Cyber security news March 2023

This posting is here to collect cyber security news in March 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

370 Comments

  1. Tomi Engdahl says:

    Huge Microsoft exploit allowed users to manipulate Bing search results and access Outlook email accounts https://www.theverge.com/2023/3/30/23661426/microsoft-azure-bing-office365-security-exploit-search-results
    A dangerous vulnerability was detected in Microsoft’s Bing search engine earlier this year that allowed users to alter search results and access other Bing users’ private information from the likes of Teams, Outlook, and Office 365. Back in January, security researchers at Wiz discovered a misconfiguration in Azure – Microsoft’s cloud computing platform – that compromised Bing, allowing any Azure user to access applications without authorization.

    Reply
  2. Tomi Engdahl says:

    A well-known online extortionist has claimed responsibility for the cyberattack on Oscar Software
    https://www.tivi.fi/uutiset/tv/5d0821ac-0607-455a-85cb-998e41bfbb43
    A group called Play, which specializes in online extortion, has announced that it is behind the cyberattack carried out last week against the enterprise software company Oscar Software. The announcement was published on a dark web site where Play has previously also named companies targeted by its attacks.

    Reply
  3. Tomi Engdahl says:

    Unpatched Security Flaws Expose Water Pump Controllers to Remote Hacker Attacks
    https://www.securityweek.com/unpatched-security-flaws-expose-water-pump-controllers-to-remote-hacker-attacks/

    Water pumping systems made by ProPump and Controls are affected by several vulnerabilities that could allow hackers to cause significant problems.

    A water pumping system made by ProPump and Controls is affected by several vulnerabilities that could allow hackers to cause significant problems.

    The impacted product is the Osprey Pump Controller made by US-based ProPump and Controls, a company that specializes in pumping systems and automated controls for a wide range of applications, including golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial.

    The vulnerabilities were discovered by Gjoko Krstic, founder and chief information security engineer of Macedonian cybersecurity research firm Zero Science Lab. The security holes were identified during an assessment at a client that involved the analysis of actual devices — rather than just firmware image analysis, as is often the case with industrial control system (ICS) research.

    Krstic attempted to report his findings to the vendor directly, as well as through the US Cybersecurity and Infrastructure Security Agency (CISA) and Carnegie Mellon University’s Vulnerability Information and Coordination Environment (VINCE). However, the vendor has not responded and the vulnerabilities likely remain unpatched.

    Reply
  4. Tomi Engdahl says:

    ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
    https://www.securityweek.com/chatgpt-data-breach-confirmed-as-security-firm-warns-of-vulnerable-component-exploitation/

    OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an actively exploited vulnerability.

    Reply
  5. Tomi Engdahl says:

    Malware & Threats
    3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
    https://www.securityweek.com/3cx-confirms-supply-chain-attack-as-researchers-uncover-mac-component/
    3CX confirms investigating a security breach as the cybersecurity community is sharing more information on what appears to be a sophisticated supply chain attack.

    Reply
  6. Tomi Engdahl says:

    500k Impacted by Data Breach at Debt Buyer NCB

    NCB Management Services is informing roughly 500,000 individuals of a data breach impacting their personal information.

    https://www.securityweek.com/500k-impacted-by-data-breach-at-debt-buyer-ncb/

    Reply
  7. Tomi Engdahl says:

    Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
    https://www.securityweek.com/chinese-cyberspies-use-melofee-linux-malware-for-stealthy-attacks/

    The recently identified Melofee Linux implant allowed Chinese cyberespionage group Winnti to conduct stealthy, targeted attacks.

    A recently identified stealthy Linux implant has allowed Chinese cyberespionage group Winnti to conduct targeted attacks under the radar, French cybersecurity firm ExaTrack warns.

    Dubbed ‘Melofee’ and targeting Linux servers, the malware is accompanied by a kernel mode rootkit and is installed using shell commands, a behavior like that of other Winnti Linux rootkits.

    The identified Melofee samples are likely dated April/May 2022 and share a common code base, but show small changes in communication protocol, encryption, and functionality. The main change between observed samples is the inclusion of a kernel mode rootkit in the newest version.

    The rootkit is a modified version of an open-source project called Reptile and has limited functionality, mainly installing a hook to hide itself and another to ensure communication with the userland component.

    The infection chain involves the use of shell commands to fetch an installer and a custom binary from an attacker-controlled server. Written in C++, the installer deploys both the rootkit and the server implant and ensures that both are executed at boot time.

    Mélofée: a new alien malware in the Panda’s toolset targeting Linux hosts
    https://blog.exatrack.com/melofee/

    We recently discovered a novel undetected implant family targeting Linux servers, which we dubbed Mélofée.

    We linked with high confidence this malware to Chinese state-sponsored APT groups, in particular the notorious Winnti group.

    In this blogpost we will first analyze the capabilities offered by this malware family, which include a kernel mode rootkit, and then deep dive in an infrastructure pivot maze to discover related adversary toolsets.

    Reply
  8. Tomi Engdahl says:

    Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
    https://www.securityweek.com/microsoft-cloud-vulnerability-led-to-bing-search-hijacking-exposure-of-office-365-data/

    An Azure Active Directory (AAD) misconfiguration leading to Bing.com compromise earned Wiz researchers a $40,000 bug bounty reward.

    A misconfiguration in Azure Active Directory (AAD) that exposed applications to unauthorized access could have led to a Bing.com takeover, according to cybersecurity firm Wiz.

    Microsoft’s AAD, a cloud-based identity and access management (IAM) service, is typically used as the authentication mechanism for Azure App Services and Azure Functions applications.

    The service supports different types of account access, including multi-tenant, where any user belonging to any Azure tenant can issue an OAuth token for them, unless proper restrictions are in place.

    For multi-tenant applications, developers are responsible for checking a user’s original tenant and enforcing access policies to prevent unauthorized logins, but Wiz discovered that more than 25% of the multi-tenant apps accessible from the internet lack proper validation.

    Reply
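
The tenant check that the article above says developers of multi-tenant apps are responsible for, as an added example (not code from Wiz, Microsoft or the article). It assumes the token's signature, audience and expiry were already verified by a JWT library; the tenant GUIDs and the names check_tenant and audit are constructed for illustration.

```python
import re

# Assumption: constructed placeholder tenant IDs, not real tenants.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
OUTSIDER = "99999999-9999-9999-9999-999999999999"
ALLOWED_TENANTS = {HOME_TENANT, PARTNER_TENANT}

# Issuer formats of AAD v2.0 and v1.0 tokens; the embedded GUID must equal `tid`.
ISSUER_RE = re.compile(
    r"^https://(?:login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0"
    r"|sts\.windows\.net/([0-9a-f-]{36})/)$"
)

def check_tenant(claims, allowed=ALLOWED_TENANTS):
    """Return (ok, reason) for the claims of an already-verified token."""
    tid = str(claims.get("tid", "")).lower()
    if not tid:
        return False, "missing tid claim"
    m = ISSUER_RE.match(str(claims.get("iss", "")).lower())
    if not m:
        return False, "unrecognized issuer"
    if (m.group(1) or m.group(2)) != tid:
        return False, "issuer does not match tid"
    if tid not in allowed:  # the step a multi-tenant app must not skip
        return False, "tenant not on allow-list"
    return True, "ok"

def _claims(tid, iss_tid=None, v1=False):
    """Build a constructed claims set for the samples below."""
    iss_tid = iss_tid or tid
    iss = (f"https://sts.windows.net/{iss_tid}/" if v1
           else f"https://login.microsoftonline.com/{iss_tid}/v2.0")
    return {"tid": tid, "iss": iss, "aud": "api://constructed-app"}

SAMPLES = {  # constructed inputs
    "home user": _claims(HOME_TENANT),
    "partner user (v1 token)": _claims(PARTNER_TENANT, v1=True),
    "any other Azure tenant": _claims(OUTSIDER),
    "tid/iss mismatch": _claims(HOME_TENANT, iss_tid=OUTSIDER),
    "no tid": {"iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0"},
}

def audit(samples=SAMPLES):
    return {name: check_tenant(c) for name, c in samples.items()}

if __name__ == "__main__":
    for name, (ok, reason) in audit().items():
        print(f"{'ALLOW' if ok else 'DENY'}  {name}: {reason}")
```

A token from any other Azure tenant is validly signed by the identity provider, so only the allow-list comparison on `tid` keeps it out.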
  9. Tomi Engdahl says:

    The NUIT Attack Uses Near-Ultrasound Audio to Silently Command Your Voice Assistant
    By embedding commands in YouTube videos, streaming music, or even voice calls and Zoom meetings, NUIT can silently take control.
    https://www.hackster.io/news/the-nuit-attack-uses-near-ultrasound-audio-to-silently-command-your-voice-assistant-6d500487570b

    Reply
  10. Tomi Engdahl says:

    CISA Warns on Unpatched ICS Vulnerabilities Lurking in Critical Infrastructure
    The advisory comes the same week as a warning from the EU’s ENISA about potential for ransomware attacks on OT systems in the transportation sector
    https://www.darkreading.com/vulnerabilities-threats/cisa-warns-unpatched-vulnerabilities-ics-critical-infrastructure

    Reply
  11. Tomi Engdahl says:

    Hackers breached 130 companies, the scale of the haul is only now coming to light – the most important party stays silent
    Samuli Leppälä, 23.3.2023 08:13 | updated 23.3.2023 08:13 | INFORMATION SECURITY, HACKERS
    Hackers have apparently obtained a massive haul by exploiting a zero-day vulnerability in a tool used for transferring files.
    https://www.tivi.fi/uutiset/hakkerit-korkkasivat-130-firmaa-saaliin-laajuus-tulee-vasta-nyt-ilmi-tarkein-taho-vaikenee/b08c50a4-a84c-429c-b01a-3b649d662f3f

    The Russia-linked hacker group Clop claims to have stolen the data of 130 organizations. As its weapon, the criminal group used Forta's vulnerable GoAnywhere tool, which has been used in many companies and organizations for transferring large files. The attack exploited a zero-day vulnerability in the service.

    Reply
  12. Tomi Engdahl says:

    Ransomware crooks are exploiting IBM file-exchange bug with a 9.8 severity
    If you haven’t patched your Aspera Faspex server, now would be an excellent time.
    https://arstechnica.com/information-technology/2023/03/ransomware-crooks-are-exploiting-ibm-file-exchange-bug-with-a-9-8-severity/

    Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned.

    The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM’s proprietary FASP—short for Fast, Adaptive, and Secure Protocol—to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow that’s similar to email.

    In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10.

    Reply
  13. Tomi Engdahl says:

    Scammers have come up with a new hook for text messages – do not click under any circumstances
    Text messages sent at least in Danske Bank's name try to scare recipients with claims that Apple Pay is being linked to their card.
    https://www.is.fi/digitoday/tietoturva/art-2000009466540.html

    Reply
  14. Tomi Engdahl says:

    Hackers exploit WordPress plugin flaw that gives full control of millions of sites
    Elementor Pro fixed the vulnerability, but not everyone has installed the patch.
    https://arstechnica.com/information-technology/2023/03/hackers-exploit-wordpress-plugin-flaw-that-gives-full-control-of-millions-of-sites/

    Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.

    The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When those conditions are met, anyone with an account on the site—say a subscriber or customer—can create new accounts that have full administrator privileges.

    The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw.

    Reply
  15. Tomi Engdahl says:

    Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs
    https://www.bleepingcomputer.com/news/security/hackers-exploit-bug-in-elementor-pro-wordpress-plugin-with-11m-installs/

    Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites.

    Elementor Pro is a WordPress page builder plugin allowing users to easily build professional-looking sites without knowing how to code, featuring drag and drop, theme building, a template collection, custom widget support, and a WooCommerce builder for online shops.

    Reply
  16. Tomi Engdahl says:

    https://hackaday.com/2023/03/24/this-week-in-security-usb-boom-acropalypse-and-a-bitcoin-heist/

    Patch To Pwn

    How long does it take to deconstruct a patch, figure out the vulnerability, and turn it into a working proof of concept? A whole bunch of hardening has gone into our operating systems in the last few years to try to keep the reverse engineering window far enough ahead of the patch application curve. But occasionally, the turnaround still manages to clock in at about a day.

    CVE-2023-21768 is a vulnerability in the Ancillary Function Driver, part of the Winsock API. The patch modifies kernel code, and it took some work for researchers at SecurityIntelligence to understand how to trigger the flaw from userspace. It’s an unchecked memory write, to a pointer supplied by userspace. The steps to set up the write were a bit complicated, but not insurmountable. This particular group of researchers opted to use a Windows I/O ring to map kernel memory into userspace, gaining a read/write primitive. And that’s pretty much game over for an exploit. Interestingly, another group of researchers found this same vulnerability being exploited in-the-wild in January, likely very shortly after the patch was released by Microsoft.

    Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours
    https://securityintelligence.com/posts/patch-tuesday-exploit-wednesday-pwning-windows-ancillary-function-driver-winsock/

    ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.

    However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can be introduced. By honing in on this newly introduced code, we demonstrate that vulnerabilities that can be trivially weaponized still occur frequently. In this blog post, we analyze and exploit a vulnerability in the Windows Ancillary Function Driver for Winsock, afd.sys, for Local Privilege Escalation (LPE) on Windows 11. Though neither of us had any previous experience with this kernel module, we were able to diagnose, reproduce, and weaponize the vulnerability in about a day. You can find the exploit code here.

    Patch Diff and Root Cause Analysis

    Based on the details of CVE-2023-21768 published by the Microsoft Security Response Center (MSRC), the vulnerability exists within the Ancillary Function Driver (AFD), whose binary filename is afd.sys. The AFD module is the kernel entry point for the Winsock API.

    Reply
  17. Lewis says:

    To be honest, I have owned my business for a long time, and recently the number of orders has grown very quickly, so I decided to use this source https://gosoftwarebuy.com/product-category/office . It has helped my company to manage the order load and we delivered everything on time. I suggest you try it.

    Reply
