InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Operation Zero, a prominent zero-day broker, has announced a substantial bounty of up to $4 million for exploits targeting Telegram. This initiative underscores the escalating demand for vulnerabilities in widely used communication platforms.
Zero-day brokers like Operation Zero specialize in acquiring undisclosed software vulnerabilities, often to sell them to government agencies or other entities. The significant reward offered for Telegram exploits highlights the platform’s critical role in global communications and the potential impact of such vulnerabilities.
This development raises concerns about the security of messaging applications and the lengths to which organizations will go to uncover potential weaknesses. Users are reminded of the importance of staying updated on security practices and being cautious about the information shared over these platforms.
As the cybersecurity landscape evolves, the focus on securing communication channels like Telegram becomes increasingly vital. Both users and developers must remain vigilant against emerging threats to ensure the integrity and confidentiality of their communications.
The Zero Day Initiative (ZDI) blog discusses a series of critical vulnerabilities found in the Mazda in-vehicle infotainment (IVI) system. These vulnerabilities were identified by researcher Daan Keuper of Computest and were presented at the Pwn2Own 2023 Toronto contest. The IVI system in question, the Mazda Connect, is used in various models of Mazda vehicles and includes components such as a digital dashboard, navigation tools, and multimedia controls.
The vulnerabilities, categorized as command injection flaws, can be exploited to gain unauthorized access to the IVI system’s operating environment. This type of attack could allow an attacker to execute arbitrary commands, potentially leading to the compromise of vehicle control features and the personal data stored within the system. The issues stem from insufficient input validation within the system’s software components, allowing for external manipulation through crafted network packets or other entry points.
Mazda was notified of these findings as part of the responsible disclosure process. The company has since taken steps to release updates and patches to mitigate the identified vulnerabilities. However, as with many vehicle security flaws, there is concern about how quickly end-users and dealerships will apply these updates, highlighting the importance of prompt and widespread adoption of security patches.
The blog emphasizes the need for automotive manufacturers to integrate stronger security protocols within their software development life cycle. It also advocates for the broader automotive industry to prioritize cybersecurity measures as cars become more connected and software-reliant. The post closes with a call to action for car owners to remain vigilant about software updates and for manufacturers to enhance the robustness of their systems against potential threats.
Google has announced the release of Chrome 128 to the stable channel for Windows, Mac, and Linux.
This update, Chrome 128.0.6613.84 for Linux and 128.0.6613.84/.85 for Windows and Mac addresses a critical zero-day vulnerability actively exploited in the wild.
The update includes 38 security fixes, with particular attention to those contributed by external researchers.
Details of the Zero-Day Vulnerability
The Chrome team has been working diligently to address a zero-day vulnerability that has been actively exploited.
The vulnerability, CVE-2024-7971, involves type confusion in V8, Chrome’s open-source JavaScript engine.
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) reported this flaw on August 19, 2024.
While the specific details of the exploit remain restricted to protect users, the fix’s urgency underscores the vulnerability’s potential severity.
The Chrome team has emphasized that access to bug details and links will remain restricted until most users have updated their browsers.
This precaution ensures that users are protected before the vulnerability details are public, preventing further exploitation.
In addition to the zero-day vulnerability, the Chrome 128 update includes a wide range of security fixes.
Below is a table summarizing the key vulnerabilities addressed in this update:
Google says spyware vendors behind most zero-days it discovers…
Commercial spyware vendors (CSV) were behind 80% of the zero-day vulnerabilities Google’s Threat Analysis Group (TAG) discovered in 2023 and used to spy on devices worldwide.
Zero-day vulnerabilities are security flaws the vendors of impacted software do not know about or for which there are no available fixes.
Google’s TAG has been following the activities of 40 commercial spyware vendors to detect exploitation attempts, protect users of its products, and help safeguard the broader community by reporting key findings to the appropriate parties.
Based on this monitoring, Google has found that 35 of the 72 known in-the-wild zero-day exploits impacting its products over the last ten years can be attributed to spyware vendors.
“This is a lower-bounds estimate, as it reflects only known 0-day exploits. The actual number of 0-day exploits developed by CSVs targeting Google products is almost certainly higher after accounting for exploits used by CSVs that have not been detected by researchers, exploits where attribution is unknown, and cases where a vulnerability was patched before researchers discovered indications of exploitation in-the-wild.” – Google
Those spyware vendors use the zero-day flaws to target journalists, activists, and political figures as directed by their customers, including governments and private organizations.
Some notable CSVs highlighted in Google’s report are:
Cy4Gate and RCS Lab: Italian firms known for the “Epeius” and “Hermit” spyware for Android and iOS. The former acquired the latter in 2022, but operate independently.
Intellexa: Alliance of spyware firms led by Tal Dilian since 2019. It combines technologies like Cytrox’s “Predator” spyware and WiSpear’s WiFi interception tools, offering integrated espionage solutions.
