A series of attacks targeting the Windows Internet Key Exchange (IKE) Protocol Extensions have been discovered.

According to a new report that the security company Cyfirma recently shared with Infosecurity, the discovered vulnerabilities may have been used to attack nearly 1,000 systems.

The attacks observed by the company are part of a campaign launched by a Mandarin-speaking threat actor, whose name roughly translates to "bleed you".

The Cyfirma research team also observed unknown hackers sharing an exploit link on an underground forum, which could be used to attack vulnerable systems.

"A critical vulnerability has been identified in the IKE Protocol Extensions of Microsoft Windows," the advisory reads.

"This vulnerability [...] affects unknown code of the IKE Protocol Extensions component, and manipulation of that component leads to remote code execution (RCE)."

Cyfirma specifically wrote that the vulnerability lies in the code used to handle IKEv1 [...], a protocol that is deprecated but kept for compatibility with legacy systems.

The company also clarified that while IKEv2 is not affected, the vulnerability affects all Windows servers because they accept both V1 and V2 packets, which makes the flaw critical.

"[The proof of concept] exploits a memory corruption issue in svchost on the vulnerable system," the technical write-up reads.

Memory corruption occurs when Page Heap (a debugging plug-in) is enabled on the system for the Internet Key Exchange process. The exe process hosting the Internet Key Exchange protocol service crashes while attempting to read data beyond the allocated buffer.

Regarding attribution, Cyfirma said the threat actor is currently unknown, but the team also observed connections between the "bleed you" campaign and Russian cyber-criminals.

The company wrote: "From a strategic viewpoint on changing geopolitical scenarios in external threat landscape management, Russia and China are forming a strategic relationship."

Cyfirma added that Microsoft has assigned CVE-2022-34721 to the issue and fixed it by adding a check on the length of incoming data and skipping processing of that data if the length is too small.

The translation above was produced by Youdao Neural Machine Translation (YNMT), general domain.

Original text follows:

A series of exploits have been found in the wild targeting Windows Internet Key Exchange (IKE) Protocol Extensions.

According to a new advisory recently shared by security company Cyfirma with Infosecurity, the discovered vulnerabilities could have been exploited to target almost 1000 systems.

The attacks observed by the company would be part of a campaign by a Mandarin-speaking threat actor whose name roughly translates to “bleed you”.

The Cyfirma Research team has also observed unknown hackers sharing an exploit link on underground forums, which could be used to target vulnerable systems.

“A critical vulnerability has been identified in Microsoft Windows IKE Protocol Extensions,” reads the advisory.

“This vulnerability […] affects unknown code of the IKE Protocol Extensions component, manipulation of which leads to remote code execution (RCE).”

In particular, Cyfirma wrote that the vulnerability lies in the code used to handle the IKEv1 […] protocol, which is deprecated but compatible with legacy systems.

The company has also clarified that while IKEv2 is not impacted, the vulnerability affects all Windows Servers because they accept both V1 and V2 packets, making the flaw critical.

“The [proof of concept] exploits a memory corruption issue with the svchost of the vulnerable system,” reads the technical write-up.

“Memory corruption occurs when Page Heap (a debugging plug-in) in the system is enabled for the Internet Key Exchange process. The exe process hosting the Internet Key Exchange protocol service crashes while attempting to read data beyond an allocated buffer.”

In terms of attribution, Cyfirma said the threat actor is currently unknown but also that the team observed connections between the “bleed you” campaign and Russian cyber-criminals.

“From a strategic viewpoint on changing geopolitical scenarios from external threat landscape management, Russia and China are observed to form a strategic relationship,” wrote the company.

Cyfirma added that Microsoft has allocated CVE-2022-34721 to the issue and fixed it by adding a check on incoming data length and skipping processing of that data if the length is too small.
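To make the fix described above concrete, here is an added example in C. It is not Cyfirma's, Microsoft's or Infosecurity's code, and it does not model the actual Windows IKE implementation or the real bug: it is a hypothetical, simplified parser for a chain of IKEv1-style generic payloads (the 4-byte header of RFC 2408, section 3.2: next payload, reserved, 16-bit big-endian length that includes the header) that shows the bug class the write-up describes (a length field too small for its own header makes "length minus header" wrap around, so an unchecked parser reads past the allocated buffer) and the kind of minimum-length check the article says the patch added, which skips the data instead of processing it. The sample packets are constructed, not captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Generic payload header as in IKEv1 (RFC 2408 section 3.2): Next Payload (1 byte),
 * RESERVED (1 byte), Payload Length (2 bytes, big-endian, header included). */
#define HDR_LEN 4u

typedef struct {
    unsigned accepted;   /* payloads with a sane length whose body was read */
    unsigned rejected;   /* payloads skipped because the length field was bad */
    size_t   body_bytes; /* total body bytes read, all of them in bounds */
} parse_stats;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* What goes wrong without a minimum-length check: a declared length smaller than the
 * header makes "length minus header" wrap around to a huge size_t, so a parser that
 * trusts it reads far past the end of its buffer (the out-of-bounds read the write-up
 * describes). This function only computes the value; it never dereferences anything. */
size_t body_len_unchecked(uint16_t payload_len) { return (size_t)payload_len - HDR_LEN; }

/* Hardened walk over a payload chain. Never reads past pkt + pkt_len. Returns 0 when the
 * whole chain parsed and -1 when a bad length was hit; in that case the rest of the
 * packet is skipped, which is the behaviour the article attributes to the fix. */
int walk_payloads(const uint8_t *pkt, size_t pkt_len, parse_stats *st)
{
    size_t off = 0;
    memset(st, 0, sizeof *st);
    while (off < pkt_len) {
        size_t remaining = pkt_len - off;
        if (remaining < HDR_LEN) { st->rejected++; return -1; }   /* truncated header */
        uint16_t len = be16(pkt + off + 2);
        /* The length check: a payload can be neither shorter than its own header
         * (that is the "length too small" case) nor longer than what is left. */
        if (len < HDR_LEN || len > remaining) { st->rejected++; return -1; }
        size_t body = len - HDR_LEN;              /* cannot wrap: len >= HDR_LEN here */
        /* A real parser would now decode pkt[off + HDR_LEN .. off + len); every index
         * in that range is below pkt_len because len <= remaining. */
        st->body_bytes += body;
        st->accepted++;
        off += len;
    }
    return 0;
}

/* Constructed sample packets (hypothetical, not real captures). */
static const uint8_t SAMPLE_OK[] = {
    0x0A, 0x00, 0x00, 0x08, 'a', 'b', 'c', 'd',   /* payload 1: length 8, body 4 */
    0x00, 0x00, 0x00, 0x06, 'x', 'y'              /* payload 2: length 6, body 2 */
};
static const uint8_t SAMPLE_TOO_SMALL[] = { 0x0A, 0x00, 0x00, 0x02, 0x41, 0x42 }; /* length 2 < header */
static const uint8_t SAMPLE_TOO_LARGE[] = { 0x0A, 0x00, 0x00, 0x20, 0x41, 0x42 }; /* length 32 > 6 left */

/* which: 0 = well-formed chain, 1 = length too small, 2 = length too large. */
int parse_sample(int which, parse_stats *st)
{
    switch (which) {
    case 0:  return walk_payloads(SAMPLE_OK, sizeof SAMPLE_OK, st);
    case 1:  return walk_payloads(SAMPLE_TOO_SMALL, sizeof SAMPLE_TOO_SMALL, st);
    default: return walk_payloads(SAMPLE_TOO_LARGE, sizeof SAMPLE_TOO_LARGE, st);
    }
}

int main(void)
{
    for (int w = 0; w < 3; w++) {
        parse_stats st;
        int rc = parse_sample(w, &st);
        printf("sample %d: rc=%d accepted=%u rejected=%u body_bytes=%zu\n",
               w, rc, st.accepted, st.rejected, st.body_bytes);
    }
    printf("unchecked body length for declared length 2: %zu\n", body_len_unchecked(2));
    return 0;
}
```

The point of the two checks is that both directions matter: `len > remaining` stops a read past the end of the packet, while `len < HDR_LEN` stops the unsigned wrap-around that would otherwise turn a two-byte payload into a request to read nearly the whole address space. Returning early rather than trying to resynchronise is the safer choice for a network-facing parser, since a crafted length gives it no reliable way to find the next payload.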

Source: https://www.infosecurity-magazine.com/news/rce-vulnerability-in-windows-ike/
