This posting is here to collect cyber security news in May 2023.
I post links to security vulnerability news in the comments of this article.
You are also free to post related links in the comments.
379 Comments
Tomi Engdahl says:
https://www.securityweek.com/meta-swiftly-neutralizes-new-nodestealer-malware/
Tomi Engdahl says:
https://www.securityweek.com/cisco-warns-of-critical-vulnerability-in-eol-phone-adapters/
Cisco this week raised the alarm on a critical remote code execution (RCE) vulnerability impacting SPA112 2-Port phone adapters, which have reached end-of-life (EoL) status.
Tracked as CVE-2023-20126 (CVSS score of 9.8), the flaw impacts the web-based management interface of the phone adapters and can be exploited without authentication.
Tomi Engdahl says:
Apple Releases First-Ever Security Updates for Beats, AirPods Headphones
https://www.securityweek.com/apple-releases-first-ever-security-updates-for-beats-airpods-headphones/
Apple has released firmware updates for Beats and AirPods to patch a vulnerability that can be exploited to gain access to headphones via a Bluetooth attack.
Tomi Engdahl says:
https://www.securityweek.com/former-uber-cso-joe-sullivan-avoids-prison-time-over-data-breach-cover-up/
Tomi Engdahl says:
https://www.securityweek.com/azure-api-management-vulnerabilities-allowed-unauthorized-access/
Tomi Engdahl says:
Vulnerabilities
Fortinet Patches High-Severity Vulnerabilities in FortiADC, FortiOS
Fortinet has released patches for two high-severity vulnerabilities impacting FortiADC, FortiOS, and FortiProxy.
https://www.securityweek.com/fortinet-patches-high-severity-vulnerabilities-in-fortiadc-fortios/
Fortinet this week announced its monthly set of security updates that address nine vulnerabilities in multiple products, including two high-severity bugs in FortiADC, FortiOS, and FortiProxy.
Impacting the FortiADC application delivery controller, the most severe of these issues is tracked as CVE-2023-27999 and is described as “an improper neutralization of special elements used in an OS command vulnerability”.
An attacker could exploit the bug via crafted arguments to existing commands, allowing them to execute unauthorized commands. The attacker needs to be authenticated to exploit the vulnerability.
The issue impacts FortiADC versions 7.2.0, 7.1.1, and 7.1.0, and was addressed with the release of FortiADC versions 7.2.1 and 7.1.2.
The second high-severity flaw, CVE-2023-22640, is described as an out-of-bounds write in the sslvpnd component of FortiOS and FortiProxy.
The bug allows an authenticated attacker to send specifically crafted requests to achieve arbitrary code execution, Fortinet explains.
Tomi Engdahl says:
Biden, Harris Meet With CEOs About AI Risks
https://www.securityweek.com/biden-harris-meet-with-ceos-about-ai-risks/
Vice President Kamala Harris met with the heads of companies developing AI as the Biden administration rolls out initiatives to ensure the technology improves lives without putting people’s rights and safety at risk.
Vice President Kamala Harris met on Thursday with the heads of Google, Microsoft and two other companies developing artificial intelligence as the Biden administration rolls out initiatives meant to ensure the rapidly evolving technology improves lives without putting people’s rights and safety at risk.
President Joe Biden briefly dropped by the meeting in the White House’s Roosevelt Room, saying he hoped the group could “educate us” on what is most needed to protect and advance society.
“What you’re doing has enormous potential and enormous danger,” Biden told the CEOs, according to a video posted to his Twitter account.
The popularity of AI chatbot ChatGPT — even Biden has given it a try, White House officials said Thursday — has sparked a surge of commercial investment in AI tools that can write convincingly human-like text and churn out new images, music and computer code.
Tomi Engdahl says:
Critical Siemens RTU Vulnerability Could Allow Hackers to Destabilize Power Grid
https://www.securityweek.com/critical-siemens-rtu-vulnerability-could-allow-hackers-to-destabilize-power-grid/
Siemens recently patched a critical vulnerability affecting some of its energy ICS devices that could allow hackers to destabilize a power grid.
