This posting is here to collect cyber security news in March 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in March 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
370 Comments
Tomi Engdahl says:
FBI confirms access to Breached cybercrime forum database https://www.bleepingcomputer.com/news/security/fbi-confirms-access-to-breached-cybercrime-forum-database/
Today, the FBI confirmed they have access to the database of the notorious BreachForums (aka Breached) hacking forum after the U.S.
Justice Department also officially announced the arrest of its owner.
20-year-old Conor Brian Fitzpatrick (also known as Pompompurin) was charged for his involvement in the theft and sale of sensitive personal information belonging to “millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies” on the Breached cybercrime forum
Tomi Engdahl says:
Hackers drain bitcoin ATMs of $1.5 million by exploiting 0-day bug https://arstechnica.com/information-technology/2023/03/hackers-drain-bitcoin-atms-of-1-5-million-by-exploiting-0-day-bug/
Hackers drained millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that cant be reversed, the kiosk manufacturer has revealed. The heist targeted ATMs sold by General Bytes, a company with multiple locations throughout the world. These BATMs, short for bitcoin ATMs, can be set up in convenience stores and other businesses to allow people to exchange bitcoin for other currencies and vice versa. Customers connect the BATMs to a crypto application server (CAS) that they can manage or, until now, that General Bytes could manage for them. For reasons that arent entirely clear, the BATMs offer an option that allows customers to upload videos from the terminal to the CAS using a mechanism known as the master server interface
Tomi Engdahl says:
Emotet malware distributed as fake W-9 tax forms from the IRS https://www.bleepingcomputer.com/news/security/emotet-malware-distributed-as-fake-w-9-tax-forms-from-the-irs/
A new Emotet phishing campaign is targeting U.S. taxpayers by impersonating W-9 tax forms allegedly sent by the Internal Revenue Service and companies you work with. Emotet is a notorious malware infection distributed through phishing emails that in the past contained Microsoft Word and Excel documents with malicious macros that install the malware. However, after Microsoft began blocking macros by default in downloaded Office documents, Emotet switched to using Microsoft OneNote files with embedded scripts to install the Emotet malware
Tomi Engdahl says:
Microsoft pushes OOB security updates for Windows Snipping tool flaw https://www.bleepingcomputer.com/news/microsoft/microsoft-pushes-oob-security-updates-for-windows-snipping-tool-flaw/
Microsoft released an emergency security update for the Windows 10 and Windows 11 Snipping tool to fix the Acropalypse privacy vulnerability.
Now tracked as CVE-2023-28303, the Acropalypse vulnerability is caused by image editors not properly removing cropped image data when overwriting the original file. For example, if you take a screenshot and crop out sensitive information, such as account numbers, you should have reasonable expectations that this cropped data will be removed when saving the image
Tomi Engdahl says:
Suomalainen pörssiyhtiö joutui kiristyshaittaohjelman kohteeksi ohjelmistoja käyttää yli 50 000 ihmistä
https://www.tivi.fi/uutiset/tv/9e916e0c-a85d-46ba-a9d5-16c751792ee4
Suomalainen yritysohjelmistotalo Lemonsoft on joutunut kiristyshaittaohjelmaiskun vuoksi ajamaan palveluitaan alas viikonloppuna. Lemonsoft-toiminnanohjausjärjestelmän lisäksi myös Kellokortti-työajanseurantajärjestelmä oli pois käytöstä.
Haittaohjelmahyökkäys alkoi lauantaina kello 15.00. Yhtiö sulki varotoimenpiteenä kaikki palvelimensa. Lemonsoftin lokien mukaan asiakkaiden tietoja ei ole vuotanut. Yhtiö aikoo tehdä tapauksesta poliisille tutkintapyynnön ja ilmoituksen tietosuojaviranomaisille.
