Overview

The Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability, CVE-2024-49138, to its Known Exploited Vulnerabilities (KEV) catalog based on evidence that this flaw is being actively exploited. The vulnerability, identified in the Microsoft Windows Common Log File System (CLFS), is a heap-based buffer overflow issue that has the potential to allow attackers to escalate privileges on vulnerable systems. As part of Microsoft’s Patch Tuesday release, this flaw was patched alongside other critical vulnerabilities.

CVE-2024-49138 is a heap-based buffer overflow vulnerability in the CLFS driver. This driver is used by both user-mode and kernel-mode software in Windows for general-purpose logging. This vulnerability affects several versions of Microsoft Windows operating systems, including Windows 10 and 11, as well as several Windows Server versions.

Heap-based buffer overflow vulnerabilities, like CVE-2024-49138, are common attack vectors for cybercriminals. These flaws can result in system crashes, denial of service, or even allow malicious actors to execute arbitrary code. In the case of CVE-2024-49138, it allows attackers to escalate their privileges to the SYSTEM level, enabling them to take full control of a compromised system.

This issue was actively exploited in the wild before it was addressed by Microsoft, which makes it particularly dangerous. The flaw has been assigned a CVSSv3.1 score of 7.8 (high severity).

CVE-2024-49138 Impact on Affected Systems

The vulnerability affects a broad range of Windows operating systems. Specifically, it impacts Windows 11 versions 22H2, 23H2, and 24H2 for both x64 and ARM64-based systems. In addition, Windows 10 versions from 1607 to 22H2 are vulnerable, including x64, ARM64, and 32-bit systems.

Furthermore, several Windows Server versions are also impacted, spanning from 2008 to 2025. This includes versions such as Windows Server 2012, 2016, 2019, and 2022, with both Core and full installations being affected. These widespread vulnerabilities increase the potential for exploitation across various systems in both personal and enterprise environments.

Active Exploitation and Patch Release

Given that CVE-2024-49138 was actively exploited before the patch was released, Microsoft’s Patch Tuesday update for December 2024 was critical in addressing the issue. Microsoft rated this vulnerability as important, reflecting the immediate threat posed to organizations and users who have not yet applied the patch.

An official security update was issued for all affected systems, and users are encouraged to install it as soon as possible to mitigate the risk of attack. CISA’s inclusion of CVE-2024-49138 in its Known Exploited Vulnerabilities Catalog highlights the growing focus on vulnerabilities that attackers are actively targeting.

By cataloging such issues, CISA aims to increase awareness and ensure that organizations prioritize the application of patches for vulnerabilities that are under active exploitation.

Recommendations and Mitigation Strategies

To protect systems from CVE-2024-49138, organizations, and individual users should follow these best practices:

1. The Microsoft Patch Tuesday update for December 2024 addresses CVE-2024-49138. Ensure that all affected systems are updated with the latest patches. Microsoft provides an official patch link for direct updates.
2. Implement a consistent patch management strategy to ensure all vulnerabilities are patched as soon as updates are available. Automating patching processes can reduce the risk of missed updates, especially for critical vulnerabilities like CVE-2024-49138.
3. Organizations should use Security Information and Event Management (SIEM) systems to detect unusual activities associated with privilege escalation. Monitoring network traffic and system logs can help identify attempts to exploit CVE-2024-49138 before damage occurs.
4. An effective incident response plan is essential. Organizations should regularly test their response procedures for various vulnerabilities, including those that target Microsoft Windows components like the CLFS driver.
5. Users running older, unsupported versions of Windows should prioritize upgrading to supported versions to reduce their exposure to vulnerabilities such as CVE-2024-49138.

Conclusion

CISA’s inclusion of this flaw in its Known Exploited Vulnerabilities Catalog emphasizes the urgency of applying the December 2024 Patch Tuesday update. Organizations should adopt automated patch management, use SIEM systems for early detection, and have an incident response plan in place. Users running outdated Windows versions should upgrade to reduce vulnerability.

The post CISA Adds CVE-2024-49138 to the Known Exploited Vulnerabilities Catalog, Urgency for Microsoft Users appeared first on Cyble.

Blog – Cyble – ​Read More

Editor’s note: The current article is authored by Mostafa ElSheimy, a malware reverse engineer and threat intelligence analyst. You can find Mostafa on X and LinkedIn. 

