Sept 24, 2023

Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with Venom RAT

Description

A malicious actor posted a fake proof-of-concept (PoC) exploit for a WinRAR vulnerability on GitHub, intending to distribute Venom RAT malware to users who downloaded it. The fake PoC was based on a publicly available PoC script for CVE-2023-25157 in GeoServer. It was suspected that the threat actors targeted both researchers and other cybercriminals adopting new vulnerabilities. CVE-2023-40477 was the WinRAR vulnerability, allowing remote code execution, fixed in WinRAR 6.23. The repository contained a Python script and a video demonstrating the exploit. The Python script fetched Venom RAT from a remote server. The threat actor created the server domain before the vulnerability disclosure to attract victims, but the PoC was fake and didn’t exploit WinRAR.

Infected Technology

WinRAR

Source

https://thehackernews.com/2023/09/beware-fake-exploit-for-winrar.html

Recommendation

· Stay updated on cybersecurity trends and threats. · Implement intrusion detection systems for continuous network monitoring. · Educate users about safe downloading practices and cybersecurity awareness. · Employ endpoint security solutions to detect and prevent malware. · Develop and maintain an incident response plan for security breaches.

CVE ID

CVE-2023-25157

GitLab Releases Urgent Security Patches for Critical Vulnerability

Description

GitLab has released security patches to address a critical vulnerability, identified as CVE-2023-5009 with a CVSS score of 9.6, affecting GitLab Enterprise Edition (EE) versions from 13.12 to 16.2.6 and 16.3 to 16.3.3. This flaw allowed attackers to execute pipelines as another user, posing a significant security risk. Successful exploitation could result in unauthorized access to sensitive information, the ability to modify source code, or the execution of arbitrary code on the system. The vulnerability was discovered and reported by security researcher Johan Carlsson (joaxcar) and has been resolved in GitLab versions 16.3.4 and 16.2.7. Users are strongly advised to update their GitLab installations promptly to mitigate potential threats, as another critical GitLab bug (CVE-2021-22205) remains actively exploited in real-world attacks by threat actors.

Infected Technology

• Gitlab

Source

https://thehackernews.com/2023/09/gitlab-releases-urgent-security-patches.html

Recommendation

• It’s highly recommended that users update their GitLab installations to the latest version as soon as possible to safeguard against potential risks.

CVE ID

CVE-2023-3932, CVE-2023-5009

New Apple Zero-Days Exploited to Target Egyptian ex-MP with Predator Spyware

Description

On September 21, 2023, Apple addressed three zero-day vulnerabilities that had been exploited in an iPhone attack targeting former Egyptian parliament member Ahmed Eltantawy. The attack, with a high level of confidence attributed to the Egyptian government, occurred between May and September 2023, shortly after Eltantawy announced his presidential candidacy for the 2024 Egyptian elections. The spyware employed in the attack, known as Predator, was distributed via SMS and WhatsApp links. During August and September 2023, Eltantawy’s Vodafone Egypt mobile connection was specifically singled out through network injection. Whenever he visited certain non-HTTPS websites, he was automatically redirected to a malicious site that infected his phone with the Cytrox Predator spyware. These findings were revealed through a collaborative investigation conducted by Citizen Lab and Google’s Threat Analysis Group (TAG).

Infected Technology

• Ahmed Eltantawy’s iPhone

Source

https://thehackernews.com/2023/09/latest-apple-zero-days-used-to-hack.html

Recommendation

• Users who are at risk of spyware threats because of “who they are or what they do” are recommended to keep their devices up-to-date and enable Lockdown Mode on iPhones, iPads, and Macs to stave off such attacks.

CVE ID

CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993

Papercut Print Manager Flaw Let Attackers Perform Sophisticated Attacks

Description

The PaperCutNG Mobility Print 1.0.3512 application has been found to contain a critical cross-site request forgery (CSRF) vulnerability, identified as CVE-2023-2508 with a CVSS base score of 5.3. This vulnerability arises due to the absence of essential CSRF defenses like anti-CSRF tokens and header origin validation. An unauthenticated attacker can exploit this flaw to carry out a sophisticated phishing attack targeting instance administrators. Specifically, they can manipulate the application to configure the client’s host and, when administrators send links to users for setting up login information, these links lead to a malicious website impersonating PaperCut NG’s login page, ultimately stealing users’ login credentials. Successful exploitation requires user interaction. As of now, there are no available patches, but PaperCut has released a secure version, 1.0.3617, to address this issue, and users are strongly advised to update to this version promptly to enhance system security and protection.

Infected Technology

• PaperCutNG Mobility Print version 1.0.3512 application

Source

https://cybersecuritynews.com/papercut-print-manager-flaw/

Recommendation

• Update to latest version 1.0.3617

NDeadGlyph: Unveiling the Advanced Backdoor Threat - Stay Informed!

Description

In a recent cybersecurity revelation, researchers have unveiled DeadGlyph, an advanced backdoor used by the notorious threat actor Stealth Falcon. This sophisticated malware is distinguished by its unique architecture, featuring cooperating components, including a native x64 binary and a .NET assembly. Unlike conventional backdoors, DeadGlyph receives commands from an actor-controlled server via additional modules, granting it the power to create processes, access files, and gather sensitive information from compromised systems.

Stealth Falcon, also known as FruityArmor, gained notoriety in 2016 for targeted spyware attacks in the Middle East. Their tactics included spear-phishing campaigns using booby-trapped links within macro-laced documents to deliver custom implants capable of executing arbitrary commands. Further investigations uncovered Project Raven, a clandestine operation involving former U.S. intelligence operatives recruited to spy on individuals critical of the Arab monarchy.

Infected Technology

Different operating system and web servers

Source

https://thehackernews.com/2023/09/deadglyph-new-advanced-backdoor-with.html

Recommendation

Implement network segmentation to limit the lateral movement of attackers within your infrastructure. This can help contain the impact of potential breaches.

CVE

Associated with CVE-2018-8611 and CVE-2019-0797