Lemonsoft ajaa parhaillaan ylös palveluitaan. Kellokortti-palvelu palautettiin käyttöön sunnuntain ja maanantain välisenä yönä. Tiedon palautuspiste on perjantai 24. maaliskuuta kello 16.00
Tomi Engdahl says:
Hackers earn $1,035,000 for 27 zero-days exploited at Pwn2Own Vancouver https://www.bleepingcomputer.com/news/security/hackers-earn-1-035-000-for-27-zero-days-exploited-at-pwn2own-vancouver/
Pwn2Own Vancouver 2023 has ended with contestants earning $1,035,000 and a Tesla Model 3 car for 27 zero-day (and several bug collisions) exploited between March 22 and 24. During the hacking competition, security researchers have targeted devices in the enterprise applications and communications, local escalation of privilege (EoP), virtualization, servers, and automotive categories, all up-to-date and in their default configuration. The total prize pool for Pwn2Own Vancouver 2023 was over $1,000,000 in cash and a Tesla Model 3, which Team Synacktiv won
Tomi Engdahl says:
New MacStealer macOS malware steals passwords from iCloud Keychain https://www.bleepingcomputer.com/news/security/new-macstealer-macos-malware-steals-passwords-from-icloud-keychain/
A new info-stealing malware named MacStealer is targeting Mac users, stealing their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files.
According to the Uptycs threat research team that discovered the new macOS malware, it can run on macOS Catalina (10.15) and up to the latest version of Apple’s OS, Ventura (13.2). hat information stealer also targeted credentials saved in browsers and cryptocurrency wallets, including Exodus, Phantom, Atomic, Electrum, and MetaMask.
With cryptocurrency wallets being highly targeted by threat actors, we will likely see further malware developers targeting macOS in their search for cryptocurrency wallets to steal
Tomi Engdahl says:
Supply Chain Attack via New Malicious Python Packages https://www.fortinet.com/blog/threat-research/supply-chain-attack-via-new-malicious-python-packages
By monitoring an open-source ecosystem, the FortiGuard Labs team discovered over 60 zero-day attacks embedded in PyPI packages (Python Package Index) between early February and mid-March of 2023. In this blog, we cover all the packages that were found, grouping them into similar attacks or behaviors. In this blog, we have reviewed several sets of packages, each with different styles of attacks, that we have gathered over the past month or so. The packages in each set seem to use similar methods of attack. Given the volume and variety of malicious packages we have discovered, Python end users should use caution when downloading packages and double-check them before use
Tomi Engdahl says:
How scammers employ IPFS for email phishing https://securelist.com/ipfs-phishing/109158/
Attackers have used and will continue to use cutting-edge technologies to reap profits. Of late, we observe an increase in the number of IPFS phishing attacks both mass and targeted. The distributed file system allows scammers to save money on domain purchase. Plus, it is not easy to completely delete a file, although, there are attempts to combat fraud at IPFS gateway level. The good news is that anti-spam solutions detect and block links to phishing files in IPFS, just like any other phishing links.
Tomi Engdahl says:
Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April
https://www.securityweek.com/microsoft-no-interaction-outlook-zero-day-exploited-since-last-april/
Microsoft says it has evidence that Russian APT actors were exploiting a nasty Outlook zero-day as far back as April 2022, upping the stakes on organizations to start hunting for signs of compromise.
Microsoft says it has evidence that Russian APT actors were exploiting a nasty Outlook zero-day as far back as April 2022, a disclosure that ups the stakes on organizations to start hunting for signs of compromise.
The vulnerability, tracked as CVE-2023-23397, was flagged in the ‘already exploited’ category when Redmond shipped a fix earlier this month and Microsoft’s incident responders have pinned the attacks on Russian government-level hackers targeting organizations in Europe.
“Microsoft has traced evidence of potential exploitation of this vulnerability as early as April 2022,” the company said in fresh documentation that provides guidance for investigating attacks linked to the Outlook flaw.
Microsoft also shipped a CVE-2023-23397 detection script and urged organizations to review the output of this script to determine whether an exploit was successful.
https://www.securityweek.com/microsoft-patch-tuesday-zero-day-attacks/
Guidance for investigating attacks using CVE-2023-23397
https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
CVE-2023-23397 script
https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
Tomi Engdahl says:
GitHub Suspends Repository Containing Leaked Twitter Source Code
https://www.securityweek.com/github-suspends-repository-containing-leaked-twitter-source-code/
Twitter sent a copyright notice to code hosting service GitHub to request the removal of a repository that contained Twitter source code.
Social media platform Twitter on Friday sent a copyright violation notice to code hosting service GitHub to request the removal of a repository that contained Twitter source code.
Twitter, now owned by Elon Musk following last year’s $44 billion takeover deal, was looking to take down a public repository owned by GitHub user ‘FreeSpeechEnthusiast’.
According to Twitter, the repository illegally hosted “proprietary source code for Twitter’s platform and internal tools”.
In addition to the repository takedown, the social media platform was also asking for information that could help it identify the owner and the users who might have accessed the repository before it was suspended.
