Threat and Vulnerability Roundup for the week of August 13th to 19th


Welcome to Cyber Writes’ weekly Threat and Vulnerability Roundup, where we provide the most recent information on cybersecurity news. Take advantage of our extensive coverage and keep yourself updated.

All significant flaws exploits, and modern attack techniques have been highlighted. To keep your devices secure, we also provide the most recent software updates available.

These alarming findings have pushed businesses all across the world to review their cybersecurity postures and take urgent action. To be safe, keep up with our daily updates.

Vulnerability

Ford Cars Vulnerable to Remote Code Execution

Ford recently identified a buffer overflow flaw in the Wi-Fi driver used by it in the SYNC 3 infotainment system. After the discovery, Ford quickly alerted about this flaw and disclosed the vulnerability publicly.

Car hijacking by hackers exploiting various functions of the car is known, but the real-world execution of such attacks remains challenging.

Privilege Escalation & File Overwrite Flaw 

The vulnerabilities, CVE-2023-38401 and CVE-2023-38402, affect the HPE Aruba Networking Virtual Intranet Access (VIA) client for the Microsoft Windows operating system. If the exploit is successful, the attacker can overwrite arbitrary files.

HPE Aruba Networking has issued an upgrade to address these multiple high-severity vulnerabilities. There is no workaround for these vulnerabilities. 

Cisco Unified Communications Manager Flaw

An SQL injection vulnerability was discovered in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). 

Cisco Unified CM is used for handling voice and video calls, whereas Cisco Unified CM SME is used for session routing intelligence.

This SQL injection vulnerability allows an authenticated remote attacker to conduct SQL injection attacks on any affected system. However, Cisco has released software updates to fix this vulnerability.

Artificial Airplane Mode in iOS

The Airplane mode in smartphones ensures safe device use on flights, as this feature prevents interference with critical flight systems by deactivating all the wireless functions of the smartphone.

Researchers at Jamf Threat Labs have recently developed a post-exploit persistence method for iOS 16. If it is exploited successfully, it lets attackers set up a fake Airplane Mode with all the original Airplane Mode’s user interface features to hide their malicious app. This allows the attacker to keep access to the device even when the user thinks it is offline.

Zoom Zero Touch Flaws Enable Remote Attacks

As per reports, Several vulnerabilities were discovered in Zoom’s Zero Touch Provisioning (ZTP) that allows threat actors to gain full remote administration of the devices resulting in activities like eavesdropping, pivoting through devices, and building a botnet with compromised devices.

In addition to this, threat actors can also reconstruct the cryptographic routines with AudioCodes devices to decrypt sensitive information like passwords and configurations that are available due to improper authentication.

IBM Security Guardium Command Injection Flaw

A Command Injection vulnerability was recently discovered on IBM Security Guardium which allows threat actors to execute arbitrary commands on the affected system remotely.

This vulnerability was due to improper neutralization of special elements used in OS command (CWE-78).

IBM Security Guardium is a data protection platform that can be used by security teams to automatically analyze data environments considered sensitive.

Cisco Duo Device: Directory Traversal Attacks

The CryptoService function in the Cisco Duo Device Health Application for Windows has a vulnerability tracked as (CVE-2023-20229).

This might allow a low-privileged attacker to carry out directory traversal attacks and overwrite arbitrary files on a susceptible device.

Cisco has issued software upgrades to address this vulnerability. There are no workarounds for this issue.

Citrix ShareFile Flaw

Organizations use Citrix ShareFile, a cloud-based platform, to store and share large files. It also allows users to create branded, password-protected files through their services. 

ShareFile Storage Zone enables administrators to choose between ShareFile-managed, secure cloud, or IT-managed storage zones (On-Prem) within an organization’s data center.

ShareFile Storage Zone Controller is an extended ShareFile Software as a Service cloud storage that offers private data storage with a ShareFile account.

Hackers Breached US Air Force Satellite 

This year’s Hack-A-Sat competition challenged teams to hack into an actual satellite in orbit. The US Air Force Moonlighter, which was launched especially for the event, was the first real satellite the hackers were permitted to target.

