Cyber security news September 2023

This posting is here to collect cyber security news in September 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

314 Comments

  1. Tomi Engdahl says:

    September Android updates fix zero-day exploited in attacks https://www.bleepingcomputer.com/news/security/september-android-updates-fix-zero-day-exploited-in-attacks/

    The September 2023 Android security updates tackle 33 vulnerabilities, including a zero-day bug currently targeted in the wild. This high-severity zero-day vulnerability (CVE-2023-35674) is a flaw in the Android Framework that enables attackers to escalate privileges without requiring user interaction or additional execution privileges.

    “There are indications that CVE-2023-35674 may be under limited, targeted exploitation,” Google said in an advisory issued on Tuesday. “Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.”

    Besides this actively exploited zero-day bug, the September Android security updates also address three critical security flaws in the Android System component and one in Qualcomm closed-source components.

    Reply
  2. Tomi Engdahl says:

    Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant https://thehackernews.com/2023/09/alert-phishing-campaigns-deliver-new.html

    The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. “APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report published last week.

    APT34, also known by the names Cobalt Gypsy, Hazel Sandstorm (formerly Europium), Helix Kitten, and OilRig, has a track record of targeting telecommunications, government, defense, oil and financial services verticals in the Middle East since at least 2014 via spear-phishing lures that culminate in the deployment of various backdoors.

    Reply
  3. Tomi Engdahl says:

    Mirai variant infects low-cost Android TV boxes for DDoS attacks https://www.bleepingcomputer.com/news/security/mirai-variant-infects-low-cost-android-tv-boxes-for-ddos-attacks/

    A new Mirai malware botnet variant has been spotted infecting inexpensive Android TV set-top boxes used by millions for media streaming. According to Dr. Web’s antivirus team, the current trojan is a new version of the ‘Pandora’ backdoor that first appeared in 2015.

    The primary targets of this campaign are low-cost Android TV boxes like Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3, which feature quad-core processors capable of launching powerful DDoS attacks even in small swarm sizes.

    Reply
  4. Tomi Engdahl says:

    Chrome 116 Update Patches High-Severity Vulnerabilities

    Google has released another weekly Chrome update, to address four high-severity vulnerabilities reported by external researchers.

    https://www.securityweek.com/chrome-116-update-patches-high-severity-vulnerabilities/

    Reply
  5. Tomi Engdahl says:

    AtlasVPN to Patch IP Leak Vulnerability After Public Disclosure
    https://www.securityweek.com/atlasvpn-to-patch-ip-leak-vulnerability-after-public-disclosure/

    AtlasVPN developers are working on a patch for an IP leak vulnerability after a researcher publicly disclosed the flaw due to being ignored.

    AtlasVPN developers are working on a patch for an IP leak vulnerability whose details were made public by a researcher who decided to take the full disclosure route after responsible disclosure attempts were ignored.

    The researcher, who apparently wants to remain anonymous, shared the details on the Full Disclosure mailing list and on Reddit, claiming that he had unsuccessfully attempted to contact AtlasVPN support in an effort to find a security contact or an official channel for reporting the vulnerability.

    The security hole impacts the AtlasVPN Linux client and it can be exploited by luring the targeted user to a website hosting the exploit code.

    AtlasVPN Linux Client 1.0.3 IP Leak Exploit
    https://seclists.org/fulldisclosure/2023/Sep/0

    Reply
  6. Tomi Engdahl says:

    Thousands of Popular Websites Leaking Secrets
    https://www.securityweek.com/researchers-find-thousands-of-popular-websites-leaking-secrets/

    Truffle Security has discovered thousands of popular websites leaking their secrets, including .git directories and AWS and GitHub keys.

    Code security firm Truffle Security warns that thousands of the domains in the Alexa top 1 million websites list are leaking secrets, including credentials.

    According to the company, which provides an open source secret-scanning engine, 4,500 of the analyzed websites exposed their .git directory.

    Created when a Git repository is initialized, a .git directory includes all the information necessary for a project, including code commits, file paths, version control information, and more.

    In the case of some websites, Truffle Security notes, this directory can include their entire private source code. Exposed .git directories could provide attackers with access to the entire source code, configuration files, commit history, and access credentials.

    “Attackers could use this inside knowledge to mount an attack against the victim’s web application or search the code for live credentials to third-party services like AWS,” the security firm says.

    4,500 of the Top 1 Million Websites Leaked Source Code, Secrets
    https://trufflesecurity.com/blog/4500-of-the-top-1-million-websites-leaked-source-code-secrets/

    We scanned the Alexa Top 1 Million Websites for leaked secrets. We found thousands of exposed source code repositories and hundreds of live API keys.

    These are our top 5 takeaways:
    4,500 Heavily Visited Websites Publicly Exposed Source Code

    Our research team discovered 4,500 of the most visited websites in the world publicly exposed their git directory (i.e. https://example.com/.git).

    These git directories often contained the entire private source code for a given website. Attackers could use this inside knowledge to mount an attack against the victim’s web application or search the code for live credentials to third-party services like AWS.

    Reply
  7. Tomi Engdahl says:

    Crash Dump Error: How a Chinese Espionage Group Exploited Microsoft’s Mistakes
    https://www.securityweek.com/crash-dump-error-how-a-chinese-espionage-group-exploited-microsofts-errors/

    Microsoft reveals how a crash dump from 2021 inadvertently exposed a key that Chinese cyberspies later leveraged to hack US government emails

    Microsoft has published a post-mortem detailing multiple errors that led to Chinese cyberspies hacking into US government emails, blaming the embarrassing incident on a crash dump stolen from a hacked engineer’s corporate account.

    The crash dump, which dated back to April 2021, contained a Microsoft account (MSA) consumer key that was used to forge tokens to break into OWA and Outlook.com accounts.

    Reply
  8. Tomi Engdahl says:

    Investors Betting Big on Upwind for CNAPP Tech
    https://www.securityweek.com/investors-betting-big-on-upwind-for-cnapp-tech/

    Upwind raises a total of $80 million in just 10 months as investors pour cash into startups in the cloud and data security categories.

    Reply
  9. Tomi Engdahl says:

    Cash-Strapped IronNet Faces Bankruptcy Options
    https://www.securityweek.com/cash-strapped-ironnet-faces-bankruptcy-options/

    It appears to be the end of the road for IronNet, the once-promising network security play founded by former NSA director General Keith Alexander.

    It appears to be the end of the road for IronNet (OTCMKTS: IRNT), the once-promising network security play founded by former NSA director General Keith Alexander.

    The company signaled grave financial distress in its latest SEC Form 8-K filing, warning it has run out of money and will furlough a majority of its workforce and severely scale back operations.

    It’s a stunning end for a company that launched in 2018 with $78 million in funding and ambitious plans to cash in on an expanding market for enterprise-grade network security tools.

    Reply
  10. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    Microsoft says Chinese hackers who in June breached US government email accounts stole an MSA key from a crash dump after hacking a Microsoft engineer’s account — Microsoft says Storm-0558 Chinese hackers stole a signing key used to breach government email accounts from a Windows crash dump …

    Hackers stole Microsoft signing key from Windows crash dump
    https://www.bleepingcomputer.com/news/microsoft/hackers-stole-microsoft-signing-key-from-windows-crash-dump/

    Microsoft says Storm-0558 Chinese hackers stole a signing key used to breach government email accounts from a Windows crash dump after compromising a Microsoft engineer’s corporate account.

    The attackers used the stolen MSA key to breach the Exchange Online and Azure Active Directory (AD) accounts of roughly two dozen organizations, including government agencies in the United States, such as the U.S. State and Commerce Departments.

    Reply
  11. Tomi Engdahl says:

    They exploited a now-patched zero-day validation issue in the GetAccessTokenForResourceAPI, which enabled them to forge signed access tokens and impersonate accounts within the targeted orgs.

    China Seeks to Broaden iPhone Ban to State Firms, Agencies
    https://www.bloomberg.com/news/articles/2023-09-07/china-plans-to-expand-iphone-ban-to-some-state-backed-firms-in-blow-to-apple#xj4y7vzkg

    Beijing begins by banning the devices from certain bodies
    It could deal blow to Apple and amplifies a self-reliance push

    Reply
  12. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    Android Security Bulletin for September 2023 patches a privilege escalation zero-day flaw in Android 11-13 that “may be under limited, targeted exploitation” — The September 2023 Android security updates tackle 33 vulnerabilities, including a zero-day bug currently targeted in the wild.

    September Android updates fix zero-day exploited in attacks
    https://www.bleepingcomputer.com/news/security/september-android-updates-fix-zero-day-exploited-in-attacks/

    The September 2023 Android security updates tackle 33 vulnerabilities, including a zero-day bug currently targeted in the wild.

    This high-severity zero-day vulnerability (CVE-2023-35674) is a flaw in the Android Framework that enables attackers to escalate privileges without requiring user interaction or additional execution privileges.

    “There are indications that CVE-2023-35674 may be under limited, targeted exploitation,” Google said in an advisory issued on Tuesday.

    Reply
  13. Tomi Engdahl says:

    https://hackaday.com/2023/09/01/this-week-in-security-not-a-vulnerability-bgp-bug-propogation-and-press-enter-to-hack/

    [Daniel Stenberg] makes the point that this tale is a wonderful demonstration of the brokenness of the CVE system and NVD’s handling of it. And in this case, it’s hard not to see this as negligence. We have to work really hard to construct a theoretical scenario where this bug could actually be exploited. The best I’ve been able to come up with is an online download tool, where the user can specify part of the target name and a timeout. If that tool had a check to ensure that the timeout was large enough to avoid excess traffic, this bug could bypass that check. Should we be assigning CVEs for that sort of convoluted, theoretical attack?

    But here’s the thing, that attack scenario should rate something like a CVSS of 4.8 at absolute worst. NVD assigned this a 9.8.

    In early June, a Border Gateway Protocol (BGP) route started announcing from a small network in Brazil. That route had a BGP Entropy Label Capability Attribute as part of the attribute fields, but the length of that field set to zero. Most other BGP routers have no idea what this attribute means, so it’s ignored but passed on.

    TPM Hacking Made Easy

    Here on Hackaday, we’ve covered a couple different Trusted Platform Module (TPM) attacks, where an encryption key can be sniffed off a physical trace on the motherboard. It turns out, those attacks way over-complicate the matter, and you can just mash the enter key like a 6-year-old playing Street Fighter.

    Reply
  14. Tomi Engdahl says:

    A Russian hacker group may be behind the denial-of-service attack on Traficom – National Cyber Security Centre: several European entities targeted
    https://yle.fi/a/74-20049061

    The website of the Finnish Transport and Communications Agency Traficom has been the target of a denial-of-service attack today. The Russian hacker group NoName 057(16) has claimed to be behind the attack on the website of Traficom’s National Cyber Security Centre.

    Traficom’s National Cyber Security Centre says it is aware of the Russian hackers’ statements.

    “The hacker group announced today on its Telegram channel that it had attacked several European public authorities. The National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom was one of the announced targets,” Juhani Eronen, Chief Specialist at the National Cyber Security Centre, tells Yle.

    Reply
  15. Tomi Engdahl says:

    Apple discloses 2 new zero-days exploited to attack iPhones, Macs https://www.bleepingcomputer.com/news/apple/apple-discloses-2-new-zero-days-exploited-to-attack-iphones-macs/

    Apple released emergency security updates to fix two new zero-day vulnerabilities exploited in attacks targeting iPhone and Mac users, for a total of 13 exploited zero-days patched since the start of the year.

    “Apple is aware of a report that this issue may have been actively exploited,” the company revealed in security advisories describing the security flaws. The bugs were found in the Image I/O and Wallet frameworks and are tracked as CVE-2023-41064 (discovered by Citizen Lab security researchers) and CVE-2023-41061 (discovered by Apple).

    Reply
  16. Tomi Engdahl says:

    BLASTPASS – NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/

    Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.

    We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim. The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.

    We expect to publish a more detailed discussion of the exploit chain in the future.

    Reply
  17. Tomi Engdahl says:

    Cisco BroadWorks impacted by critical authentication bypass flaw https://www.bleepingcomputer.com/news/security/cisco-broadworks-impacted-by-critical-authentication-bypass-flaw/

    A critical vulnerability impacting the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow remote attackers to forge credentials and bypass authentication. Cisco BroadWorks is a cloud communication services platform for businesses and consumers, while the two mentioned components are used for app management and integration.

    The flaw, discovered internally by Cisco security engineers, is tracked as CVE-2023-20238 and rated with a maximum CVSS score of 10.0 (critical). By exploiting the flaw, threat actors can freely execute commands, access confidential data, alter user settings, and commit toll fraud.

    Reply
  18. Tomi Engdahl says:

    Apache Superset Part II: RCE, Credential Harvesting and More https://www.horizon3.ai/apache-superset-part-ii-rce-credential-harvesting-and-more/

    Apache Superset is a popular open source data exploration and visualization tool. In a previous post, we disclosed a vulnerability, CVE-2023-27524, affecting thousands of Superset servers on the Internet, that enables unauthorized attackers to gain admin access to these servers. We also alluded to methods that an attacker, logged in as an admin, could use to harvest credentials and execute remote code. We didn’t disclose these methods because they hadn’t been fixed yet at the time of that post.

    In this post, we disclose all the issues we’ve reported to Superset, including two new high severity vulnerabilities, CVE-2023-39265 and CVE-2023-37941, that are fixed in the just released 2.1.1 version of Superset. We strongly recommend that all Superset users upgrade to this version.

    Reply
  19. Tomi Engdahl says:

    Active North Korean campaign targeting security researchers https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/

    In January 2021, Threat Analysis Group (TAG) publicly disclosed a campaign from government backed actors in North Korea who used 0-day exploits to target security researchers working on vulnerability research and development. Over the past two and a half years, TAG has continued to track and disrupt campaigns from these actors, finding 0-days and protecting online users.

    Recently, TAG became aware of a new campaign likely from the same actors based on similarities with the previous campaign. TAG is aware of at least one actively exploited 0-day being used to target security researchers in the past several weeks. The vulnerability has been reported to the affected vendor and is in the process of being patched.

    Reply
  20. Tomi Engdahl says:

    Cybercriminals target graphic designers with GPU miners https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-with-gpu-miners/

    Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. This activity has been ongoing since at least November 2021. The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max and SketchUp Pro, with malicious scripts and uses Advanced Installer’s Custom Actions feature to make the software installers execute the malicious scripts.

    The software installers targeted in this campaign are specifically used for 3-D modeling and graphic design, and most of them use the French language, indicating that the victims are likely across business verticals, including architecture, engineering, construction, manufacturing, and entertainment in French language-dominant countries.

    Reply
  21. Tomi Engdahl says:

    New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware https://securityintelligence.com/x-force/new-hive0117-phishing-campaign-imitates-conscription-summons-deliver-darkwatchman-malware/

    IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads.

    Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as the emails reference then-recent amendments regarding conscription. Under the new ordinance, the state will bar individuals who fail to report for service from applying for loans, conducting real estate transactions, engaging in international travel, and suspend their driver’s license.

    Reply
  22. Tomi Engdahl says:

    Mac users targeted in new malvertising campaign delivering Atomic Stealer https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising

    The majority of the malvertising campaigns we have tracked for the past few months have targeted Windows users. That’s not surprising considering that Microsoft holds the largest market share for both desktop and laptop computers. However, we recently captured a campaign that was pushing both Windows and Mac malware, the latter being an updated version of the new but popular Atomic Stealer (AMOS) for Mac.

    AMOS was first advertised in April 2023 as a stealer for Mac OS with a strong focus on crypto assets, capable of harvesting passwords from browsers and Apple’s keychain, as well as featuring a file grabber. The developer has been actively working on the project, releasing a new version at the end of June.

    Reply
  23. Tomi Engdahl says:

    How an APT technique turns to be a public Red Team Project – Yoroi https://yoroi.company/research/how-an-apt-technique-turns-to-be-a-public-red-team-project/

    DLL Sideloading (T1574.002) stands as a remarkably effective stratagem employed by adversaries to execute their own malicious code, while clandestinely leveraging the implicit trust placed in legitimate applications.
    This report dissects the multifaceted nuances of DLL Sideloading, delving into its mechanics, the prevalence of victim applications, and its reverberating impact on the cybersecurity landscape.

    At the core of DLL Sideloading lies the manipulation of trust. Adversaries artfully exploit the trust that users confer upon genuine applications to covertly introduce their malevolent payloads. This technique operates on the premise that antimalware engines are less likely to flag such activities as malicious, given the seemingly benign context of the attack. By infiltrating the trusted environment of legitimate software, attackers can operate incognito and evade the vigilant gaze of cybersecurity defenses.

    Reply
  24. Tomi Engdahl says:

    FreeWorld ransomware attacks MSSQL—get your databases off the internet https://www.malwarebytes.com/blog/news/2023/09/freeworld-ransomware-attacks-via-mssql-take-your-databases-off-the-internet

    When we think of ransomware and brute force password guessing attacks, we normally think of RDP, but recent research from Securonix reminds us that anything secured with a password and exposed to the internet is of interest to cybercriminals.

    Microsoft’s Remote Desktop Protocol has been a favourite point of entry for ransomware gangs for several years now. Cybercriminals seek out machines with RDP exposed to the internet and attempt to guess their passwords, hoping to gain entry. They like RDP because it gives them exactly the same access as sitting at a chair in front of the computer, and because there are millions of targets to choose from.

    Reply
  25. Tomi Engdahl says:

    Iranian hackers breach US aviation org via Zoho, Fortinet bugs https://www.bleepingcomputer.com/news/security/iranian-hackers-breach-us-aviation-org-via-zoho-fortinet-bugs/

    State-backed hacking groups have breached a U.S. aeronautical organization using exploits targeting critical Zoho and Fortinet vulnerabilities, a joint advisory published by CISA, the FBI, and the United States Cyber Command (USCYBERCOM) revealed on Thursday. The threat groups behind this breach are yet to be named, but while the joint advisory didn’t connect the attackers to a specific state, USCYBERCOM’s press release links the malicious actors to Iranian exploitation efforts.

    CISA was part of the incident response between February and April and said the hacking groups had been in the compromised aviation organization’s network since at least January after hacking an Internet-exposed server running Zoho ManageEngine ServiceDesk Plus and a Fortinet firewall.

    “CISA, FBI, and CNMF confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network,” reads the advisory.

    Reply
  26. Tomi Engdahl says:

    Cisco Finds 8 Vulnerabilities in OAS Industrial IoT Data Platform
    https://www.securityweek.com/cisco-finds-8-vulnerabilities-in-oas-industrial-iot-data-platform/

    Vulnerabilities identified in the OAS Platform could be exploited to bypass authentication, leak sensitive information, and overwrite files.

    Multiple vulnerabilities in the Open Automation Software (OAS) Platform can be exploited to bypass authentication, leak sensitive information, and overwrite files, Cisco warns.

    Enabling communication and data transfer between servers, industrial control systems (ICS), IoT, and other types of devices, the OAS Platform is typically used in industrial operations and enterprise environments. It also supports logging and notifications, and cross-platform integrations.

    On Wednesday, Cisco’s Talos security researchers disclosed eight vulnerabilities identified in the OAS Platform’s engine configuration management functionality, which allows users to load and save configurations to a disk and install them on other devices. Three of the bugs are rated high-severity.

    The most important of these are CVE-2023-31242 and CVE-2023-34998, two authentication bypass flaws that can be exploited using specially-crafted requests. The first can be triggered using a sequence of requests, while the second through sniffing network traffic.

    https://blog.talosintelligence.com/eight-vulnerabilities-in-open-automation/

    Reply
  27. Tomi Engdahl says:

    Wealthy Russian With Kremlin Ties Gets 9 Years in Prison for Hacking and Insider Trading Scheme
    https://www.securityweek.com/wealthy-russian-with-kremlin-ties-gets-9-years-in-prison-for-hacking-and-insider-trading-scheme/

    Vladislav Klyushin was sentenced to nine years in prison for his role in a nearly $100M stock market cheating scheme that relied on information stolen by hacking.

    Reply
  28. Tomi Engdahl says:

    See Tickets Alerts 300,000 Customers After Another Web Skimmer Attack
    https://www.securityweek.com/see-tickets-alerts-300000-customers-after-another-web-skimmer-attack/

    See Tickets is informing 300,000 individuals that their payment card information was stolen in a new web skimmer attack.

    Reply
  29. Tomi Engdahl says:

    Rigged Software and Zero-Days: North Korean APT Caught Hacking Security Researchers
    https://www.securityweek.com/rigged-software-and-zero-days-north-korean-apt-caught-hacking-security-researchers/
    Google again catches a North Korean APT actor targeting security researchers with zero-days and rigged software tools.

    Reply
  30. Tomi Engdahl says:

    ‘Atomic macOS Stealer’ Malware Delivered via Malvertising Campaign

    A malware named Atomic macOS Stealer (AMOS) has been delivered to users via a malvertising campaign.

    https://www.securityweek.com/atomic-macos-stealer-malware-delivered-via-malvertising-campaign/

    Reply
  31. Tomi Engdahl says:

    Technology manufacturer Asus reports that three serious vulnerabilities have been found in three of its routers. All three holes, CVE-2023-39238, CVE-2023-39239 and CVE-2023-39240, have been classified as critical, and their severity has been rated 9.8 out of 10 on the CVSS 3.1 scale.

    https://www.tivi.fi/uutiset/kuluttajien-suosimissa-reitittimissa-ammottavia-reikia-paikkaa-valittomasti/f14cab51-30f2-40cb-8805-450daa4238a1

    Reply
  32. Tomi Engdahl says:

    U.K. and U.S. Sanction 11 Russia-based Trickbot Cybercrime Gang Members https://thehackernews.com/2023/09/uk-and-us-sanction-11-russia-based.html

    The U.K. and U.S. governments on Thursday sanctioned 11 individuals who are alleged to be part of the notorious Russia-based TrickBot cybercrime gang.

    “Russia has long been a safe haven for cybercriminals, including the TrickBot group,” the U.S. Treasury Department said, adding it has “ties to Russian intelligence services and has targeted the U.S. Government and U.S. companies, including hospitals.”

    The targets of the sanctions are administrators, managers, developers, and coders who are believed to have provided material assistance in its operations.

    Reply
  33. Tomi Engdahl says:

    Update your iPhone and Mac now – merely viewing an image can be dangerous https://www.is.fi/digitoday/tietoturva/art-2000009842097.html

    Technology company Apple urges its users to update their operating systems. Vulnerabilities found in the iOS, iPad, macOS Ventura and watchOS systems allow an attacker to execute their own code on the victim’s device.

    There are two vulnerabilities. In the vulnerability known as CVE-2023-41064, the device can be attacked with a photo that has malicious code embedded in it. The vulnerability was discovered by The Citizen Lab at the University of Toronto.

    The second vulnerability, named CVE-2023-41061, lets an attacker execute their own code by sending the victim a malicious attachment. The vulnerability was discovered by Apple itself.

    Apple says it is aware that both vulnerabilities may already have been used in attacks.

    Reply
  34. Tomi Engdahl says:

    Probe reveals DHS relies on fake social media accounts to investigate targets https://therecord.media/dhs-uses-fake-social-media-accounts

    The Department of Homeland Security (DHS) routinely relies on phony social media accounts to gather information about people, with little oversight, according to a years-long investigation by the Brennan Center for Justice (BCJ).

    BCJ, a nonpartisan law and policy institute, began asking DHS for details of the program in 2018 under the Freedom of Information Act (FOIA). When the agency stonewalled, the institute retained a lawyer who sued for the documents.

    They show, among other things, that Customs and Border Protection (CBP) uses “masked monitoring” of individuals by setting up fake social media accounts to research them — just one example of how at least 14 “social media operational use templates” are used to allow officers to obscure

    Reply
  35. Tomi Engdahl says:

    DarkGate Loader Malware Delivered via Microsoft Teams https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams

    In the last week of August, Truesec Cybersecurity Incident Response Team (CSIRT) investigated a Microsoft Teams malware campaign delivering malware identified as DarkGate Loader.

    On August 29, in the timespan from 11:25 to 12:25 UTC, Microsoft Teams chat messages were sent from two external Office 365 accounts compromised prior to the campaign. The message content aimed to social engineer the recipients into downloading and opening a malicious file hosted remotely.

    Both senders had an identical-sounding message with a link to an externally hosted file, “Changes to the vacation schedule.zip” (hosted on the senders’ SharePoint sites).

    Reply
  36. Tomi Engdahl says:

    Associated Press warns that AP Stylebook data breach led to phishing attack https://www.bleepingcomputer.com/news/security/associated-press-warns-that-ap-stylebook-data-breach-led-to-phishing-attack/

    The Associated Press is warning of a data breach impacting AP Stylebook customers where the attackers used the stolen data to conduct targeted phishing attacks.

    The AP Stylebook is a commonly used guide on grammar, punctuation, and writing style for journalists, magazines, and newsrooms worldwide.

    This week, the Associated Press warns that an old third-party-managed AP Stylebook site that was no longer in use was hacked between July 16 and July 22, 2023, allowing the data for 224 customers to be stolen.

    The stolen information includes a customer’s name, email address, street address, city, state, zip code, phone number, and User ID. For customers who entered tax-exempt IDs, such as a Social Security Number or Employer Identification Number, those IDs were stolen as well.

    Reply
  37. Tomi Engdahl says:

    New Phishing Campaign Launched via Google Looker Studio
    https://www.securityweek.com/new-phishing-campaign-launched-via-google-looker-studio/

    Check Point has observed a wave of phishing attacks launched via Google Looker Studio to steal credentials and funds from intended victims.

    Cybersecurity firm Check Point is warning of a new type of phishing attack that abuses Google Looker Studio to bypass protections.

    Google Looker Studio is a legitimate online tool for creating customizable reports, including charts and graphs, that can be easily shared with others.

    As part of the observed attacks, threat actors are using Google Looker Studio to create fake crypto pages that are then delivered to the intended victims in emails sent from the legitimate tool itself.

    The message contains a link to the fake report, claiming to provide the victim with information on investment strategies that would lead to significant returns.

    The recipient is lured into clicking on the provided link, which redirects to a legitimate Google Looker page, hosting a Google slideshow claiming to provide instructions on how the recipient could receive more cryptocurrency.

    Reply
  38. Tomi Engdahl says:

    Cisco ASA Zero-Day Exploited in Akira Ransomware Attacks
    https://www.securityweek.com/cisco-asa-zero-day-exploited-in-akira-ransomware-attacks/

    Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.

    Cisco this week raised the alarm on a zero-day in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that has been exploited in Akira ransomware attacks since August.

    Tracked as CVE-2023-20269 (CVSS score of 5.0, medium severity), the issue exists in the remote access VPN feature of Cisco ASA and FTD and can be exploited remotely, without authentication, in brute force attacks.

    “This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features,” Cisco explains in an advisory.

    According to Cisco, an attacker with access to valid user credentials can exploit the flaw to establish a clientless SSL VPN session with an unauthorized user.

    “In August 2023, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability once available and apply one of the suggested workarounds in the meantime,” Cisco notes.

    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC#fs

    Reply
  39. Tomi Engdahl says:

    Rigged Software and Zero-Days: North Korean APT Caught Hacking Security Researchers
    https://www.securityweek.com/rigged-software-and-zero-days-north-korean-apt-caught-hacking-security-researchers/

    Google again catches a North Korean APT actor targeting security researchers with zero-days and rigged software tools.

    Google’s threat hunting unit has again intercepted an active North Korean APT actor sliding into the DMs of security researchers and using zero-days and rigged software tools to take control of their computers.

    Google’s Threat Analysis Group (TAG) on Thursday outed the government-backed hacking team’s social media accounts and warned that at least one actively exploited zero-day is being used and is currently unpatched.

    Using platforms like X (the successor to Twitter) as their initial point of contact, the North Korean threat actor cunningly forged relationships with targeted researchers through prolonged interactions and discussions.

    “In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package,” Google explained.

    Active North Korean campaign targeting security researchers
    Sep 07, 2023
    https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/

    Reply
  40. Tomi Engdahl says:

    Apple Patches Actively Exploited iOS, macOS Zero-Days
    https://www.securityweek.com/apple-patches-actively-exploited-ios-macos-zero-days/

    Apple pushes out an urgent point-update to its flagship iOS and macOS platforms to fix a pair of security defects being exploited in the wild.

    Reply
  41. Tomi Engdahl says:

    Financial Times:
    How cybercriminals in Turkey teamed up with Russian émigré hackers to steal and sell tens of millions of credit card numbers, passwords, “hot” cookies, and more

    Influx of Russian fraudsters gives Turkish cyber crime hub new lease of life
    https://www.ft.com/content/d5ba3c90-c2f2-4d4e-9cf0-b929930ad8f7

    Émigré hackers fleeing Putin’s military conscription prompts surge in activity involving stolen financial data


    Cybercriminals in Turkey have teamed up with recently arrived Russian émigré hackers to flood a once moribund online marketplace with tens of millions of newly stolen personal credentials, an evolution in the transnational nature of such fraud.

    Thousands of men, many of them trained software engineers, fled Russia for Turkey last September after president Vladimir Putin ordered military conscription for the war in Ukraine.

    Some of them, Turkish police and security researchers said, turned to relatively low-level online scams and fraud to support themselves, pairing up with established Turkish counterparts to avoid detection, launder their earnings and sell credentials harvested from computers around the world into the European market.

    Reply
  42. Tomi Engdahl says:

    Boot Unguarded: x86 Trust Anchor Downfalls to The Leaked OEM Internal Tools and Signing Keys
    https://hardenedlinux.org/blog/2023-09-07-boot-unguarded-x86-trust-anchor-downfalls-to-the-leaked-oem-internal-tools-and-signing-keys/

    By HardcoreMatrix

    The HardcoreMatrix team specializes in firmware and infrastructure security, supply chain security, and threat modeling. We vividly illustrate the severe consequences that underlying threats pose to enterprise and personal information security.

    One “Leak” can rule them all!

    In March 2023, Micro-Star International (MSI) suffered a significant attack orchestrated by the Money Message ransomware group. Unfortunately, this is not just another random leak. The aftermath revealed a leak of internal data, including highly sensitive information such as the BootGuard private key. This key, integral to Intel’s hardware trust and cryptographic key management system, signifies an exploit vector that can’t be fixed easily, allowing for bypassing of the primary security mechanism in specific device models. Additionally, the leaked data also exposed the UEFI firmware image signing key, further exacerbating the severity of the breach.

    Why BootGuard matters to the UEFI/x86 ecosystem

    The BootGuard security mechanism, alongside CPU Microcode and CSME, forms the foundation of Intel’s core security mechanisms. It serves as a critical integrity protection mechanism rooted in the hardware trust system, while the UEFI firmware acts as a vital low-level software component within the computer system. The compromise of BootGuard, whether through successful attacks via a vulnerability (e.g. CVE-2020-8705) or acquisition of the private key from OEM/ODM manufacturers, enables threat actors to exploit UEFI implementation flaws, configuration errors, and other vulnerabilities to bypass numerous established security measures and mitigations, e.g. SMM_BWP, BWE/BLE, PRx hardware security mechanisms, SecureBoot and kernel security mitigation technologies such as HVCI, PatchGuard, kASLR, KDEP, SMEP, SMAP. Furthermore, mainstream antivirus software and EDR/XDR systems become ineffective, granting attackers persistent control over the compromised device.

    Reply
  43. Tomi Engdahl says:

    Forgot The Key Generation

    If there’s anything worse than losing your keys, it’s forgetting to generate them in the first place. VMware Aria has a CVSS 9.8 vulnerability, which boils down to a shared SSH key across all installs from version 6.0 to 6.10.

    VMware Aria Operations for Networks Static SSH key RCE CVE-2023-34039
    https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/

    Reply
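    A fleet audit for the failure mode this item describes (one SSH key present on every install), as an added example that is not code from the summoning.team post or from VMware: it fingerprints each authorized_keys entry the way OpenSSH does and reports any key that authorizes more than one host. The hosts, key blobs and comments are constructed stand-ins, not real VMware material.

    ```python
    import base64
    import hashlib
    import struct
    from collections import defaultdict

    def _fake_ed25519_blob(seed: bytes) -> str:
        """Build a syntactically valid ssh-ed25519 key blob from a seed.

        Stand-in for a real public key: the 32 key bytes are SHA-256(seed), enough
        to exercise the parser, not a usable key."""
        key = hashlib.sha256(seed).digest()
        blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
        return base64.b64encode(blob).decode()

    # Constructed authorized_keys contents of four hypothetical hosts: the same
    # "support" key was left on three appliance installs.
    SHARED = _fake_ed25519_blob(b"baked-into-the-image")
    FLEET = {
        "aria-01": f"ssh-ed25519 {SHARED} support@build\n",
        "aria-02": f"ssh-ed25519 {SHARED} support@build\n"
                   f"ssh-ed25519 {_fake_ed25519_blob(b'site')} admin@site\n",
        "aria-03": f"# rotated? no\n\nssh-ed25519 {SHARED} support@build\n",
        "jump-01": f"ssh-ed25519 {_fake_ed25519_blob(b'jump')} ops@jump\n",
    }

    def fingerprint(blob_b64: str) -> str:
        """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
        raw = base64.b64decode(blob_b64)
        return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

    def parse_authorized_keys(text: str):
        """Yield (key_type, fingerprint, comment) per key line; skips blanks and comments."""
        for line in text.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            # Options without embedded spaces may precede the key type, so find it by prefix.
            idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
            if idx is None or len(parts) < idx + 2:
                continue
            yield parts[idx], fingerprint(parts[idx + 1]), " ".join(parts[idx + 2:])

    def find_shared_keys(fleet: dict) -> dict:
        """Map each fingerprint found on more than one host to the sorted list of those hosts."""
        hosts_by_fp = defaultdict(set)
        for host, text in fleet.items():
            for _, fp, _ in parse_authorized_keys(text):
                hosts_by_fp[fp].add(host)
        return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}
    ```

    Run the same audit against real `~/.ssh/authorized_keys` contents collected from each appliance; any fingerprint that shows up on more than one host is a key nobody generated per install.
    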