“Please preserve and provide copies of any related upload / download / access history (and any contact info, IP addresses, or other session info related to same), and any associated logs related to this repo or any forks thereof, before removing all the infringing content from GitHub,” the DMCA notice reads.
Tomi Engdahl says:
Chrome 111 Update Patches High-Severity Vulnerabilities
https://www.securityweek.com/chrome-111-update-patches-high-severity-vulnerabilities/
The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.
Google this week announced a Chrome 111 update that brings patches for eight vulnerabilities, including seven flaws that were reported by external researchers.
All seven of the externally reported issues are high-severity memory safety bugs, with four of them described as use-after-free vulnerabilities, a type of bug that could lead to arbitrary code execution, data corruption, or denial of service.
Tomi Engdahl says:
Hackers Earn Over $1 Million at Pwn2Own Exploit Contest
https://www.securityweek.com/hackers-earn-over-1-million-at-pwn2own-exploit-contest/
Security researchers raked in more than $1 million in prizes at this year’s CanSecWest Pwn2Own software exploitation contest.
Tomi Engdahl says:
GoAnywhere Zero-Day Attack Hits Major Orgs
https://www.securityweek.com/goanywhere-zero-day-attack-hits-major-orgs/
Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra’s GoAnywhere software.
Tomi Engdahl says:
Australia Dismantles BEC Group That Laundered $1.7 Million
https://www.securityweek.com/australia-dismantles-bec-group-that-laundered-1-7-million/
Law enforcement in Australia announce the arrest of four individuals accused of running business email compromise (BEC) schemes.
Tomi Engdahl says:
GitHub Rotates Publicly Exposed RSA SSH Private Key
https://www.securityweek.com/github-rotates-publicly-exposed-rsa-ssh-private-key/
GitHub replaced the RSA SSH private key used to secure Git operations for GitHub.com after it was exposed in a public GitHub repository.
Tomi Engdahl says:
Is Your USB-C Dock Out To Hack You?
https://hackaday.com/2023/03/26/is-your-usb-c-dock-out-to-hack-you/
In today’s installment of Betteridge’s law enforcement, here’s an evil USB-C dock proof-of-concept by [Lachlan Davidson] from [Aura Division]. We’ve seen malicious USB devices aplenty, from cables and chargers to flash drives and even suspicious USB fans. But a dock, however, is new. The gist is simple — you take a stock dock, find a Pi Zero W and wire it up to a USB 2.0 port tapped somewhere inside the dock. Finding a Pi Zero is unquestionably the hardest part in this endeavor — on the software side, everything is ready for you, just flash an SD card with a pre-cooked malicious image and go!
On the surface level, this might seem like a cookie-cutter malicious USB attack. However, there’s a non-technical element to it; USB-C docks are becoming more and more popular, and with the unique level of convenience they provide, the “plug it in” temptation is much higher than with other devices. For instance, in shared workspaces, having a USB-C cable with charging and sometimes even a second monitor is becoming a norm. If you use USB-C day-to-day, the convenience of just plugging a USB-C cable into your laptop becomes too good to pass up on.
The Threat on Your Desk: Building an Evil USB-C Dock
https://research.aurainfosec.io/pentest/threat-on-your-desk-evil-usbc-dock/
https://github.com/RoganDawes/P4wnP1_aloa
Tomi Engdahl says:
https://hackaday.com/2023/03/25/recreating-one-of-historys-best-known-spy-gadgets/
Tomi Engdahl says:
https://hackaday.com/2015/12/08/theremins-bug/
Tomi Engdahl says:
Loudmouth DJI Drones Tell Everyone Where You Are
https://hackaday.com/2023/03/26/loudmouth-dji-drones-tell-everyone-where-you-are/
Back when commercial quadcopters started appearing in the news on the regular, public safety was a talking point. How, for example, do we keep them away from airports? Well, large drone companies didn’t want the negative PR, so some voluntarily added geofencing and tracking mechanisms to their own drones.
When it comes to DJI, one such mechanism is DroneID: a beacon on the drone itself, sending out a trove of data, including its operator’s GPS location. DJI also, of course, sells the Aeroscope device that receives and decodes DroneID data, declared to be for government use. As it often is with privacy-compromising technology, turns out it’s been a bigger compromise than we expected.
