Security news weekly round-up - 8th March 2024

Habdul Hazeez - Mar 8 - - Dev Community

Introduction

Welcome to this week's review. This edition is mostly about vulnerabilities and malware.


Hackers exploited Windows 0-day for 6 months after Microsoft knew of it

Why did they fix it after 6 months? Because it's an admin-to-kernel vulnerability and it kind of falls under what they (Microsoft) can fix "at their own discretion". What's more, the "hackers" in question are the Lazarus group. Nonetheless, Microsoft patched the bug in February 2024.

Here is more about the vulnerability:

The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights to interact with the Windows kernel. Lazarus used the vulnerability for just that.

Apple Blunts Zero-Day Attacks With IOS 17.4 Update

The bugs that Apple patched were memory corruption bugs tracked as CVE-2024-23225 and CVE-2024-23296. Nothing much to say here except the following: update your devices!

Here is why:

The Cupertino device maker shipped several mobile OS updates — iOS 17.4, iPadOS 17.4, and iOS 16.7.6 — to cover the security defects and confirmed exploitation in the wild with a terse note: “Apple is aware of a report that this issue may have been exploited.”

Cybercriminals Using Novel DNS Hijacking Technique for Investment Scams

If you're new to this series, this article falls under what I have classified in the past as "using legitimate tools for malicious purposes". What's more, it's clever and according to the article, they are also resistant to takedown efforts (at least for now).

The following excerpt shows the anatomy of the attack:

Users are lured via ads on social media platforms like Facebook, while also tricking them into parting with their personal information in return for alleged high-return investment opportunities through fake ChatGPT and WhatsApp bots.

The financial scam campaigns are notable for using DNS canonical name (CNAME) records to create a traffic distribution system (TDS), thereby allowing threat actors to evade detection since at least August 2021.

VMware sandbox escape bugs are so critical, patches are released for end-of-life products

That moment when you have to support End of Life (EOL) products because you just have to. In addition, they are four vulnerabilities and three are related to the USB controller.

Here is more on the issue:

A constellation of four vulnerabilities—two carrying severity ratings of 9.3 out of a possible 10—are serious because they undermine the fundamental purpose of the VMware products, which is to run sensitive operations inside a virtual machine that’s segmented from the host machine.

Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware

Stay safe and always double-check the URL of the website that you're currently active on. You might be on a typo squatted domain designed to look like the original domain that you intended to visit.

It's the trick that the threat actors are using in this campaign as evident in the following excerpt:

The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems," Zscaler ThreatLabz researchers said. The spoofed sites are in Russian and are hosted on domains that closely resemble their legitimate counterparts.

New Python-Based Snake Info Stealer Spreading Through Facebook Messages

The attack has a Vietnamese connection, and at the time of writing, they are leveraging a GitHub vulnerability. If you're on Facebook, stay safe and be vigilant.

Here is why:

The collected information, which comprises credentials and cookies, is then exfiltrated in the form of a ZIP archive via the Telegram Bot API. The stealer is also designed to dump cookie information specific to Facebook, an indication that the threat actor is likely looking to hijack the accounts for their own purposes.

Attack wrangles thousands of web users into a password-cracking botnet

You could be part of an attack without your knowledge. It's an interesting read, and the excerpt below should get you started.

Denis Sinegubko, the researcher who spotted the campaign, said at the time that he had seen thousands of visitor computers running the script, which caused them to reach out to thousands of domains in an attempt to guess the passwords of usernames with accounts on them.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .