Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Joe Appleby (SOC Analyst).
Top stories – 8 September 2023
- Apple zero-click iMessage exploit used to infect iPhones with spyware
- Cisco BroadWorks impacted by critical authentication bypass flaw
- CISA warning: Nation-state hackers exploit Fortinet and Zoho vulnerabilities
- Zero-day alert: Latest Android patch update includes fix for newly actively exploited flaw
- W3LL Gang compromises thousands of Microsoft 365 accounts
Apple zero-click iMessage exploit used to infect iPhones with spyware
- Apple has patched two zero-day vulnerabilities exploited by NSO Group’s Pegasus spyware in an emergency update. These flaws allowed attackers to compromise fully-patched iPhones running iOS 16.6 via iMessage attachments.
- CVE-2023-41064, a buffer overflow issue, and CVE-2023-41061, a validation problem, enabled attackers to execute arbitrary code on various Apple devices.
- Apple quickly fixed these issues in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. Users should update their devices immediately, and those at risk should activate Lockdown Mode. This incident highlights the importance of timely security updates.
In an emergency security update, Apple has patched two zero-day vulnerabilities actively exploited by the NSO Group’s Pegasus spyware. These vulnerabilities, identified as CVE-2023-41064 and CVE-2023-41061, enabled attackers to compromise fully-patched iPhones running iOS 16.6 without any user interaction.
The attack, known as BLASTPASS, exploited PassKit attachments containing malicious images sent via iMessage. Citizen Lab, alongside Apple, discovered these vulnerabilities in the Image I/O and Wallet frameworks.
CVE-2023-41064 is a buffer overflow flaw triggered by maliciously crafted images, while CVE-2023-41061 is a validation issue that attackers can exploit via malicious attachments. Both vulnerabilities allowed threat actors to execute arbitrary code on unpatched iPhones, iPads, Macs running macOS Ventura, and Apple Watch Series 4 and later.
Apple swiftly addressed these issues in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2, improving logic and memory handling. Citizen Lab urged Apple users to update their devices immediately and recommended activating Lockdown Mode for individuals at risk of targeted attacks due to their identity or profession.
This marks the latest in a series of zero-day vulnerabilities that Apple has patched this year, totalling 13 across iOS, macOS, iPadOS, and watchOS, and highlights the ongoing need for vigilant security measures and timely updates.
Cisco BroadWorks impacted by critical authentication bypass flaw
- A critical vulnerability (CVE-2023-20238) in Cisco BroadWorks platforms allows remote attackers to forge credentials and bypass authentication, potentially gaining extensive control.
- Exploiting this flaw could enable attackers to execute commands, access data, and commit toll fraud within Cisco’s cloud communication services.
- Cisco advises users to update to specific versions to address the issue promptly, as there are no current reports of active exploitation.
A critical vulnerability affecting Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform has been discovered, tracked as CVE-2023-20238, with a maximum CVSS score of 10.0 (critical). This vulnerability allows remote attackers to forge credentials and bypass authentication, potentially granting them extensive control over affected systems.
The impacted platforms are integral to Cisco’s cloud communication services for businesses and consumers. Threat actors exploiting this flaw can execute commands, access confidential data, modify user settings, and commit toll fraud.
The vulnerability is linked to the validation of Single Sign-On (SSO) tokens. Attackers can authenticate to the application using forged credentials. The extent of their access depends on the privilege level of the compromised account, with “administrator” accounts posing the greatest risk.
Notably, attackers need a valid user ID linked to the targeted Cisco BroadWorks system, which limits the potential attackers but does not eliminate the risk.
To address this issue, Cisco recommends updating to specific versions: AP.platform.23.0.1075.ap385341 for users of the 23.0 branch and versions 2023.06_1.333 or 2023.07_1.332 for users of the release-independent (RI) edition. However, users of the 22.0 branch will not receive a security update and should consider migrating to a fixed release.
While there are no current reports of active exploitation, system administrators are advised to apply the provided updates promptly to mitigate the risk.
CISA warning: Nation-state hackers exploit Fortinet and Zoho vulnerabilities
- CISA warns of nation-state actors exploiting CVE-2022-47966, a critical remote code execution vulnerability, in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus.
- In a recent incident response case, attackers gained root-level access, downloaded malware, collected credentials, and moved laterally after exploiting CVE-2022-47966.
- The attackers also leveraged CVE-2022-42475 in Fortinet FortiOS SSL-VPN and attempted to exploit CVE-2021-44228 (Log4Shell). To mitigate these risks, organisations should apply updates, monitor remote access software, and eliminate unnecessary accounts and groups.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding multiple nation-state actors exploiting vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus. These attacks involve the use of CVE-2022-47966, a critical remote code execution flaw, to gain unauthorised access and establish persistence on compromised systems. This vulnerability has a high severity score.
In one incident response engagement at an unnamed aeronautical sector organisation from February to April 2023, it was discovered that the attackers had started their malicious activities as early as January 18, 2023. After exploiting CVE-2022-47966, threat actors gained root-level access to the web server, downloaded additional malware, collected administrative user credentials, and moved laterally through the network.
A second initial access vector involved the exploitation of CVE-2022-42475, a severe vulnerability in Fortinet FortiOS SSL-VPN, to access the firewall. To do so, the attackers used the legitimate administrative credentials of a previously hired contractor, even though that account had been disabled.
The attackers also initiated Transport Layer Security (TLS)-encrypted sessions to multiple IP addresses, indicating data transfer from the firewall device. They disabled administrative account credentials and deleted logs on critical servers to conceal their activities. Additionally, they installed AnyDesk on multiple hosts, with the method of installation remaining unknown.
The threat actors attempted to exploit CVE-2021-44228 (Log4Shell) in the ServiceDesk system but were unsuccessful. They also utilised ConnectWise ScreenConnect to download and run the credential dumping tool Mimikatz.
While the identity of the threat groups is undisclosed, U.S. Cyber Command hinted at Iranian nation-state involvement. To mitigate these risks, organisations are advised to apply the latest updates, monitor remote access software for unauthorised use, and eliminate unnecessary accounts and groups to prevent their misuse.
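The advisory's mitigation advice (monitor remote access software, watch for misuse of disabled or unnecessary accounts) can be turned into a simple detection pass over authentication and process logs. The code below is an added example, not part of the original article or of any CISA tooling; the event format, account names, hostnames and approved-tool list are all constructed for illustration.

```python
"""Hypothetical detection over constructed logon and process events, modelled on
the two behaviours in the CISA advisory: a disabled contractor account being used
to log in, and remote access tools (AnyDesk, ScreenConnect) appearing on hosts."""
import json

# Accounts that have been offboarded/disabled in the directory (constructed).
DISABLED_ACCOUNTS = {"contractor.jdoe", "svc-legacy"}
# Remote access binaries worth tracking; only those in APPROVED_REMOTE_TOOLS are
# sanctioned here (constructed inventory, so AnyDesk/ScreenConnect are unapproved).
REMOTE_TOOL_BINARIES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
    "teamviewer.exe",
}
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}

# Constructed sample events in a made-up one-JSON-object-per-line format.
SAMPLE_EVENTS = [
    '{"type":"logon","user":"alice","host":"fw-01","result":"success"}',
    '{"type":"logon","user":"contractor.jdoe","host":"fw-01","result":"success"}',
    '{"type":"logon","user":"svc-legacy","host":"web-01","result":"failure"}',
    '{"type":"process","user":"alice","host":"ws-07","image":"C:\\\\Program Files\\\\AnyDesk\\\\AnyDesk.exe"}',
    '{"type":"process","user":"bob","host":"ws-09","image":"C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer.exe"}',
]


def detect(lines):
    """Return alert tuples for disabled-account logons and unapproved remote tools."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "logon":
            # A *successful* logon by a disabled account means the credentials
            # are still being accepted somewhere, as with the contractor account.
            if ev["result"] == "success" and ev["user"] in DISABLED_ACCOUNTS:
                alerts.append(("disabled_account_logon", ev["user"], ev["host"]))
        elif ev["type"] == "process":
            # Normalise the image path to its lower-cased file name.
            binary = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if binary in REMOTE_TOOL_BINARIES and binary not in APPROVED_REMOTE_TOOLS:
                alerts.append(("unapproved_remote_tool", ev["user"], ev["host"], binary))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```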
Zero-day alert: Latest Android patch update includes fix for newly actively exploited flaw
- Google’s monthly Android security patches include fixes for multiple vulnerabilities, including a possibly exploited zero-day bug (CVE-2023-35674) in the Android Framework, raising concerns about targeted attacks.
- The update addresses a critical security flaw in the System component, which could result in remote code execution without user interaction.
- In total, 14 vulnerabilities in the System module and two in the MediaProvider component were fixed, emphasising the importance of these updates for Android users to protect their devices.
Google has released its monthly Android security patches, addressing multiple vulnerabilities, including a zero-day bug, possibly already exploited in targeted attacks. The high-severity vulnerability, tracked as CVE-2023-35674, is a privilege escalation issue within the Android Framework, though Google provided limited details about its exploitation. Three additional privilege escalation flaws in Framework were also addressed, with one considered highly severe, allowing local privilege escalation without user interaction.
Another critical security vulnerability was fixed in the System component, potentially leading to remote code execution without user interaction. Google evaluated severity based on potential device impact if platform and service mitigations were bypassed. In total, 14 flaws in the System module and two in the MediaProvider component were resolved, with the latter addressed through a Google Play system update.
These updates are essential for Android users to safeguard their devices against potential security risks, especially the zero-day vulnerability that might have been actively exploited.
W3LL Gang compromises thousands of Microsoft 365 accounts
- The W3LL cybercrime group has compromised 8,000+ corporate Microsoft 365 accounts in 10 months, targeting diverse sectors globally.
- W3LL operates 850+ unique phishing sites and provides a phishing kit, W3LL Panel, to 500+ cybercriminals. The kit targets Microsoft 365 accounts, enabling MFA bypass and facilitating BEC attacks.
- This highlights the need for stronger email security. Experts advise monitoring logins, regular password changes, enforcing multi-factor authentication, employee training, and proactive communication from platform providers like Microsoft to counter evolving cyber threats.
A cyber threat actor known as W3LL has been operating a vast phishing network, successfully compromising over 8,000 corporate Microsoft 365 business accounts in Australia, Europe, and the US in the past 10 months. Group-IB’s investigation reveals that W3LL has targeted at least 56,000 Microsoft 365 accounts since October, boasting a 14.3% success rate.
This cybercriminal group operates nearly 850 unique phishing websites, targeting various industries. W3LL has also established a secretive underground marketplace called W3LL Store, providing a highly sophisticated phishing kit called W3LL Panel to over 500 cybercriminals for launching their campaigns.
The W3LL Panel specifically targets Microsoft 365 accounts, offering multifactor authentication bypass capabilities and 16 other customised tools for business email compromise (BEC) attacks. The market shares profits with affiliates and provides a 10% referral bonus, collectively accumulating $500,000 since last October. W3LL consistently updates its tools, enhancing anti-detection measures and adding new features.
Phishers using W3LL Panel can misuse compromised email accounts for data theft, fake invoice scams, account impersonation, or malware distribution, causing severe consequences for victimised companies.
The rise of W3LL’s sophisticated phishing ecosystem highlights the need for organisations to bolster their email security measures. Experts emphasise the importance of a layered cybersecurity approach, including monitoring login activity, regular password resets, enforcing multi-factor authentication, and employee training.
Additionally, they call for platform providers like Microsoft to proactively communicate updates and issues to protect their customers from such threats. The W3LL threat underscores the evolving sophistication of cybercrime, necessitating increased vigilance and preparedness.