CySec News

A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits.

Reference: https://thehackernews.com/2022/09/mirai-variant-moobot-botnet-exploiting.html

Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices. Tracked as CVE-2022-34747 (CVSS score: 9.8), the issue relates to a “format string vulnerability” affecting NAS326, NAS540, and NAS542 models. Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw.

Reference: https://thehackernews.com/2022/09/critical-rce-vulnerability-affects.html

QNAP has issued a new advisory urging users of its network-attached storage (NAS) devices to upgrade to the latest version of Photo Station following yet another wave of DeadBolt ransomware attacks in the wild by exploiting a zero-day flaw in the software.

Reference: https://thehackernews.com/2022/09/qnap-warns-of-new-deadbolt-ransomware.html

A new stealthy Linux malware known as Shikitega has been discovered infecting computers and IoT devices with additional payloads. The malware exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and eventually launches a cryptocurrency miner on infected devices.

Reference: https://www.bleepingcomputer.com/news/security/new-linux-malware-evades-detection-using-multi-stage-deployment/

Resecurity has identified a new underground service that allows cybercriminals to bypass 2FA authentication (MFA) authentication mechanisms on a large scale without the need to hack upstream services or the supply chain. EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication – proxyfying victim’s session.

Reference: https://otx.alienvault.com/pulse/63175332703dcba6367c4087

Bitdefender analyzed a recent industrial espionage operation targeting a small (under 200 employees) technology company based in the United States. The attack was focused on information exfiltration and spans several months. A vast network of several hundred IP addresses (most of them originated from China) was used as part of this attack.

Reference: https://otx.alienvault.com/pulse/6310c8b1ae9f85af2d64d77d

The Securonix Threat research team has recently identified a unique sample of a persistent Golang-based attack campaign tracked by Securonix as GO#WEBBFUSCATOR. The new campaign incorporates an equally interesting strategy by leveraging the infamous deep field image taken from the James Webb telescope and obfuscated Golang programming language payloads to infect the target system with the malware.

Reference: https://otx.alienvault.com/pulse/630f67c49a28f85f26b91f5a

Microsoft warned customers today that it will finally disable basic authentication in random tenants worldwide to improve Exchange Online security starting October 1, 2022.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-exchange-online-basic-auth-next-month/

South Korean chaebol Samsung on Friday said it experienced a cybersecurity incident that resulted in the unauthorized access of some customer information, the second time this year it has reported such a breach. “In late July 2022, an unauthorized third-party acquired information from some of Samsung’s U.S. systems,” the company disclosed in a notice. “On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected.”

Reference: https://thehackernews.com/2022/09/samsung-admits-data-breach-that-exposed.html

A bad Microsoft Defender signature update mistakenly detects Google Chrome, Microsoft Edge, Discord, and other Electron apps as ‘Win32/Hive.ZY’ each time the apps are opened in Windows. The issue started Sunday morning when Microsoft pushed out Defender signature update 1.373.1508.0 to include two new threat detections, including Behavior:Win32/Hive.ZY. Microsoft issued an update to fix the issue.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-falsely-detects-win32-hivezy-in-google-chrome-electron-apps/

Chile’s national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted operations and online services of a government agency in the country. The attack started on Thursday, August 25, targeting Microsoft and VMware ESXi servers operated by the agency. The hackers stopped all running virtual machines and encrypted their files, appending the “.crypt” filename extension.

Reference: https://www.bleepingcomputer.com/news/security/new-ransomware-hits-windows-linux-servers-of-chile-govt-agency/

The government of Montenegro has provided more information about the attack on its critical infrastructure saying that ransomware is responsible for the damage and disruptions. Public Administration Minister Maras Dukaj stated on local television yesterday that behind the attack is an organized cybercrime group. The effects of the incindet continue for the tenth day. The minister added that a “special virus” is used in this attack and there is a ransom demand of $10 million.

Reference: https://www.bleepingcomputer.com/news/security/montenegro-hit-by-ransomware-attack-hackers-demand-10-million/

A new Instagram phishing campaign is underway, attempting to scam users of the popular social media platform by luring them with a blue-badge offer. Blue badges are highly coveted as Instagram provides them to accounts it verified to be authentic, representing a public figure, celebrity, or brand. The spear emails in the recently observed phishing campaign inform recipients that they Instagram reviewed their accounts and deemed them eligible for a blue badge.

