Plus: Mozilla fixes two high-severity bugs in Firefox, Citrix fixes a flaw that was used to attack a US-based critical infrastructure organization, and Oracle patches over 500 vulnerabilities.

CVE-2023-26083 is an issue in Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips, rated as having a moderate impact. The vulnerability was used to deliver spyware to Samsung devices in December 2022.

CVE-2021-29256 is a high-severity flaw that also impacts Bifrost and Midgard Arm Mali GPU kernel drivers.

The Android updates have already reached Google’s Pixel devices and some of Samsung’s Galaxy range. Given the severity of this month’s bugs, it’s a good idea to check whether the update is available and install it now.

Google Chrome 115

Google has issued the Chrome 115 update for its popular browser, fixing 20 security vulnerabilities, four of which are rated as having a high impact. CVE-2023-3727 and CVE-2023-3728 are use-after-free bugs in WebRTC. The third flaw rated as having a high severity is CVE-2023-3730, a use-after-free vulnerability in Tab Groups, while CVE-2023-3732 is an out-of-bounds memory access bug in Mojo.

Six of the flaws are listed as having a medium severity, and none of the vulnerabilities are known to have been used in real-life attacks. Even so, Chrome is a highly targeted platform, so check your system for updates.

Firefox 115

Hot on the heels of Chrome 115, rival browser Mozilla has released Firefox 115, fixing several flaws it rates as having high severity. Among these are two use-after-free bugs tracked as CVE-2023-37201 and CVE-2023-37202.

The privacy-conscious browser maker also fixed two memory safety bugs tracked as CVE-2023-37212 and CVE-2023-37211. The memory safety flaws are present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12, Mozilla said in an advisory, adding: “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code.”

Citrix

Enterprise software giant Citrix has issued an update warning after fixing multiple flaws in its NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) tools, one of which has already been used in attacks.

Tracked as CVE-2023-3519, the already exploited flaw is an unauthenticated remote code execution vulnerability in NetScaler ADC and NetScaler Gateway that’s so severe it’s been given a CVSS score of 9.8. “Exploits of CVE-2023-3519 on unmitigated appliances have been observed,” Citrix said. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

The flaw was also the subject of an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), which warned that the bug was used in attacks on a critical infrastructure organization in June.

SAP

SAP, another enterprise software firm, has issued its July Security Patch Day, including 16 security fixes. The most severe flaw is CVE-2023-36922, an OS command injection vulnerability with a CVSS score of 9.1.

The bug allows an authenticated attacker to “inject an arbitrary operating system command into a vulnerable transaction and program,” security firm Onapsis said. “Patching is strongly recommended, since a successful exploit of this vulnerability has a high impact on confidentiality, integrity, and availability of the affected SAP system,” it warned.

Meanwhile, CVE-2023-33989 is a directory traversal vulnerability in SAP NetWeaver with a CVSS score of 8.7, and CVE-2023-33987 is a request smuggling and request concatenation vulnerability in SAP Web Dispatcher with a CVSS score of 8.6.

Oracle

Software company Oracle has released its July Critical Patch Update Advisory, fixing 508 vulnerabilities in its products. Among the fixes are 77 new security patches for Oracle Communications. Oracle warned that 57 of these vulnerabilities could be remotely exploited over a network without user credentials. One of the worst flaws is CVE-2023-20862, which has been given a CVSS score of 9.8.

Meanwhile, 147 of the Oracle patches were for Financial Services, and Fusion Middleware received 60 fixes.

Oracle said it continues to receive reports of attempts to exploit vulnerabilities it has already patched. In some cases, attackers were successful because targeted customers had failed to apply available Oracle patches, it said. “Oracle, therefore, strongly recommends that customers remain on actively supported versions and apply Critical Patch Update security patches without delay.”

Apple iOS, Google Android Patch Zero-Days in July Security Updates

Plus: Russia tightens social media censorship, new cyberattack reporting rules for US companies, and Google Street View returns to Germany.

Code used to encrypt sensitive radio communications around the world for years had major flaws that could be exploited by attackers, according to new research. Among the flaws: a secret backdoor.

A group of researchers from the Netherlands discovered multiple vulnerabilities in encryption algorithms used in the European radio standard TETRA, which is used in radio communications by police, critical infrastructure workers, mass transit and freight trains, and major government bodies. While the TETRA standard is public, the ciphers used to encrypt the communications were kept secret. One of the algorithms, known as TEA1, had a feature that reduces its 80-bit encryption down to just 32 bits—a backdoor, the researchers say, that made it vulnerable to eavesdropping and potentially other attacks.

