Various media sources are reporting a mass supply-chain attack targeting 3CX VoIP telephony system users. Unknown attackers have managed to infect 3CX VoIP applications for both Windows and macOS. Now the cybercriminals are attacking their users via a weaponized application signed with a valid 3CX certificate. The list of those users is quite something — consisting of more than 600,000 companies, including well-known brands from all over the world (American Express, BMW, Air France, Toyota, IKEA). A number of researchers have dubbed this malicious attack SmoothOperator.

Apparently, trojans are hiding in all versions of the software that were released after March 3; that is, builds 18.12.407 and 18.12.416 for Windows, and 18.11.1213 and newer for macOS. According to 3CX representatives, the malicious code got into the program because of some unnamed trojanized open-source component that was used by the development team.

The attack via trojanized 3CX software

Citing researchers from various companies, BleepingComputer describes the attack mechanism via a trojanized Windows client as follows:

The user either downloads an installation package from the company's official website and runs it, or receives an update for an already installed program;
Once installed, the trojanized program creates several malicious libraries, which are used for the next stage of the attack;
The malware then downloads .ico files hosted on GitHub with additional lines of data inside;
These lines are then used to download the final malicious payload — the one used to attack end users.

The mechanism for attacking macOS users is somewhat different. You can find its detailed description on the website of the Objective-See non-profit foundation.

What are the hackers after?

The downloaded malware is able to gather information about the system, as well as steal data and saved credentials from the user profiles of the Chrome, Edge, Brave, and Firefox browsers. In addition, attackers can deploy an interactive command shell, which, theoretically, allows them to do almost anything with the victim's computer.

Why is this attack especially dangerous?

The trojanized version of the program is signed with a legitimate 3CX Ltd. certificate issued by DigiCert — the same certificate used in earlier versions of the 3CX program. Moreover, according to Objective-See, the macOS version of the malware isn't only signed with a valid certificate, but also notarized by Apple! This means that the application is allowed to run on recent versions of macOS.

How to stay safe

The application's developers recommend urgently uninstalling trojanized versions of the program and using the VoIP web client until the update is released. It's also wise to conduct a thorough investigation of the incident to make sure that attackers haven't had time to take over your company's computers. In general, in order to control what's happening on the corporate network and to detect malicious activity in a timely manner, we recommend using Managed Detection and Response (MDR)-class services.
Episode 292 of the Transatlantic Cable Podcast is here! This week, the team talk about aggressive AI and how the DEA have turned Apple AirTags into a surveillance tool against criminals. Moving on, the team discuss recent news that Nvidia's CTO thinks that crypto-currencies don't bring anything useful for society – pretty bold words for a business that sold GPU cards to crypto-miners just a few years ago. To wrap up, discussion moves onto how the US is looking to block the use and sale of commercial spyware – however, there's a pretty big catch. If you liked what you heard, please consider subscribing.