Reference: https://www.bleepingcomputer.com/news/security/thousands-lured-with-blue-badges-in-instagram-phishing-attack/

A critical command injection vulnerability in a Bitbucket product could allow an attacker to execute arbitrary code, researchers warn. Bitbucket is a Git-based source code repository hosting service owned by Atlassian. The flaw, tracked as CVE-2022-36804, is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center.

Reference: https://portswigger.net/daily-swig/critical-command-injection-vulnerability-discovered-in-bitbucket-server-and-data-center

Password management firm LastPass was hacked two weeks ago, enabling threat actors to steal the company’s source code and proprietary technical information.

Reference: https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/

Microsoft Azure customers’ virtual machines (VMs) running Ubuntu 18.04 have been taken offline by an ongoing outage caused by a faulty systemd update. The outage started nine hours earlier, around 06:00 UTC, after the affected customers upgraded to systemd version 237-3ubuntu10.54 and their VMs started experiencing DNS errors, with no DNS resolver addresses available on impacted systems.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-azure-outage-knocks-ubuntu-vms-offline-after-buggy-update/

Five imposter extensions for the Google Chrome web browser masquerading as Netflix viewers and others have been found to track users’ browsing activity and profit of retail affiliate programs. “The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website,” McAfee researchers Oliver Devane and Vallabh Chole said.

Reference: https://thehackernews.com/2022/08/experts-find-malicious-cookie-stuffing.html

Nation-state threat actors are increasingly adopting and integrating the Sliver command-and-control (C2) framework in their intrusion campaigns as a replacement for Cobalt Strike. “Given Cobalt Strike’s popularity as an attack tool, defenses against it have also improved over time,” Microsoft security experts said. “Sliver thus presents an attractive alternative for actors looking for a lesser-known toolset with a low barrier for entry.”

Reference: https://thehackernews.com/2022/08/cybercrime-groups-increasingly-adopting.html

CVE’s of the Week

Cisco

CVE-2022-20921

Dell

CVE-2022-33932

CVE-2022-32480

CVE-2022-31238

CVE-2022-31237

GitLab has issued a security update to address a critical vulnerability that could lead to remote code execution (RCE). The vulnerability could allow an authenticated user to achieve remote code execution via the ‘Import from GitHub API’ endpoint, an advisory from GitLab reads. Tracked as CVE-2022-2884, the security issue is present in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.3.4 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1.

Reference: https://portswigger.net/daily-swig/gitlab-patches-critical-remote-code-execution-bug

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a security flaw impacting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The high-severity vulnerability, tracked as CVE-2022-0028 (CVSS score: 8.6), is a URL filtering policy misconfiguration that could allow an unauthenticated, remote attacker to carry out reflected and amplified TCP denial-of-service (DoS) attacks.

Reference: https://thehackernews.com/2022/08/cisa-warns-of-active-exploitation-of.html

Budget Android device models that are counterfeit versions associated with popular smartphone brands are harboring multiple trojans designed to target WhatsApp and WhatsApp Business messaging apps.

Reference: https://thehackernews.com/2022/08/researchers-find-counterfeit-phones.html

Details of an eight-year-old security vulnerability in the Linux kernel have emerged that the researchers say is “as nasty as Dirty Pipe.” Dubbed DirtyCred by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw (CVE-2022-2588) to escalate privileges to the maximum level.

Reference: https://thehackernews.com/2022/08/as-nasty-as-dirty-pipe-8-year-old-linux.html

More than 200 malicious packages have been discovered infiltrating the PyPI and npm open source registries this week. These packages are largely typosquats of widely used libraries and each one of them downloads a Bash script on Linux systems that run cryptominers.

Reference: https://www.bleepingcomputer.com/news/security/241-npm-and-pypi-packages-caught-dropping-linux-cryptominers/

Windows servers and workstations at dozens of organizations started to crash earlier today because of an issue caused by certain versions of VMware’s Carbon Black endpoint security solution.

Reference: https://www.bleepingcomputer.com/news/security/vmware-carbon-black-causing-bsod-crashes-on-windows/

WordPress sites are being hacked to display fake Cloudflare DDoS protection pages to distribute malware that installs the NetSupport RAT and the RaccoonStealer password-stealing Trojan.

