Introduction
In this edition of our security news weekly round-up, the articles that we'll review are mostly about malware and vulnerabilities.
So, get ready, and let's get started.
Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories
Yes, some developers and projects still use jQuery. Therefore, if you know one, send them this article. Or, if you are one of them, read the article and be on the lookout.
If you don't use jQuery, what lesson can you take from the article? The lesson is: supply chain attacks are real and can affect anyone. Therefore, education and awareness like this ensure that you are prepared if it happens to you.
The following is a quick excerpt from the article:
As many as 68 packages have been linked to the campaign. They were published to the npm registry starting from May 26 to June 23, 2024, using names such as cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets, among others.
New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere
The root of the attack is the use of MD5 by the RADIUS protocol. It's been a long time since security researchers warned us about the insecurity of MD5. Nonetheless, RADIUS still uses it and it seems it has not received the security attention that it deserves despite its popularity.
To get started on your reading journey for this article, the following excerpt sums up what's going on:
Blast-RADIUS requires the adversary to have the network access needed to act as an active adversary-in-the-middle attacker, meaning the adversary has the ability to read, intercept, block, and modify all data passing between the victim device’s RADIUS client and RADIUS server.
Threat actors exploited Windows 0-day for more than a year before Microsoft fixed it
In recent versions of Microsoft Windows, Microsoft has made it difficult for end users to open the old Internet Explorer web browser. However, the threat actors in this case used a vulnerability and some social engineering to trick potential victims into launching Internet Explorer. Yes, you read that right.
If they are successful, the attackers achieve remote code execution (RCE) on the victim's machine.
The following excerpt briefly explains how the vulnerability works:
“To summarize the attacks from the exploitation perspective: the first technique used in these campaigns is the “mhtml” trick, which allows the attacker to call IE instead of the more secure Chrome/Edge,” Li wrote. “The second technique is an IE trick to make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application.”
New OpenSSH Vulnerability Discovered: Potential Remote Code Execution Risk
This is different from regreSSHion, but it was discovered during a review of regreSSHion by Alexander Peslyak. Based on the excerpt below, it seems the immediate impact is limited.
So the immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant.
Apple warns iPhone users in 98 countries of spyware attacks
The article's title says it all, and it turns out that it's not the first time that Apple has done this. This further proves that Apple takes the security of its iPhone users seriously.
Here is an excerpt from the article:
In its communication to affected users, Apple stressed the sensitive nature of its threat identification methods, cautioning that divulging additional details could potentially aid attackers in evading future detection.
Exim vulnerability affecting 1.5 million servers lets attackers attach malicious files
The Exim developers have fixed the vulnerability. Furthermore, the lesson here is to always be careful with the file attachments that you click in your email, no matter how trustworthy they might seem. Be careful.
The following excerpt explains how the vulnerability works (this vulnerability is tracked as CVE-2024-39929):
CVE-2024-39929 stems from an error in the way Exim parses multiline headers as specified in RFC 2231. Threat actors can exploit it to bypass extension blocking and deliver executable attachments in emails sent to end users. The vulnerability exists in all Exim versions up to and including 4.97.1. A fix is available in the Release Candidate 3 of Exim 4.98.
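As an added illustration of the general class of problem the excerpt describes (this is not Exim's code and does not reproduce the Exim bug itself): RFC 2231 lets a MIME parameter such as filename be split across several continuation parameters (filename*0, filename*1, ...), optionally with a charset prefix and percent-encoding. An attachment-extension filter that only looks for the single-parameter form never sees the full name. The sample messages and the naive filter below are constructed for this example; the robust version relies on Python's standard email package, which reassembles the continuations.

```python
"""Attachment-extension check that reassembles RFC 2231 continuation
parameters before inspecting the extension. Added illustration only;
not Exim's code and not a reproduction of CVE-2024-39929."""
import os
import re
from email import message_from_string
from typing import Optional

BLOCKED_EXTENSIONS = {".exe", ".hta", ".scr"}

# Constructed sample messages (not real mail). The first uses a plain
# filename parameter; the second and third split the same name across
# RFC 2231 continuations, unencoded and charset/percent-encoded.
HEADER_TEMPLATE = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "MIME-Version: 1.0\n"
    "Content-Type: application/octet-stream\n"
    "Content-Disposition: attachment;{params}\n"
    "\n"
    "constructed body\n"
)
PLAIN_MSG = HEADER_TEMPLATE.format(params=' filename="report.exe"')
SPLIT_MSG = HEADER_TEMPLATE.format(
    params='\n\tfilename*0="report";\n\tfilename*1=".exe"')
ENCODED_MSG = HEADER_TEMPLATE.format(
    params="\n\tfilename*0*=utf-8''report;\n\tfilename*1*=%2Eexe")


def naive_filename(raw_message: str) -> Optional[str]:
    """Regex over the raw header, as a hand-rolled filter might do it.
    It only recognises the single-parameter form 'filename=...'."""
    m = re.search(r'filename="?([^";\r\n]+)"?', raw_message, re.IGNORECASE)
    return m.group(1) if m else None


def robust_filename(raw_message: str) -> Optional[str]:
    """Parse with the email package; get_filename() joins filename*N
    continuations and decodes filename*N* charset sections (RFC 2231)."""
    return message_from_string(raw_message).get_filename()


def is_blocked(filename: Optional[str]) -> bool:
    """True when the (reassembled) filename carries a blocked extension."""
    if filename is None:
        return False
    return os.path.splitext(filename.strip().lower())[1] in BLOCKED_EXTENSIONS
```

Run `is_blocked(naive_filename(SPLIT_MSG))` against `is_blocked(robust_filename(SPLIT_MSG))` to see the naive filter let the continuation-encoded name through while the RFC 2231-aware one blocks it.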
Signal downplays encryption key flaw, fixes it after X drama
This is one of those cases in which you had to fix your application because users took to social media to let the entire world know what was going on. In fact, a developer had already filed a pull request (PR) on April 1, 2024, that fixes the issue.
After the entire incident on Twitter (now called X), Signal fixed the issue and thanked the developer. All of this came 3 months after the PR was filed. Patience is a virtue!
No excerpt can do justice to the article. Go read it and have fun while at it!
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.