New video provides a behind-the-scenes look at Talos ransomware hunters

Apple’s emergency patch, AI-generated art and more security headlines from the past week.

TALOS
Thursday, June 29, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

AI-generated art has been causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create children’s books for you.

There are all sorts of ethical and legal implications that AI-generated art has that I don’t have the space here to cover, but I did think it was worth noting that these tools are already being used in cyber attacks and online scams.

These tools can create extremely convincing deepfake art that could lead to the spread of misinformation or disinformation, especially concerning major news events and political figures. I’ve written about this in the newsletter before.

There are also dozens of apps that promise to create convincing AI art or portraits of people but actually serve another, malicious purpose. As McAfee pointed out in this blog post, some Android apps offered to “zhuzh up” users’ profile pictures with AI filters but were actually trojanized apps with hidden information stealers. And at the end of the day, they were all using the same basic filters. Many of these apps could also be stealing and re-using the pictures users submitted (remember the saga of the app that showed what you would look like when you got old?).

I have more to get to this week, so I’m not going to go much deeper into the subject, but as always, be vigilant of apps’ privacy policies and do a quick background check on their creators before downloading something hoping to create a Skrull version of yourself.

I’m also excited to show off this new video featuring a behind-the-scenes interview with Talos.

This video from Cisco Secure shines a spotlight on the evolution and future of ransomware. Watch it below or over on Cisco.com here to find out how our threat hunters identify new and evolving threats in the wild, and how their research and intelligence help organizations build strong defenses.

The one big thing

Apple released an emergency patch last week for all its operating systems for two zero-click vulnerabilities that could allow an attacker to completely take over a targeted device. The two vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, were reportedly used to compromise phones in Russia. The issues were part of the so-called Triangulation spyware discovered on iPhones of employees of Kaspersky, a Russia-based cybersecurity company, but the malware was removed from phones after a device reboot.

Why do I care?

The chances of being targeted by the Triangulation spyware are slim to none based on what the security community knows to this point, but either way, the existence of a zero-day vulnerability in iOS is always big news. Apple encouraged users of those devices to upgrade to iOS 16.5.1 and iPadOS 16.5.1. The company also said that CVE-2023-32434 “may have been actively exploited against versions of iOS released before iOS 15.7.”

So now what?

All Apple users should update these affected products as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency also released an advisory telling “users and administrators to review [Apple’s] advisories and apply the necessary updates.”

Top security headlines of the week

The self-identifying hacktivist group “Anonymous Sudan” is more active than initially thought. While researchers are still unsure as to the group’s connections to any nation-states, the group says it’s advocating on behalf of Sudan. It first came onto the scene earlier this month, taking credit for a distributed denial-of-service attack against Microsoft that affected Outlook. Now, researchers are saying their activities actually started prior to that with attacks targeting Israel, Sweden and other nations earlier this year. Microsoft confirmed last week that a Layer 7 DDoS attack was responsible for outages affecting Azure, Outlook and OneDrive, saying that “these attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools” and that there is “no evidence that customer data has been accessed or compromised.” (Bloomberg, Bleeping Computer)

The list of companies affected by the MOVEit breach continues to grow. Clop, the threat actor behind the attacks, added Schneider Electric and Siemens Energy — two major electric corporations — to its leak site this week. The University of California Los Angeles (UCLA) also confirmed it discovered on June 1 that it was the target of the campaign, though it quickly engaged the college’s incident response team and patched the issue. Since the attack went public, Clop’s leak site mainly called out seven U.S. state and local governments, including the nation’s largest public-employee pension fund — the California Public Employees’ Retirement System. And the New York City public school system was also affected, with more than 45,000 students having their personal data stolen, including sensitive information like Social Security numbers. (The Record by Recorded Future, CyberScoop)

The FBI seized the domain belonging to the infamous hacking site BreachForums, three months after arresting its creator. Users of BreachForums were known for sharing and selling stolen personal data from a variety of websites and companies. BreachForums was quiet for several weeks after the admin, known as “Pompompurin,” was arrested. However, the site’s newest admin decided to relaunch the site on new servers earlier this month. In addition to the usual display of the logos of the law enforcement agencies involved in the takedown, BreachForums’ homepage now also displays an image of the avatar Pompompurin used, in handcuffs. (TechCrunch, Infosecurity Magazine)

Can’t get enough Talos?