Negg Group: Italian CSV with international reach established in 2013. It is known for “Skygofree” malware and “VBiss” spyware, targeting mobile devices through exploit chains.
NSO Group: Israeli firm famous for Pegasus spyware and other sophisticated espionage tools. It continues operations despite sanctions and legal issues.
Variston: Spanish CSV providing tailored security solutions. It collaborates with other vendors for zero-day exploits and is linked to the Heliconia framework, expanding in the UAE.
These vendors sell licenses to use their products for millions of dollars, allowing customers to infect Android or iOS devices using undocumented 1-click or zero-click exploits.
Some of the exploit chains utilize n-days, which are known flaws for which fixes are available, yet patching delays still make them exploitable for malicious purposes, often for extended periods.
Google says that CSVs have grown very aggressive in their hunt for zero-days, developing at least 33 exploits for unknown vulnerabilities between 2019 and 2023.
In the appendix of Google’s detailed report, one can find a list of 74 zero-days used by 11 CSVs. Of those, the majority are zero-days impacting Google Chrome (24) and Android (20), followed by Apple iOS (16) and Windows (6).
When white-hat researchers discover and fix the exploited flaws, CSVs often incur significant operational and financial damage as they struggle to reconstruct a working alternative infection pathway.
“Each time Google and fellow security researchers discover and disclose new bugs, it causes friction for CSVs and costs them development cycles,” says Google.
“When we discover and patch vulnerabilities used in exploit chains, it not only protects users, but prevents CSVs from meeting their agreements to customers, preventing them from being paid, and increasing their costs to continue operating.”
However, this is not enough to stop the proliferation of spyware, as the demand for these tools is strong, and the contracts are too lucrative for CSVs to give up.
Google calls for more action to be taken against the spyware industry, including higher levels of collaboration among governments, the introduction of strict guidelines that govern the use of surveillance technology, and diplomatic efforts with countries hosting non-compliant vendors.
Google is proactively countering spyware threats through solutions like Safe Browsing, Gmail security, the Advanced Protection Program (APP), and Google Play Protect, as well as by maintaining transparency and openly sharing threat information with the tech community.
Barracuda Email Security Gateway (ESG) Appliance has been discovered with an Arbitrary code Execution vulnerability exploited by a China Nexus threat actor tracked as UNC4841.
Additionally, the vulnerability targeted only a limited number of ESG devices.
However, Barracuda has deployed a security update to all the active ESGs to address this vulnerability, and has been automatically applied to all the devices, which does not require any action from the user.
The new vulnerability has been assigned to CVE-2023-7102, and the severity is yet to be categorized.
Chinese Hackers Exploit New Zero-Day
This vulnerability exists due to using a third-party library, “Spreadsheet::ParseExcel,” in the Barracuda ESG appliances.
This open-source third-party library is vulnerable to arbitrary code execution that can be exploited by sending a specially crafted Excel email attachment to the affected device.
The Chinese Nexus threat actors have been using this vulnerability to deploy new variants of SEASPY and SALTWATER malware to the affected devices.
However, Barracuda has patched these vulnerabilities accordingly. Moreover, Barracuda stated, “Barracuda has filed CVE-2023-7102 about Barracuda’s use of Spreadsheet::ParseExcel which has been patched”.
Another vulnerability, CVE-2023-7101, affected the same spreadsheet: ParseExcel, and no patches or updates were available.
Nevertheless, both of these vulnerabilities were associated with a previously discovered vulnerability, CVE-2023-2868, that was exploited by the same threat group in May and June 2023.
Furthermore, a complete report about these vulnerabilities, along with additional information, has been published, which provides detailed information about this vulnerability and the previously discovered vulnerabilities.
Atlassian fixed a critical zero-day flaw in its Confluence Data Center and Server software, which has been exploited in the wild.
Software giant Atlassian released emergency security updates to address a critical zero-day vulnerability, tracked as CVE-2023-22515 (CVSS score 10), in its Confluence Data Center and Server software.
The flaw CVE-2023-22515 is a privilege escalation vulnerability that affects Confluence Data Center and Server 8.0.0 and later. A remote attacker can trigger the flaw in low-complexity attacks without any user interaction.
The company is aware that the vulnerability has been exploited in attacks.
“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.” reads the advisory published by the company.
“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously.”
According to the advisory, the vulnerability doesn’t impact Atlassian Cloud sites. If customer’s Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
“It’s unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating. Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself.” reads a post published by Rapid7. “It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default.”
If admins are unable to upgrade their Confluence instances, as an interim measure the company recommends restricting external network access to them.
Atlassian also recommends mitigating known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances.
