Cyber Security Briefing, 3-9 August
0-day vulnerability actively exploited in the Android kernel
Google has released security patches for Android to fix a total of 46 vulnerabilities, including an actively exploited 0-day vulnerability. Specifically, this security flaw has been registered as CVE-2024-36971, with a CVSSv3 score of 7.8, and is a use-after-free (UAF) vulnerability in the Linux kernel's network path management; it is worth noting that exploiting it requires system execution privileges.
According to Google researchers, this vulnerability is being exploited in a limited and targeted way to perform arbitrary code execution without user interaction on vulnerable devices. Finally, it should be noted that Google has not yet provided details on how the flaw is being exploited, nor which threat actor is behind the attacks.
Windows Smart App Control and SmartScreen flaw exploited since 2018
Researchers at Elastic Security Labs have discovered a design flaw in the Windows Smart App Control and SmartScreen applications that has been exploited since at least 2018. This vulnerability allows attackers to launch programs by handling LNK files (a technique called LNK stomping) without being detected by security controls designed to block suspicious applications.
To do this, a malicious actor can craft LNK files with non-standard target paths or internal structures. When the user opens the link or file in question, Windows Explorer looks up the matching .exe name and corrects the full path to the canonical format. In doing so it rewrites the file on disk, which also strips the MotW (Mark of the Web) tag that security checks rely on, and then starts the executable.
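As an added example, not code from the briefing or from the Elastic research, the following Python triage check reads the LocalBasePath stored in a shell link and reports the ways it differs from the canonical form Explorer would rewrite it to. The structure offsets follow the public MS-SHLLINK specification, the non-canonical forms checked (trailing dot or space, forward slashes, a "." segment) are ordinary Windows path normalisations rather than anything taken from the research, and build_lnk constructs a minimal sample link purely as input for the check.

```python
import struct
from typing import List, Optional

HAS_LINK_TARGET_ID_LIST = 0x01          # ShellLinkHeader.LinkFlags bit A (MS-SHLLINK)
HAS_LINK_INFO = 0x02                    # ShellLinkHeader.LinkFlags bit B
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01    # LinkInfo.LinkInfoFlags bit A
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

def lnk_local_base_path(data: bytes) -> Optional[str]:
    """Return the LocalBasePath stored in a .lnk's LinkInfo block (None if absent)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                        # end of the fixed ShellLinkHeader
    if link_flags & HAS_LINK_TARGET_ID_LIST:        # skip LinkTargetIDList if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not link_flags & HAS_LINK_INFO:
        return None
    _size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    start = pos + base_off                          # offsets are relative to LinkInfo
    return data[start:data.index(b"\x00", start)].decode("cp1252")

def non_canonical_reasons(path: str) -> List[str]:
    """Ways the stored path differs from the form Explorer would canonicalise it to."""
    reasons = []
    if path != path.rstrip(" ."):
        reasons.append("trailing dot or space")
    if "/" in path:
        reasons.append("forward slash separator")
    if "\\.\\" in path:
        reasons.append("'.' path segment")
    return reasons

def triage_lnk(data: bytes) -> List[str]:
    """Flag a shell link whose LocalBasePath is not already in canonical form."""
    path = lnk_local_base_path(data)
    return non_canonical_reasons(path) if path else []

def build_lnk(local_base_path: str) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo only) used as sample input."""
    vol = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"      # VolumeID with empty label
    base = local_base_path.encode("cp1252") + b"\x00"
    body = vol + base + b"\x00"                              # ... plus empty CommonPathSuffix
    info = struct.pack("<IIIIIII", 28 + len(body), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                       28, 28 + len(vol), 0, 28 + len(vol) + len(base)) + body
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_LINK_INFO) + b"\x00" * 52
    return header + info
```

A link whose stored path is already canonical yields an empty list; anything else is worth a closer look before the file is opened on a host where MotW-based controls are expected to apply.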
PromptWare: new attack technique against generative AI
Researchers Stav Cohen, Ron Bitton and Ben Nassi have published a paper detailing how applications powered by generative artificial intelligence (Gen-AI) are vulnerable to PromptWare. Specifically, in PromptWare attacks the Gen-AI model is manipulated via user input and jailbroken so that, instead of serving the application it is embedded in, it turns against it.
The researchers compare PromptWare to zero-click polymorphic malware: it requires no user interaction and directs its actions against the planning and execution architecture of the artificial intelligence model. The paper also details two possible ways of implementing PromptWare, differentiating between the case where the attacker knows the logic of the targeted application and the case where they do not, and demonstrates the malicious capabilities of this new technique in both.
Google impersonation campaign distributing Latrodectus and ACR Stealer malware
Cyble researchers have published research reporting on a campaign that spoofs the official Google Security Centre website in order to distribute malware such as Latrodectus and ACR Stealer. Specifically, the actor behind these events tries to trick its victims into downloading a file that pretends to be Google Authenticator.
However, once the file is executed, infection with two types of malware begins. On the one hand, ACR Stealer uses a technique known as Dead Drop Resolver (DDR) to avoid detection and is responsible for extracting information from the computer, as well as for handling communication with its command and control (C&C) server. In addition, Latrodectus is deployed, a downloader characterised by several evasion functions, as well as updated encryption and new action commands that highlight the continued development of this tool.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence content included in the service, please contact us.