In this malware analysis report, we will delve into Nova, a newly discovered fork of the Snake Keylogger family. This variant has been observed employing even more sophisticated tactics, signaling the continued adaptation and persistence of the Snake malware family in the cybersecurity landscape. 

Overview of Snake Keylogger 

Snake Keylogger, a .NET-based malware first identified in November 2020, is infamous for its credential-stealing and keylogging capabilities.

Read in-depth analysis of Snake Keylogger

It primarily spreads through phishing and spearphishing campaigns, where malicious Office documents or PDFs are used to deliver downloader scripts via PowerShell. Once executed, Snake Keylogger captures keystrokes, steals saved credentials, takes screenshots, and extracts clipboard data. 

As of 2024, Snake Keylogger has continued to evolve, adopting advanced evasion techniques such as process hollowing and heavily obfuscated code to avoid detection.  

This variant uses a suspended child process to inject its payload, which makes it more difficult for security software to identify and neutralize. Furthermore, reports indicate that Snake Keylogger has grown more prevalent, with significant spikes in zero-day detections, suggesting its ongoing threat to both personal and corporate cybersecurity. 

Technical Analysis Using ANY.RUN Sandbox 

Let’s run a sandbox analysis session using ANY.RUN’s Interactive Sandbox to discover the technical details of this malware.  

View analysis session 

In the HTTP Requests tab, we can see that Nova sends HTTP Requests to hxxp[://]checkip[.]dyndns[.]org/ to get the IP of the victim device: 

In DNS requests tab, Nova makes DNS requests to reallyfreegeoip[.]org to get the country name of the victim device: 

Unpacking 

Nova keylogger uses a protector written in AutoIt. There are several ways to unpack it: 

1. Decompiling the executable to AutoIt script (.au3) 

2. Executing the sample and letting it unpack itself in the memory, then dumping the process. This can be done with the help of the following tools: 

• Sandbox 
• Unpacme
• Pe-sieve 

Learn to unpack malware

According to Unpacme, the unpacked sample is obfuscated using the Net Reactor Obfuscator: 

Exeinfo also confirms this: 

The presence of numerous empty functions strongly suggests obfuscation, which aligns with the tools’ analysis. 

To address this, we can use NETReactorSlayer for deobfuscation. 

NETReactorSlayer performed exceptionally well in this task, successfully deobfuscating the sample. 

Deep Analysis 

Nova is capable of extracting sensitive data from a wide range of sources, including:

• Browsers: Chrome, Brave, Opera, Firefox, Edge, etc.
• Emaial Clients: Outlook, Foxmail, Thunderbird.
• FTP Clients: Filezilla.

It can also retrieve and decode the Windows product key.

Let’s take a closer look at these functionalities to understand their implications and the depth of Nova’s capabilities. 

Extracting and Decrypting Outlook Passwords №

Nova performs the following steps to extract and decrypt Outlook passwords: 

1. Initialization 

• Creates a list to store recovered account details. 
• Prepares an array of strings representing the password types to search for in the Windows registry. 

2. Accessing registry keys 

Nova opens the following registry keys, which are known to store Outlook profile information: 

• Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 
• Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 
• Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 
• Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 

3. Iterating through registry keys and subkeys 

• Nova scans the registry keys and their subkeys, checking for entries containing email or password data. 
• If such entries are found, Nova attempts to decrypt the password using the decryptOutlookPassword method. 

4. Decrypting passwords 

The decryptOutlookPassword method performs the following actions: 

• Takes the encrypted Outlook password as a byte array. 
• Removes the first byte from the array. 
• Decrypts the remaining data and converts it to a readable string. 
• Strips any null characters from the resulting string before returning it. 

5. Retrieving account details 

It retrieves the email value and converts it to a byte array using GetBytes. 

Then, it retrieves the SMTP server value, if available and adds the recovered account details to the list. 

Extracting and Decrypting Browser Login Information 

Various functions exist for extracting browser login credentials. For this analysis, we will focus on Chrome_Speed, which targets Google Chrome’s saved login data. 

1. Locating the Login Data file 

Chrome_Speed constructs the path to the Login Data SQLite file, where Chrome stores saved login credentials. Then verifies the existence of the Login Data file before proceeding. 

