Apple, Google release emergency security updates to fix WebKit, Chrome zero-days
Apple issued software updates for iOS, iPadOS, macOS, and Safari web browser to patch two security vulnerabilities that it said have come under active exploitation in the wild on older versions of its software. Both bugs affect the WebKit web browser engine.
One of the bugs (CVE-2023-42916) is an out-of-bounds read issue that could be exploited for arbitrary code execution when processing web content. The second vulnerability (CVE-2023-42917) is a buffer overflow issue that could result in arbitrary code execution when processing HTML content.
Apple said that CVE-2023-42916 and CVE-2023-42917 were already exploited against versions of iOS before iOS 16.7.1.
Separately, Google rolled out security updates for its Chrome browser to address multiple vulnerabilities, including an actively exploited zero-day flaw.
The flaw (CVE-2023-6345) is an integer overflow issue in the Skia graphics component in Chrome. It can be exploited remotely to achieve code execution on the target system; to do this, an attacker needs to trick the user into visiting a malicious webpage.
Qlik Sense vulnerabilities exploited in Cactus ransomware attacks
The Cactus ransomware gang has been observed exploiting three vulnerabilities in Qlik Sense business analytics servers for initial access to corporate networks. The three vulnerabilities are:
CVE-2023-41265 - An HTTP tunneling issue due to improper validation of HTTP headers. A remote user can send a specially crafted HTTP request over a tunneled connection and gain elevated privileges on the system.
CVE-2023-41266 - A path traversal vulnerability due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
CVE-2023-48365 - An HTTP interpretation issue due to improper validation of HTTP requests, caused by an incomplete fix for #VU80193 (CVE-2023-41265). A remote authenticated user can elevate their privileges within the application by tunneling HTTP requests.
New GoTitan botnet exploits recently patched Apache ActiveMQ flaw
Multiple threat actors have been observed exploiting a recently patched critical vulnerability (CVE-2023-46604) in Apache ActiveMQ to disseminate several malware strains, including Sliver, Kinsing, and Ddostf.
According to a new report from researchers at Fortiguard Labs, the flaw has been weaponized by a new Golang-based botnet dubbed “GoTitan” designed for launching distributed denial-of-service (DDoS) attacks via protocols such as HTTP, UDP, TCP, and TLS, and a .NET program called “PrCtrl Rat” that implements remote control capabilities.
New BLUFFS attacks break the encryption of Bluetooth sessions
Researchers at Eurecom detailed six new attacks collectively named “BLUFFS” (Bluetooth Forward and Future Secrecy) that can break the secrecy of Bluetooth sessions, allowing for device impersonation and man-in-the-middle (MitM) attacks.
The BLUFFS attacks involve a range of techniques, including session key downgrade attacks (attackers force the negotiation of weak encryption keys, making it easier to decrypt communications); forward secrecy attacks (attackers compromise past communications by exploiting vulnerabilities in future sessions); Denial-of-Service (DoS) attacks (attackers disrupt communication between devices, preventing legitimate users from accessing services).
The issues are tracked as CVE-2023-24023 and affect Bluetooth Core Specification 4.2 through 5.4.
Mass-exploitation of high-risk ownCloud bug observed in the wild
Threat actors have begun targeting a high-risk information disclosure flaw in the open-source file-sharing and collaboration software ownCloud mere days after the bug was publicly disclosed.
Tracked as CVE-2023-49103, the vulnerability resides in the Graphapi app, which employs a third-party library (GetPhpInfo.php) that exposes the environment variables of the web server, including sensitive data such as the ownCloud admin password, mail server credentials, and license keys. The flaw impacts Graphapi versions 0.2.0 to 0.3.0.
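Both the Qlik Sense path traversal bug (CVE-2023-41266) and the ownCloud GetPhpInfo.php exposure (CVE-2023-49103) leave a footprint in ordinary web server access logs: a request path containing directory traversal sequences, or a request for the phpinfo test script. The following script is an added example, not code from this digest, Qlik, or ownCloud; it parses combined-format access-log lines, percent-decodes paths repeatedly to catch double encoding, and flags both patterns. The log lines and request paths are constructed for illustration (the real vulnerable endpoints are not named on this page, so the paths are placeholders), and only the GetPhpInfo.php filename is taken from the text.

```python
import re
from urllib.parse import unquote

# Combined access-log format (Apache/nginx style): client IP, timestamp,
# request line and status code are the fields the triage needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# A ".." path segment delimited by either slash style counts as traversal.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')

# Constructed sample log lines (not real traffic; paths are placeholders).
SAMPLE_LOG = """\
203.0.113.10 - - [28/Nov/2023:10:01:02 +0000] "GET /resources/fonts/..%5C..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.11 - - [28/Nov/2023:10:02:15 +0000] "GET /apps/graphapi/GetPhpInfo.php HTTP/1.1" 200 48211 "-" "python-requests/2.31"
198.51.100.7 - - [28/Nov/2023:10:03:01 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [28/Nov/2023:10:04:44 +0000] "GET /resources/../../etc/passwd HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""


def decode_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable (defeats %252e double encoding), then
    normalise backslashes so Windows-style traversal is caught too."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def classify(path: str):
    """Return the matching rule name for a decoded path, or None."""
    basename = path.split('?', 1)[0].rsplit('/', 1)[-1].lower()
    if basename == 'getphpinfo.php':
        return 'phpinfo-exposure'
    if TRAVERSAL_RE.search(path):
        return 'path-traversal'
    return None


def scan_access_log(text: str) -> list:
    """Parse each log line and collect findings; a 2xx status marks the
    request as one the server actually served, which deserves priority."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-combined-format lines
        path = decode_path(m['path'])
        rule = classify(path)
        if rule is None:
            continue
        status = int(m['status'])
        findings.append({
            'line': lineno,
            'ip': m['ip'],
            'rule': rule,
            'path': path,
            'status': status,
            'succeeded': 200 <= status < 300,
        })
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        flag = 'SERVED' if f['succeeded'] else 'blocked'
        print(f"line {f['line']}: {f['rule']} from {f['ip']} [{flag}] {f['path']}")
```

A traversal attempt that the server answered with 403 is still worth recording, since it shows who is probing; a 200 against GetPhpInfo.php on an unpatched Graphapi version should be treated as a credential exposure and the exposed secrets rotated.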
US sanctions Sinbad crypto mixer allegedly used by North Korea’s Lazarus hackers
The US authorities have seized the virtual currency mixer Sinbad.io allegedly used by the North Korean government-backed hacker group Lazarus for laundering assets stolen in multiple crypto heists.
At the same time, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions against Sinbad, describing the cryptocurrency mixer as “a key money-laundering tool” of the Lazarus Group.
Sinbad was used to launder a significant portion of the $100 million worth of crypto Lazarus stole in June 2023 from customers of Atomic Wallet, OFAC said. Lazarus also used the mixer “to launder a significant portion” of crypto stolen in the $620 million Axie Infinity theft and the $100 million Horizon Bridge heist.
According to a recent report by Recorded Future’s Insikt Group, North Korean hackers have stolen a total of $3 billion in cryptocurrency since 2017. North Korean threat actors were accused of stealing an estimated $1.7 billion worth of cryptocurrency in 2022 alone, a sum equivalent to approximately 5% of North Korea’s economy or 45% of its military budget, the firm noted.
Additionally, the OFAC sanctioned the North Korean cyberespionage group Kimsuky for gathering intelligence to support North Korea’s strategic objectives, along with eight individuals associated with DPRK state-owned weapons exporters, financial institutions, and front companies. The US authorities also sanctioned two people involved in generating revenue for the North Korean government through the exportation of North Korean workers.
North Korean hackers exploited MagicLine4NX zero-day in supply chain attacks
The UK’s National Cyber Security Centre (NCSC) and South Korea's National Intelligence Service (NIS) released a joint cybersecurity advisory warning of a supply chain attack orchestrated by the North Korea-linked Lazarus threat group involving a zero-day vulnerability in Dream Security’s MagicLine4NX security authentication platform.
Tracked as CVE-2023-45797, the zero-day vulnerability is a buffer overflow issue that can be exploited by a remote attacker for code execution. The bug impacts MagicLine4NX versions 1.0.0.1 through 1.0.0.26.
The attacks started in March 2023, with the threat actors using the zero-day flaw to gain initial access to corporate networks. The hackers targeted organizations across the world, primarily South Korean entities.
North Korean hackers evolve their techniques by mixing malware from previous campaigns
North Korea-associated threat actors have been observed using a new tactic, which involves combining elements of software used in previous malware campaigns.
In the new campaign, the hackers behind macOS malware strains such as RustBucket and KandyKorn have been “mixing and matching” elements of these separate attacks to deliver the KandyKorn remote access trojan (RAT) payload using SwiftLoader, a dropper observed in the RustBucket campaign.
Chinese hackers caught stealing chip designs from Dutch semiconductor firm NXP
A China-linked hacker group, identified as 'Chimera,' maintained undetected access to the computer network of the Dutch chip giant NXP Semiconductors for over two years. The breach, which occurred from the end of 2017 to spring 2020, involved the theft of crucial data, including chip designs.
The cyberspies gained entry into NXP's network through compromised employee accounts. Once inside the company's network, the hackers navigated their way to secure servers, seeking out valuable chip designs and other proprietary information.
China-linked threat actor targets Uzbekistan and South Korea with new SugarGh0st RAT
Cisco’s Talos threat intelligence team uncovered a malicious campaign, likely originating in August 2023, leveraging a new remote access trojan (RAT) named “SugarGh0st.” The campaign appears to target the Uzbekistan Ministry of Foreign Affairs and users in South Korea.
The SugarGh0st RAT is a customized variant of the notorious Gh0st RAT, which has been active for over a decade. The infection process involves two chains that use Windows shortcut (LNK) files embedded with malicious JavaScript to deploy and launch the SugarGh0st payload. One of the infection chains uses the DynamicWrapperX tool to enable Windows API function calls from the malicious JavaScript in order to execute shellcode. Talos suggests, with low confidence, that the campaign is orchestrated by a Chinese-speaking threat actor, based on artifacts found in the attack samples.
CERT-UA warns of new RemcosRAT attacks against Ukraine
Ukraine's CERT team (CERT-UA) has published technical details and indicators of compromise (IoCs) related to a new series of RemcosRAT attacks against Ukrainian entities.
October 2023 breach impacted all customer support system users, Okta said
Identity services provider Okta revealed that the scope of a data breach it suffered in October 2023 is much wider than initially thought. In an update on the situation, the company said that all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers were impacted by the incident. Customers in Okta’s FedRAMP High and DoD IL4 environments (which use a separate support system) are not affected. The Auth0/CIC support case management system was not accessed by the attackers.
Ransomware gang behind attacks on hundreds of orgs in 71 countries dismantled in Ukraine
An international law enforcement operation involving Ukrainian cyberpolice, Europol, Eurojust and law enforcement agencies from six countries has taken down a prolific ransomware gang that targeted hundreds of organizations in 71 countries across the world. The group specifically targeted large corporations deploying LockerGoga, MegaCortex, HIVE, Dharma and other ransomware to encrypt victims’ servers.
The police conducted searches in the regions of Kyiv, Cherkasy, Rivne and Vinnytsia, and arrested five key members of the ransomware gang, including its 32-year-old leader. The suspects allegedly developed and updated the malware, carried out cyberattacks and helped launder ransomware payments.
SSNDOB Marketplace admin sentenced to 8 years in prison
Vitalii Chychasov, the administrator of the dark web market SSNDOB that specialized in trading stolen data, was sentenced to eight years in prison.
SSNDOB, which operated through a series of domains, offered for sale stolen personal data, including the names, dates of birth, email addresses, passwords, credit card numbers, and Social Security numbers of millions of individuals. According to the US DoJ, the marketplace has listed the personal information for approximately 24 million US citizens and has made more than $19 million in revenue. The platform was dismantled in June 2022 by the US authorities.
Chychasov was arrested in Hungary in March 2022 and was extradited to the US in July of the same year. In July 2023, he pleaded guilty to conspiracy to commit access device fraud and trafficking in unauthorized access devices through the online scheme.
As part of his sentence, Chychasov will forfeit $5 million and the BLACKJOB.BIZ, SSNDOB.CLUB, SSNDOB.VIP, and SSNDOB.WS domains.
Russia-linked Black Basta ransomware operation generates over $100M from victims
The Black Basta ransomware operation, believed to be an offshoot of the notorious Russia-linked Conti ransomware gang, has amassed a staggering $107 million in Bitcoin ransom payments since its inception in early 2022, according to a joint research effort by Elliptic and Corvus Insurance.
The analysis reveals that Black Basta received payments from over 90 victims, with the largest ransom reaching $9 million and at least 18 ransoms exceeding $1 million. The average ransom payment for the identified cases stands at $1.2 million.
CISA warns of exploitation of Unitronics PLCs used in water and wastewater systems
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of massive exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector, citing an attack where threat actors compromised a Unitronics PLC at a US water facility. While the agency didn’t name the victim, it likely refers to a recent incident where an Iranian-backed hacktivist group known as Cyber Av3ngers took control over water pumps in the town of Aliquippa, Pennsylvania, after exploiting a Unitronics PLC.
In related news, the North Texas Municipal Water District (NTMWD), a water utility serving two million people in North Texas, has suffered a cyber incident that affected its business computer network. However, core water, wastewater, and solid waste services have not been impacted by the attack.
On Monday, the cybercrime group known as Daixin Team added NTMWD to the list of victims on its dark web leak site. The gang claims to have stolen sensitive data from the company, including board meeting minutes, internal projects documentation, personnel details, audit reports, and threatens to leak it.
Hospitals in multiple US states had to divert patients after a cyberattack on hospital owner
Hospitals in at least four US states had to divert patients from their emergency rooms after a healthcare company was hit by a ransomware attack. Ardent Health, a hospital operator overseeing 30 medical facilities across the United States, has confirmed the ransomware incident. The attack disrupted a substantial portion of its computerized services, affecting hospitals across its chains.
Emergency rooms in these facilities have been compelled to transfer patients to other hospitals to ensure continued healthcare provision.
Slovenia’s largest power generation company hit with ransomware
Slovenia's major power generation company, Holding Slovenske Elektrarne (HSE), has fallen victim to a ransomware attack, causing concern about the security of critical infrastructure in the country. The attack encrypted files and compromised the company's systems but didn’t impact power generation operations.
HSE said it has yet to receive a ransom demand. While the organization did not reveal what ransomware operation was responsible for the cyberattack, some media reports suggest the Rhysida ransomware gang may be behind the incident.
Ukrainian hacktivists expose the inner workings of Russian military propaganda
Ukrainian hacktivists have breached the Department of Information and Mass Communications (DIMC) of the Russian Ministry of Defense, headed by Igor Konashenkov, and gained access to the Russian media monitoring and analytics system Katyusha.
The analysis showed that Katyusha, developed by the Moscow-based information technology firm M13, “is a kind of window dressing tool”. While it serves its purpose of gathering information, it incorrectly reflects the tone of the messages: negative reports about the Russian Armed Forces and the military and political leadership of the Russian Federation are either disregarded or marked as neutral.