Apple has released security patches to address two actively exploited zero-day vulnerabilities (CVE-2023-28205, CVE-2023-28206) affecting macOS, iOS, and iPadOS systems. CVE-2023-28205 involves a use-after-free issue in the WebKit browser engine, utilized by Safari and all iOS and iPadOS web browsers. Malicious web content can trigger this vulnerability, potentially leading to the execution of arbitrary code.
CVE-2023-28206 concerns an out-of-bounds write issue in the IOSurfaceAccelerator, which can be exploited by a harmful app to run arbitrary code with kernel-level privileges. The first vulnerability can be leveraged for a zero-click, drive-by attack, enabling the discreet installation of malware on the targeted device. The second vulnerability allows attackers to bypass Safari's sandbox restrictions (i.e., escalate privileges) and gain complete system access.
Reports suggest that these vulnerabilities have been exploited together to achieve full device compromise, likely (though unconfirmed) aiming to install spyware on targeted devices.
Earlier this week, Microsoft released its April Patch Tuesday updates, which contained fixes for a critical zero-day vulnerability in Windows, along with patches for 97 other vulnerabilities. The zero-day flaw, known as CVE-2023-28252, is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, and it has been actively exploited in the wild.
In addition to the zero-day bug, the updates also addressed vulnerabilities in Microsoft Office, Word, and Publisher. These vulnerabilities, which have been assigned CVE-2023-28285, CVE-2023-28295, CVE-2023-28287, and CVE-2023-28311, enable remote code execution that can be triggered by opening malicious documents. Given that these types of vulnerabilities are commonly exploited in phishing campaigns, it is expected that cybercriminals will attempt to exploit them for use in malware distribution campaigns.
Microsoft also released a patch for a newly identified security flaw, referred to as CVE-2023-21554. This vulnerability enables attackers to compromise systems through a single TCP packet sent to the default Port 1801, where the MSMQ service resides. According to Checkpoint its scans have identified approximately 360,000 IPs with this service exposed to the internet. Given that numerous software products utilize MSMQ as an intermediary, it is possible that users inadvertently enable the service during software installation without being aware of it. Consequently, many users may be unknowingly exposed to this vulnerability. It is strongly recommended that Microsoft Office users install today's security updates as soon as possible.
The European payroll and HR administration firm SD Worx was compelled to close its IT infrastructure in the UK that underpins its payroll and HR solutions. On Monday, the company started notifying clients that its UK and Ireland branch had experienced a cyberattack, prompting the shutdown of its IT systems to mitigate the impact.
The security team at SD Worx detected malicious activity within their hosted data center, as reported in a customer advisory for UK and Ireland clients. The company states that it took swift action to isolate its systems and servers, averting further damage.
As a result, the UK customer portal for SD Worx is currently unavailable, although login portals for other European countries remain operational. The company reassured clients that resolving the issue was a top priority and that they were working diligently to restore access to their systems.
SD Worx handles a vast amount of sensitive employee data, including tax information, government IDs, names, addresses, birthdates, phone numbers, bank account details, and employee evaluations.
The cyberattack on SD Worx is another instance in a series of attacks targeting HR and payroll management companies.
Leading tech firm Micro-Star International (MSI) has verified that it was targeted by a cyberattack, which led to system disruptions and potential exposure to firmware image tampering.
In an online notice, MSI referred to the event as "network irregularities" and stated that it activated appropriate defense mechanisms upon detecting the breach.
The company announced, "MSI recently experienced a cyberattack affecting some of its information systems. At present, the impacted systems are progressively returning to normal operations, without any significant effect on financial business."
The computer manufacturer did not provide information on the nature of the cyberattack or any data theft during the breach.
However, the announcement from MSI followed the 'Money Message' ransomware group's claims on its leak site that it had infiltrated the company's infrastructure. The group alleges that it accessed MSI's internal databases, private keys, source code, and BIOS firmware. Furthermore, Money Message claims to possess the necessary tools to generate and sign malicious BIOS images.
While MSI's notice did not explicitly mention any source code theft, it seems to acknowledge the possibility of the hackers accessing firmware images.
MSI's notice advises users to obtain firmware and BIOS updates exclusively from its official website, cautioning against using files from any other sources.
MSI, headquartered in New Taipei City, Taiwan, ranks among the world's top computer hardware and product suppliers, offering laptops, desktops, servers, motherboards, graphics cards, peripherals, and car infotainment products.
Latitude Financial has decided against complying with a ransom demand following a cyber-attack, which has left the data of 14 million customers vulnerable to potential exposure. The company has informed the stock exchange of its stance on the matter, taking into consideration guidance from federal authorities and cyber security professionals.
"Latitude refuses to submit to the demands of cybercriminals," said Latitude CEO Bob Belan.
Reasons why organisations should not pay ransoms:
Paying ransoms can set a dangerous precedent, encouraging cybercriminals to continue targeting organisations in the hope of receiving financial compensation. Moreover, there is no guarantee that the attackers will uphold their end of the bargain by returning or deleting stolen data once the ransom is paid. Additionally, succumbing to ransom demands may inadvertently fund further criminal activities. Organisations should prioritise implementing robust cyber security measures and educating their workforce to proactively safeguard against future attacks.
VoIP communication firm 3CX verified today that a cyberattack on their supply chain last month was orchestrated by a North Korean hacking collective.
"In light of the ongoing Mandiant inquiry into the breach and subsequent supply chain assault on 3CX, the responsibility has been attributed to a group identified as UNC4736. Mandiant strongly believes that there is a connection between UNC4736 and North Korea," stated 3CX Chief Information Security Officer Pierre Jourdan.
Perpetrators infiltrated 3CX systems using a malicious software called Taxhaul (also known as TxRLoader), which then introduced a secondary malware downloader dubbed Coldcat by Mandiant. The malware launched by UNC4736 on 3CX's network established connections to several command-and-control (C2) servers managed by the attackers, including azureonlinecloud[.]com, akamaicontainer[.]com, journalide[.]org, and msboxonline[.]com.
3CX has not yet revealed the initial method of the supply chain attack, such as whether their development environment was breached or if another technique was employed.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Join us in Dublin or London for the Security First 2022 conference. We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.