Threat and Vulnerability Roundup Aug27

We are glad to present the most recent news on cybersecurity in this week’s Threat and Vulnerability Roundup from Cyber Writes. 

The latest attack techniques, significant weaknesses, and exploits have all been highlighted. We also provide the most latest software upgrades available to keep your devices secure.

These alarming findings aid in the process of identifying existing vulnerabilities in your systems, analyzing them, and determining how to patch them. Follow our regular updates and stay safe.

Vulnerability

Cisco FXOS SNMP Service Flaw

A Denial-of-Service (DoS) vulnerability has been discovered in the Cisco Firepower 4100 Series, Firepower 9300 Security Appliances, and UCS 6300 Series Fabric Interconnects that could allow an authenticated, remote attacker to cause a denial-of-service condition on any affected device.

Due to improper handling, this specific flaw exists in SNMP (Simple Network Management Protocol) requests. 

A threat actor can exploit this vulnerability by sending a crafted SNMP request to a vulnerable device, causing this DoS condition. Successful exploitation causes the vulnerable device to reload, making the service unavailable.

Notepad++ Flaw

Several Buffer Overflow vulnerabilities have been discovered in Notepad++ that can be exploited by threat actors for malicious purposes. The severities of these vulnerabilities vary from 5.5 (Medium) to 7.8 (High).

The vulnerabilities are based on heap buffer write overflow and heap buffer read overflow on some functions and libraries used by Notepad++ software, identified by Gitlab security researcher JaroslavLobačevski (@JarLob).

Notepad++ is an open-source C++-based source code editor that works in Microsoft x86, x64, and AArch64-based architectures. Notepad++ supports tabbed editing and allows working with multiple files in a single window. Don Ho developed it.

VMware Aria Operations

As per reports, VMware has been reported with two critical vulnerabilities that could allow threat actors to perform an authentication bypass and gain arbitrary write access on VMware Aria Operations for Networks. 

Enterprises use VMware Aria Operations for Networks to build a highly available, optimized, and secure infrastructure that performs across multiple cloud environments. VMware has acted quickly and addressed these vulnerabilities.

Hackers Actively Attacking Cisco VPNs

Cisco ASA SSL VPN Appliances is a type of network security device that allows remote users to access a private network over the internet securely.

Since March 2023, the managed detection and response (MDR) teams of Rapid7 have noted a surge in threats to Cisco ASA SSL VPN devices, both physical and virtual.

Threat actors often exploit weak passwords or launch targeted brute-force attacks on ASA appliances lacking MFA, resulting in several incidents of Akira and LockBit groups deploying ransomware.

Hackers Attacking Unpatched Citrix NetScaler

Threat actors targeting unpatched Citrix NetScaler systems exposed to the internet are being tracked by Sophos X-Ops. 

As per research, the recent attacks are similar to attacks using CVE-2023–3519 delivering malware.

Citrix was discovered with a Zero-Day vulnerability on their Citrix NetScaler Application Delivery Controller (ADC) that allowed threat actors to perform remote code execution at the beginning of August.

BGP Error Handling Flaw

BGP is the backbone protocol and the internet’s “glue,” which directs the routing decisions between ISP networks to hold the internet under a set.

In short, this protocol, BGP, is completely an essential element necessary for the internet’s proper functionality.

Edge device software implementing BGP isn’t perfect, with both commercial and open-source versions showing issues in this crucial routing protocol.

While many flaws are minor and related to routing issues, a concerning BGP bug can propagate like a computer worm.

Critical Flaw in Zip Libraries

According to recent reports, several vulnerabilities have been discovered in widely used ZIP libraries of Swift and Flutter.

These packages are being utilized by numerous developers and applications, which significantly increases the potential attack surface.

Developers use ZIP packages to create a bundle of libraries, components, resources, and other app files used for the application’s functionality. A malicious ZIP package can severely impact the application and compromise its security.

Splunk IT Service Intelligence Injection Flaw

Splunk has been reported with a Unauthenticated Log injection vulnerability in the Splunk IT Service Intelligence (ITSI) product. This vulnerability exists in Splunk ITSI versions before 4.13.3 or 4.15.3. 

SplunkITSI is an Artificial Intelligence Operations (AIOps) powered monitoring and analytics solution that gives users visibility about the health of critical IT and business services and their infrastructure.

Junos OS Flaw

Junos OS and Junos OS Evolved are vulnerable to a DoS (Denial of Service) condition, which an unauthenticated, network-based attacker can exploit.

Juniper Networks has addressed this vulnerability on their security advisory along with certain workarounds.

Junos OS evolved, and Junos OS was built on Linux Kernel and FreeBSD kernel, respectively, that uses a BGP session, which enables the exchange of routing between the internet and the large networks of systems. 

