Cyber Security Briefing, 30 September - 6 October

October 6, 2023

Apple patches two new 0-day vulnerabilities

Apple has released a new security update for iPhone and iPad that patches a 0-day vulnerability actively exploited in attacks. The flaw, tracked as CVE-2023-42824, allows a local attacker to escalate privileges through a bug in the XNU kernel.

This vulnerability appears to have been actively exploited against iOS versions prior to 16.6. In the same security update, Apple also patched a second 0-day, CVE-2023-5217 (CVSS 8.8), a heap buffer overflow in the VP8 encoder of the open-source libvpx video codec library. Google had recently patched this same library.

Both vulnerabilities have been fixed in iOS 17.0.3 and iPadOS 17.0.3. With this update, Apple has patched a total of 17 0-days actively exploited in attacks in 2023.

More info

Microsoft fixes products affected by two actively exploited 0-days

Microsoft has released security updates for its Edge, Teams and Skype products to patch two 0-day vulnerabilities affecting open-source libraries used by all three products.

Specifically, the flaws are CVE-2023-4863 (CVSSv3 8.8), a buffer overflow in the WebP image library (libwebp) whose exploitation could lead to arbitrary code execution, and CVE-2023-5217 (CVSSv3 8.8), likewise a buffer overflow in the VP8 encoder of the libvpx video codec library, whose exploitation could cause application crashes or allow arbitrary code execution.

Both vulnerabilities are classified as actively exploited, and for this reason the company recommends applying the corresponding updates to prevent possible compromise.

More info

Campaign against online payment companies and PoS providers uncovered

A campaign that has been targeting online payment companies in Asia Pacific, North America and Latin America for more than a year was recently detected. BlackBerry's research team has tracked this activity under the name Silent Skimmer and attributes it to a threat actor of Chinese origin.

According to the research, victims of this campaign include online businesses and point-of-sale (PoS) providers. The attackers exploit vulnerabilities in web applications, especially those hosted on Internet Information Services (IIS), to compromise the payment page and capture victims' financial information. They also use open-source tools and privilege escalation, post-exploitation and code execution techniques.

In addition, the virtual private servers (VPS) used for C2 are chosen according to the geographic location of the victims in order to evade detection. The attack chain culminates in the deployment of a PowerShell-based remote access trojan that gives the attackers remote control of the host and connects to a remote server hosting additional utilities.

More info

Lazarus targets Spanish aerospace company using new malware

ESET's research team has published the results of an investigation analyzing the so-called Operation DreamJob, orchestrated by the North Korean threat group Lazarus, which uses a new malware called LightlessCan.

On this occasion the attackers targeted a Spanish aerospace company through LinkedIn. The methodology consisted of tricking the company's employees into taking part in a fake job recruitment process that required the victim to download a malicious file.

The payload is the NickelLoader malware, which deploys two backdoors: a variant of BlindingCan and a new one called LightlessCan, which currently supports 43 commands, with a further 25 apparently not yet implemented.

It also includes strong protection measures intended to prevent security researchers from gaining external access to the victim's computer. Finally, it should be noted that these actions are far from financially motivated, as they are aimed at cyber espionage.

More info

Banking trojan campaign detected against users in Latin America

Kaspersky researchers have reported a new campaign of the Zanubis banking trojan, which affects Android devices and poses as a Peruvian government application to trick users. The trojan was reportedly first observed in August 2022; its main infection method is to disguise itself as a legitimate app, then obtain accessibility permissions and take control of the infected device.

Zanubis has focused mainly on Latin America and has targeted more than 40 banks and financial institutions. The malware uses accessibility permissions to overlay fake screens on specific applications and steal credentials, and it also harvests contacts, application data and metadata.

Once installed, it locks the device and logs keystrokes or records the screen. In this new campaign, Zanubis was observed impersonating the Peruvian tax and customs authority.

More info