InfoSec Weekly
Aug 20, 2023
Table Of Contents
WinRAR flaw lets hackers run programs when you open RAR archives
Description
A high-severity vulnerability has been fixed in WinRAR, the popular file archiver utility for Windows used by millions that can execute commands on a computer simply by opening an archive. The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.
The vulnerability was discovered by researcher “goodbyeselene” of Zero Day Initiative, who reported the flaw to the vendor, RARLAB, on June 8th, 2023. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. As a target needs to trick a victim into opening an archive, the vulnerability’s severity rating drops down to 7.8, as per the CVSS. However, from a practical perspective, deceiving users into performing the required action shouldn’t be overly challenging, and given the vast size of WinRAR’s user base, attackers have ample opportunities for successful exploitation.
Infected Technology
Windows OS
Source
Recommendation
• Apply the available security update immediately
Over 760k Discord User’s Details Listed for Sale on The Dark Web
Description
On August 14, 2023, a data breach took place, impacting the privacy of around 760,000 users of the Discord.io platform. The hacker, who goes by the name “Akhirah,” demonstrated the breach’s occurrence by showcasing four user records. The compromised database is currently being sold on Breach Forums, which are now managed by the ShinyHunter hacker group. The exposed data encompasses various details, including usernames, email addresses, and, for a limited number of users, billing addresses, salted and hashed passwords, and Discord IDs. Following the breach, Discord.io took steps to address the situation. They temporarily halted their services, confirmed the accuracy of the stolen data, cancelled paid memberships, and invalidated OAuth tokens for users linked with Discord.io. These actions were taken to mitigate the impact of the breach and enhance user security.
Infected Technology
• Discord.io
Source
https://cybersecuritynews.com/discordio-hacked/
Recommendation
• Affected users should promptly change passwords, implement two-factor authentication (2FA), and remain vigilant against phishing emails containing suspicious links. • Discord.io platform should implement stronger security measures such as encrypting sensitive user data, etc. to prevent future data breaches.
New Wave of Attack Campaign Targeting Zimbra Email Users for Credential Theft
Description
An ongoing “mass-spreading” social engineering campaign is actively targeting users of the Zimbra Collaboration email server, with a focus on small and medium businesses and governmental entities primarily located in Poland, Ecuador, Mexico, Italy, and Russia. The campaign, which began in April 2023, involves sending phishing emails containing HTML attachments posing as server update notifications or account deactivation alerts. These emails appear to come from Zimbra administrators to enhance credibility. The attached HTML file hosts a tailored Zimbra login page, prepopulated with the recipient’s email address, designed to deceive victims into entering their credentials. The compromised information is then sent via HTTPS POST request to a server controlled by the attackers. Notably, the attack’s propagation is facilitated by leveraging previously compromised administrator accounts to target new entities, suggesting the exploitation of password reuse. While not highly sophisticated, the attack strategy’s use of legitimate code within HTML attachments makes it challenging to detect by reputation-based anti-spam measures.
Infected Technology
• Zimbra
Source
https://thehackernews.com/2023/08/new-wave-of-attack-campaign-targeting.html
Recommendation
• Implement Multi-Factor Authentication (MFA) for email accounts. • Keep email servers and software up to date with patches. • Employ advanced email filtering and anti-phishing solutions. • Promote strong, unique passwords and discourage reuse.
New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode
Description
Cybersecurity researchers have discovered a novel persistence technique on iOS 16, allowing attackers to maintain device access even when users believe their device is in Airplane Mode. The method involves deceiving the user with a faked Airplane Mode icon, while the attacker’s app retains cellular connectivity. The attackers use CommCenter to block cellular data for specific apps, making it appear as if Airplane Mode is active. A manipulated pop-up mimics the activation of Airplane Mode, even though cellular data access persists. Apple clarified that this doesn’t exploit a specific OS vulnerability but reveals a post-compromise persistence approach.
Infected Technology
• iOS 16
Source
https://www.asus.com/content/asus-product-security-advisory/
Recommendation
• Update iOS regularly. • Use security software and firewalls. • Audit for unusual activities. • Monitor app behavior. • Segment network traffic. • Limit app permissions
Cybercrime Group “Muddled Libra” Targets Financial Institutions: A Critical Security Threat
Description
The cybersecurity landscape is under siege once again as a notorious cybercrime group, known as “Muddled Libra,” has emerged with a renewed focus on infiltrating financial institutions. Their latest campaign has alarmed experts due to its sophisticated techniques and potential to cause significant damage. Muddled Libra’s primary objective is to compromise the security of banks, cryptocurrency exchanges, and other financial entities, posing a severe threat to the integrity of the global financial system.
Infected Technology
• Platforms facilitating the buying, selling, and trading of digital currencies, including Bitcoin, Ethereum, and other cryptocurrencies.
Source
https://thehackernews.com/2023/06/cybercrime-group-muddled-libra-targets.html?m=1
Recommendation
• Deploying advanced endpoint security solutions, such as next-generation antivirus software and endpoint detection and response (EDR) systems can help detect and mitigate Muddled Libra’s attempts to gain unauthorized access to critical systems.
New Juniper Junos OS Flaws Expose Devices to Remote Attacks
Description
Juniper Networks has issued an “out-of-cycle” security update to address a set of vulnerabilities within the J-Web component of their Junos OS. These vulnerabilities, when combined, could potentially lead to remote code execution on vulnerable systems. The four identified vulnerabilities collectively hold a Common Vulnerability Scoring System (CVSS) rating of 9.8, marking them as Critical in terms of severity. These security issues impact all iterations of Junos OS on SRX and EX Series. The swift update aims to mitigate the risks posed by these vulnerabilities and ensure the security of affected installations.
Infected Technology
EX Series - Junos OS versions 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, and 23.2R1
SRX Series - Junos OS versions 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S5, 22.1R3-S3, 22.2R3-S2, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, and 23.2R1
Source
https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html
Recommendation
• Disable J-Web or limit access to only trusted hosts.
CVE
CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847
Ready to get started?
Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.
Contact Us