Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones
Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group’s Pegasus mercenary spyware.
The issues are described as below –
- CVE-2023-41061 – A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
- CVE-2023-41064 – A buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.
While CVE-2023-41064 was found by the Citizen Lab at the University of Torontoʼs Munk School, CVE-2023-41061 was discovered internally by Apple, with „assistance“ from the Citizen Lab.
Source: The hacker news / Bleeping computer / Dark reading / Securityweek / SANS internet storm center
Link: https://thehackernews.com/2023/09/apple-rushes-to-patch-zero-day-flaws.html
Link: https://www.securityweek.com/apple-patches-actively-exploited-ios-macos-zero-days/
Link: https://isc.sans.edu/diary/30200
Alert: Apache Superset Vulnerabilities Expose Servers to Remote Code Execution Attacks
Patches have been released to address two new security vulnerabilities in Apache Superset that could be exploited by an attacker to gain remote code execution on affected systems.
The update (version 2.1.1) plugs CVE-2023-39265 and CVE-2023-37941, which make it possible to conduct nefarious actions once a bad actor is able to gain control of Superset’s metadata database.
Outside of these weaknesses, the latest version of Superset also remediates a separate improper REST API permission issue (CVE-2023-36388) that allows for low-privilege users to carry out server-side request forgery (SSRF) attacks.
„Superset by design allows privileged users to connect to arbitrary databases and execute arbitrary SQL queries against those databases using the powerful SQLLab interface,“ Horizon3.ai’s Naveen Sunkavally said in a technical write-up.
„If Superset can be tricked into connecting to its own metadata database, an attacker can directly read or write application configuration through SQLLab. This leads to harvesting credentials and remote code execution.“
CVE-2023-39265 relates to a case of URI bypass when connecting to the SQLite database used for the metastore, enabling an attacker to execute data manipulation commands.
Source: The hacker news
Link: https://thehackernews.com/2023/09/alert-apache-superset-vulnerabilities.html
Zero-Day Alert: Latest Android Patch Update Includes Fix for Newly Actively Exploited Flaw
Google has rolled out monthly security patches for Android to address a number of flaws, including a zero-day bug that it said may have been exploited in the wild.
Tracked as CVE-2023-35674, the high-severity vulnerability is described as a case of privilege escalation impacting the Android Framework.
„There are indications that CVE-2023-35674 may be under limited, targeted exploitation,“ the company said in its Android Security Bulletin for September 2023 without delving into additional specifics.
The update also addresses three other privilege escalation flaws in Framework, with the search giant noting that the most severe of these issues „could lead to local escalation of privilege with no additional execution privileges needed“ sans any user interaction.
Source: The hacker news / Bleeping computer / Securityweek
Link: https://thehackernews.com/2023/09/zero-day-alert-latest-android-patch.html
Link: https://www.securityweek.com/android-zero-day-patched-with-september-2023-security-updates/
Cisco BroadWorks impacted by critical authentication bypass flaw
A critical vulnerability impacting the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow remote attackers to forge credentials and bypass authentication. Cisco BroadWorks is a cloud communication services platform for businesses and consumers, while the two mentioned components are used for app management and integration.
The flaw, discovered internally by Cisco security engineers, is tracked as CVE-2023-20238 and rated with a maximum CVSS score of 10.0 (critical).
By exploiting the flaw, threat actors can freely execute commands, access confidential data, alter user settings, and commit toll fraud.
Source: Bleeping computer / Securityweek
Link: https://www.securityweek.com/cisco-patches-critical-vulnerability-in-broadworks-platform/
Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges
Identity services provider Okta on Friday warned of social engineering attacks orchestrated by threat actors to obtain elevated administrator permissions.
„In recent weeks, multiple U.S.-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users,“ the company said. The adversary then moved to abuse the highly privileged Okta Super Administrator accounts to impersonate users within the compromised organization. The campaign, per the company, took place between July 29 and August 19, 2023.
Okta did not disclose the identity of the threat actor, but the tactics exhibit all the hallmarks of an activity cluster known as Muddled Libra, which is said to share some degree of overlap with Scattered Spider and Scatter Swine.
Source: The hacker news / Bleeping computer / Securityweek
Link: https://thehackernews.com/2023/09/okta-warns-of-social-engineering.html
Link: https://www.securityweek.com/okta-says-us-customers-targeted-in-sophisticated-attacks/
Outlook Hack: Microsoft Reveals How a Crash Dump Led to a Major Security Breach
Microsoft on Wednesday revealed that a China-based threat actor known as Storm-0558 acquired the inactive consumer signing key to forge tokens and access Outlook by compromising an engineer’s corporate account. This enabled the adversary to access a debugging environment that contained information pertaining to a crash of the consumer signing system and steal the key. The system crash took place in April 2021.
„A consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (‚crash dump‘),“ the Microsoft Security Response Center (MSRC) said in a post-mortem report.
„The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump. The key material’s presence in the crash dump was not detected by our systems.“
The Windows maker said the crash dump was moved to a debugging environment on the internet-connected corporate network, from where Storm-0558 is suspected to have acquired the key after infiltrating the engineer’s corporate account.
Source: The hacker news / Bleeping computer / Securityweek / Microsoft blog
Link: https://thehackernews.com/2023/09/outlook-breach-microsoft-reveals-how.html
Cybercriminals target graphic designers with GPU miners
Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. This activity has been ongoing since at least November 2021.
The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max and SketchUp Pro, with malicious scripts and uses Advanced Installer’s Custom Actions feature to make the software installers execute the malicious scripts.
The software installers targeted in this campaign are specifically used for 3-D modeling and graphic design, and most of them use the French language, indicating that the victims are likely across business verticals, including architecture, engineering, construction, manufacturing, and entertainment in French language-dominant countries.
The payloads include the M3_Mini_Rat client stub — which allows the attacker to establish a backdoor and download and execute additional threats, the Ethereum cryptocurrency-mining malware PhoenixMiner, and lolMiner, a multi-coin mining threat.
Cybercriminals are likely exploiting these particular software installers because of their need for high Graphics Processing Unit (GPU) power to function, which adversaries rely on to mine cryptocurrency.
Source: CISCO Talos intelligence group
Link: https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-with-gpu-miners/
Zero-day attacks are on the rise. Can patches keep up?
That latest cyberattack threatening your organization is likely coming from outside the corporate network. According to Mandiant’s M-Trends 2023 report, 63% of breaches came from an outside entity — a considerable rise from 47% the year before.
When it comes to how intruders are getting into the network, it depends on the organization’s location. Spearphishing is the top attack vector in Europe, while credential theft-based attacks are the number one type of attack in Asia, Kevin Mandia, Mandiant CEO, told an audience at RSA Conference 2023. In the United States, threat actors prefer to use vulnerabilities to gain access to the system.
“Right now, about 32% of the time, victim zero, when we know victim zero, it’s a vulnerability. Not a zero-day necessarily but a one-day, two-day,” Mandia said. That’s a worldwide viewpoint. In the U.S. alone, that rate is 38% of detected incidents.
Source: IBM security intelligence
Link: https://securityintelligence.com/articles/zero-day-attacks-are-on-the-rise-can-patches-keep-up/