Cybersecurity News

CISA’s Support for MITRE CVE, CWE programs Extended. 

Contract extension by CISA for MITRE CVE, CWE program prevents shutdown providing sign of relief for Cybersecurity community.

The CVE Program is the primary way software vulnerabilities are tracked maintained by MITRE. Recently the contract between MITRE, a non-profit research and development group including  the U.S. Department of Homeland Security (DHS) to operate the CVE program, was about to expire on April 16, 2025, with no renewal in place.

This created panic in cyber security world as the CVE Program was about  to expire. The United States Cyber security and Infrastructure Security Agency (CISA), stepped in during the last minute and renewed its funding for the software-vulnerability-tracking project known as the Common Vulnerabilities and Exposures Program(CVE).

CISA ensured that the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs did not lapse.

Renewal of Contract with MITRE & Last Minute Rescue by CISA

‘The contract with MITRE is being extended for 11 months said a CISA’ spokesman..The importance of CVE Program is a focal point for cybersecurity program that is provides critical data and services for digital defense and research.

During the last minute when the contract was about to expire on tuesday night, the United States Cybersecurity and Infrastructure Security Agency (CISA) renewed its funding for the longtime software-vulnerability-tracking project known as the Common Vulnerabilities and Exposures Program.

MITRE’s vice president and director of the Center for Securing the Homeland, Yosry Barsoum, said in a statement on Wednesday that “CISA identified incremental funding to keep the Programs operational.” With the clock ticking down before this decision came out, some members of the CVE Program’s board announced a plan to transition the project into new non profit entity called the CVE Foundation.

The CVE program is of prime importance for the entire cyber security community and CISA, the very reason for extending support so that there is no lapse in critical CVE services.

The extension will bring in a sense of security for cyber sec professionals, vendors, and government agencies worldwide can continue to rely on the CVE program for coordinated vulnerability tracking and response.

Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. 

Over the years there has been doubt among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor. The foundation has also written about its concern.

The cyber security community that includes researchers and cyber professionals were relieved on Wednesday, as the news flashed about the CVE Program hadn’t suddenly ceased to exist as the result of unprecedented instability in US federal funding.

Not only the US but every organization and every security tool is dependent on the CVE program and despite CISA’s last-minute funding, the future of the CVE Program is still unclear.

What makes the CVE program vital for cyber-security community?

Considering the importance of the CVE program, it should be fully funded to conduct job meant for its mission and well resourced.

On its 25th anniversary, the CVE Program continues playing vital role in global cybersecurity by identifying, defining, and cataloging publicly disclosed vulnerabilities. There is one CVE Record for each vulnerability in the catalog.

The vulnerabilities are discovered, then assigned and published by organizations globally that have partnered with the CVE Program

Lets wait for the 11 months contract funding that has been extended by CISA. Still the question remains about sustainability and neutrality of having a prominent globally recognized resource like CVE tied to a single government sponsor.

Sources: CISA Provides Last-Minute Support to Keep CVE Program Running

https://www.wired.com/story/cve-program-cisa-funding-chaos

Codefinger Ransomware attack encrypts Amazon S3 buckets

  • Ransomware crew dubbed Codefinger targets AWS S3 buckets
  • Sets data-destruct timer for 7 days
  • Threat actors demand for Ransom payment made for the symmetric AES-256 keys required to decrypt it

Amazon S3 buckets encrypted using AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) and somehow the threat actors knew details of the keys. And this made them demand ransoms to demand the decryption key.

The campaign was discovered by Halcyon , and according to them the threat actors after exploiting the compromised keys, they called the “x-amz-server-side-encryption-customer-algorithm” header and use a locally stored AES-256 encryption key they generate to lock up the victims’ files. There is great chance that more cyber criminal groups can adopt the tactic and use.

The threat actor looks for keys with permissions to write and read S3 objects (s3:GetObject and s3:PutObject requests), and then launches the encryption process by calling the SSE-C algorithm, utilizing a locally generated and stored AES-256 encryption key.

“It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials,” Halcyon notes.

According to Halcyon, because the attack relies on AWS’s infrastructure for encryption, it is impossible to recover the encrypted data without the symmetric AES-256 keys required to decrypt it. Halcyon reported its findings to Amazon, and the cloud services provider told them that they do their best to promptly notify customers who have had their keys exposed so they can take immediate action.

In recent month hackers and cyber criminal have gained traction In recent months and have begun targeting their product gateways and find ways to extort customers using it. 

Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys says Halcyon team.

Ransomware capabilities gain new tactics where the threat actor first obtains an AWS customer’s account credentials and there is no know method that data can be recovered without paying the ransom.

As per AWS they encourage customers to utilize their security tools, such as IAM roles, Identity Center and Secrets Manager, to minimize credential exposure and improve defense postures.

Sources:

https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/

www.Bleeping computers.com

Adobe released Security updates Addressing critical ColdFusion vulnerability with (PoC) Exploit code

Adobe released security updates (APSB24-107) addressing an arbitrary file system vulnerability ColdFusion, identified as CVE-2024-53961,  is linked to a path traversal weakness with proof-of-concept (PoC) exploit code.

This could allow attackers to exploit the flaw and gain unauthorized access to arbitrary files on vulnerable servers. 

As per the updates Adobe ColdFusion versions 2023 and 2021 that addressed an arbitrary file proof-of-concept may enable attackers to read arbitrary files on vulnerable servers, potentially leading to unauthorized access and data exposure warns of critical ColdFusion bug with PoC exploit code.