This Hacker Tool Can Pinpoint a DJI Drone Operator’s Exact Location
https://www.wired.com/story/dji-droneid-operator-location-hacker-tool/
Every DJI quadcopter broadcasts its operator’s position via radio—unencrypted. Now, a group of researchers has learned to decode those coordinates.
Tomi Engdahl says:
Jos löydät iPhonesi tai iPadisi tältä listalta, on syytä toimia nopeasti https://www.is.fi/digitoday/art-2000009482178.html
Tomi Engdahl says:
Android apps digitally signed by the fast-growing e-commerce company Pinduoduo exploited a zero-day vulnerability, allowing them to surreptitiously take control of millions of end-user devices to steal personal data and install malicious apps, researchers say.
https://arstechnica.com/information-technology/2023/03/android-app-from-china-executed-0-day-exploit-on-millions-of-devices/?utm_social-type=owned&utm_medium=social&utm_source=facebook&utm_brand=ars
Tomi Engdahl says:
Venäläiset hakkerit muuttaneet strategiaansa – kyberiskut lisääntyneet Euroopassa, kertoo tuore raportti
https://f7td5.app.goo.gl/esZ32t
Lähetyskanava @updayFI
Venäläiset hakkerit muuttaneet strategiaansa – kyberiskut lisääntyneet Euroopassa, kertoo tuore raportti
Sodan alussa suurin osa kyberhyökkäyksistä koski vain Ukrainaa. Vuoden 2023 alussa ylivoimainen enemmistö häiriötilanteista tapahtui EU-maissa.
VIIME vuoden lopussa kyberiskut lisääntyivät huomattavasti Puolassa, Baltian maissa ja Pohjoismaissa, korkeaan teknologiaan sekä digitaaliseen turvallisuuteen keskittyvä yritys Thales kertoo tuoreessa raportissaan.
Ruotsissa tehtiin muihin Pohjoismaihin nähden erityisen paljon kyberiskuja.
Iskut ovat tähän mennessä olleet melko harmittomia palvelunestohyökkäyksiä, mutta laajemmin niiden tavoitteena on lisätä päätöksentekijöiden ja kansalaisten huolta, Thalesissa työskentelevä kyberturva-asiantuntija Jukka Nokso-Koivisto sanoo.
Tomi Engdahl says:
Microsoft korjasi hälyttävän kuvavirheen Windowsista – vahinko tapahtui jo https://www.is.fi/digitoday/tietoturva/art-2000009480040.html
MICROSOFT julkaisi korjauksen Windows 10:n ja Windows 11:n haavoittuvuuteen, joka vaarantaa rajaamalla käsiteltyjen kuvien turvallisuuden. Kuvista pois rajattuja alueita on mahdollista palauttaa, mikä uhkaa useiden netissä jo julkaistujen kuvien julkaisijoiden yksityisyyttä.
Windowsissa ongelma koskee 10:n osalta sen uudempaa Leikkaa ja luonnostele -työkalua (Snip & Sketch), ei vanhempaa, useimmissa koneissa silti olevaa Snipping Toolia. Ohjelmistojen termistö on hieman hankalaa, sillä Windows 11:n Snipping Tool on altis virheelle.
Haavoittuvuuden vakavuus on alhainen, koska sen onnistunut käyttäminen vaatii epätavallisia käyttäjän toimia ja useita sellaisia tekijöitä, jotka eivät ovat hyökkääjän hallinnassa. Jotta ongelma koskisi kuvaa, käyttäjän pitää luoda se tietyissä olosuhteissa:
Käyttäjän on otettava kuvakaappaus, tallennettava se tiedostoon, muokattava tiedostoa (esimerkiksi rajata sitä) ja sitten tallentaa muokattu tiedosto samaan paikkaan.
Käyttäjän pitää avata kuva Snipping Toolissa, muokata tiedostoa (kuten rajata sitä) ja tallentaa muokattu tiedosto samaan paikkaan.Jos kuvan yksinkertaisesti rajaa heti kaappauksen ottamisen jälkeen tallentamatta sitä ensin, ei ongelmaa synny.
WINDOWS 10:N Snip & Sketchin paikattu versio on 11.2302.20.0. Windows 11:n Snipping Toolin korjattu versio on 10.2008.3001.0.
