
Security Vulnerability Weekly 22/08/22 – Apple Zero-Days, Android BugDrop, WordPress Fake Cloudflare Pages, CISA KEV Additions, and the Recent Twilio and Mailchimp Breaches


Security Vulnerability of the Week 22/08/22 


This week we deep dive into the two Apple zero-days, the seven vulnerabilities CISA added to its Known Exploited Vulnerabilities catalog with a September patch deadline, the BugDrop Android dropper, the recent Twilio breach, and the Mailchimp breach that exposed DigitalOcean customers.


Appsec

WordPress sites hacked to serve fake Cloudflare DDoS pages

WordPress sites are being hacked to display fake Cloudflare DDoS protection pages that push the NetSupport RAT and the Raccoon Stealer password-stealing trojan.

A DDoS (distributed denial of service) attack takes a website offline by flooding it with traffic from many sources. Cloudflare's genuine protection shows visitors a short browser-check page before letting them through, and that familiar page is what the attackers imitate.

A report by Sucuri details how the actors compromise poorly protected WordPress sites and add a heavily obfuscated JavaScript payload that renders the fake Cloudflare DDoS protection screen.


Fake DDoS protection screen (Sucuri)

The fake page tells the visitor that a download is required to pass the check; clicking the button fetches the malicious files.

When the user opens security_install.iso, they find a file named security_install.exe. Despite the name it is a Windows shortcut, which launches a PowerShell command read from the debug.txt file shipped alongside it; that command installs the malware.

How to protect

Admins should check the theme files of their WordPress sites, which according to Sucuri are the most common infection point in this campaign.

Malicious code found in jquery.min.js (Sucuri)

File integrity monitoring on the web root also helps: it catches JavaScript injections as they happen, before the site becomes a RAT distribution point.
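As an added example (not code from Sucuri or from the original post), the script below does the two checks just described: it hashes every file in a theme directory to build a baseline, reports files that were added, removed or modified since, and runs a small set of heuristics for obfuscated JavaScript over the changed script files. The theme files it creates are constructed in a temporary directory, and the injected loader is a stand-in for the real campaign's payload; the regex list is an assumption about what typical injections look like, so hits mean "review this file", not proof of compromise.

```python
"""File-integrity check for a WordPress theme directory (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics for obfuscated JavaScript injections (assumption: legitimate
# minified code can also trip these, so treat a hit as a review item).
SUSPICIOUS_JS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"String\.fromCharCode\s*\("),
    re.compile(r"\batob\s*\("),
    re.compile(r"document\.write\s*\("),
    re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),  # long base64 blob
]
SCAN_SUFFIXES = {".js", ".php", ".html"}


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, root):
    """Diff the directory's current state against a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current
                           if k in baseline and current[k] != baseline[k]),
    }


def suspicious_patterns(text):
    """Names of the heuristics that fire on this file content."""
    return [p.pattern for p in SUSPICIOUS_JS if p.search(text)]


def scan_changes(baseline, root):
    """Diff, then inspect every new or changed script-like file."""
    changes = compare(baseline, root)
    findings = {}
    for rel in changes["added"] + changes["modified"]:
        path = root / rel
        if path.suffix in SCAN_SUFFIXES:
            hits = suspicious_patterns(path.read_text(errors="replace"))
            if hits:
                findings[rel] = hits
    return changes, findings


def demo():
    """Constructed theme directory: baseline, then a simulated injection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        clean_jquery = "!function(e){e.fn.ready=function(){}}(jQuery);\n"
        (root / "js" / "jquery.min.js").write_text(clean_jquery)
        (root / "functions.php").write_text("<?php add_action('init', 'theme_setup');\n")
        baseline = build_baseline(root)

        # Simulated compromise: obfuscated loader appended to jquery.min.js
        # and a new template file that decodes and writes a script tag.
        (root / "js" / "jquery.min.js").write_text(
            clean_jquery + "eval(String.fromCharCode(118,97,114,32,97,61,49));\n")
        (root / "header.php").write_text(
            "<script>document.write(atob('PHNjcmlwdD4='))</script>\n")
        return scan_changes(baseline, root)


if __name__ == "__main__":
    changes, findings = demo()
    print("changes:", changes)
    for rel, hits in findings.items():
        print(f"REVIEW {rel}: {hits}")
```

In production the baseline would be written to disk (or a separate host) right after a known-good deploy and the comparison run from cron; any modified theme or plugin file outside a deployment window is the signal, with the regex hits only prioritising which file to open first.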

CISA adds 7 vulnerabilities to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, the list of bugs actively exploited by attackers. The new entries cover flaws in products from Apple, Microsoft, SAP, Google, and Palo Alto Networks.

The seven were added on 18 August, and CISA requires federal agencies to patch all of them by 8 September 2022.

CVE Number        Vulnerability Title
CVE-2017-15944    Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
CVE-2022-21971    Microsoft Windows Runtime Remote Code Execution Vulnerability
CVE-2022-26923    Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
CVE-2022-2856     Google Chrome Intents Insufficient Input Validation Vulnerability
CVE-2022-32893    Apple iOS and macOS Out-of-Bounds Write Vulnerability
CVE-2022-32894    Apple iOS and macOS Out-of-Bounds Write Vulnerability
CVE-2022-22536    SAP Multiple Products HTTP Request Smuggling Vulnerability

Apple released macOS and iOS/iPadOS security updates on Wednesday for CVE-2022-32893 and CVE-2022-32894, warning that both can lead to arbitrary code execution on vulnerable devices (see the INFRA/Network section below for details).
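The KEV catalog is only useful once it is matched against what you actually run. The script below is an added example (not from CISA or the original post) of that cross-check: it parses an excerpt in the shape of CISA's JSON feed, joins it to a scanner export of CVE-to-host findings, and orders the hits by days left until the due date. The feed excerpt contains only this week's seven entries and is constructed here rather than downloaded; the feed URL in the comment and the hostnames are assumptions, and the field names follow the catalog's published schema.

```python
"""Cross-check a vulnerability inventory against CISA's KEV catalog (added example)."""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json),
# limited to the entries added on 18 August 2022 and the fields used below.
KEV_FEED_JSON = json.dumps({
    "catalogVersion": "2022.08.18",
    "vulnerabilities": [
        {"cveID": "CVE-2017-15944", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "vulnerabilityName": "Palo Alto Networks PAN-OS Remote Code Execution Vulnerability",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-21971", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Runtime Remote Code Execution Vulnerability",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft", "product": "Active Directory",
         "vulnerabilityName": "Microsoft Active Directory Domain Services Privilege Escalation Vulnerability",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-2856", "vendorProject": "Google", "product": "Chromium Intents",
         "vulnerabilityName": "Google Chrome Intents Insufficient Input Validation Vulnerability",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-32893", "vendorProject": "Apple", "product": "iOS and macOS",
         "vulnerabilityName": "Apple iOS and macOS Out-of-Bounds Write Vulnerability",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-32894", "vendorProject": "Apple", "product": "iOS and macOS",
         "vulnerabilityName": "Apple iOS and macOS Out-of-Bounds Write Vulnerability",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-22536", "vendorProject": "SAP", "product": "Multiple Products",
         "vulnerabilityName": "SAP Multiple Products HTTP Request Smuggling Vulnerability",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
    ],
})


def load_kev(feed_json):
    """Index the catalog by CVE id, parsing the dates once."""
    kev = {}
    for v in json.loads(feed_json)["vulnerabilities"]:
        kev[v["cveID"]] = {
            "name": v["vulnerabilityName"],
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
        }
    return kev


def kev_exposure(kev, inventory, today):
    """inventory maps CVE id -> hosts where a scanner found it.
    Returns the KEV-listed CVEs present in the inventory, most urgent first."""
    rows = []
    for cve, hosts in inventory.items():
        entry = kev.get(cve)
        if entry is None:
            continue  # vulnerable, but not (yet) in the exploited-in-the-wild catalog
        days_left = (entry["due"] - today).days
        rows.append({"cve": cve, "name": entry["name"], "hosts": sorted(hosts),
                     "due": entry["due"].isoformat(), "days_left": days_left,
                     "overdue": days_left < 0})
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows


# Constructed scanner export (hostnames are placeholders).
INVENTORY = {
    "CVE-2022-26923": ["dc02.corp.example", "dc01.corp.example"],
    "CVE-2022-32893": ["mbp-ciso.corp.example"],
    "CVE-2021-44228": ["app01.corp.example"],  # not among this week's additions, so skipped here
}

if __name__ == "__main__":
    for row in kev_exposure(load_kev(KEV_FEED_JSON), INVENTORY, date(2022, 8, 22)):
        status = "OVERDUE" if row["overdue"] else f"{row['days_left']} days left"
        print(f"{row['cve']}  due {row['due']}  {status}  {row['hosts']}")
```

Run against the live feed, the same function turns the catalog into a prioritised patch list: anything with a negative days_left is already past CISA's deadline, which is a reasonable proxy for "exploited in the wild and overdue" even for organisations the directive does not bind.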


INFRA/Network

Apple zero-day vulnerabilities take the internet by storm

Apple is again in the eye of the storm, with two zero-days now patched: security updates for iOS, iPadOS, and macOS remediate both.

Chained together, the two bugs let a malicious web page execute code in the browser and then escalate to kernel privileges, giving an attacker full control of the device, including its camera and microphone.

Apple says it is aware of a report that the issues may have been actively exploited. We covered the previous set of Apple vulnerabilities in the last issue, Security Vulnerability of the Week 08/08/22.

The two issues are:

  • CVE-2022-32893 – An out-of-bounds write in WebKit; processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2022-32894 – An out-of-bounds write in the kernel; a malicious application may be able to execute arbitrary code with kernel privileges

They join the zero-days Apple patched earlier this year:

  • CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2022-22674 (Intel Graphics Driver) – An application may be able to read kernel memory
  • CVE-2022-22675 (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges

Both vulnerabilities are fixed in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1.

Apple on Thursday also released Safari 15.6.1 for macOS Big Sur and Catalina to patch the same WebKit vulnerability fixed in macOS Monterey.

BugDrop bypasses Android's new security settings

Malware authors keep pace with Android's defences: ThreatFabric has found a dropper that defeats the platform's newest restriction on sideloaded apps.

“This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals to perform On-Device Fraud on victim’s devices,” ThreatFabric’s Han Sahin said in a statement shared with The Hacker News.

Dubbed BugDrop by the Dutch security firm, the dropper is built to bypass the Restricted Settings feature introduced in Android 13, which stops sideloaded apps from being granted Accessibility Service access, the permission banking trojans rely on for on-device fraud. According to ThreatFabric it does so by installing its payload through the session-based package installer API, the same path app stores use, so the payload is not treated as sideloaded.

ThreatFabric attributed the dropper to a cybercriminal group known as “Hadoken Security,” which is also behind the creation and distribution of the Xenomorph and Gymdrop Android malware families.

Banking trojans are typically deployed on Android devices through innocuous dropper apps that pose as productivity and utility apps, which, once installed, trick users into granting invasive permissions.


Users are advised to avoid malware hidden in official app stores by installing only applications from known developers and publishers, scrutinising app reviews, and checking the requested permissions and privacy policy before installing.

Cloud

Russian APT29 hackers leverage Azure services to hack Microsoft 365 users

The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, and its tradecraft keeps evolving.

Mandiant, who has been tracking the activities of Cozy Bear (aka APT29 and Nobelium), reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.

In a report published this week, Mandiant highlights some of APT29's advanced tactics and some of their newest TTPs (tactics, techniques, and procedures).

One of them is disabling Purview Audit (formerly Advanced Audit) on targeted mailboxes: with it switched off, Microsoft 365 stops recording the MailItemsAccessed event that shows which mail items were read.

"This is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure," warns Mandiant in an APT29 whitepaper.

Mandiant's second interesting finding is APT29 taking advantage of the self-enrollment process for multi-factor authentication (MFA) in Azure Active Directory (AD).

When a user signs in for the first time to a tenant with a self-enrollment policy, Azure AD prompts them to register an MFA method. Mandiant observed APT29 guessing the passwords of dormant accounts that had never completed that step and enrolling their own device, after which the accounts satisfied MFA for the attacker.


Prompting a Windows domain user to enrol in MFA

Source: Microsoft
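Two checks follow from that finding: which accounts are still unenrolled (and therefore claimable by whoever guesses the password), and which recent enrollments happened from an untrusted address at the very first successful sign-in the account ever had. The script below is an added example, not Mandiant's or Microsoft's code. Its three record sets are constructed inline in the shape of the Microsoft Graph userRegistrationDetails report, the directoryAudits log (where an MFA method registration appears as the "User registered security info" activity) and the signIns log; the field subsets shown, the trusted network ranges, the one-hour window and the user names are all assumptions.

```python
"""Hunt for attacker-completed MFA self-enrollment in Azure AD (added example)."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumption: your corporate egress ranges (placeholders here).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]

# Constructed rows shaped like GET /reports/authenticationMethods/userRegistrationDetails.
REGISTRATION_DETAILS = [
    {"userPrincipalName": "j.doe@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "svc-legacy@example.com", "isMfaRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "a.intern@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"]},
]

# Constructed rows shaped like GET /auditLogs/directoryAudits.
AUDIT_EVENTS = [
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2022-08-10T09:12:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.com",
                              "ipAddress": "10.0.0.5"}}},
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2022-08-17T03:41:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "a.intern@example.com",
                              "ipAddress": "198.51.100.23"}}},
]

# Constructed rows shaped like GET /auditLogs/signIns. errorCode 0 is success;
# 50126 is "invalid username or password", what password guessing leaves behind.
SIGN_INS = [
    {"userPrincipalName": "j.doe@example.com", "createdDateTime": "2022-03-01T08:00:00Z",
     "ipAddress": "10.0.0.5", "status": {"errorCode": 0}},
    {"userPrincipalName": "j.doe@example.com", "createdDateTime": "2022-08-10T09:10:00Z",
     "ipAddress": "10.0.0.5", "status": {"errorCode": 0}},
    {"userPrincipalName": "a.intern@example.com", "createdDateTime": "2022-08-16T22:00:00Z",
     "ipAddress": "198.51.100.23", "status": {"errorCode": 50126}},
    {"userPrincipalName": "a.intern@example.com", "createdDateTime": "2022-08-17T03:39:00Z",
     "ipAddress": "198.51.100.23", "status": {"errorCode": 0}},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def unregistered_accounts(details):
    """Accounts with no MFA method: whoever guesses the password gets to enroll."""
    return sorted(d["userPrincipalName"] for d in details if not d["isMfaRegistered"])


def first_successful_signin(sign_ins):
    """Earliest successful sign-in per user, from the sign-in log."""
    first = {}
    for s in sign_ins:
        if s["status"]["errorCode"] != 0:
            continue
        upn, when = s["userPrincipalName"], parse_ts(s["createdDateTime"])
        if upn not in first or when < first[upn]:
            first[upn] = when
    return first


def suspicious_enrollments(events, sign_ins, window=timedelta(hours=1)):
    """MFA registrations from an untrusted IP, or at the account's first ever sign-in."""
    first = first_successful_signin(sign_ins)
    flagged = []
    for e in events:
        if e["activityDisplayName"] != "User registered security info":
            continue
        actor = e["initiatedBy"]["user"]
        upn, ip = actor["userPrincipalName"], actor["ipAddress"]
        when = parse_ts(e["activityDateTime"])
        reasons = []
        if not is_trusted(ip):
            reasons.append(f"registered from untrusted IP {ip}")
        if upn not in first or when - first[upn] <= window:
            reasons.append("enrollment at the account's first successful sign-in")
        if reasons:
            flagged.append({"user": upn, "time": e["activityDateTime"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    print("still unenrolled:", unregistered_accounts(REGISTRATION_DETAILS))
    for hit in suspicious_enrollments(AUDIT_EVENTS, SIGN_INS):
        print(f"ALERT {hit['user']} at {hit['time']}: {'; '.join(hit['reasons'])}")
```

The fix for the first list is not to leave it for the attacker: disable dormant accounts or pre-register a method for them, and require a Conditional Access policy (trusted location or Temporary Access Pass) for the security-info registration action so that the second list cannot happen from the open internet.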

Hacks

Twilio breach exposes data of 125 customers

Twilio was recently breached through an SMS phishing (smishing) campaign against its employees. In a recent statement, Twilio, which owns the popular two-factor authentication (2FA) app Authy, says it has so far identified 125 customers whose data was accessed during the security breach discovered last week.

The attackers got into Twilio's network using credentials belonging to multiple employees, stolen in that SMS phishing attack.

After discovering the intrusion, Twilio revoked the compromised employee credentials to block the attackers’ access to its systems and started notifying affected customers.

The company also asked several U.S. mobile carriers to shut down the accounts used to deliver phishing messages. Still, the threat actors switched to new accounts and resumed their attacks.


SMS phishing message sent to Twilio employees (Twilio)

Mailchimp breach exposed DigitalOcean customers

DigitalOcean is warning customers that a recent MailChimp security breach exposed the email addresses of some customers, with a small number receiving unauthorized password resets.

DigitalOcean has since switched to another email service provider. The company notified affected customers about the data breach yesterday.


DigitalOcean data breach notification


Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
