Cyber security aggregate rss news

Cyber security aggregator - feeds history

Update iPhone to iOS ...

 Threats

The latest versions of iOS and iPadOS (16.3) and macOS (Ventura 13.2) have fixed the vulnerabilities tracked as CVE-2023-23530 and CVE-2023-23531. We explain the nature of these bugs, why they deserve your attention, what Pegasus spyware has to do with it, and why you should take these and future iOS, iPadOS and macOS security updates seriously.

NSPredicate, FORCEDENTRY, Pegasus, and all the rest

To explain why these latest updates are important, we need a little background. The software foundation of apps made for Apple operating systems is called — though you may not believe it — the Foundation framework! Here's Apple's description of it:

The Foundation framework provides a base layer of functionality for apps and frameworks, including data storage and persistence, text processing, date and time calculations, sorting and filtering, and networking. The classes, protocols, and data types defined by Foundation are used throughout the macOS, iOS, watchOS, and tvOS SDKs.

A little over two years ago, in January 2021, an iOS security researcher known as CodeColorist published a report that showed how the implementation of the NSPredicate and NSExpression classes (which both make up part of the Foundation framework) can be exploited to execute arbitrary code. As it happens, these classes are responsible for sorting and filtering data. What's key here, in the context of this blogpost, is that these tools allow scripts to be executed on a device without verifying the digital signature of the code. CodeColorist's main finding was that such scripts can help bypass Apple security mechanisms — including app isolation. This makes it possible to write a malicious app that steals data (such as users' correspondence or random photos from the gallery) from other apps.

March 2022 saw the release of a paper on the practical implementation of such an app — the FORCEDENTRY zero-click exploit — which was used to spread the infamous Pegasus malware. The vulnerabilities within NSPredicate and NSExpression allowed this malware to perform a sandbox escape and gain access to data and functions outside the strictly defined boundaries within which all iOS apps work.

In the wake of both CodeColorist's theoretical work and the hands-on study of the FORCEDENTRY exploit, Apple implemented a number of security measures and restrictions. However, a new study shows that these are still easy to bypass.

Why CVE-2023-23530 and CVE-2023-23531 are dangerous

The CVE-2023-23530 and CVE-2023-23531 vulnerabilities are new ways to bypass these restrictions. The first, CVE-2023-23530, stems from how exactly Apple addressed the problem. Specifically, they drew up extensive denylists of classes and methods that pose an obvious security risk within NSPredicate. The catch is that, by using methods not included in the denylists, it's possible to wipe these lists clean and then use the full set of methods and classes. The second vulnerability, CVE-2023-23531, relates to how processes within iOS and macOS interact with each other, and how the data-receiving process filters incoming information. Simply put, the sending process can add a "contents verified" tag to its data, then feed the receiving process a malicious script that uses NSPredicate, which in some cases will be executed without verification.

According to the researchers, these two techniques for bypassing security checks allow exploitation of a number of other specific vulnerabilities. Attackers could use these vulnerabilities to gain access to user data and dangerous operating system features, and even install applications (including system ones). In other words, CVE-2023-23530 and CVE-2023-23531 can be used to create FORCEDENTRY-type exploits. To demonstrate the capabilities of CVE-2023-23530 and CVE-2023-23531, the researchers shot a video showing how a malicious app can be made to execute code inside SpringBoard (the standard application that manages the home screen on iOS) on an iPad. For its part, SpringBoard has elevated privileges and multiple access rights — including to the camera, microphone, call history, photos and geolocation data. What's more — it can completely wipe the device.

What this means for iOS and macOS security

We should stress that the dangers posed by CVE-2023-23530 and CVE-2023-23531 are purely theoretical: there've been no recorded cases of in-the-wild exploitation. Also, the iOS 16.3 and macOS Ventura 13.2 updates have patched them, so if you install them on time, you are, supposedly, safe. That said, we don't know how well Apple has patched the vulnerabilities this time. Perhaps workarounds will be found for these patches too. At any rate, in conversation with Wired, the researchers themselves were pretty sure that new vulnerabilities of this class will continue to appear.

Keep in mind that just being able to run scripts in iOS using NSPredicate is not enough for a successful hack. An attacker still needs to somehow get into the victim's device to be able to do anything with it. In the case of FORCEDENTRY, this involved the use of other vulnerabilities: an infected PDF disguised as an innocent GIF file was slipped onto the target device through iMessage.