2. Retrieving Login entries 

It loops through each login entry, retrieving the origin_url, username_value, and password_value. 

3. Decrypting passwords 

If passwords are stored in Version 10 format, it uses the master key for decryption. For older formats, an alternative decryption method, Decrypttttt, is employed. 

Key Methods Analyzed 

Let’s analyze GetMasterKey and Decrypttttt methods: 

1. GetMasterKey 

GetMasterKey retrieves and decrypts the master key used by Google Chrome to protect saved passwords. It reads the encrypted master key from the Local State file located in the Chrome user data directory, then decrypts it for further use. 

The process begins by constructing the path to the Local State file, which stores the encrypted master key. 

It first checks for the existence of the Local State file; if the file is absent, the method returns null. 

Upon confirming the file’s presence, the contents are read, and a regular expression is employed to extract the encrypted master key. 

The method iterates through the matches to convert the encrypted key from a Base64 string into a byte array. 

Notably, a new byte array is created that excludes the first five bytes of the original array, as these bytes do not form part of the actual key. 

Finally, the method attempts to decrypt the trimmed key using the ProtectedData.Unprotect method, which is designed to decrypt data that has been secured with the ProtectedData.Protect method. 

The Unprotect method is a function that decrypts data protected by the Windows Data Protection API (DPAPI). It first checks if the input data is valid and compatible with NT-based systems.  

The method then pins the memory of the encrypted data and any optional entropy to avoid issues during decryption.  

It calls CryptUnprotectData to decrypt the data and handles errors by throwing exceptions when needed.  

Finally, it clears sensitive data from memory before releasing resources. 

2. Decrypttttt 

Decrypttttt method is a function that decrypts a byte array using the Windows Data Protection API (DPAPI). 

It begins by initializing data structures to hold the encrypted data and the decrypted output. 

The method pins the input byte array in memory to prevent the garbage collector from moving it during decryption. 

After setting up the necessary structures, it calls CryptUnprotectData API to perform the decryption. 

Once the data is decrypted, the method copies the output into a new byte array, converts it to a string, and removes any trailing null characters. 

Finally, it returns the decrypted string, ensuring proper handling of sensitive data throughout the process. 

Let’s get back to Chrome_Speed function  

It combines the URL, username, and password into a formatted string: 

"rn============X============rnURL: " 

    "rnUsername: " 

    "rnPassword: " 

    "rnApplication: Google Chromern=========================rn "

The formatted string is appended to a collection of stored credentials for further use or exfiltration. 

Extracting Windows Product Key 

The process of extracting the Windows product key involves accessing the system registry and decoding the DigitalProductID. Here’s a detailed breakdown: 

• Accessing the registry 

First it opens “Software\Microsoft\Windows NT\CurrentVersion” registry key 

• Fetching DigitalProductID 

Then, the DigitalProductID is fetched from the registry as a byte array. This ID is used to generate the Windows product key. 

• Extracting relevant bytes 

A specific portion of the DigitalProductID is copied into a new byte array. 

The product key is derived from bytes starting at index 52 in the sourceArray. 

• Decoding the product key 

The outer loop runs 25 times (from 0 to 24) to form the product key. The inner loop processes each byte in reverse (from 14 to 0) to decode and generate the corresponding characters. 

• Formatting the product key 

The method returns the formatted product key as a string (e.g., XXXXX-XXXXX-XXXXX-XXXXX-XXXXX) 

Getting Victim’s Info  

The process gathers key information about the victim, including: 

• IP Address 
• Country 
• PC Name 
• Date and Time 

It gets the victim’s IP by making a request to: hxxp[://]checkip[.]dyndns[.]org/ 

The country information is retrieved by querying:  hxxps[://]reallyfreegeoip[.]org/xml/ 

Data format 

The collected information is structured in a formatted string for further use: 

Getting Clipboard Data 

The process of extracting data from the clipboard involves the following steps: 

• IsClipboardFormatAvailable checks if the clipboard contains text in Unicode format 

• OpenClipboard opens the clipboard to allow examination and retrieval of data 

• GetClipboardData retrieves the data handle from the clipboard in the specified format 

Exfiltration 

Nova supports three data exfiltration methods: FTP, SMTP, or Telegram, depending on the configuration set by the malware author. 