Reference: https://www.bleepingcomputer.com/news/security/wordpress-sites-hacked-with-fake-cloudflare-ddos-alerts-pushing-malware/

Microsoft has released Sysmon 14 with a new ‘FileBlockExecutable’ option that lets you block the creation of malicious executables, such as EXE, DLL, and SYS files, for better protection against malware.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-can-now-block-malicious-exes-from-being-created/

DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks® Counter Threat Unit™ (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver “addon packages” such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.

Reference: https://otx.alienvault.com/pulse/6304f0ff85acf796fe08ef9c

LockBit 3.0 aka “LockBit Black”, noted in June of this year has coincided with a large increase of victims being published to the LockBit leak site, indicating that the past few months has heralded a period of intense activity for the LockBit collective.

Reference: https://otx.alienvault.com/pulse/630496070829b833c5cccc36

CVE’s of the Week

Cisco

Dell

Fortinet

Microsoft

VMWare

Android malware developers are already adjusting their tactics to bypass a new ‘Restricted setting’ security feature introduced by Google in the newly released Android 13.

Reference: https://www.bleepingcomputer.com/news/security/malware-devs-already-bypassed-android-13s-new-security-feature/

Google has released a security update for the Chrome browser that addresses close to a dozen vulnerabilities, including a zero-day flaw that is being exploited in the wild. The security update is currently rolling out for Windows, Mac and Linux. Users who have automatic updates turned on should receive it in the coming days/weeks.

Reference: https://www.bleepingcomputer.com/news/security/google-fixes-fifth-chrome-zero-day-bug-exploited-this-year/

Windows users who have installed a new KB5012170 security update for Secure Boot have encountered various issues, ranging from boots failing with BitLocker Recovery prompts to performance issues. A UEFI bootloader loads immediately after a device is started and is responsible for launching the UEFI environment with the Secure Boot feature to allow only trusted code to be executed when starting the Windows booting process.

Reference: https://www.bleepingcomputer.com/news/microsoft/windows-kb5012170-update-causing-bitlocker-recovery-screens-boot-issues/

Exploit code has been released for a critical vulnerability affecting networking devices with Realtek’s RTL819x system on a chip (SoC), which are estimated to be in the millions. The flaw is identified as CVE-2022-27255 and a remote attacker could exploit it to compromise vulnerable devices from various original equipment manufacturers (OEMs), ranging from routers and access points to signal repeaters.

Reference: https://www.bleepingcomputer.com/news/security/exploit-out-for-critical-realtek-flaw-affecting-many-networking-devices/

Palo Alto Networks has issued a security advisory warning of an actively exploited high-severity vulnerability impacting PAN-OS, the operating system used by the company’s networking hardware products. The issue, tracked as CVE-2022-0028 (CVSS v3 – 8.6), is an URL filtering policy misconfiguration that could allow an unauthenticated, remote attacker to carry out amplified TCP denial-of-service (DoS) attacks.

Reference: https://www.bleepingcomputer.com/news/security/palo-alto-networks-new-pan-os-ddos-flaw-exploited-in-attacks/

Security analysts have found security issues in the payment system present on Xiaomi smartphones that rely on MediaTek chips providing the trusted execution environment (TEE) that is responsible for signing transactions. Attackers could exploit the weaknesses to sign fake payment packages using a third-party unprivileged application. The implications of such an attack would be to make the payment service unavailable or to sign transactions from the user’s mobile wallet to the threat actor’s account.

Reference: https://www.bleepingcomputer.com/news/security/xiaomi-phones-with-mediatek-chips-vulnerable-to-forged-payments/

Networking equipment major Cisco on Wednesday confirmed it was the victim of a cyberattack on May 24, 2022 after the attackers got hold of an employee’s personal Google account that contained passwords synced from their web browser.

Reference: https://thehackernews.com/2022/08/cisco-confirms-its-been-hacked-by.html

A group of researchers has revealed details of a new vulnerability affecting Intel CPUs that enables attackers to obtain encryption keys and other secret information from the processors. Dubbed ÆPIC Leak, the weakness is the first-of-its-kind to architecturally disclose sensitive data in a manner that’s akin to an “uninitialized memory read in the CPU itself.”

