SAN MATEO, CA, October 9, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Critical flaw in Cisco Emergency Responder systems patched
- Apple issues emergency update to fix new zero-day iPhone hack
- Major AI infrastructure greatly endangered by critical TorchServe flaws
- Microsoft warns of attempts to breach cloud via SQL server instance
- 3 zero-day flaws exploited in Qualcomm GPU and DSP drivers, patch issued
- New ASMCrypt malware loader allows cybercriminals to fly under the radar
- AI is making it almost impossible to detect phishing emails
- FBI warns of increasingly common double ransomware attacks
- New BunnyLoader malware-as-a-service shows up in the cybercrime marketplace
- Exim mail servers exposed to RCE zero-day attacks
Critical flaw in Cisco Emergency Responder systems patched
A critical flaw in Cisco’s Emergency Responder that could allow remote attackers to “sign into susceptible systems using hard-coded credentials” has been patched by the company. CVE-2023-20101 is “due to the presence of static user credentials for the root account the company said is usually reserved for use during development.” Cisco reportedly discovered the issue during internal security testing, and the company is unaware of it being exploited in the wild. Customers are urged to update their systems to the latest version immediately in the absence of temporary workarounds. Read more.
Apple issues emergency update to fix new zero-day iPhone hack
Apple has launched an emergency update to fix a zero-day flaw, tracked as CVE-2023-42824, that is “caused by a weakness discovered in the XNU kernel that enables local attackers to escalate privileges on unpatched iPhones and iPads.” The flaw impacts a large swath of Apple’s devices, such as the iPhone XS and later and several iPad models. This marks the 17th zero-day bug Apple has issued a fix for in 2023 thus far and further highlights that Apple’s operating systems, previously thought to be relatively safe from malicious activity, are now a viable platform for threat actors spreading spyware, malware, and more. Read more.
Major AI infrastructure greatly endangered by critical TorchServe flaws
A tool called TorchServe, used by organizations such as Google, Amazon, Intel, Microsoft, and more, has been found to contain a series of critical vulnerabilities that could allow cybercriminals to take “complete control” of servers that are part of their AI infrastructure. Researchers at Oligo discovered the flaws and, via an IP scanner, determined that tens of thousands of TorchServe instances were vulnerable to them. Oligo warns that the bugs they found “can completely compromise the AI infrastructure of the world’s biggest businesses” by allowing an attacker to gain access and launch “malicious code on the targeted organization’s PyTorch server and then move laterally within the network to even more sensitive systems.” Read more.
Microsoft warns of attempts to breach cloud via SQL server instance
Microsoft has reported on a new campaign in which “the attackers initially exploited a SQL injection vulnerability in an application within the target’s environment. This allowed the attacker to gain access and elevated permissions on a Microsoft SQL Server instance deployed in Azure Virtual Machine (VM).” The threat actors then used said permissions to try to move laterally to other cloud resources by “abusing the server’s cloud identity, which may possess elevated permissions.” While the efforts were not successful, Microsoft’s findings highlight “the growing sophistication of cloud-based attack techniques.” Read more.
3 zero-day flaws exploited in Qualcomm GPU and DSP drivers, patch issued
Hackers are actively exploiting three zero-day bugs in Qualcomm’s GPU and Compute DSP drivers, the company has warned. While Qualcomm has yet to provide detailed information regarding those flaws, a patch that fixes them and three further severe bugs has been issued. CVE-2023-24855 is a memory corruption issue in Qualcomm’s Modem component, CVE-2023-28540 is a cryptographic problem in the Data Modem component, and CVE-2023-33028 is a WLAN firmware memory corruption issue. Users are urged to update their drivers immediately to prevent being targeted by hackers. Read more.
New ASMCrypt malware loader allows cybercriminals to fly under the radar
A new crypter and loader called ASMCrypt is now for sale, described as the next step in the evolution of a different loader called DoubleFinger. According to Kaspersky, “the idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.” Once launched by a customer, ASMCrypt establishes “contact with a backend service over the TOR network using hard-coded credentials, thereby enabling the buyers to build payloads of their choice for use in their campaigns.” Loaders like this have become popular in cybercrime circles, as they act as a “malware delivery service that several threat actors can utilize to gain initial access to networks for conducting ransomware attacks, data theft, and other malicious cyber activities.” Read more.
AI is making it almost impossible to detect phishing emails
AI chatbots are making it easy for cybercriminals to generate phishing emails that are almost impossible to detect, according to Egress’ Phishing Threats Trends Report. Egress’ findings indicate that, in three cases out of four, AI detectors are unable to determine whether an email has been written by a chatbot or a human due in part to the fact that many phishing emails fly below the 250-character requirement that most large language models need to provide an accurate result. The use of AI chatbots and the employment of layers of obfuscation techniques such as HTML smuggling has caused the rate at which phishing emails slip past detection to rise by nearly 30% in some cases. Read more.
FBI warns of increasingly common double ransomware attacks
The FBI has released a statement warning of a rise in dual ransomware attacks, in which a successful ransomware attack is shortly followed by a second using a different strain. By attacking already compromised organizations, the second attack tends to be even more harmful than the first. According to the FBI, most of these dual attacks occur “within 48 hours of each other,” giving a victim very little time to react in a way that doesn’t result in the threat actors getting the upper hand. The FBI also notes that threat actors have been turning to “malware, data theft, and wiper tools” to further damage and pressure victims into giving in to their demands. Read more.
New BunnyLoader malware-as-a-service shows up in the cybercrime marketplace
Researchers at Zscaler ThreatLabz have discovered a new malware-as-a-service offering for sale on the web called BunnyLoader. The loader costs $250 for a lifetime license and is believed to be under “continuous development.” BunnyLoader “provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more.” A standout feature of BunnyLoader, as described by its author PLAYER_BUNNY, is a fileless loading feature that “makes it difficult for the antiviruses to remove the attacker’s malware.” Read more.
Exim mail servers exposed to RCE zero-day attacks
Trend Micro’s Zero Day Initiative has reported that all Exim mail transfer agent (MTA) software versions are vulnerable to a zero-day exploit that allows threat actors to gain remote code execution on internet-exposed servers. The critical bug tracked as CVE-2023-42115 is “due to an Out-of-bounds Write weakness found in the SMTP services.” The developer has yet to provide a patch for this bug, leaving more than 3.5 million Exim servers vulnerable to the attack, most of which are in the United States. Read more.