The software firm also recommends checking instances for the following indicators of compromise:
unexpected members of the confluence-administrator group
unexpected newly created user accounts
requests to /setup/*.action in network access logs
presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
In September 2022, threat actors were observed targeting unpatched Atlassian Confluence servers as part of an ongoing crypto mining campaign.
Trend Micro researchers warned of a crypto mining campaign targeting Atlassian Confluence servers affected by the CVE-2022-26134 RCE vulnerability disclosed in early June 2022.
Qualcomm recently issued warnings about three zero-day vulnerabilities within its GPU and Compute DSP drivers that are currently being exploited by hackers. These warnings were initiated based on information received from Google’s Threat Analysis Group (TAG) and Project Zero teams. According to their reports, there is limited but targeted exploitation of vulnerabilities identified as CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063.
In response to these imminent threats, Qualcomm has rolled out security updates designed to rectify the issues present within its Adreno GPU and Compute DSP drivers. The company has promptly communicated this information to the affected Original Equipment Manufacturers (OEMs), urging them to implement these security updates without delay.
One of the significant flaws, CVE-2022-22071, which was initially disclosed in May 2022, is categorized as a high-severity issue, with a CVSS v3.1 score of 8.4. This vulnerability is a use-after-free bug that can be exploited locally and affects widely-used chips, including the SD855, SD865 5G, and SD888 5G.
However, Qualcomm has opted to remain tight-lipped regarding the details of the other actively exploited vulnerabilities, namely CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063. Further information on these vulnerabilities is expected to be disclosed in the company’s security bulletin scheduled for December 2023.
In addition to these, Qualcomm’s recent security bulletin also shed light on three other critical vulnerabilities, each with severe implications:
CVE-2023-24855 involves memory corruption within Qualcomm’s Modem component. This occurs when processing security-related configurations prior to the AS Security Exchange and has a CVSS v3.1 score of 9.8.
CVE-2023-28540 relates to a cryptographic issue within the Data Modem component, resulting from insufficient authentication processes during TLS handshakes, with a CVSS v3.1 score of 9.1.
CVE-2023-33028 involves memory corruption in the WLAN firmware which occurs during the copying of pmk cache memory without conducting necessary size checks, and it holds a CVSS v3.1 score of 9.8.
In light of these findings, Qualcomm disclosed an additional 13 high-severity flaws along with three more vulnerabilities classified as critical, all of which were identified by the company’s engineers. In total, Qualcomm has released updates to address 17 vulnerabilities across various components while highlighting that three zero-day vulnerabilities are currently being actively exploited.
Of these identified vulnerabilities, three have been classified as critical, 13 are high-severity, and one is medium-severity. Qualcomm’s advisory noted: “There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.”
To safeguard against these vulnerabilities, patches for issues in the Adreno GPU and Compute DSP drivers have been issued and are readily available. OEMs have been duly notified and strongly urged to deploy these security patches at the earliest convenience to prevent potential exploitation.
Users of Qualcomm products are advised to stay vigilant and apply updates provided by OEMs as soon as they are released to ensure their devices are protected from these vulnerabilities. This proactive approach to device security is crucial in mitigating the risk of exploitation and maintaining the integrity and functionality of devices that play a pivotal role in various technological applications.
Google has designated a brand new CVE number for a major security vulnerability that has been discovered in the libwebp image library, which is used for displaying pictures in the WebP format. This flaw has been found to be exploited in the wild by malicious users. A major vulnerability that existed in Google Chrome for Windows, macOS, and Linux was addressed by a security update that was provided by Google. A CVE ID of CVE-2023-4863 has been assigned to the security flaw, and the vulnerability has been rated as having a severity of 8.8 (High).
As a result of the analysis of the vulnerability, it was found that the libwebp library included a heap buffer overflow vulnerability. This vulnerability allows a threat actor to conduct an out-of-bounds memory write by using a crafted HTML page to trigger the issue.
However, Google has once again reported this vulnerability, which is now known as CVE-2023-5129 and is being monitored. After further investigation, it was discovered that the vulnerability known as CVE-2023-41064 and this one also impacted the same libwebp library. The development comes after Apple, Google, and Mozilla provided remedies to address a flaw that may enable arbitrary code execution when processing a carefully designed picture. The bug is tracked separately as CVE-2023-41064 and CVE-2023-4863. The execution of arbitrary code might lead to a security breach. It is likely that both problems are solutions to the same fundamental issue that exists in the library. CVE-2023-41064 is claimed to have been linked with CVE-2023-41061 as part of a zero-click iMessage attack chain termed BLASTPASS to deliver a mercenary malware known as Pegasus, as stated by the Citizen Lab. At this time, we do not have access to any other technical specifics.
But the choice to “wrongly scope” CVE-2023-4863 as a vulnerability in Google Chrome belied the reality that it also affects practically every other program that depends on the libwebp library to handle WebP pictures, showing that it had a wider effect than was originally supposed. CVE-2023-4863 was discovered by Google security researchers and is tracked by the CVE identifier.