Tomi Engdahl says:
The Most Dangerous Codec in the World:
Finding and Exploiting Vulnerabilities in H.264 Decoders
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwrv.github.io%2Fh26forge.pdf&h=AT1ZQeezNLyRudiaHDQgiYF6mP6_c3SlgCfkdeRIDD-8boXNYnRThWv9MhlE8NaFL7jtLwYtet5_DiEcMjdow9GEVoR-e4tneqcy5tZIHF6d1kqBfncoXcIYZ92Sp48SXy5FGTANC-s8x64RYQ
Tomi Engdahl says:
Apple Issues Urgent Security Update for Older iOS and iPadOS Models https://thehackernews.com/2023/03/apple-issues-urgent-security-update-for.html
Apple on Monday backported fixes for an actively exploited security flaw to older iPhone and iPad models. The issue, tracked as CVE-2023-23529, concerns a type confusion bug in the WebKit browser engine that could lead to arbitrary code execution. The update is available in versions iOS 15.7.4 and iPadOS 15.7.4 for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). The disclosure comes as Apple rolled out iOS 16.4, iPadOS 16.4, macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5, tvOS 16.4, and watchOS 9.4 with numerous bug fixes
Tomi Engdahl says:
Joomla! CVE-2023-23752 to Code Execution https://vulncheck.com/blog/joomla-for-rce
On February 16, 2023, Joomla! published a security advisory for CVE-2023-23752. The advisory describes an “improper access check”
affecting Joomla! 4.0.0 through 4.2.7. The following day, a chinese-language blog shared the technical details of the vulnerability. The blog describes an authentication bypass that allows an attacker to leak privileged information. The blog’s disclosure was followed by a stream of exploits hitting GitHub, and multiple indicators of exploitation in the wild. The public exploits focus on leaking the victim’s MySQL database credentials – an unexciting prospect (we thought), because exposing the database to the internet is a dangerous misconfiguration. Nonetheless, attackers seemed interested in the vulnerability, so we sought to find out why
Tomi Engdahl says:
Crown Resorts confirms ransom demand after GoAnywhere breach https://www.bleepingcomputer.com/news/security/crown-resorts-confirms-ransom-demand-after-goanywhere-breach/
Crown Resorts, Australia’s largest gambling and entertainment company, has confirmed that it suffered a data breach after its GoAnywhere secure file-sharing server was breached using a zero-day vulnerability. The Blackstone-owned company has an annual revenue that surpasses $8 billion and operates complexes in Melbourne, Perth, Sydney, Macau, and London. This data breach was conducted by the Clop ransomware gang, which has shifted over the past year from encrypting files to performing data extortion attacks
Tomi Engdahl says:
https://www.securityweek.com/nigerian-bec-scammer-sentenced-to-prison-in-us/
Tomi Engdahl says:
Data Breaches
14 Million Records Stolen in Data Breach at Latitude Financial Services
https://www.securityweek.com/14-million-records-stolen-in-data-breach-at-latitude-financial-services/
Australian financial services provider Latitude says roughly 14 million user records were stolen in a recent cyberattack.
Australian financial services company Latitude Financial Services now says that roughly 14 million records were stolen in a cyberattack earlier this month.
The incident was disclosed in mid-March, when the company started notifying roughly 300,000 customers of a data breach impacting their personal information.
In an updated notification, the company this week announced that the incident, which has caused service disruptions, was bigger than initially determined.
Initially, the company said that the data breach occurred at two service providers. On March 16, however, the attackers compromised Latitude’s network, prompting the company to disconnect some systems to contain the incident.
“Once the attack was discovered, we took immediate and decisive action, including isolating systems, taking them offline to protect personal information. Unfortunately, this action continues to cause disruption to our services,” the company says.
The data breach resulted in the compromise of the personal information of current and past customers, and applicants in Australia and New Zealand, Latitude says.
The attackers stole roughly 7.9 million driver license numbers, including 3.2 million that were provided to the company over the past ten years. In addition, the attackers stole 6.1 million other records, including 5.7 million that were provided between (at least) 2005 and 2013.
Tomi Engdahl says:
China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign
https://www.securityweek.com/chinas-nuclear-energy-sector-targeted-in-cyberespionage-campaign/
A South Asian espionage group named Bitter has been targeting the Chinese nuclear energy sector.
A South Asian advanced persistent threat (APT) actor has been targeting the nuclear energy sector in China in a recent cyberespionage campaign, Intezer reports.
Dubbed ‘Bitter’ and active since at least 2021, the group is known for the targeting of energy and government organizations in Bangladesh, China, Pakistan, and Saudi Arabia, and is characterized by the use of Excel exploits, and Microsoft Compiled HTML Help (CHM) and Windows Installer (MSI) files.