The Aerospace Corporation and the U.S. Air Force Research Laboratory developed the small cubesat known as Moonlighter, launched on June 5, 2023, on a SpaceX Falcon 9 rocket alongside a cargo payload for the International Space Station. 

Five teams participated in the challenge, with “mHACKeroni,” a team of five Italian cyber research firms members, taking first place this year. $50,000 was awarded for first place. 

Cyber Attacks

Fake Chrome Browser Updates

Reports indicate that there seems to be an ongoing campaign that lures victims into installing a Remote Administration Tool called NetSupport Manager with fake Chrome browser updates. 

Threat actors use this remote administration software as an info stealer and to take control of the victim’s computers. Investigations point this to a suspected SocGholish campaign which was previously conducted by a Russian threat actor but remains inconclusive.

However, the SVP of Trellix Advanced Research Center stated that “Chromium with 63.55% of market share is now the de facto most targeted browser for NetSupport RAT attacks, due to the global usage. Organizations need holistic global threat intelligence and innovative security solutions to get the governance and tools needed to reduce the cyber risk.”

Weaponized PDF to Deliver Malware

A malware campaign targeting the Ministries of Foreign Affairs of NATO-aligned countries was recently discovered, which used PDF files masquerading as a German Embassy email. One of the PDF files consists of Duke malware which was previously linked with a Russian-state-sponsored cyber espionage group, APT29.

APT29 was attributed to Russia’s Foreign Intelligence Service (SVR) and uses Zulip, an open-source chat application for command and control. This evades and hides the malicious network traffic behind legitimate traffic.

ATM Fleet Monitoring Software Flaws Enables Remote Hacking

ScrutisWeb is a secure solution that aids global organizations in monitoring ATMs, enhancing issue response time, and this solution is accessible through any browser.

The following things could be done with the help of this secure solution Monitor hardware, Reboot a terminal, Shut down a terminal, Send files, Receive files, Modify data remotely, and Monitor the bank card reader.

Cybersecurity researchers at Synack recently discovered several vulnerabilities in the ScrutisWeb ATM fleet monitoring software developed by Iagona.

Monti Ransomware Attack Linux Systems

The Monti ransomware was found in June 2022 that attracted notice due to its close resemblance to the Conti ransomware, both in name and tactics, drawing attention from cybersecurity experts and organizations.

Monti ransomware group has been observed to employ tactics similar to those of the Conti team, including utilizing their TTPs and leaked source code and tools.

Apart from this, Monti also consistently targeted the companies and posted their breaches to expose their details on a leaked site built by the operators of Monti.

SMS Bomber Attack 

In the current world of cybersecurity, security threats are evolving at a rapid pace, as there are always new problems to deal with.

Among the ever-evolving threats, SMS Bomber attacks are one of the modern attacks in the current threat landscape that can cause severe and adverse effects.

In SMS Bomber attacks the attacker hit the victim by flooding their phone number with numerous text messages. These large amounts of SMS overload the phones with unwanted triggers that flood the device with unwanted Vibrations, Alert sounds, and Notifications.

Hackers Attacking Web Services

Web servers are a prime target for threat actors due to their open and volatile nature. However, these servers must remain open to provide various web services to users.

Web services that are provided on Windows servers by the Web servers include the following elements:-

  • Internet Information Services (IIS) web servers
  • Apache Tomcat web servers
  • JBoss
  • Nginx

Cuba Ransomware Targeted Infrastructure Sector

The Cuba ransomware seems to be gaining more pace with each passing year, and this ransomware has been operating and active since 2019.

Until now, the operators of the Cuba ransomware have executed several high-profile attacks to target many industries and sectors. Besides this, it has already completed various prominent cross-industry episodes throughout early 2023.

Cybersecurity analysts at the BlackBerry Threat Research team recently analyzed a June campaign in which they revealed that this ransomware group attacked critical US infrastructure and a Latin American IT integrator.

