mac enterprise security provider. Wardle then reached out to Jamf researchers, who uncovered the Shlayer variant that was exploiting the vulnerability before it was known to Apple or most of the security world.

“One of our detections alerted us to this new variant, and upon closer inspection we discovered its use of this bypass to allow it to be installed without an end user prompt,” Jamf researcher Jaron Bradley told me. “Further analysis leads us to believe that the developers of the malware discovered the zero-day and adjusted their malware to use it, in early 2021.”

Wardle developed a proof-of-concept exploit that showed how the Shlayer variant worked. After being downloaded from the Internet, the executable script appears as a PDF file named Patrick’s Resume. Once someone double-clicks on the file, it launches a file called The exploit could just as easily execute a malicious file.


In a 12,000-word deep-dive that delves into the causes and effects of the exploits, Wardle concluded:

Though this bug is now patched, it clearly (yet again) illustrates that macOS is not impervious to incredibly shallow, yet hugely impactful flaws. How shallow? Well, the fact that a legitimate developer tool (appify) would inadvertently trigger the bug is beyond laughable (and sad).

And how impactful? Basically macOS security (in the context of evaluating user launched applications, which recall, accounts for the vast majority of macOS infections) was made wholly moot.

Bradley published a post that recounted how the exploit looked and worked.

Many people consider malware like Shlayer unsophisticated because it relies on tricking its victims. To give Shlayer its due, the malware is highly effective, in large part because of its ability to suppress macOS defenses designed to tip off users before they accidentally infect themselves. Those who want to know if they’ve been targeted by this exploit can download this Python script written by Wardle.

Windows and Linux devices are under attack by a new cryptomining worm

A newly discovered cryptomining worm is stepping up its targeting of Windows and Linux devices with a batch of new exploits and capabilities, a researcher said.

Research company Juniper started monitoring what it’s calling the Sysrv botnet in December. One of the botnet’s malware components was a worm that spread from one vulnerable device to another without requiring any user action. It did this by scanning the Internet for vulnerable devices and, when found, infecting them using a list of exploits that has increased over time.

The malware also included a cryptominer that uses infected devices to mine the Monero digital currency. There was a separate binary file for each component.

Constantly growing arsenal

By March, Sysrv developers had redesigned the malware to combine the worm and miner into a single binary. They also gave the script that loads the malware the ability to add SSH keys, most likely so that it persists across reboots and gains more sophisticated capabilities. The worm was exploiting six vulnerabilities in software and frameworks used in enterprises, including Mongo Express, XXL-Job, XML-RPC, Saltstack, ThinkPHP, and Drupal Ajax.

“Based on the binaries we have seen and the time when we have seen them, we found that the threat actor is constantly updating its exploit arsenal,” Juniper researcher Paul Kimayong said in a Thursday blog post.


Thursday’s post listed more than a dozen exploits that the malware now uses, each given with the software it targets:

  • CVE-2021-3129 (Laravel)
  • CVE-2020-14882 (Oracle WebLogic)
  • CVE-2019-3396 (Widget Connector macro in Atlassian Confluence Server)
  • CVE-2019-10758 (Mongo Express)
  • CVE-2019-0193 (Apache Solr)
  • CVE-2017-9841 (PHPUnit)
  • CVE-2017-12149 (JBoss Application Server)
  • CVE-2017-11610 (Supervisor XML-RPC)
  • Apache Hadoop unauthenticated command execution via YARN ResourceManager, no CVE (Apache Hadoop)
  • Brute force of Jenkins credentials (Jenkins)
  • Jupyter Notebook command execution, no CVE (Jupyter Notebook Server)
  • CVE-2019-7238 (Sonatype Nexus Repository Manager)
  • Tomcat Manager unauthenticated upload leading to command execution, no CVE (Tomcat Manager)
  • Brute force of WordPress credentials (WordPress)

The exploits Juniper Research previously saw the malware using are:

  • Mongo Express RCE (CVE-2019-10758)
  • XXL-JOB Unauth RCE
  • XML-RPC (CVE-2017-11610)
  • CVE-2020-16846 (Saltstack RCE)
  • ThinkPHP RCE
  • CVE-2018-7600 (Drupal Ajax RCE)

Come on in, water’s great

The developers have also changed the mining pools infected devices join. The miner is a version of the open source XMRig that currently mines for the following mining pools:


A mining pool is a group of cryptocurrency miners who combine their computational resources to reduce the volatility of their returns and increase the chances of finding a block of transactions. According to a mining pool profitability comparison site, the pools used by Sysrv are three of the four top Monero mining pools.

“Combined together, they almost have 50% of the network hash rate,” Kimayong wrote. “The threat actor’s criteria appears to be top mining pools with high reward rates.”


The profit from mining is deposited into the following wallet address:


Nanopool shows that the wallet gained 8 XMR, worth roughly $1,700 USD, from March 1 to March 28. It’s adding about 1 XMR every two days.


A threat to Windows and Linux alike

The Sysrv binary is a 64-bit Go binary that’s packed with the open source UPX executable packer. There are versions for both Windows and Linux. Two Windows binaries chosen at random were detected by 33 and 48 of the top 70 malware protection services, according to VirusTotal. Two randomly picked Linux binaries had six and nine.

The threat from this botnet isn’t just the strain on computing resources and the non-trivial drain of electricity. Malware that has the ability to run a cryptominer almost certainly can also install ransomware and other malicious wares. Thursday’s blog post has dozens of indicators that administrators can use to see if the devices they manage are infected.