Continuing to target Chinese organizations, the group used updated first-stage payloads in the recently observed espionage campaign, added an extra layer of obfuscation, and employed additional decoys for social engineering.
The Bitter APT targeted recipients in China’s nuclear energy industry with at least seven phishing emails impersonating the embassy of Kyrgyzstan in China, inviting them to join conferences on relevant subjects.
Phishing Campaign Targets Chinese Nuclear Energy Industry
https://www.intezer.com/blog/research/phishing-campaign-targets-nuclear-energy-industry/
Tomi Engdahl says:
Cybercrime
Thousands Access Fake DDoS-for-Hire Websites Set Up by UK Police
https://www.securityweek.com/thousands-access-fake-ddos-for-hire-websites-set-up-by-uk-police/
The UK’s National Crime Agency has been running several DDoS-for-hire websites to collect information about individuals looking to launch such attacks.
The UK’s National Crime Agency (NCA) has been running several fake DDoS-for-hire websites in an effort to infiltrate the cybercrime marketplace and collect information on individuals engaging in these types of activities.
The law enforcement agency has set up an unspecified number of websites that claim to allow users to launch distributed denial-of-service (DDoS) attacks against a specified target.
These types of services, also known as ‘booter’ or ‘stresser’ services, have posed a significant problem to many organizations around the world, as they allow individuals with limited skills and financial resources to launch highly disruptive attacks.
The fake DDoS-for-hire websites run by the NCA were set up as part of an international law enforcement operation named ‘Power Off’. Last year, the same operation resulted in the seizure of 46 internet domains associated with booter services.
The NCA recently decided to replace the homepage of one of its fake websites with a page informing visitors that their information has been collected and that they should expect to be contacted by law enforcement.
The identified users of the fake DDoS-for-hire websites who are located in the UK will be contacted by the NCA or police and warned about the consequences of their actions.
Tomi Engdahl says:
Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April
https://www.securityweek.com/microsoft-no-interaction-outlook-zero-day-exploited-since-last-april/
Microsoft says it has evidence that Russian APT actors were exploiting a nasty Outlook zero-day as far back as April 2022, upping the stakes on organizations to start hunting for signs of compromise.
Tomi Engdahl says:
iOS Security Update Patches Exploited Vulnerability in Older iPhones
https://www.securityweek.com/ios-security-update-patches-exploited-vulnerability-in-older-iphones/
Apple has released security updates for older iPhones to address a vulnerability exploited in attacks.
Apple this week announced fresh security updates for macOS and iOS, including patches that address an exploited vulnerability in older iPhone models.
The issue, tracked as CVE-2023-23529, was initially addressed as a zero-day in mid-February, with the release of iOS and iPadOS 16.3.1 and macOS Ventura 13.2.1. Apple credited an anonymous researcher for reporting the bug.
Impacting WebKit, the flaw can lead to arbitrary code execution during the processing of maliciously crafted web content and was addressed with improved checks.
“Apple is aware of a report that this issue may have been actively exploited,” the Cupertino-based tech giant notes in its advisory.
Patches for this vulnerability are included in iOS 15.7.4 and iPadOS 15.7.4, which are now rolling out to all iPhone 6s and iPhone 7 models, first-generation iPhone SE, iPad Air 2, fourth-gen iPad mini, and seventh-gen iPod touch.
Tomi Engdahl says:
ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
https://www.securityweek.com/chatgpt-data-breach-confirmed-as-security-firm-warns-of-vulnerable-component-exploitation/
OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an actively exploited vulnerability.
ChatGPT creator OpenAI has confirmed a data breach caused by a bug in an open source library, just as a cybersecurity firm noticed that a recently introduced component is affected by an actively exploited vulnerability.
OpenAI said on Friday that it had taken the chatbot offline earlier in the week while it worked with the maintainers of the Redis data platform to patch a flaw that resulted in the exposure of user information.
The issue was related to ChatGPT’s use of Redis-py, an open source Redis client library, and it was introduced by a change made by OpenAI on March 20.
The chatbot’s developers use Redis to cache user information in their server, to avoid having to check the database for every request. The Redis-py library serves as a Python interface.
The bug introduced by OpenAI resulted in ChatGPT users being shown chat data belonging to others.
https://twitter.com/JordanLWheeler/status/1637853083865579520
If you use #ChatGPT be careful! There’s a risk of your chats being shared to other users!