It compares the UltraSpeed.QJDFjPqkSr value against specific flags: 

• “#FTPEnabled”: If true, data is exfiltrated via FTP. 
• “#SMTPEnabled”: If true, data is exfiltrated via SMTP. 
• “#TGEnabled”: If true, data is exfiltrated via Telegram. 

In this particular sample, the exfiltration method is Telegram: 

As we see, there are no credentials provided for SMTP and FTP servers:

Telegram Exfiltration 

The code responsible for exfiltration through Telegram includes details about the bot and its endpoint for sending data: 

Telegram API endpoint: hxxps[://]api[.]telegram[.]org/bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI 

JSON Responses from the Telegram Bot API 

The provided images showcase JSON responses retrieved from the Telegram Bot API. These responses contain detailed information about bots that are directly associated with the NOVA family of malware. 

Code Reference to “NOVA” 

The malware’s source code explicitly mentions “NOVA”, reinforcing its attribution to this specific malware family. 

Conclusion 

The Nova variant of the Snake Keylogger represents a significant evolution of its predecessor, with advanced evasion techniques and a broader array of data exfiltration capabilities.  

Written in VB.NET, Nova leverages obfuscation methods such as Net Reactor Obfuscator and utilizes process hollowing to evade detection, making it a more persistent and stealthy threat. Through its sophisticated techniques, including credential harvesting from a wide variety of browsers, email clients, and other sensitive data, Nova demonstrates its ability to target both personal and corporate systems effectively. 

The malware is capable of extracting a wide range of valuable information, including saved passwords, credit card details, and system keys, from both browsers and email clients. In addition, its ability to gather data from a victim’s clipboard and exfiltrate it via multiple channels—such as FTP, SMTP, or Telegram—demonstrates its adaptability and versatility. 

While the use of Telegram as the exfiltration method in this specific sample shows a shift towards more covert communication, the ability to switch exfiltration methods allows the malware to avoid detection by security systems that might block certain channels. The malware’s integration with popular tools like Telegram also indicates its use in large-scale, automated cybercrime activities, making it a serious threat to organizations and individuals alike. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

• Detect malware in seconds
• Interact with samples in real time
• Save time and money on sandbox setup and maintenance
• Record and study all aspects of malware behavior
• Collaborate with your team 
• Scale as you need

Get a 14-day free trial to test all features of ANY.RUN’s Interactive Sandbox →

IOCs

Nova:  

68f5247bd24e8d5d121902a2701448fe135e696f8f65f29e9115923c8efebee4  

Dropped files 

C:UsersadminAppDataLocalTempfondaco afb1dae7a6f2396c3d136e60144b02dd03c59ab10704918185d12ef8c6d7ec93 

C:UsersadminAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupneophobia.vbs 66dbb9c8deadea9f848b1b55405738d8a65a733c804f1444533607c20584643e 

C2 URL

hxxps://api[.]telegram[.]org/bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI/sendDocument 

Bot Token

7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI 

Chat ID 

5679778644 

MITRE ATT&CK Techniques

The post Analysis of Nova: A Snake Keylogger Fork appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

From the perspective of information security, wireless networks are typically perceived as something that can be accessed only locally — to connect to them, an attacker needs to be physically close to the access point. This significantly limits their use in attacks on organizations, and so they are perceived as relatively risk-free. It’s easy to think that some random hacker on the internet could never simply connect to a corporate Wi-Fi network. However, the newly emerged Nearest Neighbor attack tactic demonstrates that this perception is not entirely accurate.

Even a well-protected organization’s wireless network can become a convenient entry point for remote attackers if they first compromise another, more vulnerable company located in the same building or a neighboring one. Let’s delve deeper into how this works and how to protect yourself against such attacks.

A remote attack on an organization’s wireless network

Let’s imagine a group of attackers planning to remotely hack into an organization. They gather information about the given company, investigate its external perimeter, and perhaps even find employee credentials in databases of leaked passwords. But they find no exploitable vulnerabilities. Moreover, they discover that all of the company’s external services are protected by two-factor authentication, so passwords alone aren’t sufficient for access.

One potential penetration method could be the corporate Wi-Fi network, which they could attempt to access using those same employee credentials. This applies especially if the organization has a guest Wi-Fi network that’s insufficiently isolated from the main network — such networks rarely use two-factor authentication. However, there’s a problem: the attackers are on the other side of the globe and can’t physically connect to the office Wi-Fi.