A critical vulnerability affecting some of Siemens’ industrial control systems (ICS) designed for the energy sector could allow malicious hackers to destabilize a power grid, according to the researchers who found the security hole.
The vulnerability, tracked as CVE-2023-28489, impacts the CPCI85 firmware of Sicam A8000 CP-8031 and CP-8050 products, and it can be exploited by an unauthenticated attacker for remote code execution. These products are remote terminal units (RTUs) designed for telecontrol and automation in the energy supply sector, particularly for substations.
Patches are available in firmware versions CPCI85 V05 or later, and the German industrial giant also noted that the risk of exploitation can be reduced by limiting access to the web server on TCP ports 80 and 443 using a firewall.
In an advisory published on April 11, Siemens said it learned about the flaw from a team of researchers at cybersecurity consultancy SEC Consult, which is now part of Eviden, an Atos business.
Johannes Greil, head of the SEC Consult Vulnerability Lab, told SecurityWeek that an attacker who can exploit CVE-2023-28489 can take complete control of a device and they could potentially destabilize a power grid and possibly even cause blackouts by changing critical automation parameters. Threat actors could also leverage the vulnerability to implement backdoors.
However, the expert noted that since these devices are mostly used in critical infrastructure environments, they are typically ‘strongly firewalled’ and are not accessible directly from the internet.
“It cannot be ruled out though that some devices might be reachable through 3rd party support access connections or potential misconfigurations,” Greil explained.
Exploitation of CVE-2023-28489 can allow an attacker who has network access to the targeted device to gain full root access without any prior authentication. Exploitation of the flaw involves sending a specially crafted HTTP request to the targeted RTU.
The US Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory in April to inform organizations about the vulnerability.
Greil pointed out that Siemens Sicam products are among the first devices in the world to receive ‘maturity level 4’ certification in the Industrial Cyber Security category. This certification, IEC62443-4-1, indicates that security was an important factor throughout the design and development process and that the product has undergone rigorous testing.
Siemens CPCI85 Firmware of SICAM A8000 Devices
https://www.cisa.gov/news-events/ics-advisories/icsa-23-103-07
https://cert-portal.siemens.com/productcert/txt/ssa-472454.txt
Automation and remote terminal units – SICAM A8000
https://www.siemens.com/global/en/products/energy/energy-automation-and-smart-grid/substation-automation/automation-and-remote-terminal-units-sicam-a8000-series.html
TÜV NORD carries out world’s first Maturity Level 4 certification
https://www.tuev-nord-group.com/en/newsroom/news/details/article/tuev-nord-carries-out-worlds-first-maturity-level-4-certification/
TÜV NORD has carried out the world’s first Maturity Level 4 certification in the IECEE scheme in the Industrial Cyber Security (CYBR) category. This testifies to the achievement by Siemens AG’s “Lean Product Lifecycle @ SI EA” system of the highest level of process maturity. This places both Siemens and TÜV NORD at the forefront of certification activities in the globally established IECEE scheme.
“We congratulate Siemens on its terrific achievement and are pleased to have been able to make qualified use of our technical know-how and the IT expertise of our sister company TÜVIT,” says Matthias Springer, Cluster Manager for Functional Safety & Security at TÜV NORD. TÜV NORD is one of the few providers on the international market to have been accredited by both the German accreditation body (DAkkS) and the international standardisation organisation, the IECEE, to carry out all relevant validations and certifications pursuant to IEC 62443.
IEC 62443-4-1 is part of a family of standards whose goal is to ensure IT security for industrial automation systems. Companies that use networked components, be they in the control systems for an industrial plant, the control of railway vehicles or the protection technology used in an electricity substation, must protect their communications networks from cyber attacks – and that protection must be verifiable. This is assured by means of the analysis and evaluation of security concepts, measures and product development processes. This process was successfully certified by TÜV NORD at Siemens Smart Infrastructure, Electrification & Automotion (SI EA).