An investigation carried out by Rezillion over the last week has uncovered a comprehensive list of frequently used software programs, code libraries, frameworks, and operating systems that are susceptible to the CVE-2023-4863 vulnerability.
Additionally, the security researcher who found the vulnerabilities CVE-2023-41064 and CVE-2023-4863 reported both of them. This indicates that the researcher brought this issue to the attention of both firms, which led to the creation of two distinct CVEs in the past.
Apple released emergency security updates to address three new actively exploited zero-day vulnerabilities.
Apple released emergency security updates to address three new zero-day vulnerabilities (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) that have been exploited in attacks in the wild.
The three flaws were discovered by Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group. The two research teams have already discovered multiple actively exploited zero-days in Apple products that were exploited in targeted attacks against high-profile individuals, such as opposition politicians, dissidents, and journalists.
CVE-2023-41993 is an arbitrary code execution issue that resides in the Webkit.
An attacker can trigger the flaw by tricking the victim into visiting specially crafted web content that may lead to arbitrary code execution. The IT giant addressed the flaw with improved checks.
The second zero-day flaw, tracked as CVE-2023-41991, resides in the Security framework. An attacker can exploit this vulnerability to bypass signature validation using malicious apps. The company fixed the vulnerability by fixing a certificate validation issue.
The third zero-day, tracked as CVE-2023-41992, resides in the Kernel Framework. A local attacker can trigger the flaws to elevate their privileges. Apple fixed the flaw with improved checks.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.” reads the advisory published by the company.
The company fixed the three zero-day vulnerabilities with the release of macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1.
Fixes are available for iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later
Apple has already patched 16 actively exploited zero-day vulnerabilities in 2023, below is the list of the flaws fixed by the company:
In the past, Citrix was found to have a Zero-Day vulnerability in its Citrix NetScaler Application Delivery Controller (ADC), which made it possible for malicious actors to carry out remote code execution.
It was discovered that the zero-day vulnerability was being used in the wild, hence it was assigned the CVE ID 2023-3519 and the severity rating of 9.8 (Critical). Citrix did provide fixes to address the vulnerability, but there was no way to determine whether or not a particular Citrix appliance had been compromised.
A new report states that it has been discovered that more than 1900 NetScalers are still infected with a backdoor. This information was obtained during a recent investigation.
Mandiant has launched a tool to assist business defenders in determining whether Citrix networking devices have been hacked in light of the fact that thousands of Citrix networking products are still susceptible to a major vulnerability that has not been patched and are accessible on the internet.
Citrix ADC and Citrix Gateway version 13.1, Citrix ADC and Citrix Gateway version 13.0, Citrix ADC and Citrix Gateway version 12.1, Citrix ADC, and Citrix Gateway version 12.0 are all compatible versions with which the IoC Scanner may be utilized.
On July 18, Citrix released a patch for the zero-day critical vulnerability (CVE-2023-3519) in its NetScaler application delivery controller and gateway products. The company also recommended that businesses that use the vulnerable products immediately deploy the fix. The vulnerability might be exploited to allow for the execution of unauthenticated remote code. The vulnerability is already being aggressively exploited by a number of threat organizations, who are doing so by establishing web shells within corporate networks and carrying out hundreds of attacks.
According to the findings of the researchers, there are still close to 7,000 examples available on the web. Around 460 of them had Web shells installed, most likely as a result of being compromised.
This application, which may be found on GitHub, was developed by Mandiant and has the ability to determine the file system paths of known malware, post-exploitation activities in shell history etc. The independent Bash script may be executed directly on a Citrix ADC device to search for known indications in files, processes, and ports. (The utility must be executed on the appliance in live mode while logged in as root.) According to Mandiant, it can also examine a forensic image that has been mounted for use in an investigation.
This application has a wide variety of functionality, such as scanning,
File system path that could be a malware Shell history for suspicious commands NetScaler directories and files that match with IOCs Suspicious file permissions or ownership Instances of Crontab Malicious processes running on the system
This solution, which was created in partnership with Citrix and Mandiant, has the only purpose of assisting enterprises in preventing compromised systems and scanning for evidence of their presence.
According to Mandiant, the IoC Scanner will do a “best-effort job” of detecting compromised items; nevertheless, it is possible that it may not be able to locate all infected devices or determine whether or not the device is susceptible to being exploited. According to the company, “This tool is not guaranteed to find all evidence of compromise, or all evidence of compromise related to CVE 2023-3519,” which is a vulnerability.
