Zero-Day Warning: It’s Possible to Hack iPhones Just by Sending Emails
Watch out Apple users!
The default mailing app pre-installed on millions of iPhones and iPads has been found vulnerable to two critical flaws that attackers are exploiting in the wild, at least, from the last two years to spy on high-profile victims.
The flaws could eventually let remote hackers secretly take complete control over Apple devices just by sending an email to any targeted individual with his email account logged-in to the vulnerable app. According to cybersecurity researchers at ZecOps, the bugs in question are remote code execution flaws that reside in the MIME library of Apple’s mail app—first, due to an out-of-bounds write bug and second, is a heap overflow issue.
Though both flaws get triggered while processing the content of an email, the second flaw is more dangerous because it can be exploited with ‘zero-click,’ where no interaction is required from the targeted recipients.
Source: The hacker news / Bleeping computer / Dark reading / Threatpost / BBC / ZECOPS blog
Researcher Discloses 4 Zero-Day Bugs in IBM’s Enterprise Security Software
A cybersecurity researcher today publicly disclosed technical details and PoC for 4 unpatched zero-day vulnerabilities affecting an enterprise security software offered by IBM after the company refused to acknowledge the responsibly submitted disclosure.
The affected premium product in question is IBM Data Risk Manager (IDRM) that has been designed to analyze sensitive business information assets of an organization and determine associated risks. According to Pedro Ribeiro from Agile Information Security firm, IBM Data Risk Manager contains three critical severity vulnerabilities and a high impact bug, all listed below, which can be exploited by an unauthenticated attacker reachable over the network, and when chained together could also lead to remote code execution as root.
(Authentication Bypass -Command Injection -Insecure Default Password – Arbitrary File Download)
Source: The hacker news / Bleeping computer / Threatpost / Securityweek / Pedro Ribeiro on GITHub
Unpatchable ‘Starbleed’ Bug in FPGA Chips Exposes Critical Devices to Hackers
A newly discovered unpatchable hardware vulnerability in Xilinx programmable logic products could allow an attacker to break bitstream encryption, and clone intellectual property, change the functionality, and even implant hardware Trojans.
The details of the attacks against Xilinx 7-Series and Virtex-6 Field Programmable Gate Arrays (FPGAs) have been covered in a paper titled “The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs” by a group of academics from the Horst Goertz Institute for IT Security and Max Planck Institute for Cyber Security and Privacy.
Source: The hacker news / Securityweek
CISA Warns Patched Pulse Secure VPNs Could Still Expose Organizations to Hackers
The United States Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a fresh advisory alerting organization to change all their Active Directory credentials as a defense against cyberattacks trying to leverage a known remote code execution (RCE) vulnerability in Pulse Secure VPN servers—even if they have already patched it.
The warning comes three months after another CISA alert urging users and administrators to patch Pulse Secure VPN environments to thwart attacks exploiting the vulnerability.
“Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization’s credentials will still be able to access — and move laterally through — that organization’s network after the organization has patched this vulnerability if the organization did not change those stolen credentials,” CISA said.
Source: the hacker news / Threatpost / Securityweek
IT services giant Cognizant suffers Maze Ransomware cyber attack
Information technologies services giant Cognizant suffered a cyber attack Friday night allegedly by the operators of the Maze Ransomware, BleepingComputer has learned.
Cognizant is one of the largest IT managed services company in the world with close to 300,000 employees and over $15 billion in revenue. As part of its operations, Cognizant remotely manages its clients through end-point clients, or agents, that are installed on customer’s workstations to push out patches, software updates, and perform remote support services. On Friday, Cognizant began emailing their clients, stating that they had been compromised and included a “preliminary list of indicators of compromise identified through our investigation.” Clients could then use this information to monitor their systems and further secure them.
Source: Bleeping computer / Threatpost / Securityweek / Infosecurity magazine
(Last) Week in Ransomware – April 17th 2020 – Changing Tactics
There was not a lot of new ransomware variants released this week, but some pretty interesting news about operations changing their tactics to remain more profitable and to evade law enforcement. Sodinokibi/REvil is phasing out support for Bitcoin ransom payments in favor of Monero to make it harder for law enforcement to trace them. Finally, Nemty Ransomware is moving from a public ransomware-as-a-service to a private one to become more exclusive and entice more experienced affiliates to join their organization.
Source: Bleeping computer
Customer complaint phishing pushes network hacking malware
A new phishing campaign is underway that targets a company’s employees with fake customer complaints that install a new backdoor used to compromise a network.
For the past two weeks, BleepingComputer, and others we have spoken with, have been receiving fake emails pretending to be from their company’s “Corporate Lawyer”.
These emails utilize subjects like “Re: customer complaint in [insert company name]” or “Re: customer complaint for [recipient name]” and state that the recipient’s employer has received a customer complaint about them. Due to this, the employee will be fined and have the amount deducted from their salary.
