
Security Vulnerability Weekly 22/08/22 – Apple Vulnerability, Android Bugdrop Vulnerability, WordPress, CISA, and recent Hacks to Mailchimp and Twilio


Security Vulnerability of the Week 22/08/22 




This week we take a deep dive into the Apple zero-day vulnerabilities, the new vulnerabilities CISA requires to be patched by September, the new BugDrop Android dropper, the recent Twilio hack, and the MailChimp breach that exposed DigitalOcean clients.


Appsec

WordPress Hacked by fake Cloudflare

WordPress sites are being hacked to display fake Cloudflare DDoS protection pages to distribute NetSupport RAT and the RaccoonStealer password-stealing Trojan.

DDoS (distributed denial of service) is a technique used to bring down a website by flooding it with traffic; Cloudflare's real protection page is shown to visitors while such traffic is being filtered, which is why a fake one looks plausible.

A report by Sucuri details how the actors are hacking poorly protected WordPress sites to add a heavily obfuscated JavaScript payload that displays a fake Cloudflare DDoS protection screen.

Fake DDoS protection screen (Sucuri)

Clicking the button on the fake page results in the download of an ISO file, security_install.iso.

When a user opens the security_install.iso, they will see a file called security_install.exe, which is a Windows shortcut that runs a PowerShell command from the debug.txt file.

How to protect

Admins should check the theme files of their WordPress sites, as according to Sucuri this is the most common infection point in this campaign.

Malicious code found in jquery.min.js (Sucuri)

Additionally, it is advisable to employ file integrity monitoring to catch these JS injections as they happen and prevent your site from becoming a RAT distribution point.
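As an added example of the file integrity monitoring recommended above (this is not code from the page or from Sucuri), the script below hashes every watched file under a WordPress theme directory, stores the baseline, and on a later run reports added, removed and modified files. The theme directory layout and the tampering it simulates are constructed for the demo; the real payload is not reproduced.

```python
"""Baseline-and-compare file integrity check for a WordPress theme directory.

Added example, not code from the page or from Sucuri. Every .js/.php/.html
file under the directory is hashed with SHA-256; a second snapshot is compared
against the saved baseline, so an appended loader in jquery.min.js or a newly
dropped script shows up as "modified" or "added".
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=(".js", ".php", ".html")) -> dict:
    """Map relative POSIX path -> SHA-256 for every watched file under root."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            baseline[p.relative_to(root_path).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added / removed / modified relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, out_file) -> None:
    """Persist the baseline as JSON (store it outside the web root in practice)."""
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file) -> dict:
    return json.loads(Path(in_file).read_text())


def demo() -> dict:
    """Constructed scenario: a clean theme, then a script appended to
    jquery.min.js plus a dropped loader file, as in the campaign above."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "example"
        (theme / "js").mkdir(parents=True)
        (theme / "functions.php").write_text("<?php // clean theme file ?>")
        (theme / "js" / "jquery.min.js").write_text("/* jquery */")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(theme), baseline_file)

        # Simulated tampering (constructed placeholder, not the real payload).
        with (theme / "js" / "jquery.min.js").open("a") as fh:
            fh.write("\n/* appended obfuscated loader would go here */")
        (theme / "js" / "loader.js").write_text("// unexpected new file")

        return compare(load_baseline(baseline_file), build_baseline(theme))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_baseline` once on a known-clean checkout and keep the JSON outside the web root; a cron job that re-runs `compare` and alerts on any non-empty result is enough to catch this campaign's injection the same day it lands.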

CISA adds 7 vulnerabilities to the list of threats actively exploited by hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities to its list of bugs actively exploited by hackers, with the new flaws disclosed by Apple, Microsoft, SAP, Palo Alto Networks and Google.

The seven vulnerabilities were added on 18 August, and CISA requires all of them to be patched by September 8th, 2022.

CVE Number        Vulnerability Title
CVE-2017-15944    Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
CVE-2022-21971    Microsoft Windows Runtime Remote Code Execution Vulnerability
CVE-2022-26923    Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
CVE-2022-2856     Google Chrome Intents Insufficient Input Validation Vulnerability
CVE-2022-32893    Apple iOS and macOS Out-of-Bounds Write Vulnerability
CVE-2022-32894    Apple iOS and macOS Out-of-Bounds Write Vulnerability
CVE-2022-22536    SAP Multiple Products HTTP Request Smuggling Vulnerability

Apple released macOS and iOS/iPadOS security updates on Wednesday for CVE-2022-32893 and CVE-2022-32894, explaining that they could be exploited to achieve code execution on vulnerable devices (see below for details).
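The practical question behind a KEV addition is which of your own findings now carry a CISA due date. The added example below (not CISA's code) cross-references a vulnerability inventory against the catalogue and sorts by days remaining. The catalogue is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; `KEV_SAMPLE` is a constructed excerpt in that shape, limited to the seven entries above and to the fields used here, and the host inventory is likewise constructed.

```python
"""Join a vulnerability inventory against the CISA KEV catalogue.

Added example, not CISA's code. KEV_SAMPLE is a constructed excerpt in the
shape of the real feed ("vulnerabilities" list with cveID, vulnerabilityName,
dateAdded, dueDate; the real feed carries more fields per entry).
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2017-15944", "vulnerabilityName": "Palo Alto Networks PAN-OS Remote Code Execution Vulnerability", "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-21971", "vulnerabilityName": "Microsoft Windows Runtime Remote Code Execution Vulnerability", "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-26923", "vulnerabilityName": "Microsoft Active Directory Domain Services Privilege Escalation Vulnerability", "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-2856", "vulnerabilityName": "Google Chrome Intents Insufficient Input Validation Vulnerability", "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-32893", "vulnerabilityName": "Apple iOS and macOS Out-of-Bounds Write Vulnerability", "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-32894", "vulnerabilityName": "Apple iOS and macOS Out-of-Bounds Write Vulnerability", "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-22536", "vulnerabilityName": "SAP Multiple Products HTTP Request Smuggling Vulnerability", "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
    ]
})

# Constructed scanner output: (host, CVE). One CVE is deliberately not in KEV.
INVENTORY = [
    {"host": "mac-laptop-07", "cve": "CVE-2022-32893"},
    {"host": "dc-01", "cve": "CVE-2022-26923"},
    {"host": "web-01", "cve": "CVE-2021-44228"},
    {"host": "fw-01", "cve": "CVE-2017-15944"},
]


def load_kev(raw: str) -> dict:
    """Index the catalogue by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def prioritize(kev: dict, inventory: list, today: date) -> list:
    """Return inventory findings present in KEV with days until CISA's due date,
    most urgent first. Findings not in KEV are left to the normal SLA."""
    out = []
    for finding in inventory:
        entry = kev.get(finding["cve"])
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        out.append({
            "host": finding["host"],
            "cve": finding["cve"],
            "title": entry["vulnerabilityName"],
            "due": entry["dueDate"],
            "days_left": (due - today).days,
        })
    return sorted(out, key=lambda f: (f["days_left"], f["cve"]))


def overdue(findings: list) -> list:
    """Subset of findings whose CISA due date has already passed."""
    return [f for f in findings if f["days_left"] < 0]


def demo(today: date = date(2022, 8, 22)) -> list:
    return prioritize(load_kev(KEV_SAMPLE), INVENTORY, today)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['days_left']:>4}d  {f['cve']:<15} {f['host']:<14} {f['title']}")
```

Swap `KEV_SAMPLE` for the downloaded feed and `INVENTORY` for your scanner export; the due date is a federal (BOD 22-01) deadline rather than a private-sector obligation, but it is a useful floor for internal SLAs on known-exploited bugs.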


INFRA/Network

Apple Zero Day Vulnerability takes internet by storm

Apple is again in the eye of the storm, with two zero-days now patched. Apple has released security updates for iOS, iPadOS, and macOS to remediate the two zero-day vulnerabilities.

Chained together, the two zero-days enable remote exploitation, access to the camera and microphone, and code execution with the highest privileges.

Apple said in the release that the vulnerabilities may have been actively exploited. We covered the previous set of Apple vulnerabilities in Security Vulnerability of the Week 08/08/22.

The list of issues is below –

  • CVE-2022-32893 – An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code when processing specially crafted web content
  • CVE-2022-32894 – An out-of-bounds issue in the operating system’s kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges

These are in addition to the previously patched zero-days:

  • CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2022-22674 (Intel Graphics Driver) – An application may be able to read kernel memory
  • CVE-2022-22675 (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges

Both vulnerabilities have been fixed in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1.

On Thursday Apple also released a security update for the Safari web browser (version 15.6.1) for macOS Big Sur and Catalina to patch the WebKit vulnerability already fixed in macOS Monterey.

BugDrop bypasses Android’s new security settings

Attackers keep researching, and this time successfully exploiting, security weaknesses in the Google Play Store.

“This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals to perform On-Device Fraud on victim’s devices,” ThreatFabric’s Han Sahin said in a statement shared with The Hacker News.

Dubbed BugDrop by the Dutch security firm, the dropper app is built to bypass the new security feature in modern versions of Android.

ThreatFabric attributed the dropper to a cybercriminal group known as “Hadoken Security,” which is also behind the creation and distribution of the Xenomorph and Gymdrop Android malware families.

Banking trojans are typically deployed on Android devices through innocuous dropper apps that pose as productivity and utility apps, which, once installed, trick users into granting invasive permissions.


Users are advised to avoid falling victim to malware hidden in official app stores by only downloading applications from known developers and publishers, scrutinizing app reviews, and checking their privacy policies.

Cloud

Russian APT29 hackers leverage Azure services to hack Microsoft 365 users

The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022. The group’s expertise is to attack.

Mandiant, who has been tracking the activities of Cozy Bear (aka APT29 and Nobelium), reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.

In a report published today, Mandiant highlights some of APT29’s advanced tactics and some of its newest TTPs (tactics, techniques, and procedures), including disabling mailbox audit logging on compromised accounts to hide access.

“This is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure,” warns Mandiant in an APT 29 whitepaper.

Mandiant’s second interesting finding is APT29 taking advantage of the self-enrollment process for multi-factor authentication (MFA) in Azure Active Directory (AD): an account that has a valid password but has never enrolled an MFA method can be enrolled by whoever logs in with it first.

When users attempt to log in to a domain with self-enrollment policies for the first time, Windows will prompt them to enable MFA on the account.

Prompting a Windows domain user to enrol in MFA (Source: Microsoft)
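The exposure here is the set of accounts that hold a password but have no MFA method registered, especially dormant ones where a quiet enrolment would go unnoticed. The added example below (not Mandiant's or Microsoft's code) lists those accounts from a report export. The rows are a constructed sample modelled on the Microsoft Graph userRegistrationDetails report (`userPrincipalName` and `isMfaRegistered` are fields of that report); `lastSignInDateTime` is a constructed field assumed to have been joined in from sign-in logs.

```python
"""List Azure AD accounts with no MFA method registered and flag dormant ones.

Added example, not Mandiant's or Microsoft's code. SAMPLE_ROWS is constructed
in the shape of the Graph userRegistrationDetails report plus a joined-in
last sign-in timestamp (the join is assumed, not part of that report).
"""
from datetime import datetime, timezone

SAMPLE_ROWS = [
    {"userPrincipalName": "a.admin@example.com", "isMfaRegistered": True, "lastSignInDateTime": "2022-08-20T09:10:00Z"},
    {"userPrincipalName": "contractor.old@example.com", "isMfaRegistered": False, "lastSignInDateTime": "2022-02-01T12:00:00Z"},
    {"userPrincipalName": "new.hire@example.com", "isMfaRegistered": False, "lastSignInDateTime": None},
    {"userPrincipalName": "svc-reports@example.com", "isMfaRegistered": False, "lastSignInDateTime": "2022-08-19T03:00:00Z"},
]


def parse_ts(value):
    """Parse the report's UTC ISO-8601 timestamp; None means never signed in."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unenrolled_accounts(rows: list, now: datetime, dormant_days: int = 30) -> list:
    """Accounts with no MFA method registered. 'dormant' marks accounts with no
    sign-in within dormant_days (or never), which are the ones most likely to be
    enrolled by someone other than the owner without anyone noticing."""
    findings = []
    for row in rows:
        if row["isMfaRegistered"]:
            continue
        last = parse_ts(row.get("lastSignInDateTime"))
        dormant = last is None or (now - last).days > dormant_days
        findings.append({"upn": row["userPrincipalName"], "dormant": dormant})
    # Dormant accounts first, then alphabetical.
    return sorted(findings, key=lambda f: (not f["dormant"], f["upn"]))


def demo() -> list:
    now = datetime(2022, 8, 22, tzinfo=timezone.utc)  # constructed "today"
    return unenrolled_accounts(SAMPLE_ROWS, now)


if __name__ == "__main__":
    for f in demo():
        print(("DORMANT " if f["dormant"] else "active  ") + f["upn"])
```

Accounts that come back dormant and unenrolled are candidates for disabling or for enrolment through a Temporary Access Pass issued by the helpdesk, and a Conditional Access policy that only allows security-information registration from trusted locations removes the self-enrolment path for the rest.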

Hacks

Twilio’s recent breach exposed 125 customers

Twilio has recently been hacked, leveraging a side channel attack. In a recent statement, Twilio, the owner of the highly popular two-factor authentication (2FA) provider Authy, says that it has so far identified 125 customers whose data was accessed during the security breach discovered last week.

The attackers gained access to Twilio’s network using credentials belonging to multiple employees, stolen in an SMS phishing attack.

After discovering the intrusion, Twilio revoked the compromised employee credentials to block the attackers’ access to its systems and started notifying affected customers.

The company also asked several U.S. mobile carriers to shut down the accounts used to deliver phishing messages. Still, the threat actors switched to new accounts and resumed their attacks.

SMS phishing message sent to Twilio employees (Twilio)

MailChimp breach exposed DigitalOcean

DigitalOcean is warning customers that a recent MailChimp security breach exposed the email addresses of some customers, with a small number receiving unauthorized password resets.

DigitalOcean has since switched to another email service provider and notified affected customers about the data breach yesterday.

DigitalOcean data breach notification




Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
