Beyond Information Security

Researchers Detail Apple’s Recent Zero-Click Shortcuts Vulnerability

Details have emerged about a now-patched high-severity security flaw in Apple’s Shortcuts app that could permit a shortcut to access sensitive information on the device without users’ consent.

The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was addressed by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3.

“A shortcut may be able to use sensitive data with certain actions without prompting the user,” the iPhone maker said in an advisory, stating it was fixed with “additional permissions checks.”

Apple Shortcuts is a scripting application that allows users to create personalized workflows (aka macros) for executing specific tasks on their devices. It comes installed by default on iOS, iPadOS, macOS, and watchOS operating systems.

Bitdefender security researcher Jubaer Alnazi Jabin, who discovered and reported the Shortcuts bug, said it could be weaponized to create a malicious shortcut that bypasses Transparency, Consent, and Control (TCC) policies.

Source: The Hacker News / Dark Reading / SecurityWeek

Link: https://thehackernews.com/2024/02/researchers-detail-apples-recent-zero.html

Link: https://www.darkreading.com/application-security/zero-click-apple-shortcuts-vulnerability-allows-silent-data-theft

Link: https://www.securityweek.com/apple-shortcuts-vulnerability-exposes-sensitive-information/


VMware Alert: Uninstall EAP Now – Critical Flaw Puts Active Directory at Risk

VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) following the discovery of a critical security flaw.

Tracked as CVE-2024-22245 (CVSS score: 9.6), the vulnerability has been described as an arbitrary authentication relay bug.

“A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs),” the company said in an advisory.

EAP, deprecated as of March 2021, is a software package that’s designed to allow direct login to vSphere’s management interfaces and tools through a web browser. It’s not included by default and is not part of vCenter Server, ESXi, or Cloud Foundation.

Also discovered in the same tool is a session hijack flaw (CVE-2024-22250, CVSS score: 7.8) that could permit a malicious actor with unprivileged local access to a Windows operating system to seize a privileged EAP session.

Source: The Hacker News / BleepingComputer / VMware Knowledge Base / Help Net Security

Link: https://thehackernews.com/2024/02/vmware-alert-uninstall-eap-now-critical.html

Link: https://www.bleepingcomputer.com/news/security/vmware-urges-admins-to-remove-deprecated-vulnerable-auth-plug-in/

Link: https://kb.vmware.com/s/article/96442

Link: https://www.helpnetsecurity.com/2024/02/21/cve-2024-22245-cve-2024-22250/


WordPress Bricks Theme Under Active Attack: Critical Flaw Impacts 25,000+ Sites

A critical security flaw in the Bricks theme for WordPress is being actively exploited by threat actors to run arbitrary PHP code on susceptible installations.

The flaw, tracked as CVE-2024-25600 (CVSS score: 9.8), enables unauthenticated attackers to achieve remote code execution. It impacts all versions of Bricks up to and including 1.9.6.

It has been addressed by the theme developers in version 1.9.6.1 released on February 13, 2024, merely days after WordPress security provider Snicco reported the flaw on February 10.

While a proof-of-concept (PoC) exploit has not been released, technical details have been released by both Snicco and Patchstack, noting that the underlying vulnerable code exists in the prepare_query_vars_from_settings() function.

Specifically, it concerns the use of security tokens called “nonces” as the only check for verifying permissions; once that check is passed, arbitrary commands can be supplied for execution, effectively allowing a threat actor to seize control of a targeted site.

The nonce value is publicly available on the frontend of a WordPress site, Patchstack said, adding there are no adequate role checks applied.
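The pattern described above (a nonce treated as authorization, with the token visible to every visitor and no role check) is a general WordPress anti-pattern. The following is an added illustrative example written for this digest; it is not code from the Bricks theme or from Snicco or Patchstack, and the AJAX action names, handler names and the `example_run_query()` helper are hypothetical. It shows the nonce-only check beside a hardened handler that also verifies a capability and is not registered for unauthenticated callers.

```php
<?php
// Added example, not from the Bricks theme. All action/function names are hypothetical.

/**
 * Shared worker used by both handlers (hypothetical). Accepts only known
 * keys, so raw request data never reaches a code path that could evaluate it.
 */
function example_run_query( $settings ) {
    $allowed = array( 'post_type' => 'post', 'posts_per_page' => 5 );
    $args    = array();
    foreach ( (array) $settings as $key => $value ) {
        if ( array_key_exists( $key, $allowed ) ) {
            $args[ $key ] = is_numeric( $value ) ? (int) $value : sanitize_key( $value );
        }
    }
    return wp_list_pluck( get_posts( array_merge( $allowed, $args ) ), 'post_title' );
}

/**
 * Anti-pattern: the nonce is the only gate.
 * A nonce is a CSRF token: it proves the request came from a page that
 * embedded it. If that page is rendered for every visitor, the token says
 * nothing about who the caller is or what they are allowed to do.
 */
function example_insecure_handler() {
    $nonce = isset( $_POST['_ajax_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_ajax_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_query' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // No capability check: anyone who read the nonce from the front end reaches this point.
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    wp_send_json_success( example_run_query( $settings ) );
}
add_action( 'wp_ajax_example_query',        'example_insecure_handler' );
add_action( 'wp_ajax_nopriv_example_query', 'example_insecure_handler' ); // exposed to logged-out users too

/**
 * Hardened form: CSRF token AND an explicit authorization check, and the
 * action is only registered for logged-in users (no wp_ajax_nopriv_ hook).
 */
function example_secure_handler() {
    check_ajax_referer( 'example_query', '_ajax_nonce' ); // dies with 403 on a missing/invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) {     // the role check a nonce cannot provide
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    wp_send_json_success( example_run_query( $settings ) );
}
add_action( 'wp_ajax_example_query_secure', 'example_secure_handler' );
// Deliberately no add_action( 'wp_ajax_nopriv_example_query_secure', ... ).
```

When reviewing a plugin or theme, the check to make is that every privileged action has a `current_user_can()` (or equivalent) test in addition to `wp_verify_nonce()`/`check_ajax_referer()`, and that privileged actions are not hooked under `wp_ajax_nopriv_*`. A nonce on its own is a CSRF control, not an authorization control.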

Source: The Hacker News / BleepingComputer / SecurityWeek

Link: https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html

Link: https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce-flaw-in-bricks-wordpress-site-builder/

Link: https://www.securityweek.com/websites-hacked-via-vulnerability-in-bricks-builder-wordpress-plugin/


Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates

U.S. and U.K. authorities have seized the darknet websites run by LockBit, a prolific and destructive ransomware group that has claimed more than 2,000 victims worldwide and extorted over $120 million in payments. Instead of listing data stolen from ransomware victims who didn’t pay, LockBit’s victim shaming website now offers free recovery tools, as well as news about arrests and criminal charges involving LockBit affiliates.

Dubbed “Operation Cronos,” the law enforcement action involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the unsealing of two indictments; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities.

LockBit members have executed attacks against thousands of victims in the United States and around the world, according to the U.S. Department of Justice (DOJ). First surfacing in September 2019, the gang is estimated to have made hundreds of millions of U.S. dollars in ransom demands, and extorted over $120 million in ransom payments.

LockBit operated as a ransomware-as-a-service group, wherein the ransomware gang takes care of everything from the bulletproof hosting and domains to the development and maintenance of the malware. Meanwhile, affiliates are solely responsible for finding new victims, and can reap 60 to 80 percent of any ransom amount ultimately paid to the group.

Source: Krebs on Security / BleepingComputer / The Hacker News / SecurityWeek / Infosecurity Magazine

Link: https://krebsonsecurity.com/2024/02/feds-seize-lockbit-ransomware-websites-offer-decryption-tools-troll-affiliates/

Link: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-secretly-building-next-gen-encryptor-before-takedown/

Link: https://thehackernews.com/2024/02/us-offers-15-million-bounty-to-hunt.html

Link: https://www.securityweek.com/law-enforcement-hacks-lockbit-ransomware-delivers-major-blow-to-operation/

Link: https://www.infosecurity-magazine.com/news/operation-cronos-who-are-lockbit/


How to Use Tines’s SOC Automation Capability Matrix

Created by John Tuckner and the team at workflow and automation platform Tines, the SOC Automation Capability Matrix (SOC ACM) is a set of techniques designed to help security operations teams understand their automation capabilities and respond more effectively to incidents.

A customizable, vendor-agnostic tool featuring lists of automation opportunities, it’s been shared and recommended by members of the security community since its launch in January 2023, notably by Airbnb engineer Allyn Stott in his BSides and Black Hat talk, How I Learned to Stop Worrying and Build a Modern Detection & Response Program.

The SOC ACM has been compared to the MITRE ATT&CK and RE&CT frameworks, with one user saying, “it could be a standard for classification of SOAR automations, a bit like the RE&CT framework, but with more automation focus.” It’s been used by organizations in Fintech, Cloud Security, and beyond, as a basis for assessing and optimizing their security automation programs.

Here, we’ll take a closer look at how the SOC ACM works, and share how you can use it in your organization.

Source: The Hacker News

Link: https://thehackernews.com/2024/02/how-to-use-tiness-soc-automation.html


How CVSS 4.0 changes (or doesn’t) the way we see vulnerability severity

CVSS 3.1, the current model used by many organizations to measure vulnerability severity, has been around for about four years now. With CVSS 4.0, the creators are hoping to add additional context around how an attacker could exploit a certain vulnerability and what specific requirements need to be met before an adversary could carry out the exploit.

Jerry Gamblin, a principal threat detection and response engineer for Cisco Vulnerability Management, said in a recent episode of Talos Takes that the main takeaway for users who just want to focus on the severity score (and whether an issue is particularly critical) will be a new “attack requirements” field for scoring a vulnerability. Vulnerabilities that require the targeted software to be configured in a certain way, outside of its default state, in order to be vulnerable are likely to have lower severity scores under CVSS 4.0, according to Gamblin.

FIRST also says that CVSS 4.0 offers “finer granularity through the addition of new base metrics and values,” including providing readers and administrators with new information about what attack requirements exist for an adversary to be successful, and whether or not user interaction is required for a vulnerability to be exploited.

Source: Cisco Talos Intelligence Group

Link: https://blog.talosintelligence.com/how-cvss-4-0-changes-vulnerability-severity/


X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe:

  • A sharp increase in abuse of valid accounts
  • A pivot in the approach of major ransomware groups
  • Our analysis of the timing and shape of the impact of generative AI (gen AI) on cybersecurity

Cybercriminals prefer to take the path of least resistance to meet their objectives, and therefore it is concerning that, for the first time in our research, abusing valid accounts became a preferred means of access into victim environments for cybercriminals. Use of stolen credentials to access valid accounts surged 71% over the previous year and represented 30% of all incidents X-Force responded to in 2023, tied with phishing as the top infection vector.

Source: IBM Security Intelligence

Link: https://securityintelligence.com/x-force/2024-x-force-threat-intelligence-index/