Headline
Threat Source newsletter (Aug. 25, 2022) — Why aren't Lockdown modes the default setting on phones?
By Jon Munshaw.
Welcome to this week’s edition of the Threat Source newsletter.
Russia’s invasion of Ukraine was once the most talked about story in the world. Six months into the conflict, modern attention spans have moved on to other news stories. But Ukraine Independence Day yesterday should serve as a reminder to everyone that the threats to Ukraine have not gone anywhere.
The country still faces a physical conflict with Russia every day that seemingly has no easy end, and the barrage of cyber attacks is suspected to continue.
As discussed in our livestream yesterday, Talos continues to see evolving cybersecurity threats in the region, including the most recent GoMet backdoor. And as Joe Marshall highlighted in his blog post last week, Ukraine’s agriculture industry — which is vital to the global food supply chain — remains vulnerable to kinetic and virtual attacks. Because there’s been no one major cyber attack against Ukraine since Russia’s invasion began, the larger public perception is that things haven’t been “that bad.” But state-sponsored actors have continually barraged Ukrainian government entities and critical infrastructure with a range of attacks, including the infamous Fancy Bear and Sandworm groups.
Ukraine’s state nuclear power company also said last week that state-sponsored actors launched a three-hour attack on its websites.
A three-hour distributed denial-of-service attack isn’t going to headline the nightly news, but that doesn’t mean they aren’t happening and making it harder for the Ukrainian government and critical infrastructure to operate. There are people who, six months into this, are still having to fend off cyber threats daily, sometimes just to keep the internet on or to make sure that week’s grain shipment goes out on time.
While headlines come and go, it’s important to remember that there are some things always going on in the background that are bigger than newer headlines that distract us to talk about the newest trojan someone found on the Android store.
The one big thing
All Apple users should update their devices if they haven’t already. The company released updates for iOS, iPadOS and macOS last week, warning of two vulnerabilities that could have been exploited in the wild. CVE-2022-32894 is an out-of-bounds write issue in the operating systems’ kernel that an adversary could exploit to execute arbitrary code with kernel privileges and take control over the system. CVE-2022-32893 is an out-of-bounds write issue in WebKit that can also lead to arbitrary code execution.
Why do I care? While Apple did not disclose any details of attacks potential exploiting these issues, it did say it was aware of a report that the issues “may have been actively exploited.” Apple says the vulnerabilities exist in iPhone 6s and later, all models of the iPad Pro, the iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later and iPod touch 7th generation. Any users of these devices should patch as soon as possible. So now what? Patch, patch and patch again if you’re using any Apple devices.
Top security headlines from the week
The LockBit ransomware’s website was hit with a large distributed denial-of-service attack after threatening to leak documents belonging to a cybersecurity firm. At one point, the site displayed a warning that the ransomware gang plans to upload the targeted company’s stolen data to peer-to-peer networks. Talos’ own Azim Shukuhi first tweeted that a LockBit member told him the site’s servers were receiving “400 requests a second from over 1,000 servers” in a possible “hack back” attack. DDoS attacks aim to disrupt a site’s operations by flooding it with traffic and messages, forcing it to essentially shut down for a period of time. (The Register, TechCrunch) Former Twitter Head of Security Peiter “Mudge” Zatko filed a complaint to the U.S. Securities and Exchange Commission alleging that Twitter is not doing enough to crack down on bot and spam accounts. Mudge is known for being involved with the “Cult of the Dead Cow” hacking group, one of the first groups of its kind in history. The testimony to the SEC also stated that too many Twitter employees have access to critical user data and the company was not actually deleting user data when it was asked to. The number of bot accounts on the social media site is central to a failed bid for Elon Musk to buy the company. (CNN, The Verge) The FBI is warning that threat actors are increasingly hijacking home IP addresses to disguise credential-stuffing attacks. An investigation from the FBI and their Australian counterparts uncovered two sites that contained more than 300,000 unique credentials that were for sale, warning they could be used in attacks against private companies. The actors are setting up proxies to disguise the flood of login attempts, and by using residential IP addresses, they can avoid usual detection techniques. (Cybersecurity Dive, FBI)
Can’t get enough Talos?
Talos Takes Ep. #109: Why cybercrime is going small-time Livestream: Talos update on Ukraine Independence Day Threat Roundup for Aug. 12 - 19 The war in Ukraine has threatened its vital agriculture. Now it could be crippled by a cyberattack Cisco: All Intelligence is Not Created Equal
Upcoming events where you can find Talos
Cisco Security Solution Expert Sessions (Oct. 11 & 13) Virtual
Most prevalent malware files from Talos telemetry over the past week
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
By Jon Munshaw.
