SAN MATEO, CA, July 17, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- WormGPT shows that the era of malicious AI generators is here
- AVrecon malware creates botnet out of 70,000 Linux routers
- Linux users warned that RCE found in Ghostscript open-source PDF library
- New SonicWall and Fortinet product vulnerabilities revealed
- HCA Healthcare breach affects more than 11 million patients
- Urgent patch issued by Apple in response to zero-day flaw
- Critical RCE bug in VMware’s Aria Operations for Logs
- Charming Kitten hacking macOS with NokNok malware
- Malicious npm packages used to support phishing kits
WormGPT shows that the era of malicious AI generators is here
WormGPT is a chatbot specifically trained to assist in creating malicious messaging that can be used to launch convincing phishing or BEC attacks. Researchers studying the chatbot have reported that its tone and language are “strategically cunning” and that it is “like ChatGPT but has no ethical boundaries or limitations.” It is suggested that the only way for organizations to defend against AI-assisted or generated attacks is to employ AI-assisted cybersecurity that can essentially think ahead of the criminals. Read more.
AVrecon malware creates botnet out of 70,000 Linux routers
A Linux malware strain, AVrecon, has created a botnet out of 70,000 Linux-based routers. The botnet is believed to have been designed to “steal bandwidth and provide a hidden residential proxy service,” allowing cybercriminals to “hide a wide spectrum of malicious activities, from digital advertising fraud to password spraying.” AVrecon malware is difficult to identify, leaving the operators free to work “undetected for more than two years,” thanks to the “surreptitious nature of the malware.” Researchers believe these home and small-business routers have been targeted because they are less likely to be updated or maintained. Read more.
Linux users warned that RCE found in Ghostscript open-source PDF library
A critical-severity remote code execution flaw has been found in Ghostscript, an open-source interpreter for PDF files and the PostScript language that is widely used on Linux. The flaw affects all versions of Ghostscript before the most recent release. The bug reportedly relates to OS pipes and “arises from the ‘gp_file_name_reduce()’ function in Ghostscript… However, if a specially crafted path is given to the vulnerable function, it could return unexpected results, leading to overriding the validation mechanisms and potential exploitation.” Linux users are advised to update to Ghostscript’s most recently released version. Read more.
New SonicWall and Fortinet product vulnerabilities revealed
Users of SonicWall’s Global Management System were urged to update their systems by the company, as 15 exploitable security flaws have been patched via the latest update. According to SonicWall, “the suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve.” The report comes as Fortinet released an advisory warning users that a “stack-based overflow vulnerability in FortiOS and FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.” Fortinet recommends that users apply updates immediately. Read more.
HCA Healthcare breach affects more than 11 million patients
HCA Healthcare has reported that a threat actor has breached the organization, affecting the medical data of around 11 million patients who had visited one of the organization’s 182 hospitals or 2,200 care centers across the US and the UK. The hacker posted the data for sale online after attempts to extort HCA failed. According to HCA, the information was stolen from an “external storage location,” and no operations were disrupted. The stolen information includes contact details that can be used to stage phishing attacks, but HCA reportedly does not believe that critical health or payment data was accessed. Read more.
Urgent patch issued by Apple in response to zero-day flaw
Apple has issued a patch to protect iOS, iPadOS, macOS, and Safari users from a zero-day bug actively exploited in the wild. Tracked as CVE-2023-37450, the WebKit bug “could allow threat actors to achieve arbitrary code execution when processing specially crafted web content.” This is the 10th zero-day flaw that Apple has addressed since the start of the year. While Apple has had a longstanding reputation for its operating systems being less prone to attack than Windows, criminals are becoming more adept at exploiting its devices. Read more.
Critical RCE bug in VMware’s Aria Operations for Logs
VMware has issued a statement warning customers that exploit code for a critical flaw in the company’s Aria Operations for Logs analysis tool has been published. The bug, tracked as CVE-2023-20864, “enables threat actors to run arbitrary code as root following low-complexity attacks that don’t require user interaction.” The bug was patched with an update in April, and VMware strongly urges all users to ensure that they are running the current product version. VMware’s products have recently been under attack, with CISA adding a previously discovered flaw to its list of known exploited vulnerabilities. Read more.
Charming Kitten hacking macOS with NokNok malware
Charming Kitten, a threat group linked to the Iranian state, is engaging in a campaign in which its members pose as US-based nuclear experts in phishing emails that target researchers. If the target cannot be infected via the Windows-based chain, the hackers change their strategy and “send a new link to ‘library-store[.]camdvr[.]org’ that hosts a ZIP file masquerading as a RUSI (Royal United Services Institute) VPN app.” When the AppleScript file is executed, “a curl command fetches the NokNok payload and establishes a backdoor onto the victim’s system.” Read more.
Malicious npm packages used to support phishing kits
Researchers at ReversingLabs have reported on malicious npm packages posted between May 11 and June 13 that affect application end users and also support email-based phishing attacks that target Microsoft 365 users. The packages imitate legitimate ones such as jQuery. Dubbed “Operation Brainleeches,” the campaign “further underscores the need for organizations to be on the lookout for signs that open-source packages could be malicious or compromised.” Read more.