This is where the Nearest Neighbor tactic comes into play. If the attackers conduct additional reconnaissance, they’ll most likely discover numerous other organizations whose offices are within the Wi-Fi signal range of the target company. And it’s possible that some of those neighboring organizations are significantly more vulnerable than the attackers’ initial target.

This may simply be because these organizations believe their activities are less interesting to cyberattack operators — leading to less stringent security measures. For example, they might not use two-factor authentication for their external resources. Or they may fail to update their software promptly — leaving easily exploitable vulnerabilities exposed.

One way or another, it’s easier for the attackers to gain access to one of these neighboring organizations’ networks. Next, they need to find within the neighbor’s infrastructure a device connected to the wired network and equipped with a wireless module, and compromise it. By scanning the Wi-Fi environment through such a device, the attackers can locate the SSID of the target company’s network.

Using the compromised neighboring device as a bridge, the attackers can then connect to the corporate Wi-Fi network of their actual target. In this way, they get inside the perimeter of the target organization. Having achieved this initial objective, the attackers can proceed with their main goals — stealing information, encrypting data, monitoring employee activity, and more.

How to protect yourself against the Nearest Neighbor attack

It’s worth noting that this tactic has already been used by at least one APT group, so this isn’t just a theoretical threat. Organizations that could be targeted by such attacks should start treating the security of their wireless local area networks as seriously as the security of their internet-connected resources.

To protect against the Nearest Neighbor attack, we recommend the following:

• Ensure that the guest Wi-Fi network is truly isolated from the main network.
• Strengthen the security of corporate Wi-Fi access — for instance, by using two-factor authentication with one-time codes or certificates.
• Enable two-factor authentication — not only for external resources but also for internal ones, and, in general, adopt the Zero Trust security model.
• Use an advanced threat detection and prevention system, such as Kaspersky Next XDR Expert.
• If you lack highly qualified in-house cybersecurity specialists, make use of external services such as Managed Detection and Response and Incident Response.

Kaspersky official blog – ​Read More

Overview

In response to the growing threat of cyber and financial crimes targeting individuals and organizations, INTERPOL has launched a new campaign called “Think Twice.” The campaign aims to raise awareness about the dangers of increasingly complex online threats, urging people to pause and think before making decisions online. The campaign highlights five key cyber threats: ransomware attacks, malware attacks, phishing, generative AI scams, and romance baiting.

With these crimes becoming more advanced and widespread, the campaign serves as a timely reminder of the importance of vigilance and careful decision-making in the digital world.

The Rising Threat of Cybercrime

Cybercrime is on the rise, with criminals using more advanced techniques to exploit vulnerable individuals and organizations. According to INTERPOL’s findings, ransomware attacks have increased by 70 percent, and malware attacks have risen by over 30 percent in just the past year.

Fostering a culture of cyber-awareness in the workforce is the first and last line of defense against cybercrime, as employees form the backbone of any cybersecurity strategy.

Phishing attacks have also evolved, becoming increasingly difficult to detect. Cybercriminals are now using sophisticated methods, including generative AI, to manipulate voices, images, and text, creating ultra-realistic human avatars to deceive victims. These scams are gaining traction, with scammers targeting victims worldwide using tactics that were once unimaginable. Another rising threat is romance baiting, where criminals use fake online profiles to form relationships with victims, only to later ask for money.

The “Think Twice” campaign, which will run from December 3 to December 19, 2024, emphasizes the importance of making informed choices online. By raising awareness of these growing threats, INTERPOL hopes to empower individuals and organizations to take proactive steps in safeguarding themselves against cybercrime.

Key Threats Highlighted by the “Think Twice” Campaign

The campaign focuses on five major threats that have been identified as rapidly growing concerns in the online space:

1. Ransomware Attacks:
   Ransomware continues to be one of the most disruptive forms of cybercrime. It involves criminals encrypting a victim’s data and demanding a ransom to unlock it. The rise of ransomware attacks has been staggering, with a 70 percent increase in the past year alone.
2. Malware Attacks:
   Malware attacks involve malicious software designed to infiltrate and damage computers or networks. Over 30 percent of malware attacks have increased in the past year, often spreading through emails, links, or infected files.
3. Phishing:
   Phishing scams involve tricking individuals into revealing sensitive information, such as passwords or financial data, through deceptive emails or messages. Phishing has become more sophisticated, with cybercriminals using AI-generated content to make their scams harder to detect.
4. Generative AI Scams:
   Generative AI scams involve using AI technology to create fake human avatars, voices, and images to deceive victims. These scams are gaining traction, with cybercriminals using realistic content to manipulate and steal money from victims.
5. Romance Baiting Scams:
   Romance baiting is a growing form of fraud where criminals create fake online profiles to form emotional connections with victims. After gaining their trust, they ask for money, often claiming to be in a financial emergency or need.