Reference: https://thehackernews.com/2022/08/pic-and-squip-vulnerabilities-found-in.html

As many as 121 new security flaws were patched by Microsoft as part of its Patch Tuesday updates for the month of August, which also includes a fix for a Support Diagnostic Tool vulnerability that the company said is being actively exploited in the wild Of the 121 bugs, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. Two of the issues have been listed as publicly known at the time of the release.

Reference: https://thehackernews.com/2022/08/microsoft-issues-patches-for-121-flaws.html

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw in the UnRAR utility to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation Tracked as CVE-2022-30333 (CVSS score: 7.5), the issue concerns a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

Reference: https://thehackernews.com/2022/08/cisa-issues-warning-on-active.html

Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices. The two security flaws tracked as CVE-2022-20842 and CVE-2022-20827 were found in the web-based management interfaces and the web filter database update feature, and are both caused by insufficient input validation.

Reference: https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-remote-code-execution-bug-in-vpn-routers/

A security vulnerability in file transfer software CompleteFTP allowed unauthenticated attackers to delete arbitrary files on affected installations. Developed by EnterpriseDT of Australia, CompleteFTP is a proprietary FTP and SFTP server for Windows that supports FTPS, SFTP, and HTTPS.

Reference: https://portswigger.net/daily-swig/completeftp-path-traversal-flaw-allowed-attackers-to-delete-server-files

Virtualization services provider VMware on Tuesday shipped updates to address 10 security flaws affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions. The issues, tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 – 9.8), impact VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager Connector, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager.

Reference: https://thehackernews.com/2022/08/vmware-releases-patches-for-several-new.html

Microsoft says that some of the Exchange Server flaws addressed as part of the August 2022 Patch Tuesday also require admins to manually enable Extended Protection on affected servers to fully block attacks. The company patched 121 flaws today, including the DogWalk Windows zero-day exploited in the wild and several Exchange vulnerabilities (CVE-2022-21980, CVE-2022-24477, and CVE-2022-24516) rated as critical severity and allowing for privilege escalation.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-extended-protection-needed-to-fully-patch-new-bugs/

Open source DevOps platform Jenkins is warning users of unpatched security vulnerabilities impacting more than a dozen plugins. The organization’s latest security advisory lists a total of 27 plugin vulnerabilities, five of which were deemed to be ‘high’ impact and the majority of which remain unpatched.

Reference: https://portswigger.net/daily-swig/jenkins-security-unpatched-xss-csrf-bugs-included-in-latest-plugin-advisory

In the last few weeks of July 2022, researchers reported two attacks where Steganography was used to deliver malware payloads. In the first event, TAs compromised Alibaba OSS Buckets to Distribute Malicious Shell Scripts via Steganography. In the other event, KNOTWEED malware used the JPEG file to hide Corelump malware. Interestingly, the same technique was used in both incidents to hide the malware payload inside image files. The malicious code was appended after the image content, which ensured that the victim could only access the image without seeing the malicious code. However, accessing stegomalware will not execute any embedded content. Rather, it will be accessed and executed by other programs.

Reference: https://blog.cyble.com/2022/08/04/stegomalware-identifying-possible-attack-vectors/

Smart App Control, a Windows 11 security feature that blocks threats at the process level, now comes with support for blocking several file types threat actors have recently adopted to infect targets with malware in phishing attacks.

Reference: https://www.bleepingcomputer.com/news/microsoft/windows-11-smart-app-control-blocks-files-used-to-push-malware/

Microsoft has introduced an optional feature to its Edge browser that applies more stringent security controls when users visit unfamiliar websites. Enhanced security mode mitigates memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation, while activating additional operating system protections for the browser such as arbitrary code guard and hardware-enforced stack protection, according to Microsoft. It said these changes provide “defense in depth” by making it harder for malicious sites to leverage unpatched vulnerabilities in order to write to executable code into memory.

Reference: https://portswigger.net/daily-swig/microsoft-edge-deepens-defenses-against-malicious-websites-with-enhanced-security-mode

Atlassian has addressed a hardcoded credential flaw in Questions for Confluence and servlet filter bypasses in multiple other products. The Australian vendor of software development and collaboration tools issued security advisories with instructions for applying updates and mitigations (July 20).

