SAN MATEO, CA, September 11, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Cisco warns of zero-day bug being actively exploited by ransomware gangs
- Apple pushes emergency patches to address flaws exploited for Pegasus spyware
- Zero-day exploit in AtlasVPN for Linux disconnects victim and reveals their IP address
- Apache Superset remote code execution vulnerabilities patched in new update
- W3LL phishing kit bypasses MFA to hijack thousands of Microsoft 365 accounts
- PHPFusion CMS discovered to have high-severity flaw
- MinIO storage system abused by hackers, used to execute code on compromised servers
- Decryptor developed for victims of Key Group ransomware
- Social engineering campaign targeting Okta Super Administrator accounts
- Chrome extensions can steal plaintext passwords
Cisco warns of zero-day bug being actively exploited by ransomware gangs
A zero-day vulnerability in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) is being exploited in the wild by ransomware attackers, according to a warning from the company. The flaw allows “unauthorized remote attackers to conduct brute force attacks against existing accounts.” The CVE-2023-20269 flaw is “located within the web services interface of the Cisco ASA and Cisco FTD devices” and “is caused by improperly separating the AAA functions and other software features,” creating a situation in which a threat actor can “send authentication requests to the web services interface to impact or compromise authorization components.” Cisco is in the process of releasing a patch for this vulnerability. Read more.
Apple pushes emergency patches to address flaws exploited for Pegasus spyware
Apple pushed emergency patches to iOS, iPadOS, macOS, and watchOS to close a pair of zero-day flaws exploited to install NSO Group’s Pegasus spyware. CVE-2023-41061 is a “validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.” CVE-2023-41064 is a “buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.” According to researchers at Citizen Lab, the two flaws make up a zero-click iMessage exploit chain “capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.” Read more.
Zero-day exploit in AtlasVPN for Linux disconnects victim and reveals their IP address
Exploit code that allows a threat actor to disconnect AtlasVPN for Linux users and expose their IP address has been published by an undisclosed security researcher, who says they contacted the vendor but received no response. The bug is easy to trigger: an attacker only has to copy the exploit code into a site they control and lure a victim to it. The exploit’s simplicity, and the fact that it completely defeats the purpose of a VPN product, have left some researchers severely disappointed in AtlasVPN’s lack of urgency concerning this flaw. Read more.
Apache Superset remote code execution vulnerabilities patched in new update
Two vulnerabilities in Apache Superset that could allow an attacker to gain remote code execution have been fixed in a recent update. CVE-2023-39265 and CVE-2023-37941 both “make it possible to conduct nefarious actions once a bad actor can gain control of Superset’s metadata database.” The latest update also addresses CVE-2023-36388, an improper REST API permission issue that “allows low-privilege users to carry out server-side request forgery (SSRF) attacks.” Users are urged to update their systems immediately. Read more.
W3LL phishing kit bypasses MFA to hijack thousands of Microsoft 365 accounts
A threat actor called W3LL has developed a phishing kit that has been used to hijack over 8,000 Microsoft 365 accounts, after building “utilities and infrastructure” that targeted more than 56,000 users. Researchers say that W3LL’s inventory of malicious tools covers “almost the entire kill chain of a BEC operation” and can be easily deployed by “cybercriminals of all technical skill levels.” Group-IB researchers, who observed the kit using several sophisticated and evasive techniques against targets, state that “W3LL’s major weapon, W3LL Panel, may be considered one of the most advanced phishing kits in class, featuring adversary-in-the-middle functionality, API, source code protection, and other unique capabilities.” Read more.
PHPFusion CMS discovered to have high-severity flaw
PHPFusion, a popular open-source content management system, has been found by researchers at the Synopsys Cybersecurity Research Center (CyRC) to harbor a high-severity flaw. CyRC warns that the PHPFusion maintainers currently have no plans to patch or address the bug, tracked as CVE-2023-2453, which could allow a threat actor to execute code remotely on a vulnerable system. The researchers say that the vulnerability is “caused by insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a ‘require_once’ statement” and that the attacker “must have ‘Member,’ ‘Administrator,’ or ‘Super Administrator’ privileges.” PHPFusion is used by more than 15 million websites worldwide. Read more.
MinIO storage system abused by hackers, used to execute code on compromised servers
Threat actors have been reportedly “weaponizing” flaws within the MinIO object storage system via a publicly available exploit chain. The findings come from researchers at Security Joes, who report that the exploited flaws “possess the potential to expose sensitive information present within the compromised installation and facilitate remote code execution (RCE) on the host where the MinIO application is operational.” The hackers use the exploits to create a “deceptive update” that replaces the “authentic MinIO binary with its ‘evil’ counterpart.” The threat actors responsible are unknown, though they are “proficient in working with bash scripts and Python.” Read more.
Decryptor developed for victims of Key Group ransomware
EclecticIQ researchers have developed and released a decryption tool designed to foil ransomware deployed by Key Group, a Russian threat organization that was discovered last January. Key Group’s malware is described as having several flaws, making it easier than other strains to crack. “Key Group ransomware uses CBC-mode Advanced Encryption Standard (AES) to encrypt files and sends personally identifiable information (PII) of victim devices to threat actors,” the EclecticIQ team explained in a new report. “The ransomware uses the same static AES key and initialization vector (IV) to recursively encrypt victim data and change the name of encrypted files with the keygroup777tg extension.” EclecticIQ’s tool is free to download. Read more.
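As an added illustration (not EclecticIQ’s decryptor or Key Group’s code), the Go program below reproduces the weakness described above: when every file is encrypted in CBC mode with the same key and IV, files that begin with the same bytes produce the same leading ciphertext block, and once the two constants have been recovered from a single sample a decryptor can restore every victim’s files and original names. The key, IV, file names and contents are constructed placeholders; PKCS#7 padding is assumed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"strings"
)

// Constructed placeholder key and IV standing in for the static values hard-coded in the malware.
var staticKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var staticIV = []byte("fedcba9876543210")                  // 16 bytes, reused for every file

const lockedExt = ".keygroup777tg"

// encryptSample reproduces the flawed scheme on in-memory test data only: same key and IV every time.
func encryptSample(plain []byte) []byte {
	block, _ := aes.NewCipher(staticKey) // key length is fixed at 32 bytes above
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, staticIV).CryptBlocks(out, padded)
	return out
}

// sameLeadingBlock exposes the weakness: with a fixed key and IV, equal first 16 plaintext bytes give equal first ciphertext blocks.
func sameLeadingBlock(a, b []byte) bool {
	return len(a) >= aes.BlockSize && len(b) >= aes.BlockSize && bytes.Equal(a[:aes.BlockSize], b[:aes.BlockSize])
}

// decryptFile recovers the original name and content once the static key/IV are known; a padding failure means wrong constants or a damaged file.
func decryptFile(name string, data []byte) (string, []byte, error) {
	if !strings.HasSuffix(name, lockedExt) {
		return "", nil, errors.New("not a Key Group encrypted file")
	}
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return "", nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	block, _ := aes.NewCipher(staticKey)
	plain := make([]byte, len(data))
	cipher.NewCBCDecrypter(block, staticIV).CryptBlocks(plain, data)
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", nil, errors.New("bad padding: wrong key/IV or corrupted file")
	}
	return strings.TrimSuffix(name, lockedExt), plain[:len(plain)-pad], nil
}
```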
Social engineering campaign targeting Okta Super Administrator accounts
Okta is warning users that a social engineering campaign to obtain “highly privileged Okta Super Administrator accounts” is underway. The threat actors responsible use a commercial phishing kit called 0ktapus, “which offers pre-made templates to create realistic fake authentication portals and ultimately harvest credentials and multi-factor authentication (MFA) codes. It also incorporates a built-in command-and-control (C2) channel via Telegram.” Okta is urging users to “enforce phishing-resistant authentication, strengthen help desk identity verification processes, enable new device and suspicious activity end-user notifications, and review and limit the use of Super Administrator roles.” Read more.
Chrome extensions can steal plaintext passwords
A group of researchers at the University of Wisconsin-Madison has created a proof-of-concept extension that can steal plaintext passwords from a site’s source code. The extension was accepted into the Chrome Web Store. The researchers discovered that websites with millions of visitors “store passwords in plaintext within the HTML source code of their web pages, allowing extensions to retrieve them.” The team said this vulnerability results from “the practice of giving browser extensions unrestricted access to the DOM tree of sites they load on, which allows accessing potentially sensitive elements such as user input fields.” The researchers’ findings revealed that huge sites such as Facebook and Gmail are susceptible to this flaw. Read more.