
Security Vulnerability Weekly 22/08/22 – Apple Vulnerabilities, Android BugDrop Malware, WordPress, CISA, and the recent Mailchimp and Twilio hacks

Security Vulnerability news August

Security Vulnerability of the Week 22/08/22 

Previous Issues of vulnerability Weekly



This week we deep dive into the Apple zero-day vulnerabilities, the new vulnerabilities CISA wants patched by September, the new BugDrop Android malware, the recent Twilio hack, and the Mailchimp hack that exposed DigitalOcean customers.


Appsec

WordPress sites hacked to serve fake Cloudflare pages

WordPress sites are being hacked to display fake Cloudflare DDoS protection pages to distribute NetSupport RAT and the RaccoonStealer password-stealing Trojan.

DDoS (distributed denial of service) is a technique used to bring down a website by flooding it with a sheer amount of traffic; Cloudflare's DDoS protection page is a familiar sight to users, which is what makes the fake one convincing.

A report by Sucuri details how the actors hack poorly protected WordPress sites and add a heavily obfuscated JavaScript payload that displays a fake Cloudflare DDoS protection screen.

Fake DDoS protection screen (Sucuri)

Clicking on the link in the fake page results in a file download.

When a user opens the downloaded security_install.iso, they will see a file called security_install.exe, which is actually a Windows shortcut that runs a PowerShell command taken from the debug.txt file.

How to protect

Admins should check the theme files of their WordPress sites, as according to Sucuri this is the most common infection point in this campaign.

Malicious code found in jquery.min.js (Sucuri)

Additionally, it is advisable to employ file integrity monitoring systems to catch those JS injections as they happen and prevent your site from being a RAT distribution point.
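The two controls above (checking theme files, integrity monitoring) in working form, as an added example that is not part of the original post or of Sucuri's tooling: it baselines SHA-256 digests of a theme directory, reports files that changed, and flags changed files that carry common obfuscation markers. The markers and the sample theme are assumptions constructed for the demo; the tampered blob decodes to a harmless alert(1).

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic markers of obfuscated JavaScript (an assumption for this example, not Sucuri's
# signatures). A hit on a *changed* file deserves a manual look, not automatic blocking.
SUSPICIOUS_JS = re.compile(
    r"eval\(|atob\(|unescape\(|String\.fromCharCode|document\.write\("
    r"|(?:\\x[0-9a-fA-F]{2}){8,}"  # long runs of hex-escaped characters
)

def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the known-good baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def flag_suspicious(root: Path, changed: list) -> list:
    """Among changed files, keep those whose content matches the obfuscation markers."""
    return [rel for rel in changed
            if SUSPICIOUS_JS.search((root / rel).read_text(errors="ignore"))]

def demo() -> dict:
    """Constructed scenario: baseline a clean theme, then tamper with jquery.min.js."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "example-theme"
        (theme / "js").mkdir(parents=True)
        (theme / "functions.php").write_text("<?php // theme functions\n")
        (theme / "js" / "jquery.min.js").write_text("/*! jQuery */ (function(){})();\n")
        baseline = build_manifest(theme)  # taken while the site is known to be clean
        # Constructed tampering in the style of the campaign: a hex-escaped blob appended
        # to a legitimate library file (it decodes to a harmless alert(1)).
        payload = ';eval(unescape("\\x61\\x6c\\x65\\x72\\x74\\x28\\x31\\x29"));\n'
        with (theme / "js" / "jquery.min.js").open("a") as fh:
            fh.write(payload)
        report = diff_manifests(baseline, build_manifest(theme))
        report["flagged"] = flag_suspicious(theme, report["added"] + report["modified"])
        return report
```

In production the baseline manifest is stored off-host (or signed) and compared on a schedule, since an attacker with write access to the theme could otherwise rewrite it too.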

CISA adds 7 vulnerabilities to its list of flaws actively exploited by hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities to its list of bugs actively exploited by hackers, with the new flaws disclosed by Apple, Microsoft, SAP, and Google.

The seven vulnerabilities were added on 18 August, and CISA requires all of them to be patched by September 8th, 2022.

CVE Number – Vulnerability Title

  • CVE-2017-15944 – Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
  • CVE-2022-21971 – Microsoft Windows Runtime Remote Code Execution Vulnerability
  • CVE-2022-26923 – Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
  • CVE-2022-2856 – Google Chrome Intents Insufficient Input Validation Vulnerability
  • CVE-2022-32893 – Apple iOS and macOS Out-of-Bounds Write Vulnerability
  • CVE-2022-32894 – Apple iOS and macOS Out-of-Bounds Write Vulnerability
  • CVE-2022-22536 – SAP Multiple Products HTTP Request Smuggling Vulnerability

Apple released macOS and iOS/iPadOS security updates on Wednesday for the CVE-2022-32893 and CVE-2022-32894 vulnerabilities, explaining that they could be exploited to perform code execution on vulnerable devices (see below for details).
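Turning a KEV batch like this one into a patch queue, as an added example that is not part of the original post or of any CISA tooling: the feed excerpt is constructed from four of the seven entries above and uses the field names of the published KEV JSON feed, and the scanner inventory with its example.corp hosts is an assumption; the CVE-XXXX-PLACEHOLDER entry stands in for any finding that is not in the catalog.

```python
import json
from datetime import date

# Constructed excerpt of CISA's KEV JSON feed (field names follow the published feed);
# the entries are four of the seven added on 18 August 2022, from the table above.
KEV_FEED = json.loads("""{"title": "CISA Catalog of Known Exploited Vulnerabilities", "vulnerabilities": [
 {"cveID": "CVE-2017-15944", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
  "vulnerabilityName": "Palo Alto Networks PAN-OS Remote Code Execution Vulnerability",
  "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
 {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft", "product": "Active Directory Domain Services",
  "vulnerabilityName": "Microsoft Active Directory Domain Services Privilege Escalation Vulnerability",
  "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
 {"cveID": "CVE-2022-32893", "vendorProject": "Apple", "product": "iOS and macOS",
  "vulnerabilityName": "Apple iOS and macOS Out-of-Bounds Write Vulnerability",
  "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
 {"cveID": "CVE-2022-22536", "vendorProject": "SAP", "product": "Multiple Products",
  "vulnerabilityName": "SAP Multiple Products HTTP Request Smuggling Vulnerability",
  "dateAdded": "2022-08-18", "dueDate": "2022-09-08"}
]}""")

# Constructed scanner output: CVE -> hosts where it was found. The last key is a placeholder
# for a finding that is not in the KEV catalog and therefore gets no KEV deadline.
INVENTORY = {
    "CVE-2022-26923": ["dc01.corp.example", "dc02.corp.example"],
    "CVE-2022-22536": ["sap-web01.corp.example"],
    "CVE-XXXX-PLACEHOLDER": ["build01.corp.example"],
}

def added_on(feed: dict, day: str) -> list:
    """CVE IDs that CISA added to the catalog on the given ISO date (e.g. this week's batch)."""
    return sorted(e["cveID"] for e in feed["vulnerabilities"] if e["dateAdded"] == day)

def triage(feed: dict, inventory: dict, today: str) -> list:
    """Match KEV entries against our findings and order them by CISA's remediation deadline."""
    now = date.fromisoformat(today)
    hits = []
    for entry in feed["vulnerabilities"]:
        hosts = inventory.get(entry["cveID"])
        if not hosts:
            continue  # exploited in the wild, but not present in our estate
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": entry["cveID"],
            "title": entry["vulnerabilityName"],
            "due": entry["dueDate"],
            "days_left": (due - now).days,  # negative means the deadline has passed
            "hosts": hosts,
        })
    return sorted(hits, key=lambda h: (h["due"], h["cve"]))
```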


INFRA/Network

Apple zero-day vulnerabilities take the internet by storm

Apple is again in the eye of the storm, with two zero-days now patched. Apple has released security updates for iOS, iPadOS, and macOS to remediate two zero-day vulnerabilities.

Together, the two zero-days enable remote exploitation, access to the camera and microphone, and code execution with the highest privileges.

Apple said in the release that the vulnerabilities may have been actively exploited. We covered the previous set of Apple vulnerabilities in Security Vulnerability of the Week 08/08/22.

The list of issues is below –

  • CVE-2022-32893 – An out-of-bounds issue in WebKit that could lead to the execution of arbitrary code when processing specially crafted web content
  • CVE-2022-32894 – An out-of-bounds issue in the operating system's kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges

These join the previously patched issues:

  • CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2022-22674 (Intel Graphics Driver) – An application may be able to read kernel memory
  • CVE-2022-22675 (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges

Both vulnerabilities have been fixed in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1.

Apple on Thursday released a security update for Safari web browser (version 15.6.1) for macOS Big Sur and Catalina to patch the WebKit vulnerability fixed in macOS Monterey.

BugDrop bypasses Android's new security settings

Attackers keep researching Google Play Store and Android security weaknesses, and this time they have successfully exploited them.

“This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals to perform On-Device Fraud on victim’s devices,” ThreatFabric’s Han Sahin said in a statement shared with The Hacker News.

Dubbed BugDrop by the Dutch security firm, the app is built to bypass a new security feature in recent versions of Android.

ThreatFabric attributed the dropper to a cybercriminal group known as “Hadoken Security,” which is also behind the creation and distribution of the Xenomorph and Gymdrop Android malware families.

Banking trojans are typically deployed on Android devices through innocuous dropper apps that pose as productivity and utility apps, which, once installed, trick users into granting invasive permissions.


Users are advised to avoid falling victim to malware hidden in official app stores by only downloading applications from known developers and publishers, scrutinizing app reviews, and checking their privacy policies.

Cloud

Russian APT29 hackers leverage Azure services to hack Microsoft 365 users

The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022. The group’s expertise is to attack.

Mandiant, who has been tracking the activities of Cozy Bear (aka APT29 and Nobelium), reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.

In a report published today, Mandiant highlights some of APT29’s advanced tactics and some of their newest TTPs (tactics, techniques, and procedures).

“This is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure,” warns Mandiant in an APT 29 whitepaper.

Mandiant’s second interesting finding is APT29 taking advantage of the self-enrollment process for multi-factor authentication (MFA) in Azure Active Directory (AD).

When users attempt to log in to a domain with self-enrollment policies for the first time, Windows will prompt them to enable MFA on the account.

Prompting a Windows domain user to enroll in MFA (Source: Microsoft)

Hacks

Twilio's recent breach exposes 125 customers

Twilio has recently been hacked, leveraging a side channel attack. In a recent statement, Twilio, the owner of the highly popular two-factor authentication (2FA) provider Authy, says that it has so far identified 125 customers whose data the attackers accessed during a security breach discovered last week.

The attackers gained access to Twilio’s network using credentials belonging to multiple employees, stolen in an SMS phishing attack.

After discovering the intrusion, Twilio revoked the compromised employee credentials to block the attackers’ access to its systems and started notifying affected customers.

The company also asked several U.S. mobile carriers to shut down the accounts used to deliver phishing messages. Still, the threat actors switched to new accounts and resumed their attacks.

SMS phishing message sent to Twilio employees (Twilio)

MailChimp breach exposed DigitalOcean

DigitalOcean is warning customers that a recent MailChimp security breach exposed the email addresses of some customers, with a small number receiving unauthorized password resets.

DigitalOcean has since switched to another email service provider. The company notified affected customers about the data breach yesterday.

DigitalOcean data breach notification (DigitalOcean)




Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