Reference: https://portswigger.net/daily-swig/atlassian-patches-batch-of-critical-vulnerabilities-across-multiple-products

Zyxel has released patches for several of its firewall products following the discovery of two security vulnerabilities that left business networks open to exploitation.

Reference: https://portswigger.net/daily-swig/zyxel-firewall-vulnerabilities-left-business-networks-open-to-abuse

Recent years have seen a growing interest in the use of machine learning and deep learning in cybersecurity, especially in network intrusion detection and prevention. However, according to a study by researchers at the Citadel, a military college in South Carolina, US, deep learning models trained for network intrusion detection can be bypassed through adversarial attacks, specially crafted data that fools neural networks to change their behavior.

Reference: https://portswigger.net/daily-swig/adversarial-attacks-can-cause-dns-amplification-fool-network-defense-systems-machine-learning-study-finds

Serious vulnerabilities in Cisco Nexus Dashboard give attackers a viable path to executing arbitrary commands as root, uploading container image files, or performing cross-site request forgery (CSRF) attacks.

Reference: https://portswigger.net/daily-swig/cisco-patches-dangerous-bug-trio-in-nexus-dashboard

Microsoft is warning customers that Windows updates released since June 28 will trigger printing issues on devices connected using USB. “Microsoft has received reports of issues affecting some printing devices following installation of Windows updates released June 28 ( KB5014666) and later,” Redmond explained.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-windows-10-usb-printing-breaks-due-to-recent-updates/

Microsoft has reminded customers once again that Windows Server, version 20H2, will be reaching its End of Service (EOS) in less than a month, on August 9.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-reminder-windows-server-20h2-reaches-eos-next-month/

SonicWall has published a security advisory today to warn of a critical SQL injection flaw impacting the GMS (Global Management System) and Analytics On-Prem products

Reference: https://www.bleepingcomputer.com/news/security/sonicwall-patch-critical-sql-injection-bug-immediately/

Apple on Wednesday rolled out software fixes for iOS, iPadOS, macOS, tvOS, and watchOS to address a number of security flaws affecting its platforms. This includes at least 37 flaws spanning different components in iOS and macOS that range from privilege escalation to arbitrary code execution and from information disclosure to denial-of-service (DoS).

Reference: https://thehackernews.com/2022/07/apple-releases-security-patches-for-all.html

Microsoft announced in July 21 that it resumed the rollout of VBA macro auto-blocking in downloaded Office documents after temporarily rolling it back earlier this month following user feedback.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-blocking-office-macros-by-default-once-again/

Recent Windows 11 builds come with the Account Lockout Policy policy enabled by default which will automatically lock user accounts (including Administrator accounts) after 10 failed sign-in attempts for 10 minutes.

Reference: https://www.bleepingcomputer.com/news/microsoft/windows-11-now-blocks-rdp-brute-force-attacks-by-default/

A previously undetected malware dubbed ‘Lightning Framework’ that targets Linux systems can be used to backdoor infected devices using SSH and deploy rootkits to cover the attackers’ tracks. Described as a “Swiss Army Knife” in a report published by Intezer, Lightning Framework is a modular malware that also comes with support for plugins.

Reference: https://www.bleepingcomputer.com/news/security/new-lightning-framework-linux-malware-installs-rootkits-backdoors/

Attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers, which hide deep in target environments and provide a durable persistence mechanism for attackers. While prior research has been published on specific incidents and variants, little is generally known about how attackers leverage the IIS platform as a backdoor.

Reference: https://otx.alienvault.com/pulse/62e10bfe0fd0859d190ceb38

CVE’s of the Week

Microsoft

Juniper Networks has pushed security updates to address several vulnerabilities affecting multiple products, some of which could be exploited to seize control of affected systems. The most critical of the flaws affect Junos Space and Contrail Networking, with the tech company urging customers to update to release versions 22.1R1 and 21.4.0, respectively.

Reference: https://thehackernews.com/2022/07/juniper-releases-patches-for-critical.html

A new method devised to leak information and jump over air-gaps takes advantage of Serial Advanced Technology Attachment (SATA) or Serial ATA cables as a communication medium, adding to a long list of electromagnetic, magnetic, electric, optical, and acoustic methods already demonstrated to plunder data.

