Apr 10, 2023

Updates Released by Apple to Fix Zero-Day Vulnerabilities in iOS, iPadOS, macOS, and Safari

Description

On Friday, Apple released security updates for several of its products, including iOS, iPadOS, macOS, and Safari, to address two zero-day vulnerabilities that are currently being exploited by attackers. The first vulnerability (CVE-2023-28205) involves a “use after free” issue in WebKit that could allow attackers to execute arbitrary code by sending specifically crafted web content. The second vulnerability (CVE-2023-28206) is an “out-of-bounds write” issue in IOSurfaceAccelerator that could enable an app to execute arbitrary code with kernel privileges. Apple has improved memory management and input validation to address the two issues respectively. The tech giant acknowledges that the vulnerabilities “may have been actively exploited” and has withheld further details to prevent more attackers from exploiting them. The updates are available for various Apple devices, including iPhone 8 and later, iPad Pro, Macs running macOS Big Sur, Monterey, and Ventura. These updates mark the third zero-day fix by Apple since the start of the year. Google’s Threat Analysis Group (TAG) and Amnesty International’s Security Lab discovered and reported the two vulnerabilities. The recent disclosure by Google TAG reveals that commercial spyware vendors are exploiting zero-day vulnerabilities in Android and iOS to infect mobile devices with surveillance malware.

Infected Technology

IOS, iPadOS, macOS, and Safari web browser

Source

https://support.apple.com/en-us/HT213720

Recommendation

• Use Multi-Layered Security • Keep Software and Devices Up-to-Date

CVE ID

CVE-2023-28205 CVE-2023-28206 CVE-2023-23529 (previously addressed by Apple in February 2023)

Critical Remote Code Execution Vulnerability Discovered in vm2 Sandbox Library by Researchers

Description

On April 6, 2023, researchers from KAIST WSP Lab in South Korea discovered a critical flaw in the vm2 JavaScript sandbox module that could be exploited to execute arbitrary shellcode and break out of security boundaries. The flaw affects all versions of the module, including version 3.9.14 and prior. After being notified of the vulnerability, vm2 released version 3.9.15 to address the issue. The vulnerability, identified as CVE-2023-29017, has a CVSS score of 9.8 and is caused by the module’s inability to handle errors that occur in asynchronous functions. The vm2 module is a popular library that is widely used to run untrusted code in a secure environment on Node.js. It has almost four million weekly downloads and is utilized in 721 packages. KAIST security researcher Seongil Wi has created two proof-of-concept (PoC) exploits that circumvent the sandbox protections and allow the creation of an empty file named “flag” on the host. It is important for users of the vm2 module to update to the latest version as soon as possible to avoid potential attacks. This is the second critical vulnerability that has been discovered in the vm2 module in recent months. In 2022, vm2 addressed another critical bug (CVE-2022-36067, CVSS score: 10) that could be used to perform arbitrary operations on the underlying machine.

Infected Technology

Vm2 nodejs

Source

https://github.com/patriksimek/vm2/issues/515

Recommendation

• Update vm2 module to latest version (3.9.15) to patch the critical flaw (CVE-2023-29017). • Practice secure coding and conduct regular security audits to minimize risks of vulnerabilities in applications and dependencies.

CVE ID

CVE-2023-29017

Elementor Pro Plugin Vulnerability Exploited to Hack WordPress Websites

Description

The recent discovery of a severe vulnerability in the Elementor Pro plugin has caused alarm for many WordPress website owners. The vulnerability, described as a broken access control issue, can be exploited on websites with the WooCommerce plugin installed, allowing attackers to change any WordPress setting. However, the attacker needs to be authenticated as a low-privileged user, such as a subscriber or customer, to exploit the bug.Security firm Patchstack has warned that this vulnerability can be used to enable the registration page of a website and set the default user role to administrator. Attackers can then create a new user account that has administrator privileges, allowing them to redirect the site to a malicious domain or inject malicious code such as a plugin with a backdoor.Patchstack has observed malicious attacks targeting this vulnerability originating from multiple IP addresses, with attackers injecting malicious .zip and .php files. The vulnerability has a CVSS score of 8.8, indicating that it is a high-severity issue. However, it currently has no CVE identifier.The Elementor Pro vulnerability was addressed with the release of version 3.11.7, which improved code security enforcement in WooCommerce components. Elementor Pro users are advised to update to a patched version of the plugin as soon as possible.With over 5 million active installations, the Elementor plugin is a popular drag-and-drop website builder that allows users to create websites without having to write code. The paid version of the plugin, Elementor Pro, provides additional features and tools for site building.

Infected Technology

Elementor Pro WordPress plugin

Source

https://www.securityweek.com/elementor-pro-plugin-vulnerability-exploited-to-hack-wordpress-websites/

Recommendation

• Update the plugin

CVE ID

CVE-2022-29455

CryptoClippy: New Clipper Malware Targeting Portuguese Cryptocurrency Users

Description

A new malware called CryptoClippy is targeting Portuguese users in a malvertising campaign using SEO poisoning to lure victims searching for “WhatsApp web” to rogue domains hosting the malware. CryptoClippy is a clipper malware that substitutes cryptocurrency addresses in the victim’s clipboard with a wallet address controlled by the threat actor. The malware has earned its operators about $983, with victims found in manufacturing, IT services, and real estate industries. The malware uses regular expressions to identify what type of cryptocurrency the address pertains to. Threat actors associated with the GootLoader malware also use the same approach to deliver malware. A traffic direction system is used to check the user’s preferred browser language to determine suitable targets. The malware is capable of harvesting data from web browsers, cryptocurrency wallets, and a variety of apps such as AnyDesk, FileZilla, KeePass, Steam, and Telegram.

Infected Technology

Web browsers and Cryptocurrency Wallets

Source

https://thehackernews.com/2023/04/cryptoclippynew-clipper-malware.html

Recommendation

• Update antivirus software regularly • Use reliable ad blockers or browser extensions. • Be cautious when clicking on links or downloading attachments from unknown sources.

CISA Warns of Critical ICS Flaws in Hitachi, mySCADA, ICL and Nexx Products

Description

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued eight advisories warning of critical vulnerabilities in industrial control systems (ICS) products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx. One of the most serious vulnerabilities, CVE-2022-3682, affects Hitachi Energy’s MicroSCADA System Data Manager SDM600, which could allow a remote attacker to take control of the product. The other critical vulnerabilities relate to command injection bugs in mySCADA myPRO, and a security bug in Industrial Control Links ScadaFlex II SCADA Controllers. Additionally, there are five unpatched vulnerabilities in garage door controllers, smart plugs, and smart alarms sold by Nexx. CISA advises users to update their systems to the latest versions and to minimize network exposure to reduce potential risks.

Infected Technology

Hitachi, my SCADA, ICL and Nexx Products

Source

https://thehackernews.com/2023/04/cisa-warns-of-critical-ics-flaws-in.html

Recommendation

• Updating affected products to the latest versions, minimizing network exposure, isolating control system networks.