The likelihood of such vulnerabilities being used in APT attacks is high, so it bears repeating the countermeasures you can take. We have a separate post about this where Costin Raiu, the Director of our Global Research & Analysis Team (GReAT), explains in detail how to protect yourself against Pegasus-class malware and why these measures work. Here's a brief summary of his advice:

- Restart your iPhone and iPad more often — it's hard for attackers to gain a permanent foothold in iOS, and a restart often kills malware.
- Disable iMessage and FaceTime if possible — these apps provide a convenient entry point for attacking iOS devices.
- Instead of Safari, use an alternative browser like, say, Firefox Focus.
- Don't follow links in messages.
- Install reliable protection on all your devices.

And finally (as we keep insisting ad infinitum), keep your operating systems up to date (and from now on, perhaps keep a more watchful eye out for iOS, iPadOS and macOS updates as and when they are released).

Microsoft Patch Tues ...

 Security Tools

Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.

The Outlook vulnerability (CVE-2023-23397) affects all versions of Microsoft Outlook from 2013 to the newest. Microsoft said it has seen evidence that attackers are exploiting this flaw, which can be done without any user interaction by sending a booby-trapped email that triggers automatically when retrieved by the email server — before the email is even viewed in the Preview Pane.

While CVE-2023-23397 is labeled as an “Elevation of Privilege” vulnerability, that label doesn’t accurately reflect its severity, said Kevin Breen, director of cyber threat research at Immersive Labs. Known as an NTLM relay attack, it allows an attacker to get someone’s NTLM hash [Windows account password] and use it in an attack commonly referred to as “Pass The Hash.”

“The vulnerability effectively lets the attacker authenticate as a trusted individual without having to know the person’s password,” Breen said. “This is on par with an attacker having a valid password with access to an organization’s systems.”

Security firm Rapid7 points out that this bug affects self-hosted versions of Outlook like Microsoft 365 Apps for Enterprise, but Microsoft-hosted online services like Microsoft 365 are not vulnerable.

The other zero-day flaw being actively exploited in the wild — CVE-2023-24800 — is a “Security Feature Bypass” in Windows SmartScreen, part of Microsoft’s slate of endpoint protection tools. Patch management vendor Action1 notes that the exploit for this bug is low in complexity and requires no special privileges. But it does require some user interaction, and can’t be used to gain access to private information or privileges. However, the flaw can allow other malicious code to run without being detected by SmartScreen reputation checks.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said CVE-2023-24800 allows attackers to create files that would bypass Mark of the Web (MOTW) defenses. “Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen,” Childs said.

Seven other vulnerabilities Microsoft patched this week earned its most-dire “critical” severity label, meaning the updates address security holes that could be exploited to give the attacker full, remote control over a Windows host with little or no interaction from the user.

Also this week, Adobe released eight patches addressing a whopping 105 security holes across a variety of products, including Adobe Photoshop, Cold Fusion, Experience Manager, Dimension, Commerce, Magento, Substance 3D Stager, Cloud Desktop Application, and Illustrator.

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that. Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

Two U.S. Men Charged ...

 A Little Sunshine

Two U.S. men have been charged with hacking into a U.S. Drug Enforcement Agency (DEA) online portal that taps into 16 different federal law enforcement databases. Both are alleged to be part of a larger criminal organization that specializes in using fake emergency data requests from compromised police and government email accounts to publicly threaten and extort their victims.

Prosecutors for the Eastern District of New York today unsealed criminal complaints against Sagar Steven Singh — also known as “Weep” — a 19-year-old from Pawtucket, Rhode Island; and Nicholas Ceraolo, 25, of Queens, NY, who allegedly also went by the handles “Convict” and “Ominus.”

The Justice Department says Singh and Ceraolo belong to a group of cybercriminals known to its members as “ViLE,” who specialize in obtaining personal information about third-party victims, which they then use to harass, threaten or extort the victims, a practice known as “doxing.”

“ViLE is collaborative, and the members routinely share tactics and illicitly obtained information with each other,” prosecutors charged.

The government alleges the defendants and other members of ViLE use various methods to obtain victims’ personal information, including:

- tricking customer service employees;
- submitting fraudulent legal process to social media companies to elicit users’ registration information;
- co-opting and corrupting corporate insiders;
- searching public and private online databases;
- accessing a nonpublic United States government database without authorization;
- unlawfully using official email accounts belonging to other countries.

The complaint says once they obtained a victim’s information, Singh and Ceraolo would post the information in an online forum. The government refers to this community only as “Forum-1,” saying that it is administered by the leader of ViLE (referenced in the complaint as CC-1).

“Victims are extorted into paying CC-1 to have their information removed from Forum-1,” prosecutors allege. “Singh also uses the threat of revealing personal information to extort victims into giving him access to their social media accounts, which Singh then resells.”

Sources tell KrebsOnSecurity that in addition to being members of ViLE, both Weep and Ominus are or were staff members for Doxbin, a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly. This is supported by the Doxbin administrator’s claimed responsibility for a high-profile intrusion at the DEA’s law enforcement data sharing portal last year.

