This posting is here to collect cyber security news in July 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
183 Comments
Tomi Engdahl says:
https://www.pandasecurity.com/en/mediacenter/security/north-korea-stolen-crypto/
Hackers backed by North Korea have stolen billions of dollars in crypto over the last five years.
Tomi Engdahl says:
https://hackaday.com/2023/07/17/remote-code-execution-on-an-oscilloscope/
Tomi Engdahl says:
https://www.phonearena.com/news/android-devices-update-reminders_id148993#Echobox=1689626281
Tomi Engdahl says:
The bug can cause the chips to leak data at a rate of up to 30 kilobytes per core per second, according to some researchers.
Encryption-breaking, password-leaking bug in many AMD CPUs could take months to fix
“Zenbleed” bug affects all Zen 2-based Ryzen, Threadripper, and EPYC CPUs.
by Andrew Cunningham – Jul 25, 2023 6:31pm EET
https://arstechnica.com/information-technology/2023/07/encryption-breaking-password-leaking-bug-in-many-amd-cpus-could-take-months-to-fix/?utm_brand=ars&utm_source=facebook&utm_medium=social&utm_social-type=owned&fbclid=IwAR0n7gFzZVswDMUiLYNg5xsPdQPAS89ZzC3zNTxB45wWdC5pvtTnDXz1l8I
A recently disclosed bug in many of AMD’s newer consumer, workstation, and server processors can cause the chips to leak data at a rate of up to 30 kilobytes per core per second, writes Tavis Ormandy, a member of Google’s Project Zero security team. Executed properly, the so-called “Zenbleed” vulnerability (CVE-2023-20593) could give attackers access to encryption keys and root and user passwords, along with other sensitive data from any system using a CPU based on AMD’s Zen 2 architecture.
The bug allows attackers to swipe data from a CPU’s registers. Modern processors attempt to speed up operations by guessing what they’ll be asked to do next, called “speculative execution.” But sometimes the CPU guesses wrong; Zen 2 processors don’t properly recover from certain kinds of mispredictions, which is the bug that Zenbleed exploits to do its thing.
The bad news is that the exploit doesn’t require physical hardware access and can be triggered by loading JavaScript on a malicious website (according to networking company Cloudflare). The good news is that, at least for now, there don’t seem to be any cases of this bug being exploited in the wild yet, though this could change quickly now that the vulnerability has been disclosed, and the bug requires precise timing to exploit.
“AMD is not aware of any known exploit of the described vulnerability outside the research environment,” the company told Tom’s Hardware. Cloudflare also says there is “no evidence of the bug being exploited” on its servers.
Tomi Engdahl says:
Almost 40% of Ubuntu users vulnerable to new privilege elevation flaws
https://www.bleepingcomputer.com/news/security/almost-40-percent-of-ubuntu-users-vulnerable-to-new-privilege-elevation-flaws/
Two Linux vulnerabilities introduced recently into the Ubuntu kernel create the potential for unprivileged local users to gain elevated privileges on a massive number of devices.
Ubuntu is one of the most widely used Linux distributions, especially popular in the U.S., having an approximate user base of over 40 million.
Two recent flaws tracked as CVE-2023-32629 and CVE-2023-2640 discovered by Wiz’s researchers S. Tzadik and S. Tamari were recently introduced into the operating system, impacting roughly 40% of Ubuntu’s userbase.
Unfortunately, the risk of exploitation is imminent, as PoCs for the two flaws have been publicly available for a long time.
“Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu’s individual changes to the OverlayFS module,” warned the Wiz researchers.
“Weaponized exploits for these vulnerabilities are already publicly available given old exploits for past OverlayFS vulnerabilities work out of the box without any changes.”
Tomi Engdahl says:
Hackers are infecting Call of Duty players with a self-spreading malware
https://techcrunch.com/2023/07/27/hackers-are-infecting-call-of-duty-players-with-a-self-spreading-malware/
Tomi Engdahl says:
A cunning Android malware has risen to a frightening position in a few months – hundreds of millions of downloads
Samuli Leppälä, 27.7.2023 13:42, tags: Malware, Hackers, Security
SpinOK has infected Android apps downloadable from Google's Play Store.
https://www.tivi.fi/uutiset/ovela-android-haitake-on-noussut-muutamassa-kuukaudessa-pelottavaan-asemaan-satoja-miljoonia-latauksia/9a5e37f8-19cb-4f40-94aa-bf01ae65809a
Tomi Engdahl says:
https://thehackernews.com/2023/07/new-openssh-vulnerability-exposes-linux.html
Tomi Engdahl says:
https://thehackernews.com/2023/07/gameoverlay-two-severe-linux.html
Tomi Engdahl says:
NYT: In the US, the administration is searching its systems for Chinese hackers' "ticking time bomb"
https://f7td5.app.goo.gl/F51nWu
In the United States, President Joe Biden's administration believes China has planted malware in the US energy and communications networks, sources in the US armed forces and in intelligence and national security agencies tell the New York Times. The sources call the malware a "ticking time bomb" that could be used to disrupt the US armed forces in a conflict situation.
According to the paper, the malware could give China's People's Liberation Army the ability to disrupt US military operations if China at some point takes action against Taiwan, which it regards as a breakaway province. The NY Times says China could, for example, cut water, electricity and communications connections not only to US military bases but also to households and businesses in the United States.
The United States, several of its allies and the device manufacturer Microsoft warned in May that the China-linked state cyber actor Volt Typhoon had succeeded in penetrating US critical infrastructure online and that similar activity was likely under way worldwide. According to Microsoft, the target at the time had been critical infrastructure in the Guam area, which is militarily important to the United States.
Tomi Engdahl says:
GameOver(lay): Two Severe Linux Vulnerabilities Impact 40% of Ubuntu Users
https://thehackernews.com/2023/07/gameoverlay-two-severe-linux.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/
Tomi Engdahl says:
Android phones may soon warn you if a malicious Apple device is tailing you
https://www.tivi.fi/uutiset/tv/d84a0ece-f320-4108-9156-901c9a818d51
Google and Apple announced in May that they would team up on standardizing Bluetooth tracking devices. The aim is to make stalking and unwanted tracking with AirTags and Tile gadgets harder.
As part of the reform, Android devices may soon notify their user of an Apple AirTag that appears to be travelling along without its owner.
Tomi Engdahl says:
P2PInfect server botnet spreads using Redis replication feature https://www.bleepingcomputer.com/news/security/p2pinfect-server-botnet-spreads-using-redis-replication-feature/
Threat actors are actively targeting exposed instances of SSH and the Redis open-source data store with a peer-to-peer self-replicating worm, with versions for both Windows and Linux, that the malware authors named P2Pinfect.
Tomi Engdahl says:
Patchwork Hackers Target Chinese Research Organizations Using EyeShell Backdoor https://thehackernews.com/2023/07/patchwork-hackers-target-chinese.html
Threat actors associated with the hacking crew known as Patchwork have been spotted targeting universities and research organizations in China as part of a recently observed campaign.
The activity, according to KnownSec 404 Team, entailed the use of a backdoor codenamed EyeShell.
Patchwork, also known by the names Operation Hangover and Zinc Emerson, is suspected to be a threat group that operates on behalf of India
Tomi Engdahl says:
Second Ivanti EPMM Zero-Day Vulnerability Exploited in Targeted Attacks https://www.securityweek.com/second-ivanti-epmm-zero-day-vulnerability-exploited-in-targeted-attacks/
Ivanti has warned customers about a second zero-day vulnerability in its Endpoint Manager Mobile (EPMM) product that has been exploited in targeted attacks.
Norwegian authorities announced on July 24 that a dozen government ministries had been targeted in a cyberattack involving exploitation of CVE-2023-35078, an Ivanti EPMM zero-day that allows an unauthenticated attacker to obtain sensitive information and make changes to impacted servers.
Further investigation by cybersecurity firm Mnemonic revealed the existence of CVE-2023-35081, a high-severity flaw that allows an authenticated attacker with administrator privileges to remotely write arbitrary files to the server.
Tomi Engdahl says:
Microsoft: Unpatched Office zero-day exploited in NATO summit attacks https://www.bleepingcomputer.com/news/security/microsoft-unpatched-office-zero-day-exploited-in-nato-summit-attacks/
Microsoft disclosed today an unpatched zero-day security bug in multiple Windows and Office products exploited in the wild to gain remote code execution via malicious Office documents.
Unauthenticated attackers can exploit the vulnerability (tracked as CVE-2023-36884) in high-complexity attacks without requiring user interaction.
Successful exploitation could lead to a total loss of confidentiality, availability, and integrity, allowing the attackers to access sensitive information, turn off system protection, and deny access to the compromised system.
In a separate blog post, the company says the CVE-2023-36884 bug was exploited in recent attacks targeting organizations attending the NATO Summit in Vilnius, Lithuania.
Tomi Engdahl says:
Storm-0978 attacks reveal financial and espionage motives https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents, using lures related to the Ukrainian World Congress.
Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations.
Tomi Engdahl says:
Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/
Today is Microsoft’s July 2023 Patch Tuesday, with security updates for 132 flaws, including six actively exploited and thirty-seven remote code execution vulnerabilities.
While thirty-seven RCE bugs were fixed, Microsoft only rated nine as ‘Critical.’ However, one of the RCE flaws remains unpatched and is actively exploited in attacks seen by numerous cybersecurity firms.
This month’s Patch Tuesday fixes six zero-day vulnerabilities, with all of them exploited in attacks and one of them publicly disclosed.
Tomi Engdahl says:
US And EU Agree Big Tech Data Sharing Deal https://www.forbes.com/sites/emmawoollacott/2023/07/11/us-and-eu-agree-big-tech-data-sharing-deal/
The U.S. and EU have agreed a new data-sharing pact allowing European data to be stored in the U.S.—but privacy campaigners look set to challenge it.
U.S. companies such as Facebook and Google will be allowed to operate under the EU-U.S. Data Privacy Framework if they commit to a detailed set of privacy obligations.
These include deleting personal data when it is no longer necessary for the purpose for which it was collected, and ensuring continuity of protection when personal data is shared with third parties. If data is wrongly handled, EU residents can turn to a free-of-charge independent dispute resolution mechanism and an arbitration panel.
Tomi Engdahl says:
Biden's visit to Finland may disrupt network connections – the president may have a jamming transmitter with him on his visit to Finland
https://www.mtvuutiset.fi/artikkeli/bidenin-vierailu-suomessa-saattaa-hairita-verkkoyhteyksia-bidenilla-saattaa-olla-suomen-vierailullaan-mukana-hairintalahetin/8737484
Pekka Jokinen, head of cyber services development at the National Cyber Security Centre of the Finnish Transport and Communications Agency, considers it possible that US President Joe Biden has a jamming transmitter, i.e. a jammer, with him on his visit to Finland.
A jammer disrupts or blocks radio traffic in a certain frequency range, so for security reasons it could be used to block, for example, phone traffic in the president's vicinity.
– If, for example, a motorcade is moving and such a device is along, it can block or jam the frequency range in a very small area. For example ten metres.
Tomi Engdahl says:
Critical RCE found in popular Ghostscript open-source PDF library https://www.bleepingcomputer.com/news/security/critical-rce-found-in-popular-ghostscript-open-source-pdf-library/
Ghostscript, an open-source interpreter for PostScript language and PDF files widely used in Linux, has been found vulnerable to a critical-severity remote code execution flaw.
The flaw is tracked as CVE-2023-3664, having a CVSS v3 rating of 9.8, and impacts all versions of Ghostscript before 10.01.2, which is the latest available version released three weeks ago.
According to Kroll’s analysts, G. Glass and D. Truman, who developed a proof of concept (PoC) exploit for the vulnerability, code execution can be triggered upon opening a malicious, specially-crafted file.
Tomi Engdahl says:
GitHub goes passwordless, announces passkeys beta preview https://www.bleepingcomputer.com/news/security/github-goes-passwordless-announces-passkeys-beta-preview/
GitHub announced today the introduction of passwordless authentication support in public beta, allowing users to upgrade from security keys to passkeys.
Passkeys are associated with individual devices like computers, tablets, or smartphones and play a vital role in minimizing the likelihood of data breaches by protecting users against phishing attacks by thwarting credential theft and breach attempts.
They also enable logging into applications and online platforms using personal identification numbers (PINs) or biometric authentication methods, such as facial recognition or fingerprints.
By eliminating the need to remember and manage unique passwords for every app and website, they also vastly improve user experience and security.
Tomi Engdahl says:
Major Security Flaws in Popular QuickBlox Chat and Video Framework Expose Sensitive Data of Millions https://research.checkpoint.com/2023/major-security-flaws-in-popular-quickblox-chat-and-video-framework-expose-sensitive-data-of-millions/
Real-time chat and video services available within telemedicine, finance, and smart IoT device applications used by millions of people rely on the popular QuickBlox framework. QuickBlox supplies mobile and web application developers with an SDK and APIs to deliver not only user management and real-time public and private chat features, for example, but also security features that ensure compliance with HIPAA and GDPR.
Claroty Team82, in collaboration with Check Point Research (CPR), conducted a joint research project to look at the security of the QuickBlox SDK. Together, we uncovered a few major security vulnerabilities in the QuickBlox platform architecture that, if exploited, could allow threat actors to access tens of thousands of applications’ user databases and put millions of user records at risk.
Tomi Engdahl says:
iOS 16.5.1 (c)—Update Now Warning Issued To All iPhone Users https://www.forbes.com/sites/kateoflahertyuk/2023/07/13/ios-1651-c-update-now-warning-issued-to-all-iphone-users/
Apple iOS 16.5.1 (c) has arrived, along with a warning to update now. That’s because iOS 16.5.1 (c) is an urgent iPhone security update that fixes a flaw already being used in real-life attacks.
The release of iOS 16.5.1 (c) comes after Apple issued iOS 16.5.1 (a) earlier this week, then pulled it again after reports that the update broke websites such as Facebook. The iPhone maker said it would fix the issue before re-releasing the security-only iPhone update, which is now here as iOS 16.5.1 (c).
Tomi Engdahl says:
Criminals target businesses with malicious extension for Meta’s Ads Manager and accidentally leak stolen accounts https://www.malwarebytes.com/blog/threat-intelligence/2023/07/criminals-target-businesses-with-malicious-extension-for-metas-ads-manager-and-accidentally-leak-stolen-accounts
Like all social media platforms, Facebook constantly has to deal with fake accounts, scams and malware. We have written about scams targeting consumers that redirect to fake Microsoft alert pages, but there are also threats targeting businesses that use Facebook to promote their products and services.
In the past few weeks, there’s been a resurgence in sponsored posts and accounts that impersonate Meta/Facebook’s own Ads Manager. Crooks are promising better advertising via optimization, and increased performance when you use their (malware-laden) software. Meta has tracked and analyzed several threat actors such as DuckTail that have been active for a number of years with a particular interest for Facebook advertising accounts.
Now, we’ve discovered a new attack that uses malicious Chrome extensions to steal Facebook account credentials and is not related to the DuckTail malware.
While tracking this campaign, we noticed the threat actors made a mistake when they packaged one of the malware files with their own stolen data.
Tomi Engdahl says:
Facebook has become a playground for Chinese trolls – the goal is chaos
https://www.tivi.fi/uutiset/tv/3eeb5463-cd9f-4e36-b0db-05d048cbabb5
Provocative commenting originating from Chinese accounts on social media, and especially on Facebook, is increasing.
This activity is called trolling.
The goal of such accounts is to find new ways to create discord among citizens in other countries. Facebook representatives told Australian authorities about this on Tuesday.
In Europe, Facebook's parent company Meta has recently removed numerous accounts that spread false claims. All the accounts were operated systematically from China.
Tomi Engdahl says:
A grim surprise from Microsoft: an alarming Windows hole was left unpatched, Russia suspected of the attacks https://www.is.fi/digitoday/tietoturva/art-2000009719556.html
MICROSOFT's July security fixes, released on Tuesday, mean a lot of work for companies that are short-staffed because of the holidays, but ordinary users should also patch their machines quickly. Bleeping Computer and security expert Brian Krebs summarize the situation.
Fixes were released for a total of 132 vulnerabilities in several Microsoft products. Among them are 4 vulnerabilities that were already being attacked before the patches appeared. They concern, for example, Windows and Outlook.
HOWEVER, one hole affecting Windows and Office that is already under attack was left unpatched, to the surprise of many professionals. Microsoft is investigating this public vulnerability, but a fix may not be seen until the August patches, unless Microsoft releases an emergency update in the middle of its normal cycle.
The vulnerability CVE-2023-36884 has been linked to a cybercrime gang called RomCom / Storm-0978. This Russian group is suspected of supporting Russian government intelligence operations, and the group has also been linked to ransomware attacks against several victims.
Tomi Engdahl says:
Zero-day deploys remote code execution vulnerability via Word documents https://www.malwarebytes.com/blog/news/2023/07/zero-day-deploys-remote-code-execution-vulnerability-via-word-documents
An unpatched zero-day vulnerability is currently being abused in the wild, targeting those with an interest in Ukraine. Microsoft reports that CVE-2023-36884 is tied to reports of a series of remote code execution vulnerabilities impacting Windows and Office products.
Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim.
However, an attacker would have to convince the victim to open the malicious file.
Tomi Engdahl says:
Shutterfly says Clop ransomware attack did not impact customer data https://www.bleepingcomputer.com/news/security/shutterfly-says-clop-ransomware-attack-did-not-impact-customer-data/
Shutterfly, an online retail and photography manufacturing platform, is among the latest victims hit by Clop ransomware.
Over the last few months, Clop ransomware gang has been exploiting a vulnerability in the MOVEit File Transfer utility to breach hundreds of companies to steal their data and attempt extortion against them.
“After a thorough investigation with the assistance of a leading third-party forensics firm, we have no indication that any Shutterfly.com, Snapfish, Lifetouch nor Spoonflower consumer data nor any employee information was impacted by the MOVEit vulnerability.”
Tomi Engdahl says:
Analysis of Storm-0558 techniques for unauthorized email access https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
As described in more detail in our July 11 blogs, Storm-0558 is a China-based threat actor with espionage objectives. Beginning May 15, 2023, Storm-0558 used forged authentication tokens to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. No other environment was impacted.
Microsoft has successfully blocked this campaign from Storm-0558. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.
Tomi Engdahl says:
Microsoft still unsure how hackers stole Azure AD signing key https://www.bleepingcomputer.com/news/microsoft/microsoft-still-unsure-how-hackers-stole-azure-ad-signing-key/
Microsoft says it still doesn’t know how Chinese hackers stole an inactive Microsoft account (MSA) consumer signing key used to breach the Exchange Online and Azure AD accounts of two dozen organizations, including government agencies.
“The method by which the actor acquired the key is a matter of ongoing investigation,” Microsoft admitted in a new advisory published today.
The incident was reported by U.S. government officials after the discovery of unauthorized access to several government agencies’ Exchange Online email services.
Tomi Engdahl says:
Rockwell warns of new APT RCE exploit targeting critical infrastructure https://www.bleepingcomputer.com/news/security/rockwell-warns-of-new-apt-rce-exploit-targeting-critical-infrastructure/
Rockwell Automation says a new remote code execution (RCE) exploit linked to an unnamed Advanced Persistent Threat (APT) group could be used to target unpatched ControlLogix communications modules commonly used in manufacturing, electric, oil and gas, and liquified natural gas industries.
The company teamed up with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to analyze the exploit linked to APT threat actors, but they have yet to share how they obtained it.
“Rockwell Automation, in coordination with the U.S. government, has analyzed a novel exploit capability attributed to Advance Persistent Threat (APT) actors affecting select communication modules,” the company said in a security advisory accessible only after logging in.
The targeted vulnerability (tracked as CVE-2023-3595) is caused by an out-of-bounds write weakness that can let attackers gain remote code execution or trigger denial-of-service states through maliciously crafted CIP messages.
Tomi Engdahl says:
Rogue Azure AD Guests Can Steal Data via Power Apps https://www.darkreading.com/black-hat/azure-ad-guests-steal-data-microsoft-power-apps
Guest accounts in Azure AD (AAD) are meant to provide limited access to corporate resources for external third parties — the idea is to enable collaboration without risking too much exposure. But enterprises may be unknowingly oversharing access to sensitive resources and applications with guests in Azure AD, paving the way for data theft and more.
An upcoming presentation at Black Hat USA in August will detail how a toxic combination of easily manipulated default guest account settings and promiscuous connections within Microsoft’s low-code development platform known as Power Apps can kick open the door to giving guest accounts wide-open access to the corporate jewels. Power Apps provides a rapid development environment for businesses to build custom apps that connect various online and on-premises data sources (such as SharePoint, Microsoft 365, Dynamics 365, SQL Server, and so on).
Researcher Michael Bargury, CTO of Zenity, will present his findings in a session on Thursday, Aug. 10, entitled, “All You Need is Guest.” He noted in the session writeup that guests can use undocumented APIs to gain access to corporate SQL servers, SharePoint sites, KeyVault secrets, and more; they can also create and control internal business applications to move laterally within the organization.
Tomi Engdahl says:
Malicious Microsoft Drivers Could Number in the Thousands: Cisco Talos https://www.esecurityplanet.com/threats/malicious-microsoft-drivers/
After Microsoft warned earlier this week that some drivers certified by the Windows Hardware Developer Program (MWHDP) are being leveraged maliciously, a Cisco Talos security researcher said the number of malicious drivers could number in the thousands.
“Starting in Windows Vista 64-bit, to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority,” Neal wrote. “Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection.”
Beginning with Windows 10 version 1607, Neal said, Microsoft has required kernel-mode drivers to be signed by its Developer Portal. “This process is intended to ensure that drivers meet Microsoft’s requirements and security standards,” he wrote.
Still, there are exceptions – most notably, one for drivers signed with certificates that expired or were issued prior to July 29, 2015.
If a newly compiled driver is signed with non-revoked certificates that were issued before that date, it won’t be blocked. “As a result, multiple open source tools have been developed to exploit this loophole,” Neal wrote.
Tomi Engdahl says:
Adobe warns of critical ColdFusion RCE bug exploited in attacks https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-colfdusion-rce-bug-exploited-in-attacks/
Adobe warns that a critical ColdFusion pre-authentication remote code execution vulnerability tracked as CVE-2023-29300 is actively exploited in attacks.
CVE-2023-29300 is rated as critical with a 9.8 severity rating, as it can be used by unauthenticated visitors to remotely execute commands on vulnerable ColdFusion 2018, 2021, and 2023 servers in low-complexity attacks.
When first disclosed, the vulnerability had not been exploited in the wild.
However, as part of an email notification for a similar CVE-2023-38203 RCE flaw, Adobe also disclosed that CVE-2023-29300 was seen exploited in attacks.
“Adobe is aware that CVE-2023-29300 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion,” reads an email notification seen by BleepingComputer.
Tomi Engdahl says:
JumpCloud discloses breach by state-backed APT hacking group https://www.bleepingcomputer.com/news/security/jumpcloud-discloses-breach-by-state-backed-apt-hacking-group/
US-based enterprise software firm JumpCloud says a state-backed hacking group breached its systems almost one month ago as part of a highly targeted attack focused on a limited set of customers.
On July 5, JumpCloud discovered “unusual activity in the commands framework for a small set of customers” while investigating the attack and analyzing logs for signs of malicious activity in collaboration with IR partners and law enforcement.
“Continued analysis uncovered the attack vector: data injection into our commands framework. The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers,” JumpCloud CISO Bob Phan said.
Tomi Engdahl says:
Hackers Exploit WebAPK to Deceive Android Users into Installing Malicious Apps https://thehackernews.com/2023/07/hackers-exploit-webapk-to-deceive.html
Threat actors are taking advantage of Android’s WebAPK technology to trick unsuspecting users into installing malicious web apps on Android phones that are designed to capture sensitive personal information.
“The attack began with victims receiving SMS messages suggesting the need to update a mobile banking application,” researchers from CSIRT KNF said in an analysis released last week. “The link contained in the message led to a site that used WebAPK technology to install a malicious application on the victim’s device.”
“When a user installs a PWA from Google Chrome and a WebAPK is used, the minting server “mints” (packages) and signs an APK for the PWA,” Google explains in its documentation.
“That process takes time, but when the APK is ready, the browser installs that app silently on the user’s device. Because trusted providers (Play Services or Samsung) signed the APK, the phone installs it without disabling security, as with any app coming from the store. There is no need for sideloading the app.”
Tomi Engdahl says:
VirusTotal Data Leak Exposes Some Registered Customers’ Details https://thehackernews.com/2023/07/virustotal-data-leak-exposes-some.html
Data associated with a subset of registered customers of VirusTotal, including their names and email addresses, were exposed after an employee inadvertently uploaded the information to the malware scanning platform.
The security incident, which comprises a database of 5,600 names in a 313KB file, was first disclosed by Der Spiegel and Der Standard yesterday.
When reached for comment, Google confirmed the leak and said it took immediate steps to remove the data.
“We are aware of the unintentional distribution of a small segment of customer group administrator emails and organization names by one of our employees on the VirusTotal platform,” a Google Cloud spokesperson told The Hacker News.
Tomi Engdahl says:
FIN8 deploys ALPHV ransomware using Sardonic malware variant https://www.bleepingcomputer.com/news/security/fin8-deploys-alphv-ransomware-using-sardonic-malware-variant/
A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped Sardonic malware version.
Tracked as FIN8 (aka Syssphinx), this threat actor has been actively operating since at least January 2016, focusing on targeting industries such as retail, restaurants, hospitality, healthcare, and entertainment.
Tomi Engdahl says:
CISA orders govt agencies to mitigate Windows and Office zero-days https://www.bleepingcomputer.com/news/security/cisa-orders-govt-agencies-to-mitigate-windows-and-office-zero-days/
CISA ordered federal agencies to mitigate remote code execution zero-days affecting Windows and Office products that were exploited by the Russian-based RomCom cybercriminal group in NATO phishing attacks.
The security flaws (collectively tracked as CVE-2023-36884) have also been added to CISA’s list of Known Exploited Vulnerabilities on Monday.
Federal agencies have been given three weeks, until August 8th, to secure their systems by implementing mitigation measures shared by Microsoft one week ago.
Tomi Engdahl says:
Microsoft Exchange Online hit by new outage blocking emails https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-hit-by-new-outage-blocking-emails/
Microsoft is investigating an ongoing Exchange Online outage preventing customers from sending emails and triggering 503 errors on affected systems.
Impacted users report having issues with emails sent from Microsoft 365 environments being returned with “503 5.5.1 Bad sequence of commands” errors.
“We’re investigating an issue where some users may be unable to send Exchange Online email messages due to a recent change to the free/busy infrastructure,” Redmond tweeted.
Tomi Engdahl says:
Google Cloud Build bug lets hackers launch supply chain attacks https://www.bleepingcomputer.com/news/security/google-cloud-build-bug-lets-hackers-launch-supply-chain-attacks/
A critical design flaw in the Google Cloud Build service discovered by cloud security firm Orca Security can let attackers escalate privileges, providing them with nearly full and unauthorized access to Google Artifact Registry code repositories.
Dubbed Bad.Build, this flaw could enable the threat actors to impersonate the service account for the Google Cloud Build managed continuous integration and delivery (CI/CD) service to run API calls against the artifact registry and take control over application images.
This allows them to inject malicious code, resulting in vulnerable applications and potential supply chain attacks after deploying the malicious applications within customers’ environments.
Tomi Engdahl says:
New critical Citrix ADC and Gateway flaw exploited as zero-day https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-day/
Citrix today is alerting customers of a critical-severity vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway that already has exploits in the wild, and “strongly urges” to install updated versions without delay.
The security issue may be the same one advertised earlier this month on a hacker forum as a zero-day vulnerability.
Formerly Citrix ADC and Citrix Gateway, the two NetScaler products received new versions today to mitigate a set of three vulnerabilities.
The most severe of them received a score of 9.8 out of 10 and it is tracked as CVE-2023-3519. An attacker can exploit it to execute code remotely without authentication.
Tomi Engdahl says:
FakeSG enters the ‘FakeUpdates’ arena to deliver NetSupport RAT https://www.malwarebytes.com/blog/threat-intelligence/2023/07/socgholish-copycat-delivers-netsupport-rat
Over 5 years ago, we began tracking a new campaign that we called FakeUpdates (also known as SocGholish) that used compromised websites to trick users into running a fake browser update. Instead, victims would end up infecting their computers with the NetSupport RAT, allowing threat actors to gain remote access and deliver additional payloads. As we have seen over the years, SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz.
Now, there is a potential new competitor in the “fake updates” landscape that looks strangely familiar. The new campaign, which we call FakeSG, also relies on hacked WordPress websites to display a custom landing page mimicking the victim’s browser. The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut. While FakeSG appears to be a newcomer, it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and which could potentially rival SocGholish.
Tomi Engdahl says:
Cybersecurity firm Sophos impersonated by new SophosEncrypt ransomware https://www.bleepingcomputer.com/news/security/cybersecurity-firm-sophos-impersonated-by-new-sophosencrypt-ransomware/
Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company name for their operation.
Discovered yesterday by MalwareHunterTeam, the ransomware was initially thought to be part of a red team exercise by Sophos.
However, the Sophos X-Ops team tweeted that they did not create the encryptor and that they are investigating its launch.
“We found this on VT earlier and have been investigating. Our preliminary findings show Sophos InterceptX protects against these ransomware samples,” tweeted Sophos.
Tomi Engdahl says:
JumpCloud breach traced back to North Korean state hackers https://www.bleepingcomputer.com/news/security/jumpcloud-breach-traced-back-to-north-korean-state-hackers/
US-based enterprise software company JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne, CrowdStrike, and Mandiant.
“Reviewing the newly released indicators of compromise, we associate the cluster of threat activity to a North Korean state sponsored APT,” said Hegel.
“The IOCs are linked to a wide variety of activity we attribute to DPRK, overall centric to the supply chain targeting approach seen in previous campaigns.”
Cybersecurity firm CrowdStrike also formally tagged Labyrinth Chollima (whose activity overlaps with that of Lazarus Group, ZINC, and Black Artemis) as the particular North Korean hacking squad behind the breach based on evidence found while investigating the attack in collaboration with JumpCloud.
Tomi Engdahl says:
New P2PInfect worm malware targets Linux and Windows Redis servers https://www.bleepingcomputer.com/news/security/new-p2pinfect-worm-malware-targets-linux-and-windows-redis-servers/
Earlier this month, security researchers discovered a new peer-to-peer (P2P) malware with self-spreading capabilities that targets Redis instances running on Internet-exposed Windows and Linux systems.
The Unit 42 researchers who spotted the Rust-based worm (named P2PInfect) on July 11 also found that it hacks into Redis servers that have been left vulnerable to the maximum severity CVE-2022-0543 Lua sandbox escape vulnerability.
While over 307,000 Internet-exposed Redis servers have been discovered in the last two weeks, only 934 instances are potentially vulnerable to this malware’s attacks, according to the researchers.
Tomi Engdahl says:
Estée Lauder – internal data stolen after being hit by two separate ransomware attacks https://www.bitdefender.com/blog/hotforsecurity/estee-lauder-internal-data-stolen-after-being-hit-by-two-separate-ransomware-attacks/
If you thought hackers might be causing your company a few headaches, pity the folks at Estée Lauder.
Two different ransomware groups have listed the cosmetics maker on their leak sites on the dark web, as a result of seemingly separate attacks.
Beauty firm Estée Lauder revealed earlier this week that it has suffered a “cybersecurity incident” that saw malicious hackers gain unauthorised access to its systems and the theft of data.
As Bleeping Computer reports, the ransomware group known as BlackCat posted a message on its leak site voicing its dissatisfaction that Estée Lauder Companies Inc has not responded to the extortion emails it has been sent:
BlackCat, meanwhile, says that Estée Lauder has also fallen victim to the Cl0p ransomware gang – which exploited vulnerabilities in the Progress MOVEit Transfer application to steal data.
Tomi Engdahl says:
Microsoft validation error allowed state actor to access user email of government agencies and others https://www.malwarebytes.com/blog/news/2023/07/microsoft-validation-error-allowed-state-actor-to-access-user-email-of-government-agencies-and-others
Microsoft is getting criticized for the way in which it handled a serious security incident that allowed a suspected Chinese espionage group to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. The attacks were targeted and lasted for about a month before they were first discovered.
At first Microsoft assumed that the spies were using legitimate Azure Active Directory (Azure AD) tokens stolen by malware. But further analysis showed that Storm-0558 was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key to access OWA and Outlook.com.
This was only possible because of a validation error in Microsoft code. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems.
Microsoft says it still doesn’t know how Storm-0558 stole the inactive MSA signing key.
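The validation error described in the comment above, reduced to a toy token verifier as an added example (not Microsoft's code and not from the linked article): a signing key from the consumer key store must not be able to vouch for a token that claims an enterprise issuer. The key ids, issuer URLs and secrets are constructed, and HMAC stands in for the RSA signatures used by real Azure AD and MSA tokens.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key store: one consumer (MSA-like) key and one enterprise
# (Azure AD-like) key, each tagged with the realm that issued it.
KEYS = {
    "msa-key-1": {"secret": b"consumer-secret", "realm": "consumer"},
    "aad-key-7": {"secret": b"enterprise-secret", "realm": "enterprise"},
}
# Constructed issuer-to-realm mapping used by the hardened verifier.
ISSUER_REALM = {
    "https://consumer-login.example/": "consumer",
    "https://enterprise-sts.example/": "enterprise",
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(kid: str, signing_input: str) -> bytes:
    return hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()

def mint_token(kid: str, claims: dict) -> str:
    """Sign claims with the named key. Holding a consumer key lets anyone mint
    a token that merely *claims* an enterprise issuer; only the verifier can stop it."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64(_sign(kid, f'{header}.{body}'))}"

def verify_weak(token: str) -> Optional[dict]:
    """Flawed check: any key in the store is trusted, whatever realm it belongs to."""
    header, body, sig = token.split(".")
    kid = json.loads(_unb64(header))["kid"]
    if kid not in KEYS or not hmac.compare_digest(_sign(kid, f"{header}.{body}"), _unb64(sig)):
        return None
    return json.loads(_unb64(body))

def verify_strict(token: str) -> Optional[dict]:
    """Hardened check: the key's realm must match the realm of the claimed issuer."""
    claims = verify_weak(token)
    if claims is None:
        return None
    kid = json.loads(_unb64(token.split(".")[0]))["kid"]
    if KEYS[kid]["realm"] != ISSUER_REALM.get(claims.get("iss")):
        return None  # a consumer key cannot vouch for an enterprise issuer, or vice versa
    return claims
```

The same realm check belongs at every consumer of the key set (OWA, Outlook.com, any other relying party), because a signature that verifies is not the same as a signature from the system entitled to speak for that issuer.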