Microsoft Edge Privilege Escalation

Microsoft Edge has published a release note that mentioned a Privilege escalation vulnerability with the CVE ID of CVE-2023-36741 and has a CVSS Score of 8.3 (High). This vulnerability exists in the Microsoft-Edge Chromium-based versions before 116.0.1938.62.

An unauthorized remote attacker can exploit this vulnerability, which requires user interaction.

Google Chrome Security Update

Google has updated the Stable and Extended Stable channels for Mac, Linux, and Windows to version 116.0.5845.140/.141 to address a security issue in Chrome.

One “high-severity” security patch is included in this version. This upgrade will roll out over the next days and weeks.

ArubaOS Switches Flaw

Multiple Switches have been identified in ArubaOS-Switch vulnerabilities, specifically about Stored Cross-site Scripting (Stored XSS), Denial of Service (DoS), and Memory corruption.

Aruba has taken measures to mitigate these vulnerabilities and has subsequently published a security advisory.

ArubaOS-Switch is owned by Aruba Networks, a Hewlett Packard Enterprise subsidiary. This allows users to manage their networks from a centralized location. Aruba Networks manufactures several networking products.

Cisco BroadWorks: XSS Attack

Cisco released a fix for the medium impact vulnerability found on CommPilot Application Software, allowing cross-site scripting against the user interface.

The Cisco BroadWorksCommPilot Application allows authenticated users to upload configuration files on the platform.

The lack of file validation and broken access control on the vulnerable upload servlet allows any authenticated user to upload a file, which could be abused to run arbitrary code on the server.

SAML Token Signature Bypass

VMware has been reported with a SAML token signature bypass vulnerability, which a threat actor can exploit to perform VMware Guest operations. CVE ID has been assigned for this vulnerability, and the severity was mentioned as 7.5 (High).

VMware tools are a set of modules and services for enabling several services in VMware products, which help better manage guest operating systems and flawless user interactions between the host and the guest operating system. VMware tools also can pass messages from the Host to the Guest operating system.

New Cyber Research

New Technique to Uncover Malicious Domains

The internet domains serve as a launchpad for threat actors to launch several cyber attacks. By exploiting the internet domains as a launchpad platform, threat actors can perform the following activities on Malicious Websites:-

  • Distribute malware
  • Facilitate command and control (C&C) communications
  • Host scam
  • Perform phishing attacks
  • Perform cybersquatting

Detecting malicious domains is an ongoing challenge, and in this scenario, MDD (Malicious Domain Detection) plays a key role, as it helps in identifying the domains that are linked to cyberattacks.

Threats & Vulnerabilities in AI Models

The rapid surge in LLMs (Large language models) across several industries and sectors has raised critical concerns about their safety, security, and potential for misuse.

Apart from this, with several extraordinary advancements, the LLM models are also vulnerable to several threats and flaws, as threat actors could easily abuse these AI models for several illicit tasks. 

LLMs like ChatGPT have gained huge popularity quickly, but they face challenges, including safety and security concerns, from adversarial examples to generative threats.

Cyber Attack

Smoke Loader Malware Locates Infected System

Recent reports reveal that malicious actors use Smoke loader botnets to infiltrate compromised systems and deploy Wi-Fi scanning executables.

This Wi-Fi scanning tool seems custom-written and is used for gathering information about a system’s geolocation through Google Geolocation API.

This malware has been termed Whiffy recon and uses nearby Wi-Fi access points to find the exact coordinates of an affected system. It is still unclear why this information is gathered and its usage.

DreamBus Botnet

A vulnerability affecting Apache RocketMQ servers was publicly disclosed in May 2023, allowing remote code execution through a gateway. RocketMQ is a cloud-native platform for messaging and streaming.

The command execution vulnerability has been reported in RocketMQ, affecting version 5.1.0 and below.

A remote, unauthenticated user can exploit this vulnerability by using the update configuration function to execute commands with the same access level as that of the RocketMQ user process. It has been assigned CVE-2023-33246. 

Hackers Abusing ChatGPTFor Cybercrime

Media and frequent innovative releases aggressively fuel the rapid industry rise of generative AI (Artificial Intelligence) ChatGPT. 

But, besides its innovative part, cybercriminals have also actively exploited these generative AI models for several illicit purposes, even before their rise.

Cybersecurity analysts at Trend Micro, Europol, and UNICRI jointly studied criminal AI exploitation, releasing the “Malicious Uses and Abuses of Artificial Intelligence” report a week after GPT-3’s debut in 2020.

Ransomware Via HTML Smuggling

Threat actors adopt the highly invasive techniques of HTML smuggling to launch  Nokoyawaransomware despite being delivered through macro and ICedID malware.