The body that develops and maintains TETRA—the European Telecommunications Standards Institute—rejects the “backdoor” label, saying that the weakened encryption was implemented to abide by encryption export controls in place when it was released in the 1990s. Regardless of what you call it, ETSI has released a replacement for the TEA1 algorithm and fixed another major flaw that made communications vulnerable to interception.

In the world of AI-fueled chatbots, security researchers warn that third-party plug-ins for ChatGPT’s paid version could add a layer of risk to users’ data and potentially be abused by attackers. OpenAI, the creator of ChatGPT, says it maintains high security standards for the plug-ins listed on its website. But ultimately, the choice to use a plug-in largely depends on whether you trust the developer who made it.

Even if you trust someone online, however, there’s no guarantee that they are who you think they are. This week, we detailed the saga of a Twitter user who thought he was buying a Macbook from someone he knew but ended up sending $1,000 to a scammer who used a hacked Twitter account to pull off the swindle. Threat researchers got involved and ultimately traced the scammers’ real-life identities, then handed over what they found to police.

Finally, in Washington, DC, the National Security Agency has been quietly pushing members of the US Congress to abandon an amendment to the “must-pass” National Defense Authorization Act (NDAA) that would prevent military intelligence agencies like the NSA for buying commercially available data on US citizens. Even if the NSA’s lobbying is successful, it may be forced to keep up the fight as separate legislation is making its way through Congress that would ban the purchase of sensitive data far more broadly than the NDAA amendment.

But that’s not all. Each week, we round up security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Despite being released in 2009, the classic title _Call of Duty: Modern Warfare 2_ is still popular with a dedicated group of fans. Hundreds are still playing the game online. But on July 26, Activision, the game's creator, announced it had taken the game on Steam offline while it was investigating “reports of an issue.” No further details were provided about the problem or why the game was pulled.

A report from TechCrunch sheds some possible light on the “issue.” _Call of Duty_ players on the old game are being hit with malware that automatically spreads through multiplayer lobbies, according to the publication. Gamers appear to have posted about the malware, finding links to it on online code repositories, and claim it spreads through lobbies from one infected player to another. One anonymous source from the gaming industry said the malware appeared to be a worm.

According to TechCrunch it is unclear why the malware is spreading or what exactly the impact is on gamers. Valve, the owner of Steam, did not comment on the issue, according to the news website.

Public companies in the United States will soon have to report data breaches and hacking incidents four days after they deem an incident to have a “material” impact on their business. On Wednesday, the US Securities and Exchange Commission voted to introduce the regulations that require firms to disclose cyberattacks once they have determined it will disrupt its operations or finances. The disclosures must detail the "nature, scope, and timing" of the attack, as well as the potential impact it will have on the firm.

Former SEC rules required companies to disclose cyber incidents but did not impose any strict timeline on doing so. This can lead to firms waiting weeks or months to notify customers and lawmakers about data breaches and cyberattacks. A separate part of the new SEC rules also requires companies to detail their processes for "assessing, identifying, and managing material risks," heaping extra public accountability on firms to make sure they're taking security issues seriously. The rules will go into effect by no later than December.

Since Vladimir Putin started his full-scale invasion of Ukraine in February 2022, Russia's internet censorship has become even more expansive. A new report this week from researchers at Citizen Lab, a research facility at the University of Toronto, shows how the country's censors have clamped down on the social network VK, which is similar to Facebook. Russia's government has been ordering VK to remove posts, videos, and accounts almost every day since the start of the war, the researchers found after reviewing court orders issued by the government.

There's been a thirtyfold increase in censorship since the start of the war, Citizen Lab researchers found. In total, 94,942 videos, 1,569 community accounts, and 787 personal accounts are blocked in Russia, which has clamped down on independent media and blocked social media such as Facebook and YouTube as it looks to control the information people read and access within its borders.

At the end of May, Progress Software, the owner of the file transfer service MOVEit, released a patch for a vulnerability being exploited by the Russia-based ransomware gang Clop. The vulnerability allowed the cybercriminals to access MOVEit and steal data—with the attack impacting both direct users of the sharing service and some companies’ suppliers and vendors.