Reference: https://thehackernews.com/2022/07/new-air-gap-attack-uses-sata-cable-as.html

Researchers following the activities of advanced persistent (APT) threat groups originating from China, North Korea, Iran, and Turkey say that journalists and media organizations have remained a constant target for state-aligned actors. The adversaries are either masquerading or attacking these targets because they have unique access to non-public information that could help expand a cyberespionage operation.

Reference: https://www.bleepingcomputer.com/news/security/hackers-pose-as-journalists-to-breach-news-media-org-s-networks/

The Russian state-sponsored hacking collective known as APT29 has been attributed to a new phishing campaign that takes advantage of legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads on compromised systems.

Reference: https://thehackernews.com/2022/07/russian-hackers-using-dropbox-and.html

Google has taken steps to ax dozens of fraudulent apps from the official Play Store that were spotted propagating Joker, Facestealer, and Coper malware families through the virtual marketplace.

Reference: https://thehackernews.com/2022/07/several-new-play-store-apps-spotted.html

A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets. Based on our threat data, the AiTM phishing campaign attempted to target more than 10,000 organizations since September 2021.

Reference: https://otx.alienvault.com/pulse/62cfdae1d229bd7943e0efee

In late June 2022, HP Wolf Security isolated an unusually stealthy malware campaign that used OpenDocument text (.odt) files to distribute malware. OpenDocument is an open, vendor-neutral file format compatible with several popular office productivity suites, including Microsoft Office, LibreOffice and Apache OpenOffice. As described in a blog post by Cisco Talos, the campaign targets the hotel industry in Latin America. The targeted hotels are contacted by email with fake booking requests. In the case below, the attached document was purportedly a guest registration document.

Reference: https://otx.alienvault.com/pulse/62d6a8c3abbfa5d5ea936d4a

In January 2022, a new browser hijacker/adware campaign named ChromeLoader (also known as Choziosi Loader and ChromeBack) was discovered. Despite using simple malicious advertisements, the malware became widespread, potentially leaking data from thousands of users and organizations. In this article, Unit42 researchers examine the technical details of this malware, focus on the evolution between its different versions and describe changes in its infection process. This article also reviews new variants that have not yet been publicly reported.

Reference: https://otx.alienvault.com/pulse/62cfdc330e8f4188c32a3518

CVE’s of the Week

VMWare

CVE-2022-31655 – Score 3.5

CVE-2022-31654 – Score 3.5

Cisco

CVE-2022-20862 – Score 4
CVE-2022-20859 – Score 9
CVE-2022-20815 – Score 4.3
CVE-2022-20813 – Score 4.3
CVE-2022-20812 – Score 8.5
CVE-2022-20808 – Score 4
CVE-2022-20800 – Score 4.3
CVE-2022-20791 – Score 4
CVE-2022-20768 – Score 3.5
CVE-2022-20752 – Score 5

Dell

CVE-2022-33936 – Score 10
CVE-2022-32481 – Score 7.2
CVE-2020-35169 – Score 7.5
CVE-2020-35168 – Score 7.5
CVE-2020-35167 – Score 7.5
CVE-2020-35166 – Score 7.5
CVE-2020-35164 – Score 7.5
CVE-2020-35163 – Score 7.5
CVE-2020-29508 – Score 7.5
CVE-2020-29507 – Score 7.5
CVE-2020-29506 – Score 7.5
CVE-2020-29505 – Score 5