The Nokoyawa Ransomware variant has been active since February 2022 and shares the similarity of known ransomware groups Nemty and Karma.

The DFIR report states that two threat actors were involved in the campaign: the distributor and the hands-on keyboard actor.

Top 3 Malware Loaders of 2023

SOC teams find malware loaders challenging, as the different loaders, even for the same malware, need distinct mitigation. 

Besides this, they are the key and most important elements for initial network access and payload delivery, for which remote-access software and post-exploitation tools are most sought.

Detecting a malware loader doesn’t always mean network compromise, as sometimes, in the kill chain, it’s stopped early.

However, cybersecurity analysts at ReliaQuest have recently uncovered a multitude of malware loaders that were observed to be the most active this year in 2023.

FBI Broke Qakbot Infrastructure

The FBI and the Justice Department have declared a global effort to disrupt and dismantle the Qakbot infrastructure utilized in ransomware attacks.

More than 700,000 victim computers were infected by the Qakbot malware, which contributed to ransomware deployments and caused damage worth hundreds of millions of dollars.

The United States, France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom all took part in the action with the technical assistance provided by Zscaler.

Hackers Can Abuse Windows Container to Bypass Organization Security

Recently, cybersecurity researchers at Deep Instinct have asserted that hackers can exploit the Windows container isolation framework to bypass organizations’ security defenses and mechanisms.

Containers revolutionize the way applications are packaged and isolated, empowering them with their complete runtime environment enclosed within.

Malicious Version of PyPi Package

ReversingLabs spotted “VMConnect” in early August, a malicious supply chain campaign with two dozen rogue Python packages on PyPI.

It’s been observed that these packages mimicked the following known open-source Python tools:-

  • vConnector
  • eth-tester
  • Databases

Cybersecurity researchers at ReversingLabs recently identified that a North Korean hacker group is actively deploying malicious versions of Python Packages in the PyPI repository.

Hackers Embedding Weaponized Word File into a PDF

To avoid detection, hackers employed a new method dubbed “MalDoc in PDF” to insert a malicious Word file into a PDF file.

Despite having magic numbers and a PDF-specific file format, a file created with MalDoc in PDF may be opened in Word.

If the file includes a configured macro, running it in Word causes VBS to launch and carry out malicious operations.

Hackers Disruptred Railway System Signals

Poland’s Railway infrastructure, a crucial transit route for Western weapons transported to Ukraine, has been compromised by cybercriminals.

The signals were intermingled with recordings of the Russian national anthem and a speech by President Vladimir Putin, according to the Polish Press Agency (PAP).

According to the information shared, the incident occurred on Saturday when hackers sent a signal that caused emergency train stops close to Szczecin, Poland. About 20 trains came to a complete stop, but services were soon resumed.

Threat Actors Abuse Google Groups

Threat actors continue to evolve their spam tactics by utilizing legitimate  Google Groups to send Fake order messages to target multiple users. 

Fake order scams work by notifying victims about the purchase status or confirmation that originally was not placed by the recipient.

They are motivated to steal the victim’s personal credentials – name, address, credit, or banking information, or trick the victim into installing malware on their computer.

Stealthy Android Malware

A recently discovered Android Trojan, dubbed “MMRat,” poses a serious threat to mobile banking security. Unlike other forms of malware, this Trojan is designed to evade detection from traditional antivirus software.

The security experts at TrendMicro have identified the Trojan as AndroidOS_MMRat.HRX, warning users to be cautious when downloading new apps or accessing their banking information from their Android devices.

This group has been committing bank fraud by targeting mobile users in Southeast Asia since late June 2023.

DarkGate Malware via Stolen Email Threads

The research revealed high malspam activity of DarkGate malware distributed via phishing emails to users through MSI files or VBs script payloads.

Darkgate malware has been active since 2018 and can download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation.

A user RastaFarEye has been advertising DarkGate Loader on the xss[.]is an exploit[.]in cybercrime forums since June 16, 2023, with different pricing models.

BadBazaar Malware via Google Play

The Android BadBazaar malware is being distributed through the Google Play store, Samsung Galaxy Store, and dedicated websites mimicking Signal Plus Messenger and FlyGram malicious applications.

These active campaigns are connected to the China-aligned APT organization known as GREF. Uyghurs and other Turkic ethnic minorities have historically been the target of the spyware known as BadBazaar.

The BadBazaar malware family has already been targeted, and the FlyGram malware was also observed being spread in a Uyghur Telegram channel.

Hackers Exploit Openfire Vulnerability

The Kinsing malware has resurfaced with a new attack method that exploits the Openfire vulnerability tracked as CVE-2023-32315. A path traversal attack caused by this vulnerability allows an unauthorized user access to the Openfire setup environment.