Analysis of state breach notification, SEC filings, Clop's website, and public disclosures by cybersecurity firm Emisoft shows that, as of July 27, there are 518 reported victims. This includes more than 100 schools. And around 30 million individuals have had their data impacted, Emisoft says. Each day, the list of victims coming forward increases. Some of the most recent include Flutter, the owner of Poker Stars; Deloitte; Chuck E. Cheese; and US government service provider Maximus. More disclosures are expected.

More than a decade ago, Google faced a privacy backlash in Germany over its Google Street View cars taking pictures of people's homes and illegally collecting data from people's unsecured Wi-Fi networks. After 250,000 Germans told Google to blur pictures of their homes, and legal challenges, the company in 2011 stopped updating pictures of 20 major cities. That changed this week when Google announced that cars had been back in German cities since June and it is updating its images once again. “Times have changed,” Lena Heuermann, a Google spokesperson said, citing its own survey that 91 percent of respondents said they wanted Street View back in Germany. Hamburg's data protection regulator said that Google publishing pictures it takes in public is legal and that people can request their homes be blurred.

‘Call of Duty: Modern Warfare 2’ Players Hit With Worm Malware

A new Android malware strain called CherryBlos has been observed making use of optical character recognition (OCR) techniques to gather sensitive data stored in pictures.
CherryBlos, per Trend Micro, is distributed via bogus posts on social media platforms and comes with capabilities to steal cryptocurrency wallet-related credentials and act as a clipper to substitute wallet addresses when a

A new Android malware strain called **CherryBlos** has been observed making use of optical character recognition (OCR) techniques to gather sensitive data stored in pictures.

CherryBlos, per Trend Micro, is distributed via bogus posts on social media platforms and comes with capabilities to steal cryptocurrency wallet-related credentials and act as a clipper to substitute wallet addresses when a victim copies a string matching a predefined format is copied to the clipboard.

Once installed, the apps seek users' permissions to grant it accessibility permissions, which allows it to automatically grant itself additional permissions as required. As a defense evasion measure, users attempting to kill or uninstall the app by entering the Settings app are redirected back to the home screen.

Besides displaying fake overlays on top of legitimate crypto wallet apps to steal credentials and make fraudulent fund transfers to an attacker-controlled address, CherryBlos utilizes OCR to recognize potential mnemonic phrases from images and photos stored on the device, the results of which are periodically uploaded to a remote server.

The success of the campaign banks on the possibility that users tend to take screenshots of the wallet recovery phrases on their devices.

Trend Micro said it also found an app developed by the CherryBlos threat actors on the Google Play Store but without the malware embedded into it. The app, named Synthnet, has since been taken down by Google.

The threat actors also appear to share overlaps with another activity set involving 31 scam money-earning apps, dubbed FakeTrade, hosted on the official app marketplace based on the use of shared network infrastructure and app certificates.

Most of the apps were uploaded to the Play Store in 2021 and have been found to target Android users in Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.

"These apps claim to be e-commerce platforms that promise increased income for users via referrals and top-ups," Trend Micro said. "However, users will be unable withdraw their funds when they attempt to do so."

The disclosure comes as McAfee detailed a SMS phishing campaign against Japanese Android users that masquerades as a power and water infrastructure company to infect the devices with malware called SpyNote. The campaign took place in early June 2023.

"After launching the malware, the app opens a fake settings screen and prompts the user to enable the Accessibility feature," McAfee researcher Yukihiro Okutomi said last week.

"By allowing the Accessibility service, the malware disables battery optimization so that it can run in the background and automatically grants unknown source installation permission to install another malware without the user's knowledge."

It's no surprise that malware authors constantly seek new approaches to lure victims and steal sensitive data in the ever-evolving cyber threat landscape.

Google, last year, began taking steps to curb the misuse of accessibility APIs by rogue Android apps to covertly gather information from compromised devices by blocking sideloaded apps from using accessibility features altogether.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

But stealers and clippers just represent one of the many kinds of malware – such as spyware and stalkerware – that are used to track targets and gather information of interest, posing severe threats to personal privacy and security.

New research published this week found that a surveillance app called SpyHide is stealthily collecting private phone data from nearly 60,000 Android devices around the world since at least 2016.

"Some of the users (operators) have multiple devices connected to their account, with some having as much as 30 devices they've been watching over a course of multiple years, spying on everyone in their lives," a security researcher, who goes by the name maia arson crimew, said.

It's therefore crucial for users to remain vigilant when downloading apps from unverified sources, verify developer information, and scrutinize app reviews to mitigate potential risks.

The fact that there is nothing stopping threat actors from creating bogus developer accounts on the Play Store to distribute malware hasn't gone unnoticed by Google.