CODESYS, a widely-used integrated environment for controller programming, holds a strong presence in Operational Technology across diverse industries, such as:-
Factory automation
Energy
Mobile
Building
Embedded
Process
Backed by more than 500 manufacturers (including Schnieder Electric, Beckhoff, Wago, Eaton, ABB, Festo, etc.) and spanning various architectures that we have mentioned below, CODESYS powers millions of global devices:-
MIPS
Renesas
ARM
PowerPC
TriCore
Cybersecurity Researcher at Microsoft, Vladimir Eliezer Tokarev, recently identified several high-severity vulnerabilities and 16 zero-day vulnerabilities in CODESYS (CODESYS V3 SDK).
Microsoft’s cyberphysical system researchers identified high-severity vulnerabilities in CODESYS V3 SDK that could lead to security risks for OT infrastructure. If you’re at #BHUSA, you can attend this session on August 10 to learn more: https://msft.it/60199ynQT
Besides this, Vladimir Eliezer Tokarev dubbed the 16 zero-day vulnerabilities that he found in CODESYS as “CoDe16,” a code name for this complete set of CODESYS zero-day vulnerabilities.
While the OT infrastructure could be affected severely by successfully exploiting all these high-severity vulnerabilities discovered in CODESYS V3 SDK.
Moreover, the Microsoft Threat Intelligence team also prompted and recommended that users at the BHUSA event (Black Hat USA 2023) attend their official session related to this vulnerability profile on August 10.
BHUSA Event Session
Cybersecurity researchers will detail the following key things during this event session:-
Exciting findings
Share technical insights into vulnerability discovery
Firmware extraction
Analysis
Apart from this, all the challenges, like proprietary network protocols and debugger-free analysis, will also be explored.
Security analysts will also unveil the root-cause for key flaws, and demonstrate the remote code execution chain to implant malicious payload, gaining full PLC control and factory floor manipulation.
Closing remarks will include the mitigation strategies, an open-source validation tool for CODESYS devices, and a live demo of successful RCE on an exposed system.
Recent news reports have brought attention to two serious zero-day vulnerabilities that pose a risk to the digital security of Apple products sold in every region of the world. Both of these vulnerabilities, which have been given the CVE identifiers CVE-2023-37450 and CVE-2023-38606, were found to be present in Apple’s WebKit browser engine and kernel component for several platforms. Both vulnerabilities have been actively exploited, which makes it imperative that quick attention be paid to these security flaws. WebKit has a security vulnerability that has been identified as CVE-2023-37450. If exploited, this vulnerability might enable malicious actors to execute arbitrary code on susceptible devices, giving them control of such devices. The attack begins when a victim visits a malicious website without their knowledge while using a device that has already been infected. The iPhone 8 and subsequent models, as well as all versions of the iPad Pro, iPad Air (3rd generation and later), iPad 5th generation and later, and iPad mini 5th generation and later, are included in the list of impacted devices. MacOS Ventura is also involved. A researcher who wishes to remain nameless discovered and reported this problem.
As a direct reaction to this vulnerability, Apple has strengthened its security mechanism against it by including more checks with iOS 16.6, iPadOS 16.6, and macOS Ventura 13.5. In spite of this, the corporation continues to exercise extreme caution, admitting in its security warnings that there is evidence suggesting that this vulnerability may have been actively exploited. The business disclosed this information in security warnings that described the vulnerability. “Apple is aware of a report that this issue may have been actively exploited,” the company said.
A KERNEL ZERO-DAY BUG WITH THE IDENTIFIER CVE-2023-38606
Experts from Kaspersky discovered the second vulnerability, which was given the identifier CVE-2023-38606. If this kernel issue were exploited, it would allow attackers to “modify sensitive kernel state” on iPhones and Macs, which would give them the ability to possibly take control of these devices. The technology giant disclosed this information in security advisories explaining the vulnerability. “Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1,” the firm said.
The danger affects a broad variety of Apple products, such as the macOS Big Sur, Monterey, and Ventura operating systems, as well as all iPhone models beginning with the iPhone 6s and moving forward. All versions of the iPad Pro, iPad Air starting with the 3rd generation, iPad starting with the 5th generation, iPad mini starting with the 5th generation, and the iPod touch starting with the 7th generation are all susceptible.
Apple has strengthened its state management in response to this vulnerability, which the company discovered very quickly. On the other hand, the tech giant has issued a warning that versions of iOS that were launched prior to iOS 15.7.1 may have been vulnerable to this bug.
In order for users to defend themselves against these attacks, it is strongly recommended that they upgrade their devices to the most recent versions of iOS, iPadOS, and macOS as quickly as they can.
The exploitation of the Citrix NetScaler ADC zero-day vulnerability (CVE-2023-3519) was first spotted by a critical infrastructure organization, who reported it to the Cybersecurity and Infrastructure Security Agency (CISA).
“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement,” the agency shared in an advisory published on Thursday.
IoCs, IR and mitigation advice
The attack was reported to CISA and Citrix in July 2023, and Citrix announced fixes for it on July 18.