Researchers from Aqua Nautilus report that the threat actor may upload malicious plugins and create a new admin user as a result of this. The attacker eventually has complete control of the server.

Openfire is a real-time collaboration (RTC) server that serves as a chat platform for transmitting instant messages over the XMPP (Extensible Messaging and Presence Protocol).

Data Breach

Kroll Employee SIM Swapped

A high-profile cyber attack targeted a prominent company, Kroll. This attack utilized a sophisticated technique known as “SIM swapping,” which allowed the threat actor to gain unauthorized access to sensitive personal information.

On Saturday, August 19, 2023, Kroll was informed about the SIM swapping attack that targeted a T-Mobile US., Inc. account belonging to a Kroll employee.

Immediate actions were taken to secure the three affected accounts, said Kroll, a cybersecurity company.

2.6 Million DuoLingo Users’ Info Exposed 

The popular language learning platform has come under scrutiny as a post on a hacker’s forum offers access to information from 2.6 million customer accounts for a mere $1,500. 

Duolingo is an American educational technology company that produces learning apps and provides language certification.

The hacking forum post, created on a Tuesday morning, caught DuoLingo’s attention as it offered sensitive customer account details, including emails, phone numbers, courses taken, and other usage-related information for a price.

Mom’s Meals Breached

PurFoods, LLC, operating under the trade name Mom’s Meals, has announced the compromise of personal information affecting its clients and employees. 

The company acknowledged that its cybersecurity defenses had been compromised, allowing unauthorized access to a treasure trove of consumer data.

The incident occurred between January 16, 2023, and February 22, 2023, with the attack involving the encryption of specific files on the company’s network. 

Hackers Can Exploit Skype Vulnerability to Find User IP Address

Hackers can now capture your IP address and expose your physical location by sending a Skype link, even if you don’t click it.

An IP address, which stands for “Internet Protocol address,” is like a unique digital home address for your device on the internet.

The IP addresses are sensitive addresses because they can reveal certain information about you and your online activities like:-

  • Approximate location
  • Type of device you’re using
  • Websites you visit

Paramount Media Hacked

In a shocking turn of events, Paramount Media recently fell victim to a significant data breach, leading to the unauthorized access of user personal information. 

Paramount Media Networks(founded as MTV Networks in 1984 and known under this name until 2011) is an American mass media division of Paramount Global that oversees the operations of many of its television channels and online brands. 

The company’s brands include CBS, BET, Comedy Central, Paramount+, Pluto TV, MTV, Paramount Pictures, Showtime Netwo, Smithsonian Channel, and Nickelodeon. Paramount operates as a subsidiary of National Amusements Inc.

Forever 21 Systems Hacked

In a recent development, Forever 21 disclosed a cyber incident that came to light on March 20, 2023, affecting a limited number of its systems. 

Forever 21 is a multinational fast fashion retailer headquartered in Los Angeles, California, United States. Originally founded as the store Fashion 21 in Highland Park, Los Angeles, in 1984, it is currently operated by Authentic Brands Group and Simon Property Group, with about 540 outlets worldwide.

The clothing retailer took swift action upon discovering the breach, launching an immediate investigation and enlisting the support of prominent cybersecurity firms. 

Releases

Tor Announces Proof-of-Work Defense

Tor (The Onion Router) has officially introduced a Proof-of-Work (PoW) mechanism to defend from attackers doing Denial of Service attacks. Users worldwide have widely adopted Tor for hiding their IP addresses and maintaining their privacy.

The Onion services have always prioritized user privacy through IP address obfuscation, making it a prime target for threat actors. Though the Onion service has a traditional IP-based rate limiting in place, it has been violated by threat actors in multiple scenarios.

With the release of PoW, the Onion service will prioritize legitimate connections filtered by checking on the stress of the service. The incoming onion service connections are made to perform certain complex operations that vary based on the network stress. 

ChatGPT Enterprise

Several reports have indicated data leakage from ChatGPT ever since its release by the Microsoft-backed OpenAI in November 2022. Additionally, threat actors have been abusing the platform to gain unauthorized access or leak sensitive and confidential data. 

However, ChatGPT has released a new ChatGPT enterprise version, which is claimed to be SOC 2 compliant with Enterprise-grade security and privacy, including higher-speed ChatGPT-4 access. 

Several Fortune 500 companies have adopted ChatGPT for their business purposes. 

Mozilla Firefox 117

With the release of Mozilla Firefox 117, 13 vulnerabilities are patched, including seven ‘High Severity’ flaws and four memory corruption flaws.

Mozilla said that IPC CanvasTranslator, IPC ColorPickerShownCallback, IPC FilePickerShownCallback, and JIT UpdateRegExpStatics components of the browser are all affected by these memory corruption issues, which might result in potentially exploitable crashes.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: [email protected]