Cyber Security Briefing, 26 - 31 October
CrossBarking: vulnerability in Opera exposes private APIs to attackers
Researchers at Guardio Labs discovered a security flaw that allows full access to Opera browser's private APIs, exposing serious risks. Opera grants access to certain private APIs to preferred domains, which allows its developers to improve features such as security and performance. However, researchers demonstrated how attackers can leverage these APIs to make unauthorized changes, hijack accounts and disable security extensions.
Named CrossBarking, this flaw can be exploited by injecting malicious code into websites that have access to these private APIs, either through cross-site scripting (XSS) vulnerabilities or through malicious Chrome extensions, which also run in Opera. In one test, the researchers modified the DNS settings of a victim's browser, allowing them to spy on and manipulate the victim's online activity.
Opera addressed the risk by blocking script execution on sites with access to private APIs, without removing those APIs or their compatibility with Chrome extensions.
New Google Chrome update
Google has published a security advisory announcing a new version of the Chrome web browser that fixes two high-criticality vulnerabilities. The security flaws are registered as CVE-2024-10487, considered critical and caused by an out-of-bounds write in Dawn, and CVE-2024-10488, rated as high risk and caused by a use-after-free in WebRTC.
As is customary with Google Chrome, no further details are given until most users have updated the affected asset. Google therefore recommends that users update Chrome to version 130.0.6723.91/.92 for Windows and Mac and 130.0.6723.91 for Linux.
Windows downgrade security flaw allows access to Windows Update
SafeBreach security researcher Alon Leviev has published an analysis of security flaws that could allow Windows to be downgraded by bypassing the system's kernel protections. Specifically, the researcher developed Windows Downdate, a tool that makes it possible to perform downgrades and re-expose a fully updated system to already-fixed bugs by reintroducing deprecated components.
As a result, he identified the vulnerabilities CVE-2024-21302 (CVSSv3 of 6.7) and CVE-2024-38202 (CVSSv3 of 7.3), presented at Black Hat and DEF CON. However, although these flaws have been fixed, Leviev notes that Microsoft has yet to address the Windows Update takeover issue, which is not considered a full-fledged vulnerability but allows custom rootkits to be deployed that can bypass security controls, hide processes and network activity, or maintain stealth, among other things.
According to Microsoft, the company is actively developing mitigations to protect against such attacks.
Law enforcement authorities dismantle Redline and Meta infrastructure in Operation Magnus
The Dutch National Police in collaboration with other authorities such as the FBI, NCIS, the US Department of Justice, Eurojust, the NCA and police forces in Portugal and Belgium, have dismantled the infrastructure of infostealers Redline and Meta.
According to law enforcement sources, authorities claim to have gained access to the source code, including licence servers, REST API services, dashboards, stealer binaries and Telegram bots of both malware families. It is worth noting that Meta and Redline share the same infrastructure, so it is believed that the creators and operators behind both projects are the same.
Finally, it is worth noting that this infrastructure outage announcement was reported on a website called Operation Magnus, which has a countdown timer that promises more news, mimicking the actions of criminal groups.
Black Basta targets organizations through Microsoft Teams
ReliaQuest has warned that the Black Basta ransomware has moved its social engineering attacks to Microsoft Teams. The malicious actors first flood an employee's inbox with emails, after which they contact employees through Microsoft Teams as external users, posing as the corporate IT helpdesk to assist with the ongoing spam problem. The accounts are created under Entra ID tenants that mimic the helpdesk.
The sending of QR codes in chats has also been observed, although their purpose is not clear. The ultimate goal of the attack is for the target to install AnyDesk or launch Quick Assist so that the threat actors gain remote access to the device, subsequently install payloads and ultimately Cobalt Strike, providing full access to the compromised device.
ReliaQuest suggests organizations restrict external user communication in Microsoft Teams, allowing it only from trusted domains, as well as enabling logging, especially for the ChatCreated event, to find suspicious chats.
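As an added example (not part of the original newsletter or of ReliaQuest's material), the following Python script shows the kind of check the recommendation above points at: it parses Teams audit records, keeps only ChatCreated events, and flags chats that include a participant whose domain is not on the organization's trusted-domain allowlist, noting when that participant's name or address resembles an IT helpdesk. The record layout (Operation, CreationTime, Members, UPN, DisplayName) is a simplified, constructed approximation of Microsoft 365 audit log entries, and the domains and records are constructed sample data; field names are assumptions for illustration, not the exact audit schema.

```python
"""Flag Teams ChatCreated events involving untrusted external participants.

Added example: the record layout is a simplified, constructed approximation of
Microsoft 365 unified audit log entries for the Teams 'ChatCreated' operation.
Field names (Operation, CreationTime, Members, UPN, DisplayName) are assumptions.
"""
import json

# Constructed sample audit records in JSON-lines form (not real log data).
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2024-10-28T09:14:02", "Operation": "ChatCreated", "Members": [{"UPN": "alice@example-corp.com", "DisplayName": "Alice"}, {"UPN": "bob@example-corp.com", "DisplayName": "Bob"}]}
{"CreationTime": "2024-10-28T09:20:45", "Operation": "ChatCreated", "Members": [{"UPN": "carol@example-corp.com", "DisplayName": "Carol"}, {"UPN": "support@helpdesk-examplecorp.onmicrosoft.com", "DisplayName": "Help Desk"}]}
{"CreationTime": "2024-10-28T09:31:10", "Operation": "MessageSent", "Members": [{"UPN": "carol@example-corp.com", "DisplayName": "Carol"}, {"UPN": "support@helpdesk-examplecorp.onmicrosoft.com", "DisplayName": "Help Desk"}]}
{"CreationTime": "2024-10-28T10:02:33", "Operation": "ChatCreated", "Members": [{"UPN": "dave@example-corp.com", "DisplayName": "Dave"}, {"UPN": "it@trusted-msp.example", "DisplayName": "IT Support"}]}
"""

# Constructed allowlist: the organization's own tenant plus a contracted provider.
TRUSTED_DOMAINS = {"example-corp.com", "trusted-msp.example"}

# Words a helpdesk-impersonation lure tends to carry in its display name or UPN.
HELPDESK_KEYWORDS = ("helpdesk", "help desk", "it support", "service desk")


def parse_audit_lines(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def upn_domain(upn):
    """Return the lower-cased domain part of a user principal name."""
    return upn.rpartition("@")[2].lower()


def external_members(record, trusted_domains):
    """Members whose UPN domain is not on the trusted-domain allowlist."""
    return [m for m in record.get("Members", [])
            if upn_domain(m.get("UPN", "")) not in trusted_domains]


def impersonates_helpdesk(member):
    """True if the member's name or UPN looks like an IT helpdesk identity."""
    text = (member.get("DisplayName", "") + " " + member.get("UPN", "")).lower()
    return any(keyword in text for keyword in HELPDESK_KEYWORDS)


def find_suspicious_chats(records, trusted_domains=TRUSTED_DOMAINS):
    """Return one finding per ChatCreated event that has untrusted participants."""
    findings = []
    for record in records:
        if record.get("Operation") != "ChatCreated":
            continue
        outsiders = external_members(record, trusted_domains)
        if not outsiders:
            continue
        findings.append({
            "time": record.get("CreationTime"),
            "external": [m["UPN"] for m in outsiders],
            "helpdesk_lure": any(impersonates_helpdesk(m) for m in outsiders),
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chats(parse_audit_lines(SAMPLE_AUDIT_LOG)):
        print(finding)
```

With the sample allowlist only the chat opened from the onmicrosoft.com "Help Desk" account is reported; narrowing the allowlist to the organization's own domain also surfaces the chat from the contracted provider, which is the trade-off between restricting external communication to trusted domains and reviewing every external chat.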
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.