The security bulletin mentioned that “exploits of CVE-2023-3519 on unmitigated appliances have been observed,” but no additional details about the attacks or how to check whether an organizations had been a target had been publicly shared.
A list of indicators of compromise (IoCs) had been shared with select organizations, under the understanding that the info would not be widely shared (i.e., that the contents would be restricted to those organization and shared with its clients “on a need-to-know basis”).
“As we hear from the Citrix community, more and more attacked systems are being found. The first exploits have also been available for purchase on the dark web for some time,” German IT consultant Manuel Winkel said on July 19.
He shared advice on how to check whether one’s organization has been hit, and advised on what to do if the result is positive.
CISA’s advisory offers more details about the threat actor activity in the attack detected at the critical infrastructure organization, delineates attack detection methods, and offers advice on incident response if compromise is detected.
In-the-wild exploitation of CVE-2023-3519
Greynoise has created a tag to show in-the-wild probing of internet-facing NetScaler ADC platforms and Gateways with authentication attempts through CVE-2023-3519, but so far there have been no detections.
Standalone and Nmap scripts for identifying vulnerable installations have been publishedon GitHub.
If what Winkel says is true – namely, that first exploits for CVE-2023-3519 have been available for purchase on the dark web for a while – it’s possible that there are many compromised organizations out there who didn’t manage to block the attackers’ lateral movement.
It’s currently impossible to say what the attackers’ ultimate goal is, but affected organizations may discover it soon if they don’t react quickly.
UPDATE (July 22, 2023, 10:55 a.m. ET):
Technicalanalyses of the flaw are now public and threat actors could use them to create a reliable exploit soon. Patch quickly!
Microsoft reported a previously unknown vulnerability known as a zero-day flaw that was present in many versions of Windows and Office and was being actively exploited in the wild. The vulnerability, which was tracked and given the identifier CVE-2023-36884, was used by nation-state actors and cybercriminals to acquire remote code execution by using infected Office documents. The massive information technology company is looking into allegations of many vulnerabilities that allow remote code execution and affect Windows and Office products. The firm said that it is aware of high-targeted attacks that aim to exploit these weaknesses using specially created Office documents. These attacks were exposed by the corporation. Microsoft is attempting to remedy the issue, and security researchers have suggested that it may be remedied with an out-of-band patch that can be sent prior to the August Patch Tuesday update.
Customers that make use of Microsoft Defender for Office are safeguarded against attachments that make an effort to take advantage of this vulnerability.
The adoption of the Block all Office programs from starting child processes Attack Surface Reduction Rule will prevent the vulnerability from being used in the present attack chains. This rule will reduce the attack surface.
In order to avoid being exploited, organizations that are unable to make use of these precautions may prevent themselves from being exploited by setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry entry. Please be aware that despite the fact that the aforementioned registry adjustments would prevent the problem from being exploited, they could disrupt the normally operating functionality of specific use cases that are linked to these apps. In this registry entry, add the names of the applications in the following list as values of type REG_DWORD with data 1:
Microsoft Patch Tuesday Security updates for May 2023 address a total of 40 vulnerabilities, including two zero-day actively exploited in attacks.
Microsoft’s May 2023 security updates address 40 vulnerabilities, including two zero-day flaws actively exploited in attacks. The flaws affect Microsoft Windows and Windows Components; Office and Office Components; Microsoft Edge (Chromium-based); SharePoint Server; Visual Studio; SysInternals; and Microsoft Teams.
Seven of the addressed vulnerabilities are rated Critical and 31 are rated Important in severity.
The two actively exploited zero-day vulnerabilities addressed with the relaese of Patch Tuesday Security updates for May 2023 are:
CVE-2023-29336 (CVSS 7.8) – Win32k Elevation of Privilege Vulnerability. This vulnerability is actively exploited in attacks. The flaw can be chained with a code execution bug to spread malware. The vulnerability was reported by researchers Jan Vojtěšek, Milánek, and Luigino Camastra from Avast Antivirus firm, a circumstance that suggests it was used as part of an exploit chain to deliver malware.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” reads the advisory.
CVE-2023-24932 (CVSS 6.7)– Secure Boot Security Feature Bypass Vulnerability. An attacker with physical access or Administrative rights to a target device could install an affected boot policy and bypass Secure Boot. The flaw was reported by Martin Smolar from ESET and Tomer Sne-or from SentinelOne.
“To exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy,” reads Microsoft’s advisory.
The most severe vulnerabilities addressed by Microsoft are:
CVE-2023-24941 (CVSS 9.8) – Windows Network File System Remote Code Execution Vulnerability.
CVE-2023-24943 (CVSS 9.8) – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability.