Microsoft

CVE-2022-33680 – Score 5.1
CVE-2022-33675 – Score 4.6
CVE-2022-33674 – Score 5.8
CVE-2022-33673 – Score 5.5
CVE-2022-33672 – Score 5.5
CVE-2022-33671 – Score 4
CVE-2022-33669 – Score 4
CVE-2022-33668 – Score 4
CVE-2022-33667 – Score 5.5
CVE-2022-33666 – Score 5.5
CVE-2022-33665 – Score 5.5
CVE-2022-33664 – Score 4
CVE-2022-33663 – Score 5.5
CVE-2022-33662 – Score 5.5
CVE-2022-33661 – Score 5.5
CVE-2022-33660 – Score 4
CVE-2022-33659 – Score 4
CVE-2022-33658 – Score 4
CVE-2022-33657 – Score 5.5
CVE-2022-33656 – Score 5.5
CVE-2022-33655 – Score 5.5
CVE-2022-33654 – Score 4
CVE-2022-33653 – Score 4
CVE-2022-33652 – Score 4
CVE-2022-33651 – Score 4
CVE-2022-33650 – Score 4
CVE-2022-33644 – Score 4.4
CVE-2022-33643 – Score 5.5
CVE-2022-33642 – Score 6.5
CVE-2022-33641 – Score 5.5
CVE-2022-33637 – Score 4
CVE-2022-30214 – Score 6
CVE-2022-30213 – Score 2.1
CVE-2022-30187 – Score 1.9
CVE-2022-22711 – Score 4
CVE-2022-22050 – Score 7.2
CVE-2022-22049 – Score 7.2
CVE-2022-22048 – Score 6.6
CVE-2022-22047 – Score 7.2
CVE-2022-22045 – Score 6.9
CVE-2022-22043 – Score 7.2
CVE-2022-22042 – Score 4
CVE-2022-22041 – Score 9
CVE-2022-22040 – Score 7.5
CVE-2022-22039 – Score 6
CVE-2022-22038 – Score 6.8
CVE-2022-22037 – Score 8.5
CVE-2022-22036 – Score 4.4
CVE-2022-22034 – Score 7.2
CVE-2022-22031 – Score 7.2
CVE-2022-22029 – Score 6.8
CVE-2022-22028 – Score 4.3
CVE-2022-22027 – Score 6.8
CVE-2022-22026 – Score 7.2
CVE-2022-22025 – Score 5
CVE-2022-22024 – Score 5.1
CVE-2022-22023 – Score 6.9
CVE-2022-22022 – Score 3.6
CVE-2022-21845 – Score 4.7

Microsoft reminded customers that Windows Server, version 20H2 will be reaching its End of Service (EOS) next month, on August 9.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-windows-server-20h2-reaches-eos-next-month/

Microsoft says last week’s decision to roll back VBA macro auto-blocking in downloaded Office documents is only a temporary change.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-says-decision-to-unblock-office-macros-is-temporary/

Cisco on Wednesday rolled out patches for 10 security flaws spanning multiple products, one of which is rated Critical in severity and could be weaponized to conduct absolute path traversal attacks. In a related development, Fortinet addressed as many as four high-severity vulnerabilities affecting FortiAnalyzer, FortiClient, FortiDeceptor, and FortiNAC.

Reference: https://thehackernews.com/2022/07/cisco-and-fortinet-release-security.html

Eight months after disclosing a high-severity privilege escalation flaw in vCenter Server’s IWA (Integrated Windows Authentication) mechanism, VMware has finally released a patch for one of the affected versions. This vulnerability (tracked as CVE-2021-22048 and reported by CrowdStrike’s Yaron Zinar and Sagi Sheinfeld) also affects VMware’s Cloud Foundation hybrid cloud platform deployments. Successful exploitation enables attackers with non-administrative access to unpatched vCenter Server deployments to elevate privileges to a higher privileged group.

Reference: https://www.bleepingcomputer.com/news/security/vmware-patches-vcenter-server-flaw-disclosed-in-november/

Microsoft has fixed 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution.

Reference: https://www.bleepingcomputer.com/news/security/microsoft-fixes-dozens-of-azure-site-recovery-privilege-escalation-bugs/

Microsoft says that Windows Autopatch, an enterprise service that automatically keeps Windows and Microsoft 365 software up to date, is generally available starting 11/7/2022. Windows Autopatch was first announced in April when Microsoft said it would be available for free to Microsoft customers with a Windows 10/11 Enterprise E3 license or greater starting July 2022 (it reached public preview in early June).

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-autopatch-is-now-generally-available/

Hackers are impersonating well-known cybersecurity companies, such as CrowdStrike, in callback phishing emails to gain initial access to corporate networks. Over the past year, threat actors have increasingly used “callback” phishing campaigns that impersonate well-known companies requesting you call a number to resolve a problem, cancel a subscription renewal, or discuss another issue. When the target calls the numbers, the threat actors use social engineering to convince users to install remote access software on their devices, providing initial access to corporate networks. This access is then used to compromise the entire Windows domain.