Welcome to this week’s edition of the Threat Source newsletter.
Russia’s invasion of Ukraine was once the most talked about story in the world. Six months into the conflict, modern attention spans have moved on to other news stories. But Ukraine Independence Day yesterday should serve as a reminder to everyone that the threats to Ukraine have not gone anywhere.
The country still faces a physical conflict with Russia every day that seemingly has no easy end, and the barrage of cyber attacks is suspected to continue.
As discussed in our livestream yesterday, Talos continues to see evolving cybersecurity threats in the region, including the most recent GoMet backdoor. And as Joe Marshall highlighted in his blog post last week, Ukraine’s agriculture industry — which is vital to the global food supply chain — remains vulnerable to kinetic and virtual attacks. Because there’s been no one major cyber attack against Ukraine since Russia’s invasion began, the larger public perception is that things haven’t been “that bad.” But state-sponsored actors have continually barraged Ukrainian government entities and critical infrastructure with a range of attacks, including the infamous Fancy Bear and Sandworm groups.
Ukraine’s state nuclear power company also said last week that state-sponsored actors launched a three-hour attack on its websites.
A three-hour distributed denial-of-service attack isn’t going to headline the nightly news, but that doesn’t mean they aren’t happening and making it harder for the Ukrainian government and critical infrastructure to operate. There are people who, six months into this, are still having to fend off cyber threats daily, sometimes just to keep the internet on or to make sure that week’s grain shipment goes out on time.
While headlines come and go, it’s important to remember that there are some things always going on in the background that are bigger than newer headlines that distract us to talk about the newest trojan someone found on the Android store.
**The one big thing **
All Apple users should update their devices if they haven’t already. The company released updates for iOS, iPadOS and macOS last week, warning of two vulnerabilities that could have been exploited in the wild. CVE-2022-32894 is an out-of-bounds write issue in the operating systems’ kernel that an adversary could exploit to execute arbitrary code with kernel privileges and take control over the system. CVE-2022-32893 is an out-of-bounds write issue in WebKit that can also lead to arbitrary code execution.
**Why do I care? **While Apple did not disclose any details of attacks potential exploiting these issues, it did say it was aware of a report that the issues “may have been actively exploited.” Apple says the vulnerabilities exist in iPhone 6s and later, all models of the iPad Pro, the iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later and iPod touch 7th generation. Any users of these devices should patch as soon as possible. **So now what? **Patch, patch and patch again if you’re using any Apple devices.
Top security headlines from the week
The LockBit ransomware’s website was hit with a large distributed denial-of-service attack after threatening to leak documents belonging to a cybersecurity firm. At one point, the site displayed a warning that the ransomware gang plans to upload the targeted company’s stolen data to peer-to-peer networks. Talos’ own Azim Shukuhi first tweeted that a LockBit member told him the site’s servers were receiving “400 requests a second from over 1,000 servers” in a possible “hack back” attack. DDoS attacks aim to disrupt a site’s operations by flooding it with traffic and messages, forcing it to essentially shut down for a period of time. (The Register, TechCrunch)
Former Twitter Head of Security Peiter “Mudge” Zatko filed a complaint to the U.S. Securities and Exchange Commission alleging that Twitter is not doing enough to crack down on bot and spam accounts. Mudge is known for being involved with the “Cult of the Dead Cow” hacking group, one of the first groups of its kind in history. The testimony to the SEC also stated that too many Twitter employees have access to critical user data and the company was not actually deleting user data when it was asked to. The number of bot accounts on the social media site is central to a failed bid for Elon Musk to buy the company. (CNN, The Verge)
The FBI is warning that threat actors are increasingly hijacking home IP addresses to disguise credential-stuffing attacks. An investigation from the FBI and their Australian counterparts uncovered two sites that contained more than 300,000 unique credentials that were for sale, warning they could be used in attacks against private companies. The actors are setting up proxies to disguise the flood of login attempts, and by using residential IP addresses, they can avoid usual detection techniques. (Cybersecurity Dive, FBI)
**Can’t get enough Talos? **
- Talos Takes Ep. #109: Why cybercrime is going small-time
- Livestream: Talos update on Ukraine Independence Day
- Threat Roundup for Aug. 12 - 19
- The war in Ukraine has threatened its vital agriculture. Now it could be crippled by a cyberattack
- Cisco: All Intelligence is Not Created Equal
**Upcoming events where you can find Talos ****Most prevalent malware files from Talos telemetry over the past week **
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
Related news
This issue was addressed with improved entitlements. This issue is fixed in iOS 16, watchOS 9. An app may be able to read a persistent device identifier.