Microsoft also addressed a remote code execution flaw in SharePoint Server, tracked as CVE-2023-24955, that was demonstrated by the Star Labs team at the Pwn2Own Vancouver 2023 exploit contest. The flaw was part of an exploit chain used to obtain code execution on the target server.
Apple Fixes Zero Day vulnerabilities for iOS And MacOS devices.
Apple recently released a security update for its iOS and MacOS devices, and fixing zero-day vulnerabilities that could allow cyber attackers to access users’ devices.
The iOS and iPadOS, version 15.7.5, addresses a vulnerability in the iOSurfaceAccelerator and WebKit engine that could allow an app and website to execute arbitrary code with kernel privileges processing maliciously.
Apple notes that this vulnerability has been actively exploited in the wild, making it especially important for users to update their devices as soon as possible.
Meanwhile, the MacOS update, including macOS Big Sur 11.7.6 and macOS Monterey 12.6.5, addressed with improved input validation.
macOS Big Sur 11.7.6
CVE-2023-28206
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. Description: An out-of-bounds write issue was addressed with improved input validation.
iOS 15.7.5 and iPadOS 15.7.5
CVE-2023-28206
IOSurfaceAccelerator
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. Description: An out-of-bounds write issue was addressed with improved input validation.
WebKit
CVE-2023-28205
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.
WebKit Bugzilla: 254797
macOS Monterey 12.6.5
CVE-2023-28206
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved input validation.
Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security.
The latest version of iOS and iPadOS is 16.4.1.
The latest version of macOS is 13.3.1.
The latest version of tvOS is 16.4.
The latest version of watchOS is 9.4.
Note that after a software update is installed for iOS, iPadOS, tvOS, and watchOS, it cannot be downgraded to the previous version.
As always, Apple is urging all users to update their devices to the latest iOS and MacOS as soon as possible to ensure they are protected against these critical security vulnerabilities. Users can download the updates to the iOS device Settings app, and the Software Update section of the System Preferences app on their MacOS device.
Recently, the FortiGuard Labs team made a groundbreaking discovery of several new zero-day attacks in the PyPI packages. The source of these attacks was traced back to a malware author known as “Core1337.” This individual had published a number of packages.
Here below we have mentioned the packages that are published by Core1337:-
3m-promo-gen-api
Ai-Solver-gen
hypixel-coins
httpxrequesterv2
httpxrequester
Between the 27th of January and the 29th of January 2023, these attacks were published. The recent discovery made by the FortiGuard Labs team revealed that each of the packages published by the malware author “Core1337” had only one version with an empty description.
However, what was alarming was the fact that all of these packages contained similar malicious code. This raises the question of the level of sophistication and the intentions behind these attacks.
Technical Analysisof the Packages
First of all, cybersecurity analysts have noticed something that looks like a URL for a webhook in its setup[.]py file:-
There is a similar code in each package’s setup.py file except for the URL of the webhook that is sent from each package. It appears that the URL in question may have a connection to the infamous “Spidey Bot” malware.
This particular strain of malware is notorious for its ability to pilfer personal information via Discord, as highlighted in a recent blog post by the organization. The blog, entitled “Web3-Essential Package,” delves into the dangers posed by the “Spidey Bot.”
Experts in the field have discovered potential malicious behaviors in a recent static analysis that was conducted by reviewing the setup.py script. During this process, the experts meticulously examined the code and were able to identify several key indicators that point toward malicious intent.
Experts in the field of malware analysis have gained a general understanding of the behavior of a particular strain of malware by carefully examining its primary function.
According to their findings, this malware may attempt to extract sensitive information from various browsers and the Discord platform and then store it in a file for later exfiltration.
In order to gain a better understanding of the inner workings of this piece of malware, experts have focused their attention on the “getPassw” function. This function is specifically designed to gather user and password information from the browser and then save it to a text file.
The malware has a self-proclaimed title of “Fade Stealer,” which it prominently displays in the form of its name being written at the top of its accompanying text file.
As for its ‘getCookie’ function, the behavior is similar to the one seen in its other functions. Based on the functions of “Kiwi,” “KiwiFile,” and “uploadToAnonfiles,” it appears that the malware is programmed to scan specific directories and select specific file names for the purpose of transferring them through a file-sharing platform:-
https[:]//transfer[.]sh
All these packages have one thing in common – they possess similar codes that are created for the purpose of launching attacks. While all these packages may have different names, the underlying intention and code structure is the same, which indicates the work of a single author.
The American corporation Lexmark International, Inc. is a privately owned business that specializes in the production of laser printers and other image goods.
The researcher found that the product is susceptible to two vulnerabilities, either of which can be exploited by an adversary to copy file data from a source path to a destination path or to induce the server-side application to make requests to an unintended location. Both of these vulnerabilities are possible due to the fact that the product is vulnerable to both of these vulnerabilities. According to the specialists, the printer has two vulnerabilities that enable an authorized hacker to upload arbitrary files and run code with elevated privileges. Both of these vulnerabilities may be exploited by a malicious user.