A screenshot of alleged access to the Drug Enforcement Agency’s intelligence sharing portal, shared by “KT,” the current administrator of the doxing and harassment community Doxbin.

The government alleges that on May 7, 2022, Singh used stolen credentials to log into a U.S. federal government portal without authorization. The complaint doesn’t specify which agency portal was hacked, but it does state that the portal included access to law enforcement databases that track narcotics seizures in the United States.

On May 12, 2022, KrebsOnSecurity broke the news that hackers had gained access to a DEA portal that taps into 16 different federal law enforcement databases. As reported at the time, the inside scoop on how that hack went down came from KT, the current administrator of the Doxbin and the individual referenced in the government’s complaint as “CC-1.” Indeed, a screenshot of the ViLE group website includes the group’s official roster, which lists KT at the top, followed by Weep and Ominus.

A screenshot of the website for the cybercriminal group “ViLE.” Image: USDOJ.

In March 2022, KrebsOnSecurity warned that multiple cybercrime groups were finding success with fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms and mobile telephony providers, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death. That story showed that the previous owner of the Doxbin also was part of a teenage hacking group that specialized in offering fake EDRs as a service on the dark web.

Prosecutors say they tied Singh to the government portal hack because he connected to it from an Internet address that he’d previously used to access a social media account registered in his name. When they raided Singh’s residence on Sept. 8, 2022 and seized his devices, investigators with Homeland Security found a cellular phone and laptop that allegedly “contained extensive evidence of access to the Portal.”

The complaint alleges that between February 2022 and May 2022, Ceraolo used an official email account belonging to a Bangladeshi police official to pose as a police officer in communication with U.S.-based social media platforms. “In these communications, Ceraolo requested personal information about users of these platforms, under the false pretense that the users were committing crimes or in life-threatening danger,” the complaint states.

For example, on or about March 13, 2022, Ceraolo allegedly used the Bangladeshi police email account to falsely claim that the target of the EDR had sent bomb threats, distributed child pornography and threatened officials of the Bangladeshi government.

On or about May 9, 2022, the government says, Singh sent a friend screenshots of text messages between himself and someone he had doxed on the Doxbin and was trying to extort for their Instagram handle. The data included the victim’s Social Security number, driver’s license number, cellphone number, and home address.

“Look familiar?” Singh allegedly wrote to the victim. “You’re gonna comply to me if you don’t want anything negative to happen to your parents. . . I have every detail involving your parents . . . allowing me to do whatever I desire to them in malicious ways.”

Neither of the defendants could be immediately reached for comment. KT, the current administrator of Doxbin, declined a request for comment on the charges.

Ceraolo is a self-described security researcher who has been credited in many news stories over the years with discovering security vulnerabilities at AT&T, T-Mobile, Comcast and Cox Communications. Ceraolo’s stated partner in most of these discoveries — a 30-year-old Connecticut man named Ryan “Phobia” Stevenson — was charged in 2019 with being part of a group that stole millions of dollars worth of cryptocurrencies via SIM-swapping, a crime that involves tricking a mobile provider into routing a target’s calls and text messages to another device.

In 2018, KrebsOnSecurity detailed how Stevenson earned bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their websites, all the while secretly peddling those same vulnerabilities to cybercriminals.

According to the Justice Department, if convicted Ceraolo faces up to 20 years’ imprisonment for conspiracy to commit wire fraud; both Ceraolo and Singh face five years’ imprisonment for conspiracy to commit computer intrusions. A copy of the complaint against Ceraolo and Singh is here (PDF).

 Threat Actors

Cybercriminals, purportedly of Asia-Pacific origin, have launched attacks aimed at government and military organizations in Southeast Asian countries. According to EclecticIQ, Dark Pink APT is behind the campaign and attempts to cripple systems via a custom malware dubbed KamiKakaBot. These tools are used to execute arbitrary commands and pilfer sensitive data from users.

 Security Products & Services

OffSec (formerly Offensive Security) released Kali Linux 2023.1, the latest version of its popular penetration testing and digital forensics platform, accompanied by a technical preview of Kali Purple, a “one-stop shop for blue and purple teams.”

 Malware and Vulnerabilities

Criminals are exploiting a Microsoft SmartScreen bug to deliver Magniber ransomware, potentially infecting hundreds of thousands of devices, without raising any security red flags, according to Google's Threat Analysis Group (TAG).

 Malware and Vulnerabilities

Researchers from AhnLab have observed some unidentified threat actors use PlugX to exploit well-known flaws in remote desktop software to get complete control over the infected system. Several other threats, including the Sliver backdoor, Gh0st RAT, and XMRig coinminer, have abused the bugs in previous attacks. To prevent such threats, organizations are advised to regularly review and update their security posture, and keep all software updated.