Hackers Can Shutdown Data Center

Businesses are looking to digital transformation and cloud services to support new working practices. This would be extremely simple for criminals to get into essential data center power management gear, turn off electricity to numerous linked devices, and interrupt all types of services from crucial infrastructure to commercial applications.

The Trellix Advanced Research Centre focused exclusively on the power supply and management systems used in data centers.

Researchers discovered four vulnerabilities in CyberPower’s PowerPanel Enterprise Data Centre Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe’s iBoot Power Distribution Unit (PDU).

Hackers Leverage  AWS S3 for Phishing

Hackers use legitimate Amazon Web Services (AWS) S3 buckets to send phishing emails. Recent trends have seen cybercriminals leveraging well-known platforms like Google, QuickBooks, and PayPal to send out phishing emails, making detection challenging for both security services and end-users.

In this new wave of phishing attacks, hackers are turning to AWS S3 Buckets to host phishing links, providing them with a more convincing and legitimate façade.

Discord.io Hacked

The data of 760,000 Discord.io members has been advertised for sale on a darknet forum by a hacker using the pseudonym “Akhirah”.

On Monday, August 14, 2023, a data breach seriously endangered almost 760K customers’ data privacy.

Using the platform Discord.io, users can make unique, personalized Discord invites. Email addresses, hashed passwords, and other user-specific information are included in the database that is being provided.

Hackers Use ChatGPT to Trick Victims

The “CryptoRom” scam uses ChatGPT to trick victims into downloading fake crypto-trading mobile applications. Android and iPhone users have reported increased instances of similar fraud utilizing apps from official app stores.

Within the app where they first establish contact with the target, the scammer(s) engage in an initial dialogue. 

Once on a private chat platform like WhatsApp, Telegram, or LINE, they promote the concept of exchanging cryptocurrency. They promise to “teach” the victim how to use a (fraudulent) cryptocurrency trading program and lead them through the installation and transfer of cash, ultimately diverting off as much of the victim’s money as they can. 

Hackers Turned Mac Systems into Proxy Exit Nodes

Besides Windows OS, now threat actors are also actively targeting Mac systems to accomplish their illicit goals. Cybersecurity analysts at AT&T Alien Labs recently observed that threat actors are actively turning Mac systems into proxy exit nodes.

The OSX malware, AdLoad, emerged in 2017, and since then, its two major campaigns were highlighted in 2021 by SentinelOne and in 2022 by Microsoft.

Microsoft’s report on UpdateAgent reveals that AdLoad, a malware that spreads through drive-by compromise, hijacks users’ traffic and injects advertisements and promotions into webpages and search results by redirecting it through the adware operators’ servers.

Phishing Attack Exploits Cloudflare R2 

The Cloudflare R2 hosting service like the following platforms, which provides a cost-effective large-scale data storage  platform to developers with no exit bandwidth charges:-

  • Amazon S3
  • Google GCS
  • Azure Blob Storage

For beta testing, the Cloudflare R2 was initially launched in May 2022, and in August 2022, Cloudflare launched its R2 cloud hosting service publicly.

The cybersecurity analysts at Netskope Threat Labs recently noted a shocking 61-fold surge in traffic to Cloudflare R2-hosted phishing pages from February to July 2023.

Threat actors are known to use several methods to lure victims into their websites and make them download their malicious payload, which will allow them to take full control of the system. 

However, a recent report indicated that threat actors have been using a malvertising campaign for dropping info stealers and other malware that are probably used for initial compromise for ransomware operations.

New Research

KAIROS – New Intrusion Detection Approach

Structured audit logs, known as provenance graphs, outline system execution history, and recent studies investigate using them for automated host intrusion detection, stressing on APTs mainly.

2000+ Citrix NetScalers Hacked

It has been discovered that an attacker installed web shells on susceptible Citrix NetScalers, exploiting the CVE-2023-3519 flaw to acquire persistent access. 

This critical zero-day vulnerability poses a significant risk as it can enable remote code execution (RCE) on both NetScaler ADC and NetScaler Gateway.

Exploiting this vulnerability, malicious actors have been successful in implanting web shells into the crucial infrastructure of an organization.



Source link