He published the code on Github that had a proof-of-concept (PoC) exploit for each of the four vulnerabilities. These vulnerabilities make it possible for an adversary to seize control of a vulnerable device.
According to the findings of the researcher, an attack may be carried out that compromises the device by exploiting all four of its vulnerabilities simultaneously.
The proof-of-concept attack has been successfully tested against a Lexmark MC3224adwe printer using the most recent version of the firmware, CXLBL.081.225; nevertheless, it is claimed to operate successfully against other printers and photocopiers as well.
The security flaw that was discovered in Lexmark’s printer devices has not been fixed.
Aikido is the wiper tool that has been developed by the Or Yair of SafeBreach Labs, and the purpose of this wiper is to defeat the opponent by using their own power against them.
As a consequence, this wiper can be run without being given privileges. In addition, it is also capable of wiping almost every file on a computer, including the system files, in order to make it completely unbootable and unusable.
EDRs are responsible for deleting malicious files in two main ways, depending on the following contexts:-
Time of threat identification
Time of threat deletion
Window Opportunity (Safebreach)
As soon as a malicious file is detected and the user attempts to delete it, the Aikido wiper takes advantage of a moment of opportunity.
This wiper makes use of a feature in Windows allowing users to create junction point links (symlinks) regardless of the privileges of the users’ accounts, which is abused by this wiper.
A user who does not have the required permissions to delete system files (.sys) will not be able to delete those files according to Yair. By creating a decoy directory, he was able to trick the security product to delete the file instead of preventing it from being deleted.
Likewise, he placed a string inside the group that resembled the path intended for deletion, for example, as follows:-
C:\temp\Windows\System32\drivers vs C:\Windows\System32\drivers
Qualities of the Aikido Wiper
Here below we have mentioned all the general qualities of the Aikido Wiper:-
Fully Undetectable
Makes the System Unbootable
Wipes Important Data
Runs as an Unprivileged User
Deletes the Quarantine Directory
Product analysis and response from the vendor
It was found that six out of 11 security products tested by Or Yair were vulnerable to this exploit. In short, over 50% of the products in this category that is tested are vulnerable.
Here below we have mentioned the vulnerable ones:-
Defender
Defender for Endpoint
SentinelOne EDR
TrendMicro Apex One
Avast Antivirus
AVG Antivirus
Here below we have mentioned the products that are not vulnerable:-
Palo Alto XDR
Cylance
CrowdStrike
McAfee
BitDefender
Between the months of July and August of this year, all the vulnerabilities have been reported to all the vendors that have been affected. There was no arbitrary file deletion achieved by the researcher in the case of Microsoft Defender and Microsoft Defender for Endpoint products.
In order to cope with the vulnerabilities, three of the vendors have issued the following CVEs:-
This exploit was also addressed by three of the software vendors by releasing updated versions of their software to address it:-
Microsoft Malware Protection Engine: 1.1.19700.2
TrendMicro Apex One: Hotfix 23573 & Patch_b11136
Avast & AVG Antivirus: 22.10
This type of vulnerability should be proactively tested by all EDR and antivirus vendors to ensure that their products are protected from similar attacks in the future.
For organizations using EDR and AV products, the researcher strongly recommends that they consult with their vendors for updates and patches immediately.
A Barcelona-based company, a spyware vendor named Variston IT, is exploiting flaws under the guise of a custom cybersecurity solutions provider.
On 30th November, Google’s Threat Analysis Group (TAG) reported that a Barcelona-based company, actually a spyware vendor, named Variston IT has been exploiting n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender under the guise of a custom cybersecurity solutions provider.
In their detailed technical report, TAG explained that Variston IT had been using their exploitation framework called Heliconia to install spyware on the targeted devices. The researchers at Google received an anonymous submission to Chrome’s bug reporting program which brought to their attention the exploitation framework.
Heliconia actually contains three separate exploitation frameworks. One of them is used to compromise the Chrome renderer bug so that it can escape the walls of the app’s sandbox and run malware on the operating system.
Another one is used to deploy malicious PDF documents containing an exploit for Windows Defender (a built-in antivirus engine in the newer versions of Windows). The last framework is for compromising Windows and Linux machines by using a set of Firefox exploits.
A manifest file in the source code provides a product description (Image: Google)
In its report, the tech giant observed that the Heliconia exploit is successful against Firefox versions 64 to 68, which suggests that it was created and used as early as December 2018 when Firefox 64 first came out.
Google, Microsoft, and Mozilla fixed the vulnerabilities in 2021 and early 2022. They further stated that, although they had not detected active exploitation, it is likely that the vulnerabilities had been exploited before they could be fixed.