Summary:

“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe earlier gave statement cautioning customers that it assigned a “Priority 1” severity rating to the flaw because it has a “a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”

Key findings:

  • The vulnerability, CVE-2024-53961, affects ColdFusion 2021 and 2023.
  • Adobe has provided a patch to address the issue.
  • The vulnerability can potentially lead to unauthorized access and data exposure
  • The flaw has been given a Priority 1 severity rating, the highest possible level, due to its potential for exploitation in the wild.
  • Adobe has highlighted the critical nature of these updates and classified the vulnerability with a CVSS base score of 7.4, signifying a threat to the security of affected systems. 

Adobe has issued advisory

  • Monitor systems for any signs of exploitation.
  • Adobe has provided a patch to address the vulnerability remediation to mitigate the risk of exploitation.
  • Consider implementing file system monitoring and logging to detect and prevent unauthorized file access.

Path traversal weakness in ColdFusion; CVE-2024-53961

What is Path Traversal?

Hackers uses a tactics by Tricking a web application into displaying the contents of a directory that was not on request by user to gain access to sensitive files on a server.

The path traversal weakness in ColdFusion could be exploited by an attacker to perform unauthorized file system reads on affected servers.

This means that an attacker could manipulate file paths to access sensitive files that are otherwise restricted. This kind of vulnerability can lead to exposure of critical system information, unauthorized access and data exposure.

Reference: https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-bug-with-poc-exploit-code/

Sophisticated Phishing Attack Exposed Over 600,000 Users to Data Theft; 16 Chrome Extensions Hacked

A sophisticated phishing attack exposed 600, 000 user data to theft as 16 Chrome Extensions got hacked amounting to credential theft. The attack targeted extension publishers through phishing emails where Developers were tricked into granting access to a malicious OAuth app via fake Chrome Web Store emails. The malicious update mimicked official communications from the Chrome Web Store, stealing sensitive user data.

This breach puts Facebook ad users at high risk of account hacking or unknown access

Summary of the attack

The phishing email was designed to create a sense of urgency posing as Google Chrome Web Store Developer Support, warns the employee of the extension removal for policy violations. The message urges the recipient to accept the publishing policy.

As per Cyberhaven, a cybersecurity firm report mentioned about the impacted firms as the attack occurred on December 24 and involved phishing a company employee to gain access to their Chrome Web Store admin credentials.

16 Chrome Extensions, including popular ones like “AI Assistant – ChatGPT and Gemini for Chrome,” “GPT 4 Summary with OpenAI,” and “Reader Mode,” were compromised, exposing sensitive user data.

Response & Recommendations:

The attackers targeted browser extension publishers with phishing campaigns to gain access to their accounts and insert malicious code.
Extensions such as “Rewards Search Automator” and “Earny – Up to 20% Cash Back” were used to exfiltrate user credentials and identity tokens, particularly from Facebook business accounts.
Malicious versions of extensions communicated with external Command-and-Control (C&C) servers, such as domains like “cyberhavenext[.]pro.”

  • Cyberhaven released a legitimate update (version 24.10.5), hired Mandiant to develop an incident response plan and also notified federal law enforcement agencies for investigation.
  • All users advised to revoke credentials, monitor logs, and secure extensions; investigations continue.
  • As per Cyberhaven, version 24.10.4 of Chrome extension was affected, and the malicious code was active for less than a day.
  • The malicious extension used two files: worker.js contacted a hardcoded C&C server to download configuration and executed HTTP calls, and content.js that collected user data from targeted websites and exfiltrated it to a malicious domain specified in the C&C payload.

Blue Yonder SaaS giant breached by Termite Ransomware Gang

The company acknowledged it is investigating claims by a public threat group linked to the November ransomware attack. 

Continue Reading

Godot Hijacked with Malware to infect Thousands of PC’s

Godot is a platform that host open source game development, where new Malware loader installed in its programming language

At least 17,000 devices were infected with infostealers and cryptojackers so far.

As per researchers cyber criminals have been building malicious code written in GDScript (Godot’s Python-like scripting language) calling on some 200 GitHub repositories and more than 220 Stargazer Ghost accounts.

Earlier hackers targeted the open sources gaming platform targeting users of the Godot Gaming Engine and researcher’s spotted that GodLoader would drop different malware to the infected devices mostly in RedLine stealer, and XMRig, a popular cryptojacker.

GodLoader, the researchers further explained, was downloaded at least 17,000 times, which is a rough estimate on the number of infected devices. However, the attack surface is much, much larger.

Check Point argues that in theory, crooks could hide malware in cheats, cracks, or modes, for different Godot-built games. Check Point detected four separate attack waves against developers and gamers between September 12 and October 3, enticing them to download infected tools and games.

Looking at the number of popular games developed with Godot, that would put the attack surface at approximately 1.2 million people.

Hackers delivered the GodLoader malware through the Stargazers Ghost Network, a malware Distribution-as-a-Service (DaaS) that masks its activities using seemingly legitimate GitHub repositories.

Technical Details

Godot does not register a file handler for “.pck” files. This means that a malicious actor always has to ship the Godot runtime together with a .pck file. The user will always have to unpack the runtime together with the .pck to the same location and then execute the runtime.

There is no way for a malicious actor to create a “one click exploit”, barring other OS-level vulnerabilities. If such an OS-level vulnerability were used then Godot would not be a particularly attractive option due to the size of the runtime.

Scroll to top