Microsoft's Bing AI Now Threatening Users Who Provoke It
The DEA Quietly Turned Apple's AirTag Into A Surveillance Tool
Cryptocurrencies add nothing useful to society, says chip-maker Nvidia
President Biden kind of mostly bans commercial spyware from US govt
Business email compromise scams are moving beyond just stealing cash, with some threat actors fooling companies into sending goods and materials on credit, and then skipping out on payment.
Don't count on securing end users for system security. Instead, focus on better securing the systems — make them closed by default and build with a security-first approach.
Researchers spotted a new malware operation, named NullMixer, that hit over 8,000 targets within a week, with a special focus on North America, Italy, and France. The attackers use SEO poisoning, along with social engineering tactics, to lure their potential victims, consisting mostly of IT personnel and technocrats. Now stay ahead of such threats with our state-of-the-art threat intel exchange platform, CTIX.
The number of credential phishing emails sent spiked by 478%. Emotet and QakBot are the top malware families observed. For the eighth consecutive year, business email compromise (BEC) ranked as the top cybercrime.
AlienFox is a modular toolset comprising various custom tools and modified open-source utilities created by different authors. Threat actors use AlienFox to collect lists of misconfigured cloud endpoints from security scanning platforms.
A majority of organizations reported that global geopolitical instability has influenced their cyber strategy “moderately” or “substantially”. Their biggest concerns regarding cyberattacks are business continuity (67%) and reputational damage (65%).
While CrowdStrike suspects a North Korean state-backed hacking group it tracks as Labyrinth Collima is behind this attack, Sophos' researchers say they "cannot verify this attribution with high confidence."
Successful exploitation on unpatched devices using Sudo versions 1.8.0 through 1.9.12p1 could enable attackers to escalate privileges by editing unauthorized files after appending arbitrary entries to the list of files to process.
Mandiant identified a North Korean threat actor, named APT43, conducting cyberespionage campaigns against government organizations in the U.S. and South Korea. APT43 leverages its own set of custom malware, such as Pencildown, Venombite, Pendown, Laptop, Hangman backdoor, and others, not used by other attackers.
The company’s founders argue that an organization’s identity surface is now the number one attack vector, yet as companies increasingly rely on an ever-growing number of third-party services, that’s also becoming increasingly hard to manage.
Over the past few months, threat actors have been spreading ShellBot and Moobot malware on exploitable servers. Compromised victims can be controlled and used as DDoS bots after receiving a command from a C2 server.
A researcher was able to bypass OpenAI’s fix for the original account takeover issue, using a new payload, and discovered that all ChatGPT APIs were vulnerable to the bypass.
A recent update introduced a new SafeMoon smart contract function that burns tokens. Unfortunately, the function was mistakenly set to public without restrictions, allowing anyone to execute it as they wished.
Benjamin Fabre founded DataDome in 2015 with Fabien Grenier, a longtime business partner, after the pair made the observation that most companies weren’t able to detect and block bots.
The Azure Pipelines flaw affected both the SaaS version of Azure DevOps Server and the self-hosted, on-premises version. Customers running the on-premises version need to patch their instances to remediate the RCE vulnerability.
Are you a crypto user addicted to Tor? Tor browser users across the world are under attack with trojanized versions of Tor browser installers, especially those in Russia and nearby regions. These infected browsers were being promoted as "security-strengthened" versions of the browser. Kaspersky warned against the most common mistake - downloading and running Tor from a third-party store.
A new phishing campaign has surfaced to drop Remcos RAT and Formbook malware through DBatLoader malware loader, revealed Zscaler researchers. The campaign is aimed at compromising systems in Europe. Actors also leverage a multi-layered obfuscated HTML file and OneNote attachments to propagate the DBatLoader payload.
AI allows you to craft very believable ‘spear-phishing’ emails and other written communication with very little effort, especially compared to what you have to do before.
A vulnerability exists in the Windows Ancillary Function Driver for Winsock (afd.sys) that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. Due to a flaw in AfdNotifyRemoveIoCompletion, it is possible to create an arbitrary kernel Write-Where primitive, which can be used to manipulate internal I/O ring structures and achieve local privilege escalation. This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in January 2023 updates).
Ubuntu Security Notice 5986-1 - Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled certain memory operations. An attacker could possibly use these issues to cause the X Server to crash, execute arbitrary code, or escalate privileges.
Debian Linux Security Advisory 5380-1 - Jan-Niklas Sohn discovered that a use-after-free flaw in the Composite extension of the X.org X server may result in privilege escalation if the X server is running under the root user.
Red Hat Security Advisory 2023-1514-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.
Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. It was discovered that the Upper Level Protocol (ULP) subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
Red Hat Security Advisory 2023-1513-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.
Ubuntu Security Notice 5985-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.
Red Hat Security Advisory 2023-1310-01 - An update is now available for Logging Subsystem for Red Hat OpenShift - 5.5.9. Red Hat Product Security has rated this update as having a security impact of Moderate.
Red Hat Security Advisory 2023-1512-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.
Ubuntu Security Notice 5987-1 - It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. It was discovered that a use-after-free vulnerability existed in the SGI GRU driver in the Linux kernel. A local attacker could possibly use this to cause a denial of service or possibly execute arbitrary code.
Red Hat Security Advisory 2023-1529-01 - Service Telemetry Framework provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform deployment for storage, retrieval, and monitoring. Issues addressed include a denial of service vulnerability.
Ubuntu Security Notice 5983-1 - Cyku Hong discovered that Nette was not properly handling and validating data used for code generation. A remote attacker could possibly use this issue to execute arbitrary code.
3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers. "The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls
A group of academics from Northeastern University and KU Leuven has disclosed a fundamental design flaw in the IEEE 802.11 Wi-Fi protocol standard, impacting a wide range of devices running Linux, FreeBSD, Android, and iOS. Successful exploitation of the shortcoming could be abused to hijack TCP connections or intercept client and web traffic, researchers Domien Schepers, Aanjhan Ranganathan,
Multi-cloud data storage, once merely a byproduct of the great cloud migration, has now become a strategy for data management. "Multi-cloud by design," and its companion the supercloud, is an ecosystem in which several cloud systems work together to provide many organizational benefits, including increased scale and overall resiliency. And now, even security teams who have long been the holdout
A new "comprehensive toolset" called AlienFox is being distributed on Telegram as a way for threat actors to harvest credentials from API keys and secrets from popular cloud service providers. "The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns," SentinelOne security
Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution. Tracked as CVE-2023-23383 (CVSS score: 8.2), the issue has been dubbed "Super FabriXss" by Orca Security, a nod to the FabriXss flaw (CVE-2022-35829, CVSS score: 6.2) that was fixed by Microsoft in October 2022. "The Super FabriXss vulnerability
A Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG. "RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News. "The group has shown the ability to
A cryptocurrency hack leads us down a maze of twisty little passages, Joe Biden's commercial spyware bill, and Utah gets tough on social media sites. All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Register's Iain Thomson.
31-year-old Solomon Ekunke Okpe, of Lagos, was a member of a gang that devised and executed a variety of scams - including business email compromise (BEC), romance scams, working-from-home scams, and more - between December 2011 and January 2017. Read more in my article on the Hot for Security blog.