Today I was presented another user’s chat history.
I couldn’t see contents, but could see their recent chats’ titles.
#security #privacy #openAI #AI
Tomi Engdahl says:
The docker image version used in OpenAI’s example, release 2022-03-17, is affected by CVE-2023-28432, a potentially serious information disclosure vulnerability. The security hole can be leveraged to obtain secret keys and root passwords and GreyNoise has already seen attempts to exploit the vulnerability in the wild.
Tomi Engdahl says:
WiFi protocol flaw allows attackers to hijack network traffic
https://www.bleepingcomputer.com/news/security/wifi-protocol-flaw-allows-attackers-to-hijack-network-traffic/
Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, allowing attackers to trick access points into leaking network frames in plaintext form.
WiFi frames are data containers consisting of a header, data payload, and trailer, which include information such as the source and destination MAC address, control, and management data.
These frames are ordered in queues and transmitted in a controlled matter to avoid collisions and to maximize data exchange performance by monitoring the busy/idle states of the receiving points.
The researchers found that queued/buffered frames are not adequately protected from adversaries, who can manipulate data transmission, client spoofing, frame redirection, and capturing.
“Our attacks have a widespread impact as they affect various devices and operating systems (Linux, FreeBSD, iOS, and Android) and because they can be used to hijack TCP connections or intercept client and web traffic,”
Power-saving flaw
The IEEE 802.11 standard includes power-save mechanisms that allow WiFi devices to conserve power by buffering or queuing frames destined for sleeping devices.
When a client station (receiving device) enters sleep mode, it sends a frame to the access point with a header that contains the power-saving bit, so all frames destined for it are queued.
The standard, however, does not provide explicit guidance on managing the security of these queued frames and does not set limitations like how long the frames can stay in this state.
Once the client station wakes up, the access point dequeues the buffered frames, applies encryption, and transmits them to the destination.
An attacker can spoof the MAC address of a device on the network and send power-saving frames to access points, forcing them to start queuing frames destined for the target. Then, the attacker transmits a wake-up frame to retrieve the frame stack.
The transmitted frames are usually encrypted using the group-addressed encryption key, shared among all the devices in the WiFi network, or a pairwise encryption key, which is unique to each device and used to encrypt frames exchanged between two devices.
However, the attacker can change the security context of the frames by sending authentication and association frames to the access point, thus forcing it to transmit the frames in plaintext form or encrypt them with an attacker-provided key.
This attack is possible using custom tools created by the researchers called MacStealer, which can test WiFi networks for client isolation bypasses and intercept traffic destined for other clients at the MAC layer.
The researchers report that network device models from Lancom, Aruba, Cisco, Asus, and D-Link are known to be affected by these attacks
The researchers warn that these attacks could be used to inject malicious content, such as JavaScript, into TCP packets.
“An adversary can use their own Internet-connected server to inject data into this TCP connection by injecting off-path TCP packets with a spoofed sender IP address,” warn the researchers.
“This can, for instance, be abused to send malicious JavaScript code to the victim in plaintext HTTP connections with as goal to exploit vulnerabilities in the client’s browser.”
Cisco acknowledges flaw
The first vendor to acknowledge the impact of the WiFi protocol flaw is Cisco, admitting that the attacks outlined in the paper may be successful against Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities.
However, Cisco believes says that the retrieved frames are unlikely to jeopardize the overall security of a properly secured network.
Tomi Engdahl says:
Ransomware crooks are exploiting IBM file-exchange bug with a 9.8 severity https://arstechnica.com/information-technology/2023/03/ransomware-crooks-are-exploiting-ibm-file-exchange-bug-with-a-9-8-severity/
The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM’s proprietary FASP-short for Fast, Adaptive, and Secure Protocol-to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow thats similar to email
Tomi Engdahl says:
Google finds more Android, iOS zero-days used to install spyware https://www.bleepingcomputer.com/news/security/google-finds-more-android-ios-zero-days-used-to-install-spyware/
Google’s Threat Analysis Group (TAG) discovered several exploit chains using Android, iOS, and Chrome zero-day and n-day vulnerabilities to install commercial spyware and malicious apps on targets’ devices. The attackers targeted iOS and Android users with separate exploit chains as part of a first campaign spotted in November 2022
Tomi Engdahl says:
WiFi protocol flaw allows attackers to hijack network traffic https://www.bleepingcomputer.com/news/security/wifi-protocol-flaw-allows-attackers-to-hijack-network-traffic/
Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, allowing attackers to trick access points into leaking network frames in plaintext form. WiFi frames are data containers consisting of a header, data payload, and trailer, which include information such as the source and destination MAC address, control, and management data.