The IEC 62443 series of standards currently comprises eleven sub-standards. These cover the areas of organisation/processes, system and components alongside procedural and functional requirements. IEC 62443 thus covers the entire industrial spectrum and meets the requirements of operators, integrators and manufacturers alike.
Tomi Engdahl says:
Google introduced a new way to sign in – no more passwords https://www.is.fi/digitoday/tietoturva/art-2000009562387.html
A passkey is a passwordless alternative for signing in to a Google account and, if the hopes behind it are fulfilled, to countless other services in the future.
A passkey is an identifier stored on a phone or computer that is used to unlock an online user account. When you sign in to a website or an app with your phone, you no longer use a password. Instead, you simply unlock your phone, whether it uses a PIN code, a pattern or a fingerprint lock.
In Google's case, passkeys can be used to sign in to a Google account with a fingerprint, face, screen lock or a security key device.
The PASSKEY initiative also involves Microsoft and Apple, among others. The change protects against online attacks in which the user is lured into handing over their password. It also counters the threat of weak passwords.
Passkeys require support from developers, and it may take time before they are widely supported. Possible problems with the technology have also been raised. It has been suggested that, as a consequence, users may end up locked even more tightly into a big technology company's ecosystem.
You can activate a passkey for yourself by signing in to the account management page with your own Google account.
A TECHNICAL drawback has, at least traditionally, concerned the transfer of passkeys. That is, if a user wants to switch from an Android phone to an iPhone or vice versa, passkeys have not been easy to move. The problem may be fixed in the future.
Google warns against using passkeys if the device in question is shared with someone else. If that person can unlock the screen, they also have access to your Google account. In an emergency, a passkey can be revoked in the Google account settings.
Tomi Engdahl says:
New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks
https://thehackernews.com/2023/05/new-vulnerability-in-popular-wordpress.html
Users of Advanced Custom Fields plugin for WordPress are being urged to update version 6.1.6 following the discovery of a security flaw.
The issue, assigned the identifier CVE-2023-30777, relates to a case of reflected cross-site scripting (XSS) that could be abused to inject arbitrary executable scripts into otherwise benign websites.
The plugin, which is available both as a free and pro version, has over two million active installations. The issue was discovered and reported to the maintainers on May 2, 2023.
“This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path,” Patchstack researcher Rafie Muhammad said.
Tomi Engdahl says:
WordPress custom field plugin bug exposes over 1M sites to XSS attacks https://www.bleepingcomputer.com/news/security/wordpress-custom-field-plugin-bug-exposes-over-1m-sites-to-xss-attacks/
Security researchers warn that the ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks (XSS). The two plugins are among WordPress’s most popular custom field builders, with 2,000,000 active installs on sites worldwide.
Tomi Engdahl says:
Kimsuky hackers use new recon tool to find security gaps https://www.bleepingcomputer.com/news/security/kimsuky-hackers-use-new-recon-tool-to-find-security-gaps/
The North Korean Kimsuky hacking group has been observed employing a new version of its reconnaissance malware, now called ‘ReconShark,’ in a cyberespionage campaign with a global reach. Sentinel Labs reports that the threat actor has expanded its targeting scope, now targeting government organizations, research centers, universities, and think tanks in the United States, Europe, and Asia.
Tomi Engdahl says:
Why Robot Vacuums Have Cameras (and What to Know About Them) https://securityintelligence.com/articles/why-robot-vacuums-have-cameras-what-to-know/
Robot vacuum cleaner products are by far the largest category of consumer robots. They roll around on floors, hoovering up dust and dirt so we don’t have to, all while avoiding obstacles.
Tomi Engdahl says:
Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads
https://thehackernews.com/2023/05/fleckpe-android-malware-sneaks-onto.html
A new Android subscription malware named Fleckpe has been unearthed on the Google Play Store, amassing more than 620,000 downloads in total since 2022. Kaspersky, which identified 11 apps on the official app storefront, said the malware masqueraded as legitimate photo editing apps, camera, and smartphone wallpaper packs. The apps have since been taken down.