Source: Bleeping computer
FBI: Extortion scammers more active due to stay-at-home orders
The U.S. Federal Bureau of Investigation (FBI) warned today of an increasing number of online extortion scam reports because a lot more people are being targeted due to the “stay-at-home” orders issued during the COVID-19 pandemic. “Because large swaths of the population are staying at home and likely using the computer more than usual, scammers may use this opportunity to find new victims and pressure them into sending money,” the alert issued by FBI’s Internet Crime Complaint Center (IC3) says. “The scammers are sending e-mails threatening to release sexually explicit photos or personally compromising videos to the individual’s contacts if they do not pay. While there are many variations of these online extortion attempts, they often share certain commonalties.”
Source: Bleeping computer
Sipping from the Coronavirus Domain Firehose
Security experts are poring over thousands of new Coronavirus-themed domain names registered each day, but this often manual effort struggles to keep pace with the flood of domains invoking the virus to promote malware and phishing sites, as well as non-existent healthcare products and charities. As a result, domain name registrars are under increasing pressure to do more to combat scams and misinformation during the COVID-19 pandemic.
Source: Krebs on security / Dark reading
NSA Issues Guidance for Combating Web Shell Malware
The US intelligence agency teamed up with Australian Signals Directorate in newly released information on how to protect Web servers from the malware.
Web shell malware, which executes arbitrary instructions on a targeted Web server, is a large and growing cybersecurity problem — and now government intelligence agencies are releasing guidance on how to defend against it. The US National Security Agency (NSA) and the Australian Signals Directorate (ASD) joined forces this week to issue a Cybersecurity Information Sheet on how to detect and mitigate this form of malware.
Source: Dark reading / NSA-ASD
Fast-Moving DDoS Botnet Exploits Unpatched ZyXel RCE Bug
A new variant of the Hoaxcalls botnet, which can be marshalled for large-scale distributed denial-of-service (DDoS) campaigns, is spreading via an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager that was disclosed last month. That’s according to researchers at Radware, who also said that it’s notable how quickly Hoaxcalls operators have moved to weaponize the ZyXel bug, which as of this time of writing, has still not been addressed in a ZyXel advisory.
High-Severity Vulnerability in OpenSSL Allows DoS Attacks
An update released on Tuesday for OpenSSL patches a high-severity vulnerability that can be exploited for denial-of-service (DoS) attacks. The OpenSSL Project, which tracks the flaw as CVE-2020-1967, has described it as a “segmentation fault” in the SSL_check_chain function.
“Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the ‘signature_algorithms_cert’ TLS extension,” reads the advisory for this vulnerability.
Source: Securityweek / Open SSL Org Security Advisory
Vulnerability Spotlight: Zoom Communications user enumeration
Video conferencing and calling software has spiked in popularity as individuals across the globe are forced to stay home due to the COVID-19 pandemic. There are a plethora of players in this space, with one or two getting increased attention. One service in particular — Zoom — has received an enormous amount of attention from the media and users.
Today, Cisco Talos is disclosing a user enumeration vulnerability in Zoom Communications that could allow a malicious user to obtain a complete list of Zoom users inside a specific organization. There has been a lot of discussion around what is and is not a vulnerability and what security features should exist in video conferencing software. This is not the purpose of this blog. This disclosure is made in accordance with our vulnerability disclosure policy, in the interests of ensuring the security and privacy of users at-large against this information disclosure vulnerability.
Source: CISCO TALOS intelligence blog
You Can Run, But Can You Hide?
A true crime story about tracking fugitives, written by a. Veteran OSINT hunter and former policeman.
HTML5 Attacks – Episode 01
WebSocket is one of the technologies which was introduced in HTML5 and a new mechanism always introduces some kind of security risks, so lets go over one of the attacks which leverage websocket technology called Cross Site WebSocket Hijacking (CSWH).
Secjuice Squeeze Volume 20
Welcome to the 20th edition of the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, and upcoming events–lovingly prepared for you every week. This week’s volume compiled by Secjuice writers Sinwindie, Guise Bule and Miguel Calles.
Microsoft releases OOB security updates for Microsoft Office
Microsoft has released an out-of-band security update that fixes remote code execution vulnerabilities in an Autodesk FBX library integrated into Microsoft Office and Paint 3D applications. Last month, Autodesk issued security updates for their Autodesk FBX Software Development Kit that resolves remote code execution and denial of service vulnerabilities caused by specially crafted FBX files. An FBX file is an Autodesk file format that is used to store 3D models, assets, shapes, and animations. To exploit these vulnerabilities, an attacker would create a malicious FBX file that would exploit “buffer overflow, type confusion, use-after-free, integer overflow, NULL pointer dereference, and heap overflow vulnerabilities” to perform a DoS attack or remotely execute code.
Source: Bleeping computer / Threatpost / Security week / Helpnet security / AUTODESK trust center security advisory / Microsoft ADV 200004