Supply chain attacks were all the rage in 2020 after SolarWinds, but we seem to have forgotten how important they are.
Such exploits sell for up to $10 million, making them the single most valuable commodity in the cybercrime underworld.
Red Hat Security Advisory 2022-6634-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2022-6540-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
Categories: Exploits and vulnerabilities Categories: News Apple has patched an actively-exploited flaw that affects a host of devices and software, including iPhones, Macs, iPads, and iPod touch. (Read more...) The post Important update! iPhones, Macs, and more vulnerable to zero-day bug appeared first on Malwarebytes Labs.
Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild. The issue, assigned the identifier CVE-2022-32917, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges. "Apple is aware of a report that this issue may
Categories: News Tags: Apple Tags: iOS 12.5.6 Tags: webkit Tags: CVE-2022-32893 Apple has released a security update for iOS 12.5.6 to patch a remotely exploitable WebKit vulnerability that allows attackers to execute arbitrary code on unpatched devices. (Read more...) The post Apple releases security update for iPhones and iPads to address vulnerability appeared first on Malwarebytes Labs.
Apple Security Advisory 2022-08-31-1 - iOS 12.5.6 addresses code execution and out of bounds write vulnerabilities.
Gentoo Linux Security Advisory 202208-39 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in the arbitrary execution of code. Versions less than 2.36.7 are affected.
Apple continues a staged update process to address a WebKit vulnerability that allows attackers to craft malicious Web content to load malware on affected devices.
Apple on Wednesday backported security updates to older iPhones, iPads, and iPod touch devices to address a critical security flaw that has been actively exploited in the wild. The issue, tracked as CVE-2022-32893 (CVSS score: 8.8), is an out-of-bounds write issue affecting WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. The tech
Plus: Chrome patches another zero-day flaw, Microsoft closes up 100 vulnerabilities, Android gets a significant patch, and more.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Categories: Exploits and vulnerabilities Categories: News CISA updated its catalog of actively exploited vulnerabilities. Make sure you update your software before the due date! (Read more...) The post CISA wants you to patch these actively exploited vulnerabilities before September 8 appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News CISA updated its catalog of actively exploited vulnerabilities. Make sure you update your software before the due date! (Read more...) The post CISA wants you to patch these actively exploited vulnerabilities before September 8 appeared first on Malwarebytes Labs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a critical SAP security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The issue in question is CVE-2022-22536, which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a critical SAP security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The issue in question is CVE-2022-22536, which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch
The fact that the flaws enable remote code execution, exist across all major Apple OS technologies, and are being actively exploited heightens the need for a quick response.
The fact that the flaws enable remote code execution, exist across all major Apple OS technologies, and are being actively exploited heightens the need for a quick response.
Apple Security Advisory 2022-08-18-1 - Safari 15.6.1 addresses code execution and out of bounds write vulnerabilities.
Apple Security Advisory 2022-08-17-1 - iOS 15.6.1 and iPadOS 15.6.1 addresses code execution and out of bounds write vulnerabilities.
Apple Security Advisory 2022-08-17-1 - iOS 15.6.1 and iPadOS 15.6.1 addresses code execution and out of bounds write vulnerabilities.
Apple Security Advisory 2022-08-17-2 - macOS Monterey 12.5.1 addresses code execution and out of bounds write vulnerabilities.
Apple Security Advisory 2022-08-17-2 - macOS Monterey 12.5.1 addresses code execution and out of bounds write vulnerabilities.
Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.
Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.
Categories: Exploits and vulnerabilities Categories: News Tags: macOS Tags: iOS Tags: CVE-2022-32894 Tags: CVE-2022-32893 Tags: kernel privileges Tags: WebKit Tags: actively exploited Tags: watering hole Tags: exploit kit Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs. (Read more...) The post Urgent update for macOS and iOS! Two actively exploited zero-days fixed appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Tags: macOS Tags: iOS Tags: CVE-2022-32894 Tags: CVE-2022-32893 Tags: kernel privileges Tags: WebKit Tags: actively exploited Tags: watering hole Tags: exploit kit Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs. (Read more...) The post Urgent update for macOS and iOS! Two actively exploited zero-days fixed appeared first on Malwarebytes Labs.
Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices. The list of issues is below - CVE-2022-32893 - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content CVE-2022-32894 - An
Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices. The list of issues is below - CVE-2022-32893 - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content CVE-2022-32894 - An