Reference: https://www.bleepingcomputer.com/news/security/hackers-impersonate-cybersecurity-firms-in-callback-phishing-attacks/

Recently Zimperium discovered and began monitoring the growth of a wide range of malicious browser extensions with the same extension ID as that of Google Translate, deceiving users into believing that they have installed a legitimate extension. Similar to app spoofing and cloning, these malicious applications look legitimate, but underneath the surface lies code that puts personal and enterprise data at risk. These malicious extensions can perform a wide variety of attacks based on the attacker’s purpose, as the malware includes a javascript injection method from the attacker’s controlled server.

Reference: https://otx.alienvault.com/pulse/62cc1954b78e7fe63ff90784

TrendMicro recently found a new ransomware family, which we have dubbed as HavanaCrypt, that disguises itself as a legitimate Google Software Update application and uses a Microsoft web hosting service IP address as its command-and-control (C&C) server to circumvent detection.

Reference: https://otx.alienvault.com/pulse/62c7f28fe2bd732167bb24dc

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has chosen the first set of quantum-resistant encryption algorithms that are designed to “withstand the assault of a future quantum computer.” The post-quantum cryptography (PQC) technologies include the CRYSTALS-Kyber algorithm for general encryption, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures.

Reference: https://thehackernews.com/2022/07/nist-announces-first-four-quantum.html

The UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) have released a joint letter urging the legal industry not to pay ransomware demands. The letter (PDF) was released following an increase in the number of ransomware payments as tracked by both organizations and a growing suspicion that solicitors are advising their clients to give in to extortionate demands.

Reference: https://portswigger.net/daily-swig/uk-ncsc-and-ico-urge-legal-sector-to-discourage-businesses-from-paying-ransomware-demands

Organizations are increasingly using machine learning (ML) models in their applications and services without considering the security requirements they entail, a new study by security consultancy NCC Group shows.

Due to the unique ways that machine learning systems are developed and deployed, they introduce new threat vectors that developers are often unaware of, the study finds, adding that many of the old and known threats also apply to ML systems.

Reference: https://portswigger.net/daily-swig/take-threats-against-machine-learning-systems-seriously-security-firm-warns

Gitlab has patched a critical vulnerability that could allow an attacker to execute code remotely. The security issue, which has been rated as critical, has been discovered in all versions of GitLab, starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. An authenticated user could import a maliciously crafted project leading to remote code execution, an advisory from GitLab reads. The bug (CVE-2022-2185) has been patched in the latest version.

Reference: https://portswigger.net/daily-swig/gitlab-patches-critical-rce-bug-in-latest-security-release

The Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open source automation server, 29 of the bugs being zero-days still waiting to be patched.

Reference: https://www.bleepingcomputer.com/news/security/jenkins-discloses-dozens-of-zero-day-bugs-in-multiple-plugins/

Google shipped security updates to address a high-severity zero-day vulnerability in its Chrome web browser that it said is being exploited in the wild. The shortcoming, tracked as CVE-2022-2294, relates to a heap overflow flaw in the WebRTC component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native apps.

Reference: https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html

A widespread software supply chain attack has targeted the NPM package manager at least since December 2021 with rogue modules designed to steal data entered in forms by users on websites that include them.

Reference: https://thehackernews.com/2022/07/researchers-uncover-malicious-npm.html

Microsoft has expanded its confidential computing offering and now allows Azure cloud computing service customers to create hardware isolated virtual machines (aka confidential VMs) with Ephemeral OS disks. With this new public preview feature, Azure customers can create ephemeral OS disks only on the local VM storage (on VM cache or VM temp disk), thus ensuring that data remains 100% confidential since it will never be sent to remote Azure Storage.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-azure-now-has-confidential-vms-with-ephemeral-storage/

Microsoft has introduced a new Microsoft Defender for Endpoint (MDE) feature in public preview to help organizations detect weaknesses affecting Android and iOS devices in their enterprise networks.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-adds-network-protection-for-android-ios-devices/

A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards. The rogue worker had contacted about half a dozen HackerOne customers and collected bounties “in a handful of disclosures,” the company said on Friday.

Reference: https://www.bleepingcomputer.com/news/security/rogue-hackerone-employee-steals-bug-reports-to-sell-on-the-side/