  • Service overview: Talos Incident Response purple team
  • Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL
  • Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience
  • Talos Takes Ep. #144: What we know so far about the MOVEit zero-day making the rounds

Upcoming events where you can find Talos

BlackHat (Aug. 5 - 10)

Las Vegas, Nevada

Grace Hopper Celebration (Sept. 26 - 29)

Orlando, Florida

Caitlin Huey, Susan Paskey and Alexis Merritt present a “Level Up Lab” titled “Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence.” Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311

Related news

iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers

By Deeba Ahmed. Triangulation of Terror: Inside the Most Sophisticated iPhone Spyware Campaign Ever Seen. (HackRead.com)

Most Sophisticated iPhone Hack Ever Exploited Apple's Hidden Hardware Feature

The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company. Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as

Update now! Apple patches a raft of vulnerabilities

Apple has released security updates for its phones, iPads, Macs, watches and TVs. Tags: iLeakage, side-channel, Safari, Vim, CVE-2023-40413, CVE-2023-40416, CVE-2023-40423, CVE-2023-42487, CVE-2023-42841, CVE-2023-41982, CVE-2023-41997, CVE-2023-41988, CVE-2023-40447, CVE-2023-42852, CVE-2023-32434, CVE-2023-41989, CVE-2023-38403, CVE-2023-42856, CVE-2023-40404, CVE-2023-41977. (Malwarebytes Labs)

Apple Security Advisory 10-25-2023-3

Apple Security Advisory 10-25-2023-3 - iOS 15.8 and iPadOS 15.8 address code execution and integer overflow vulnerabilities.

Operation Triangulation: Experts Uncover Deeper Insights into iOS Zero-Day Attacks

The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location. The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed Operation Triangulation, went to conceal and cover up

Ubuntu Security Notice USN-6264-1

Ubuntu Security Notice 6264-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs

Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild. Tracked as CVE-2023-38606, the shortcoming resides in the kernel and potentially permits a malicious app to modify sensitive kernel state. The company said it was addressed with improved state management.

Red Hat Security Advisory 2023-4201-01

Red Hat Security Advisory 2023-4201-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

Red Hat Security Advisory 2023-4202-01

Red Hat Security Advisory 2023-4202-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

RHSA-2023:4202: Red Hat Security Advisory: webkit2gtk3 security update

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: CVE-2023-32435: A vulnerability was found in webkitgtk. This issue occurs when processing web content, which may lead to arbitrary code execution. CVE-2023-32439: A vulnerability was found in webkitgtk. This issue occurs when processing maliciously crafted web content, which may lead to arbitrary code execution.

Apple, Google, and MOVEit Just Patched Serious Security Flaws

Plus: Microsoft fixes 78 vulnerabilities, VMware plugs a flaw already used in attacks, and more critical updates from June.

U.S. Cybersecurity Agency Adds 6 Flaws to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel

CVE-2023-32434: About the security content of macOS Big Sur 11.7.8

An integer overflow was addressed with improved input validation. This issue is fixed in watchOS 8.8.1, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, macOS Big Sur 11.7.8, macOS Monterey 12.6.7, macOS Ventura 13.4.1, watchOS 9.5.2. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

2 More Apple Zero-Days Exploited in Ongoing iOS Spy Campaign

The zero-day security bugs are being used to deploy the sophisticated but "odd" TriangleDB spying implant on targeted iOS devices.

Zero-Day Alert: Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari

Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild. This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the campaign is not known.

Update now! Apple fixes three actively exploited vulnerabilities

Apple has released security updates for several products to address a set of flaws it said were being actively exploited. Tags: kernel, WebKit, type confusion, integer overflow, Operation Triangulation, CVE-2023-32434, CVE-2023-32435, CVE-2023-32439. (Malwarebytes Labs)