 Identity Theft, Fraud, Scams

According to various researchers and security firms, threat actors are already out hunting for SVB-exposed prey through both passive and active phishing scams, including similar fake domains and business email compromise (BEC) attacks.

 Trends, Reports, Analysis

The standard hasn't had a significant update since 2013. There were some minor amendments in 2017, but largely these were structural or grammatical updates. In 2022, things have changed dramatically, but also in very subtle ways.

 Breaches and Incidents

On Monday, the cybergang behind the Alphv ransomware added an entry to their leaks site claiming they breached Ring and threatening to release data supposedly stolen from the company.

 Trends, Reports, Analysis

The media industry is more visible to the public than virtually any other sector. Correspondingly, cyberattacks on media entities, even those that have a relatively minor impact or are unsuccessful, are highly visible to the public.

 Breaches and Incidents

The Cybernews research team recently discovered that the French-based multinational aviation company, the eighth largest aerospace supplier worldwide, was leaking sensitive data due to a misconfiguration of its systems.

 Feed

Ubuntu Security Notice 5952-1 - Sebastian Poeplau discovered that OpenJPEG incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 18.04 LTS.

 Feed

Debian Linux Security Advisory 5373-1 - Dave McDaniel discovered that the SQLite3 bindings for Node.js were susceptible to the execution of arbitrary JavaScript code if a binding parameter is a crafted object.

 Feed

Red Hat Security Advisory 2023-1241-01 - Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat AMQ Streams 2.2.1 serves as a replacement for Red Hat AMQ Streams 2.2.0, and includes security and bug fixes, and enhancements. Issues addressed include an information leakage vulnerability.

 Feed

This Metasploit module uploads a payload to the /tmp directory in addition to a cron job to /etc/cron.d which executes the payload in the context of the root user. The core vulnerability is an arbitrary file write issue in /configWizard/keyUpload.jsp which is accessible remotely and without authentication. When you send the vulnerable endpoint a ZIP file, it will extract an attacker-controlled file to a directory of the attacker's choice on the target system. This issue is exploitable on FortiNAC versions 9.4 prior to 9.4.1, FortiNAC versions 9.2 prior to 9.2.6, FortiNAC versions 9.1 prior to 9.1.8, all versions of FortiNAC 8.8, all versions of FortiNAC 8.7, all versions of FortiNAC 8.6, all versions of FortiNAC 8.5, and all versions of FortiNAC 8.3.

 Feed

Ubuntu Security Notice 5953-1 - It was discovered that IPython incorrectly processed REST API POST requests. An attacker could possibly use this issue to launch a cross-site request forgery attack and leak users' sensitive information. This issue only affected Ubuntu 14.04 ESM. It was discovered that IPython did not properly manage cross-user temporary files. A local attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM.

 Feed

Ubuntu Security Notice 5951-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the NVMe driver in the Linux kernel did not properly handle reset events in some situations. A local attacker could use this to cause a denial of service.

 Feed

Red Hat Security Advisory 2023-1158-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.31. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2023-1221-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include null pointer and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2023-1199-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Issues addressed include buffer overflow, double free, and use-after-free vulnerabilities.

 Feed

Ubuntu Security Notice 5950-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

 Feed

Red Hat Security Advisory 2023-1202-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include denial of service, integer overflow, and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2023-1211-01 - The lua packages provide support for Lua, a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Issues addressed include denial of service and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2023-1220-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include a use-after-free vulnerability.

 Feed

Red Hat Security Advisory 2023-1203-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include denial of service, integer overflow, and use-after-free vulnerabilities.

 Feed

Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The

 Feed

Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report shared with The

 Feed

The stakes could not be higher for cyber defenders. With the vast amounts of sensitive information, intellectual property, and financial data at risk, the consequences of a data breach can be devastating. According to a report released by Ponemon institute, the cost of data breaches has reached an all-time high, averaging $4.35 million in 2022. Vulnerabilities in web applications are often the

 Feed

A cyberespionage actor known as Tick has been attributed with high confidence to a compromise of an East Asian data-loss prevention (DLP) company that caters to government and military entities. "The attackers compromised the DLP company's internal update servers to deliver malware inside the software developer's network, and trojanized installers of legitimate tools used by the company, which

 Feed

A previously undocumented threat actor dubbed YoroTrooper has been targeting government, energy, and international organizations across Europe as part of a cyber espionage campaign that has been active since at least June 2022. "Information stolen from successful compromises include credentials from multiple applications, browser histories and cookies, system information and screenshots," Cisco

Aggregator history: Wednesday, March 15, 2023