The HighPoint Security Hub – Nov 22, 2023

Navigating the ever-evolving landscape of cyber threats is a constant challenge. “The Security Hub” is here to make it easier, offering a succinct overview of the most pressing developments from the past two weeks.

This week, a new cyber attack targets MySQL servers, United States healthcare organizations are under threat and Microsoft patched over 63 vulnerabilities.

Global Developments

1. Researchers have developed iLeakage, a unique side-channel attack targeting Apple iOS, iPadOS, and macOS devices with A- and M-series CPUs. This exploit, operating through Safari, allows unauthorized access to sensitive data. In a potential attack, a malicious webpage could extract Gmail inbox content and reveal autofilled passwords from credential managers. Read more.
2. Multiple healthcare organizations in the United States are under threat as hackers exploit the ScreenConnect remote access tool. The attackers are specifically targeting local ScreenConnect instances employed by Transaction Data Systems (TDS), a nationwide pharmacy supply chain and management systems provider. Read more.
3. OAuth, the social media single sign-on standard, is vulnerable to exploitation due to an implementation flaw, warn Salt Security researchers. The weakness lies in the protocol’s reliance on websites, not platforms like Facebook or Google, to verify user access. Some sites, including Grammarly, were found skipping the validation step, enabling credential recycling. Salt Security highlights the potential risk for thousands of vulnerable websites, emphasizing the need for improved security measures to protect billions of internet users from such attacks. Read more.
4. Intel has issued patches to address a significant vulnerability, Reptar, affecting desktop, mobile, and server CPUs. Rated with a CVSS score of 8.8, the flaw poses a risk of privilege escalation, information disclosure, and denial of service through local access. Google Cloud notes that successful exploitation may enable bypassing CPU security boundaries, attributing the problem to the processor’s interpretation of redundant prefixes. Read more.

Commonly Used Tools and Gadgets

1. BeyondTrust and Cloudflare’s security leaders are confident that the October breaches in their Okta environments were contained without damage. However, concerns linger over unauthorized access to administrative accounts using session tokens hijacked from an Okta support system administrator account. While the affected companies thwarted potential threats, questions remain about the impact on less security-focused businesses among Okta’s 18,400 customers. Read more.
2. Sumo Logic, a provider of cloud monitoring and security tools, has disclosed a security breach where unauthorized access to a Sumo Logic AWS account occurred on November 3 using compromised credentials. While there’s no evidence of impact on systems, networks, or customer data, the company recommends users change credentials used to access Sumo Logic systems as a precaution. Read more.
3. Veeam has addressed four security flaws in its ONE IT monitoring and analytics platform, with two rated as critical. These vulnerabilities include remote code execution, obtaining NTLM hash, cross-site scripting, and viewing Dashboard Schedule. Users are advised to update to Veeam ONE 11, Veeam ONE 11a, or Veeam ONE 12 to mitigate risks. Notably, recent critical flaws in Veeam software were exploited by threat actors, emphasizing the importance of prompt updates. Read more.
4. Microsoft issued patches to rectify 63 security vulnerabilities in its software. Among these, three were actively exploited, with ratings of Critical (3), Important (56), and Moderate (4). Additionally, over 35 security flaws in the Chromium-based Edge browser were addressed since the October 2023 Patch Tuesday updates. The comprehensive fixes aim to enhance the security posture of Microsoft’s software against potential threats. Read more.
5. CISA has issued an urgent advisory to federal agencies, urging them to promptly secure Juniper devices on their networks by Friday due to four vulnerabilities exploited in remote code execution attacks. The alert follows ShadowServer’s detection of exploitation attempts on August 25th, merely a week after Juniper released security updates. Read more.

Malware and Ransomware

1. A recently discovered iteration of GootLoader, named GootBot, has been identified as a malware variant designed for lateral movement on compromised systems while eluding detection. Researchers noted that GootLoader’s group introduced this custom bot in the later stages of their attack chain to evade detection when utilizing common tools like CobaltStrike. Described as lightweight yet potent, GootBot enables rapid network spread and facilitates the deployment of additional payloads by attackers. Read more.
2. Researchers warn of targeted attacks on MySQL servers and Docker hosts, aiming to install ‘Ddostf’ malware for launching distributed denial-of-service (DDoS) attacks. The malware exploits weak credentials or vulnerabilities in MySQL servers, allowing attackers to execute Ddostf. Operating on both Linux and Windows, Ddostf achieves persistence, collects system information, and awaits commands from the command-and-control server to launch various DDoS attacks. Researchers suspect the threat actor is running a DDoS-for-hire service. Read more.
3. Cybersecurity researchers have identified a new series of malicious packages infiltrating the NuGet package manager through an unconventional method for deploying malware. The coordinated campaign has been ongoing since August 1, 2023, linked to various rogue NuGet packages delivering the SeroXen RAT remote access trojan. Read more.
4. In a recent cyber attack campaign, spurious MSIX Windows app package files for widely used software, including Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex, are being employed to disseminate a new malware loader named GHOSTPULSE. Read more.