Tomi Engdahl says:
New Android updates fix kernel bug exploited in spyware attacks https://www.bleepingcomputer.com/news/security/new-android-updates-fix-kernel-bug-exploited-in-spyware-attacks/
Android security updates released this month patch a high-severity vulnerability exploited as a zero-day to install commercial spyware on compromised devices. The security flaw (tracked as CVE-2023-0266) is a use-after-free weakness in the Linux Kernel sound subsystem that may result in privilege escalation without requiring user interaction.
According to a Google Threat Analysis Group (TAG) report published in March, it was exploited as part of a complex chain of multiple 0-days and n-days in a spyware campaign targeting Samsung Android phones.
Tomi Engdahl says:
Ransomware attack forces Dallas to shut down courts, disrupts some 911 services https://techcrunch.com/2023/05/04/ransomware-attack-forces-dallas-to-shut-down-courts-disrupt-some-911-services
The City of Dallas in Texas has confirmed a ransomware attack has downed key services, including 911 dispatch systems. City officials confirmed on Wednesday that a number of the city’s servers had been compromised with ransomware, causing widespread service outages.
Tomi Engdahl says:
Z-Library eBook site disrupted again by FBI domain seizures https://www.bleepingcomputer.com/news/technology/z-library-ebook-site-disrupted-again-by-fbi-domain-seizures/
The Federal Bureau of Investigation (FBI) continues to disrupt the world’s largest shadow eBook library, Z-Library, by seizing more domains used by the platform.
Tomi Engdahl says:
Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry https://thehackernews.com/2023/05/dragon-breath-apt-group-using-double.html
An advanced persistent threat (APT) actor known as Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism. “The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time,” Sophos researcher Gabor Szappanos said.
Tomi Engdahl says:
New PaperCut RCE exploit created that bypasses existing detections https://www.bleepingcomputer.com/news/security/new-papercut-rce-exploit-created-that-bypasses-existing-detections/
A new proof-of-concept (PoC) exploit for an actively exploited PaperCut vulnerability was released that bypasses all known detection rules. The PaperCut vulnerability, tracked as CVE-2023-27350, is a critical severity unauthenticated remote code execution flaw in PaperCut MF or NG versions 8.0 or later that has been exploited in ransomware attacks.
Tomi Engdahl says:
Twitter says ‘security incident’ exposed private Circle tweets https://www.bleepingcomputer.com/news/security/twitter-says-security-incident-exposed-private-circle-tweets/
Twitter disclosed that a ‘security incident’ caused private tweets sent to Twitter Circles to show publicly to users outside of the Circle. Twitter Circle is a feature released in August 2022 that allows users to send tweets to a small circle of people, promising to keep them private from the public.
Tomi Engdahl says:
Meet Akira A new ransomware operation targeting the enterprise https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/
The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms. Launched in March 2023, Akira claims to have already conducted attacks on sixteen companies. These companies are in various industries, including education, finance, real estate, manufacturing, and consulting.
Tomi Engdahl says:
Google and Apple cooperate to address unwanted tracking https://www.malwarebytes.com/blog/news/2023/05/google-and-apple-take-initiative-to-address-unwanted-tracking
Google and Apple have announced that they are looking for input from industry participants and advocacy groups on a draft specification to alert users in the event of suspected unwanted tracking. Samsung, Tile, Chipolo, eufy Security, and Pebblebee have stated that they will support the specification in future products. The specification will consist of a set of best practices and protocols for accessory manufacturers whose products have built-in location-tracking capabilities. Examples of these accessories are the Apple AirTag, Tile Mate and Pro, Samsung SmartTag, and Google’s expected Grogu.
Tomi Engdahl says:
Western Digital says hackers stole customer data in March cyberattack https://www.bleepingcomputer.com/news/security/western-digital-says-hackers-stole-customer-data-in-march-cyberattack/
Western Digital has taken its store offline and sent customers data breach notifications after confirming that hackers stole sensitive personal information in a March cyberattack. The company emailed the data breach notifications late Friday afternoon, warning that customers’ data was stored in a Western Digital database stolen during the attack.
Tomi Engdahl says:
Boot Guard Keys From MSI Hack Posted, Many PCs Vulnerable https://www.tomshardware.com/news/msi-bootguard-keys-leaked-to-internet
Files purloined during the substantial MSI hack last month have started to proliferate around the dark web. One of the more worrying things spotted among the digital loot is an Intel OEM private key. MSI would have used this to sign its firmware/BIOS updates to pass Intel Boot Guard verification checks. Now hackers can use the key to sign malicious BIOS, firmware and apps, which will look entirely like official MSI releases.
Tomi Engdahl says:
New Cactus ransomware encrypts itself to evade antivirus https://www.bleepingcomputer.com/news/security/new-cactus-ransomware-encrypts-itself-to-evade-antivirus/
A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to networks of large commercial entities. The Cactus ransomware operation has been active since at least March and is looking for big payouts from its victims.
Tomi Engdahl says:
Taylor Hatmaker / TechCrunch:
Scammers appear to be hacking verified Meta accounts to impersonate the company and run Facebook ads asking users to download shady tools likely with malware — Sketchy Facebook pages impersonating businesses are nothing new, but a flurry of recent scams is particularly brazen.
Hacked verified Facebook pages impersonating Meta are buying ads from Meta
https://techcrunch.com/2023/05/05/hacked-verified-facebook-pages-impersonating-meta-are-buying-ads-from-meta/
Sketchy Facebook pages impersonating businesses are nothing new, but a flurry of recent scams is particularly brazen.
A handful of verified Facebook pages were hacked recently and spotted slinging likely malware through ads approved by and purchased through the platform. But the accounts should be easy to catch — in some cases, they were impersonating Facebook itself.
Social consultant Matt Navarra first spotted some of the ads, sharing them on Twitter. The compromised accounts include official-sounding pages like “Meta Ads” and “Meta Ads Manager.” Those accounts shared suspicious links to tens of thousands of followers, though their reach probably extended well beyond that through paid posts.
Tomi Engdahl says:
Pro-Russian Hackers Claim Downing of French Senate Website
The French Senate’s website was offline on Friday after pro-Russian hackers claimed to have taken it down, in just the latest such cyberattack since Russia invaded Ukraine last year.
https://www.securityweek.com/pro-russian-hackers-claim-downing-of-french-senate-website/
Tomi Engdahl says:
New Android Trojans Infected Many Devices in Asia via Google Play, Phishing
The recently identified Fleckpe Android trojan has infected over 600,000 users in Southeast Asia via Google Play.
https://www.securityweek.com/new-android-trojans-infected-many-devices-in-asia-via-google-play-phishing/
Tomi Engdahl says:
Microsoft: Iranian hacking groups join Papercut attack spree https://www.bleepingcomputer.com/news/security/microsoft-iranian-hacking-groups-join-papercut-attack-spree/
Microsoft says Iranian state-backed hackers have joined the ongoing assault targeting vulnerable PaperCut MF/NG print management servers.
These groups are tracked as Mango Sandstorm (aka Mercury or Muddywater and linked to Iran’s Ministry of Intelligence and Security) and Mint Sandstorm (also known as Phosphorus or APT35 and tied to Iran’s Islamic Revolutionary Guard Corps).
Tomi Engdahl says:
Dallas courts, fire and police networks still crippled from ransomware incident https://therecord.media/dallas-ransomware-attack-courts-fire-police
All municipal courts in Dallas will be closed on Monday due to a ransomware attack that was announced last week. Despite statements from city officials claiming the recovery effort was slowly progressing, the fire and police departments told local news outlets they are facing massive issues as a result of the attack. In a statement on Sunday, the city said staff and vendors worked throughout this weekend to ensure progress toward service restoration after the city confirmed on Wednesday that its systems had been hit by ransomware.
Tomi Engdahl says:
CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine https://thehackernews.com/2023/05/cert-ua-warns-of-smokeloader-and.html
An ongoing phishing campaign with invoice-themed lures is being used to distribute the SmokeLoader malware in the form of a polyglot file, according to the Computer Emergency Response Team of Ukraine (CERT-UA). The emails, per the agency, are sent using compromised accounts and come with a ZIP archive that, in reality, is a polyglot file containing a decoy document and a JavaScript file.
Tomi Engdahl says:
Microsoft enforces number matching to fight MFA fatigue attacks https://www.bleepingcomputer.com/news/microsoft/microsoft-enforces-number-matching-to-fight-mfa-fatigue-attacks/
Microsoft has started enforcing number matching in Microsoft Authenticator push notifications to fend off multi-factor authentication (MFA) fatigue attacks. In such attacks (also known as push bombing or MFA push spam), cybercriminals flood the targets with mobile push notifications asking them to approve attempts to log into their corporate accounts using stolen credentials.
Tomi Engdahl says:
Ransomware Group Claims Attack on Constellation Software
https://www.securityweek.com/ransomware-group-claims-attack-on-constellation-software/
The Alphv/BlackCat ransomware group claims to have stolen more than 1TB of data from Constellation Software.
The Alphv/BlackCat ransomware group has claimed responsibility for a cyberattack that Canadian software company Constellation Software disclosed last week.
Toronto-based Constellation Software is a company specialized in the acquisition of vertical market software firms. With a few notable exceptions, the company’s acquisitions have been small, of less than $5 million in value.
On May 4, Constellation Software revealed that it fell victim to a cyberattack that impacted “a limited number of its IT infrastructure systems”. The attack occurred on April 3, 2023.
The compromised systems were “related to internal financial reporting and related data storage by the operating groups and businesses of Constellation”, the company says in an incident notice on its website.
Tomi Engdahl says:
$1.1M Paid to Resolve Ransomware Attack on California County
https://www.securityweek.com/1-1m-paid-to-resolve-ransomware-attack-on-california-county/
A $1.1 million payment was made to resolve a ransomware attack on San Bernardino county’s law enforcement computer network.
Tomi Engdahl says:
1 Million Impacted by Data Breach at NextGen Healthcare
https://www.securityweek.com/1-million-impacted-by-data-breach-at-nextgen-healthcare/
NextGen Healthcare is informing roughly 1 million individuals that their personal information was compromised in a data breach.
Healthcare solutions provider NextGen Healthcare has started informing roughly one million individuals that their personal information was compromised in a data breach.
Headquartered in Atlanta, Georgia, the company makes and sells electronic health records software and provides doctors and medical professionals with practice management services.
On Friday, NextGen Healthcare informed the Maine Attorney General’s Office that it started sending notification letters to more than one million individuals, to inform them about the incident.
According to the letters, NextGen Healthcare first identified suspicious activity on its systems on March 30, 2023. The investigation launched into the matter revealed that an unauthorized party had access to those systems between March 29 and April 14, 2023.
Tomi Engdahl says:
Vulnerability in Field Builder Plugin Exposes Over 2M WordPress Sites to Attacks
https://www.securityweek.com/vulnerability-in-field-builder-plugin-exposes-over-2m-wordpress-sites-to-attacks/
An XSS vulnerability in the Advanced Custom Fields WordPress plugin exposes more than 2 million sites to attacks.
A cross-site scripting (XSS) vulnerability in the Advanced Custom Fields WordPress plugin could be exploited to inject malicious scripts into websites.
Tracked as CVE-2023-30777, the vulnerability impacts both the free and paid versions of the plugin. Advanced Custom Fields has more than 2 million installs via the official WordPress app store.
The plugin provides site administrators with the ability to easily add fields to WordPress edit screens, posts, pages, and other site elements.
Identified by Patchstack security researcher Rafie Muhammad, CVE-2023-30777 is described as a high-severity reflected XSS bug impacting the plugin’s admin page.
“This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site,” Patchstack notes in an advisory.
Tomi Engdahl says:
https://www.securityweek.com/private-tweets-exposed-due-to-twitter-circle-security-bug/
Tomi Engdahl says:
https://www.securityweek.com/us-seizes-domains-of-13-ddos-for-hire-services/
Tomi Engdahl says:
New Linux kernel NetFilter flaw gives attackers root privileges
https://www.bleepingcomputer.com/news/security/new-linux-kernel-netfilter-flaw-gives-attackers-root-privileges/
A new Linux NetFilter kernel flaw has been discovered, allowing unprivileged local users to escalate their privileges to root level, allowing complete control over a system.
The CVE-2023-32233 identifier has been reserved for the vulnerability, but a severity level is yet to be determined.
The security problem stems from Netfilter nf_tables accepting invalid updates to its configuration, allowing specific scenarios where invalid batch requests lead to the corruption of the subsystem’s internal state.
According to a new advisory published yesterday, corrupting the system’s internal state leads to a use-after-free vulnerability that can be exploited to perform arbitrary reads and writes in the kernel memory.
As revealed by security researchers who posted on the Openwall mailing list, a proof-of-concept (PoC) exploit was created to demonstrate the exploitation of CVE-2023-32233.
The researcher states that the flaw impacts multiple Linux kernel releases, including the current stable version, v6.3.1. However, to exploit the vulnerability, it is required first to have local access to a Linux device.
The exploit to be made public soon
Security researchers Patryk Sondej and Piotr Krysiuk, who discovered the problem and reported it to the Linux kernel team, developed a PoC that allows unprivileged local users to start a root shell on impacted systems.
The researchers shared their exploit privately with the Linux kernel team to assist them in developing a fix and included a link to a detailed description of the employed exploitation techniques and the source code of the PoC.
As the analysts further explained, the exploit will be published next Monday, May 15th, 2023, along with complete details about the exploitation techniques.
“According to the linux-distros list policy, the exploit must be published within 7 days from this advisory. In order to comply with that policy, I intend to publish both the description of exploitation techniques and also the exploit source code on Monday 15th,” reads a post to the Openwall mailing list.
A mitigating factor for CVE-2023-32233 is that remote attackers first must establish local access to a target system to exploit it.
Tomi Engdahl says:
FBI seizes 13 more domains linked to DDoS-for-hire services https://www.bleepingcomputer.com/news/security/fbi-seizes-13-more-domains-linked-to-ddos-for-hire-services/
The U.S. Justice Department announced today the seizure of 13 more domains linked to DDoS-for-hire platforms, also known as ‘booter’ or ‘stressor’ services. This week’s seizures are part of a coordinated international law enforcement effort (known as Operation PowerOFF) to disrupt online platforms allowing anyone to launch massive distributed denial-of-service (DDoS) attacks against any target for the right amount of money.
Tomi Engdahl says:
FBI disrupts sophisticated Russian cyberespionage operation https://cyberscoop.com/fbi-disrupts-russian-cyber-espionage-tool/
One of the Russian government’s most sophisticated long-running cyberespionage operations was hacked and disrupted by the FBI as part of a sprawling international effort, officials with the U.S. government announced Tuesday. The FBI operation dubbed Medusa targeted nearly 20-year-old malware operated by Turla, a unit within the Federal Security Service of the Russian Federation, which has been known for years as one of Russia’s premier cyberespionage outfits.
Tomi Engdahl says:
Intel investigating leak of Intel Boot Guard private keys after MSI breach https://www.bleepingcomputer.com/news/security/intel-investigating-leak-of-intel-boot-guard-private-keys-after-msi-breach/
Intel is investigating the leak of alleged private keys used by the Intel Boot Guard security feature, potentially impacting its ability to block the installation of malicious UEFI firmware on MSI devices.
In March, the Money Message extortion gang attacked computer hardware maker MSI, claiming to have stolen 1.5TB of data during the attack, including firmware, source code, and databases.
Tomi Engdahl says:
QR codes used in fake parking tickets, surveys to steal your money https://www.bleepingcomputer.com/news/security/qr-codes-used-in-fake-parking-tickets-surveys-to-steal-your-money/
As QR codes continue to be heavily used by legitimate organizations, from Super Bowl advertisements to enforcing parking fees and fines, scammers have crept in to abuse the very technology for their nefarious purposes. A woman in Singapore reportedly lost $20,000 after using a QR code to fill out a “survey” at a bubble tea shop, whereas cases of fake car parking citations with QR codes targeting drivers have been observed in the U.S. and the U.K.
Tomi Engdahl says:
Royal ransomware gang quickly expands reign https://www.scmagazine.com/news/ransomware/royal-ransomware-expands-reign
The Royal ransomware group is aptly named. There’s an air of superiority in the way it taunts its victims. Royal’s members are the cream of the cybercriminal crop, and they know it. Royal has become increasingly active this year, using a wide variety of tools as it aggressively targets critical infrastructure organizations.
Tomi Engdahl says:
New Linux kernel NetFilter flaw gives attackers root privileges https://www.bleepingcomputer.com/news/security/new-linux-kernel-netfilter-flaw-gives-attackers-root-privileges/
A new Linux NetFilter kernel flaw has been discovered, allowing unprivileged local users to escalate their privileges to root level, allowing complete control over a system. The CVE-2023-32233 identifier has been reserved for the vulnerability, but a severity level is yet to be determined.
monkey mart says:
A pretty decent post overall. I just just discovered your blog and wanted to say that I have thoroughly liked reading the posts that you have published there. In any case, I will be subscribing to your RSS, and I really hope that you post something new very soon.
Tomi Engdahl says:
Microsoft May 2023 Patch Tuesday fixes 3 zero-days, 38 flaws https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2023-patch-tuesday-fixes-3-zero-days-38-flaws/
Today is Microsoft’s May 2023 Patch Tuesday, and security updates fix three zero-day vulnerabilities and a total of 38 flaws. Six vulnerabilities are classified as ‘Critical’ as they allow remote code execution, the most severe type of vulnerability.
Tomi Engdahl says:
Building Automation System Exploit Brings KNX Security Back in Spotlight
https://www.securityweek.com/building-automation-system-exploit-brings-knx-security-back-in-spotlight/
A public exploit targeting building automation systems brings KNX security back into the spotlight, with Schneider Electric releasing a security bulletin.
A public exploit targeting building automation systems has brought KNX security back into the spotlight, with industrial giant Schneider Electric releasing a security bulletin to warn customers about the potential risks.
KNX is a widely used open standard for commercial and residential building automation. It can be used to control security systems, lighting, HVAC, energy management, and many other smart building systems.
Its developers warned in 2021 that smart building installations, including ones based on KNX, had been increasingly targeted in attacks.
In one attack reported at the time, aimed at a German engineering company, hackers had taken control of internet-exposed building automation devices and locked the victim’s employees out of the system. For unclear reasons, the attackers had bricked hundreds of automation control devices, causing the building to lose all of its smart functionality.
In a security bulletin published late last month, Schneider Electric notified customers that it had become aware of the public availability of an exploit targeting KNX home and building automation systems.
The PoC exploit that Schneider is warning about, published in March, targets the company’s SpaceLynk and Wiser for KNX (formerly HomeLynk) products. However, the French industrial giant said its FellerLynk products are impacted as well.
The exploit targets two known vulnerabilities: one addressed by the vendor in February 2022 (CVE-2022-22809) and one addressed in August 2020 (CVE-2020-7525).
Threat actors could use the vulnerabilities to access admin functionality without a password through a directory traversal, or access the administration panel through a brute-force attack.
The hacker who made public this exploit recently also published PoCs targeting fueling systems.
Schneider issued a warning over KNX attacks back in 2021 and now says “this new exploit brings further attention to the recommended mitigations in that security bulletin”.
Tomi Engdahl says:
Vulnerabilities
Microsoft Patch Tuesday: 40 Vulnerabilities, 2 Zero-Days
https://www.securityweek.com/microsoft-patch-tuesday-40-vulnerabilities-2-zero-days/
Microsoft’s May 2023 security updates address a total of 40 newly documented vulnerabilities, including two flaws already exploited in attacks.