Earlier this month, the search giant announced that it will require all new developer accounts registering as an organization to provide a valid D-U-N-S number assigned by Dun & Bradstreet before submitting apps in an effort to build user trust. The change goes into effect on August 31, 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Android Malware CherryBlos Utilizing OCR to Steal Sensitive Data

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a "novel persistent backdoor" called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances.
"SUBMARINE comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable

Email Security / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a "novel persistent backdoor" called **SUBMARINE** deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances.

"SUBMARINE comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable execution with root privileges, persistence, command and control, and cleanup," the agency said.

The findings come from an analysis of malware samples obtained from an unnamed organization that had been compromised by threat actors exploiting a critical flaw in ESG devices, CVE-2023-2868 (CVSS score: 9.8), which allows for remote command injection.

Evidence gathered so far shows that the attackers behind the activity, a suspected China nexus-actor tracked by Mandiant as UNC4841, leveraged the flaw as a zero-day in October 2022 to gain initial access to victim environments and implanted backdoors to establish and maintain persistence.

To that end, the infection chain involved sending phishing emails with booby-trapped TAR file attachments to trigger exploitation, leading to the deployment of a reverse shell payload to establish communication with the threat actor's command-and-control (C2) server, from where a passive backdoor known as SEASPY is downloaded for executing arbitrary commands on the device.

SUBMARINE, also codenamed DEPTHCHARGE by the Google-owned threat intelligence firm, is the latest malware family to be discovered in connection with the operation, which resides in a Structured Query Language (SQL) database on the ESG appliance.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

It's believed to have been "deployed in response to remediation efforts," echoing Mandiant's characterization of the adversary as an aggressive actor capable of quickly altering their malware and employing additional persistence mechanisms in an attempt to maintain their access.

The agency further said it "analyzed artifacts related to SUBMARINE that contained the contents of the compromised SQL database," and that it "poses a severe threat for lateral movement."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Deploy "SUBMARINE" Backdoor in Barracuda Email Security Gateway Attacks

Ivanti has disclosed yet another security flaw impacting Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, that it said has been weaponized as part of an exploit chain by malicious actors in the wild.
The new vulnerability, tracked as CVE-2023-35081 (CVSS score: 7.8), impacts supported versions 11.10, 11.9, and 11.8, as well as those that are currently end-of-life (EoL).
"

Vulnerability / Enterprise Security

Ivanti has disclosed yet another security flaw impacting Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, that it said has been weaponized as part of an exploit chain by malicious actors in the wild.

The new vulnerability, tracked as **CVE-2023-35081** (CVSS score: 7.8), impacts supported versions 11.10, 11.9, and 11.8, as well as those that are currently end-of-life (EoL).

"CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server," the company said in an advisory. "This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable)."

A successful exploit could allow a threat actor to write arbitrary files on the appliance, thereby enabling the malicious party to execute OS commands on the appliance as the tomcat user.

"As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081," the company added.

It's worth noting that CVE-2023-35078 is a critical remote unauthenticated API access vulnerability that permits remote attackers to obtain sensitive information, add an EPMM administrative account, and change the configuration because of an authentication bypass.

The security flaws have been exploited by unknown actors targeting Norwegian government entities, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release an alert urging users and organizations to apply the latest fixes.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

The development also comes as the Google Project Zero team said 41 in-the-wild 0-days were detected and disclosed in 2022, down from 69 in 2021, noting that 17 of those are variants of previously public vulnerabilities.

"Similar to the overall numbers, there was a 42% drop in the number of detected in-the-wild 0-days targeting browsers from 2021 to 2022, dropping from 26 to 15," Google TAG researcher Maddie Stone said.

"We assess this reflects browsers' efforts to make exploitation more difficult overall as well as a shift in attacker behavior away from browsers towards zero-click exploits that target other components on the device."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ivanti Warns of Another Endpoint Manager Mobile Vulnerability Under Active Attack

Insufficient policy enforcement in Intents in Google Chrome on Android prior to 109.0.5414.119 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

CVE-2022-4926

Heap buffer overflow in Blink in Google Chrome prior to 101.0.4951.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVE-2022-4920

Insufficient data validation in DevTools in Google Chrome prior to 106.0.5249.62 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)

CVE-2022-4911

Inappropriate implementation in Autofill in Google Chrome prior to 107.0.5304.62 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

CVE-2022-4910

Use after free in UI in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Medium)

Tag

#google