These frames are ordered in queues and transmitted in a controlled matter to avoid collisions and to maximize data exchange performance by monitoring the busy/idle states of the receiving points
Tomi Engdahl says:
Exploring Potential Security Challenges in Microsoft Azure https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/exploring-potential-security-challenges-in-microsoft-azure
Serverless computing has an ideal operational model, one that allows organizations to run services without provisioning and managing underlying infrastructure. With serverless technology, cloud service providers (CSPs) are in charge of all things related to infrastructure. In our new report, we performed exploitation simulations of user-provided code vulnerabilities among serverless services provided by the major CSPs in the market. We have chosen to zero in on Microsoft Azure, where we found the most number of sensitive environmental variables based on our investigation. Leaked environmental variables can lead to the full compromise of the entire serverless environment
Tomi Engdahl says:
Microsoft Defender mistakenly tagging URLs as malicious https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-mistakenly-tagging-urls-as-malicious/
Microsoft Defender is mistakenly flagging legitimate links as malicious, and some customers have already received dozens of alert emails since the issues began over five hours ago. As the company confirmed earlier today on Twitter, its engineers are investigating this service incident as a false positive. “We’re investigating an issue where legitimate URL links are being incorrectly marked as malicious by the Microsoft Defender service. Additionally, some of the alerts are not showing content as expected,” Microsoft said
Tomi Engdahl says:
Moobot Strikes Again – Targeting Cacti And RealTek Vulnerabilities https://www.fortinet.com/blog/threat-research/moobot-strikes-again-targeting-cacti-and-realtek-vulnerabilities
FortiGuard Labs observed several attacking bursts targeting Cacti and Realtek vulnerabilities in January and March of this year and then spreading ShellBot and Moobot malware. ShellBot is a malware developed in Perl that uses the Internet Relay Chat (IRC) protocol to communicate with the server, also known as PerlBot. Moobot is a Mirai variant botnet that targets exposed networking dev. Moobot is a Mirai variant botnet that targets exposed networking devices. Compromised endpoints can be controlled by its C&C server and deliver further attacks, such as distributed denial-of-service attacks. The vulnerabilities mentioned above have a critical security impact that can lead to remote code execution. Therefore, it is highly recommended that patches and updates be applied as soon as possible
Tomi Engdahl says:
New OpcJacker Malware Distributed via Fake VPN Malvertising https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html
We discovered a new malware, which we named “OpcJacker” (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022.
OpcJacker is an interesting piece of malware, since its configuration file uses a custom file format to define the stealer’s behavior.
Specifically, the format resembles custom virtual machine code, where numeric hexadecimal identifiers present in the configuration file make the stealer run desired functions. The purpose of using such a design is likely to make understanding and analyzing the malwares code flow more difficult for researchers
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cloudpanel-installations-use-the-same-ssl-certificate-private-key/
Tomi Engdahl says:
https://arstechnica.com/information-technology/2023/03/hackers-drain-bitcoin-atms-of-1-5-million-by-exploiting-0-day-bug/
Tomi Engdahl says:
Microsoft pushes out PowerShell scripts to fix BitLocker bypass
Attackers exploiting the vulnerability could access encrypted data
https://www.theregister.com/2023/03/19/microsoft_fix_bitlocker_bypass/
Tomi Engdahl says:
Google: Turn off VoLTE, Wi-Fi calling due to severe Exynos modem vulnerabilities on Pixel 6, more
https://9to5google.com/2023/03/16/google-exynos-modem-vulnerabilities/
Tomi Engdahl says:
CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
On March 29, 2023, CrowdStrike observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp – a softphone application from 3CX. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity. The 3CXDesktopApp is available for Windows, macOS, Linux and mobile. At this time, activity has been observed on both Windows and macOS
Tomi Engdahl says:
Dissecting AlienFox | The Cloud Spammers Swiss Army Knife https://www.sentinelone.com/labs/dissecting-alienfox-the-cloud-spammers-swiss-army-knife/
SentinelLabs has identified a new toolkit dubbed AlienFox that attackers are using to compromise email and web hosting services.
AlienFox is highly modular and evolves regularly. Most of the tools are open-source, meaning that actors can readily adapt and modify to suit their needs