The “Think Twice” Campaign: Empowering Individuals and Organizations

The primary objective of the “Think Twice” campaign is to encourage individuals to pause and think before acting on digital content. INTERPOL urges people to verify the authenticity of messages, links, and requests before taking any action. This two-week awareness campaign will primarily run through social media channels, reaching individuals globally and educating them about the risks associated with cybercrime.

INTERPOL emphasizes the importance of adopting a mindset of caution and awareness when interacting with digital content. The campaign encourages individuals to:

• Pause and evaluate: Take a moment to verify the authenticity of any unsolicited emails, links, or messages.
• Check for credibility: Ensure the sources of information are legitimate, especially if you’re asked for personal or financial information.
• Verify identities: Even if a request seems to come from a familiar contact, always verify their identity through multiple channels.
• Stay informed: Learn about the latest cybercrime tactics and how to recognize them.
• Be cautious with online relationships: Especially when money is involved, approach online relationships with skepticism.

Taking Action Against Cybercrime: What Can You Do?

INTERPOL’s campaign is not just about raising awareness; it also provides a practical checklist for reducing the risks of cybercrime. Here are some simple steps that individuals and organizations can take to protect themselves:

1. Be cautious of unsolicited requests: Always be wary of emails or messages from unfamiliar sources. Avoid clicking on suspicious links or attachments.
2. Implement a cybersecurity culture: Businesses should foster a culture of cybersecurity awareness among employees, providing training and guidelines on handling potential threats.
3. Verify identities: If you receive a request for money or sensitive information from a known person, verify their identity before acting.
4. Use in-person verification: For high-risk situations, like online transactions or relationships, consider verifying details through face-to-face meetings or phone calls.
5. Stay informed: Cybercrime tactics are constantly evolving, so it’s crucial to stay updated on the latest scams and threats.

Conclusion

As cyber and financial crimes continue to grow in scale, INTERPOL’s “Think Twice” campaign serves as an essential reminder for individuals and organizations to remain vigilant. By pausing to consider their digital actions and verifying the authenticity of online content, people can reduce their exposure to threats like phishing, malware, and romance baiting.

As INTERPOL’s Secretary General Valdecy Urquiza said, cybersecurity is a shared responsibility. Through proactive measures and informed decisions, we can help build a safer digital world for everyone.

Source: https://www.interpol.int/en/News-and-Events/News/2024/INTERPOL-campaign-warns-against-cyber-and-financial-crimes

The post Think Twice Before You Click: INTERPOL Unveils Alarming Cybercrime Trends appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

The TP-Link Archer C50 V4, a popular dual-band wireless router designed for small office and home office (SOHO) networks, has been found to contain multiple security vulnerabilities that could expose users to a range of cyber threats.

These TP-Link Archer router vulnerabilities, identified under the CVE-2024-54126 and CVE-2024-54127 identifiers, affect all firmware versions prior to Archer C50(EU)_V4_240917. The Indian Computer Emergency Response Team (CERT-In) flagged these vulnerabilities and the security of TP-Link Archer routers.

The vulnerabilities identified in the TP-Link Archer C50 V4 wireless router could allow attackers to exploit critical security holes in the device, leading to unauthorized access and potentially damaging consequences. Two specific issues have been highlighted: a flaw in the firmware upgrade process and the exposure of sensitive Wi-Fi credentials.

Details of the TP-Link Archer Router Vulnerabilities

The TP-Link Archer router vulnerabilities have been classified as medium risk. While the immediate impact may not be critical, the potential for exploitation remains a threat to network security. CVE-2024-54126 and CVE-2024-54127 were reported by Khalid Markar, Amey Chavekar, Sushant Mane, and Dr. Faruk Kazi from CoE-CNDS Lab, VJTI, Mumbai.

Vulnerability Details in TP-Link Archer Router

1. Insufficient Integrity Verification During Firmware Upgrade (CVE-2024-54126)

One of the key vulnerabilities in the TP-Link Archer C50 router arises from an improper signature verification mechanism in the firmware upgrade process. This issue is present in the web interface of the router, which could be exploited by an attacker with administrative privileges. If the attacker is within the Wi-Fi range of the router, they could upload and execute malicious firmware, allowing them to compromise the device completely.

The absence of adequate integrity checks during firmware updates could enable an attacker to introduce backdoors or malicious code into the router. This would allow the attacker to control the device, manipulate network traffic, or even hijack the entire system, posing a serious security risk for users relying on this router for their home or business networks.

• Exposure of Wi-Fi Credentials in Plaintext (CVE-2024-54127)

The second vulnerability is related to the lack of proper access control on the serial interface of the TP-Link Archer C50 router. An attacker with physical access to the device could exploit this weakness by accessing the Universal Asynchronous Receiver-Transmitter (UART) shell. Once inside, the attacker could easily extract Wi-Fi credentials, including the network name (SSID) and password, which would give them unauthorized access to the targeted network.

This vulnerability in TP-Link Archer routers is particularly malicious because obtaining Wi-Fi credentials allows attackers to infiltrate the network, potentially exposing sensitive data, intercepting communications, or launching further attacks on connected devices. The ability to obtain such information without the need for remote access makes this vulnerability especially dangerous in situations where physical access to the device is possible.

Impact of the TP-Link Archer Vulnerability

The presence of these vulnerabilities in the TP-Link Archer C50 V4 router could lead to significant security risks, including:

• Compromise of the router: Malicious firmware uploads could enable attackers to control the device, potentially disrupting network operations or using it as a platform for launching further attacks.
• Exposure of sensitive information: The vulnerability related to the exposure of Wi-Fi credentials allows attackers to access the network and all connected devices. This could lead to data breaches, unauthorized surveillance, and even identity theft.
• Potential system compromise: Once the attacker gains access to the router or the Wi-Fi network, they may leverage this foothold to exploit other vulnerabilities in the network infrastructure, leading to a larger-scale attack.

Given that many home and small office networks rely on TP-Link Archer routers for wireless connectivity, these vulnerabilities have the potential to affect a large number of users. The impact could be particularly severe for businesses or individuals who store sensitive information or rely on secure communications.

Mitigating the Vulnerability in TP-Link Archer Router

To mitigate the risks associated with these vulnerabilities, TP-Link has released a firmware update designed to address the issues. The solution is available for download through the official TP-Link website and should be applied as soon as possible to protect the router from potential attacks. Some of the recommended actions include:

• Update Firmware: Users of the TP-Link Archer C50 V4 router are advised to upgrade to the latest firmware version, Archer C50(EU)_V4_240917. This update fixes the vulnerabilities by enhancing the integrity checks during the firmware upgrade process and securing access to the serial interface to prevent unauthorized access to Wi-Fi credentials.
• Firmware Upgrade Instructions: To ensure a smooth upgrade, users should follow the specific instructions provided by TP-Link, which include verifying the hardware version of the router, downloading the correct firmware, and ensuring the router is not powered off during the upgrade process. It is also recommended to use a wired connection during the upgrade to avoid any issues with wireless disconnections.

Conclusion

The discovery of vulnerabilities in the TP-Link Archer router highlights the critical need for users to stay updated with the latest firmware releases and security patches. The vulnerabilities in the TP-Link Archer C50 V4, including the insufficient integrity verification during firmware upgrades and the exposure of Wi-Fi credentials, present an ongoing security risks that could lead to unauthorized access and system compromise.

By upgrading to the latest firmware version, users can mitigate the risks associated with these vulnerabilities and protect their networks from potential exploitation. TP-Link Archer router users should take immediate action to secure their devices and ensure their networks remain safe from attackers seeking to exploit these flaws.

References

• https://www.cert-in.org.in/
• https://www.tp-link.com/en/support/download/archer-c50/v4/#Firmware
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54127
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54126

The post Security Risks in TP-Link Archer Router Could Lead to Unauthorized Access appeared first on Cyble.

Blog – Cyble – ​Read More