23 June 2023

Cyber security week in review: June 23, 2023

Apple fixes three zero-days exploited in the wild

Apple patched several zero-click vulnerabilities in its iOS, iPadOS, macOS, and watchOS operating systems. Two of the bugs (CVE-2023-32439 and CVE-2023-32435) reside in the WebKit browser engine and can be exploited to execute arbitrary code on the target system using a specially crafted webpage. The third zero-day, tracked as CVE-2023-32434, is an integer overflow in the kernel that can allow a local application to escalate privileges on the system.

The two bugs were reportedly exploited to deliver the TriangleDB spyware implant to iOS devices as part of a campaign called Operation Triangulation.

Hackers are exploiting an RCE bug in VMware Aria Operations for Networks

VMware has warned that threat actors are exploiting a recently patched OS command injection vulnerability (CVE-2023-20887) in its VMware Aria Operations for Networks product.

The issue impacts VMware Aria Operations for Networks versions 6.x, with fixes released in versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10 on June 7, 2023.

ASUS, Zyxel issue security updates to patch dangerous bugs

Taiwanese hardware and electronics maker ASUS released firmware updates to patch several high-risk vulnerabilities affecting multiple router models. Of the nine security flaws patched by ASUS, the most severe are tracked as CVE-2022-26376, CVE-2018-1160, and CVE-2022-46871. The first two flaws are described as out-of-bounds write issues, while the third is a buffer overflow vulnerability. All three can lead to remote code execution.

Zyxel also issued security updates to address a pre-authentication command injection vulnerability in some of its network-attached storage (NAS) devices. Tracked as CVE-2023-27992, the flaw exists due to improper input validation and can be used by a remote unauthenticated attacker to execute arbitrary OS commands on the target system.

Low-budget Chinese CA caught abusing acme.sh zero-day

HiCA, a low-budget Chinese certificate authority (CA) also known as QuantumCA, has been abusing a remote code execution flaw in ACME clients as part of its certificate issuance process. The abused bug, which has yet to receive a CVE ID, is an OS command injection issue that allows a remote attacker to execute arbitrary shell commands on the target system. The flaw affects acme.sh versions 1.2.2 through 3.0.5.

According to a message on HiCA’s website, the company stopped operation on June 6, 2023, due to security incidents.

Microsoft admits early June Outlook, Azure outages were caused by cyberattacks

Microsoft confirmed that the disruption of its 365 services and Azure Cloud portal earlier this month was caused by a Layer 7 DDoS attack against the tech giant. The company attributed the attacks to a threat actor it tracks as Storm-1359, aka Anonymous Sudan, a new pro-Kremlin hacktivist group.

Reddit hackers threaten to leak 80 GB of data, demand $4.5M ransom

The BlackCat (ALPHV) ransomware gang has taken responsibility for a breach at social media giant Reddit earlier this year and is threatening to leak 80GB of data stolen from the company if a $4.5 million ransom demand is not paid. The group is also demanding that Reddit roll back its controversial decision to charge for access to its API.

A Reddit spokesperson declined to comment on the matter but confirmed that BlackCat’s claim is related to a security breach in February 2023.

US authorities offer up to $10M for info on Clop ransomware gang

The US State Department is offering a reward of up to $10 million for information connecting the Clop ransomware gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government.

Polish police dismantle DDoS-for-Hire service operating since 2013

Polish police have arrested two individuals in connection with a DDoS-for-Hire service that has been in operation since 2013. Investigators said the service had more than 35,000 registered accounts, was used to launch more than 320,000 attacks, and generated more than $400,000 for its operators.

Russia’s APT28 breached Ukrainian orgs via RoundCube flaws

Russia’s GRU military hacking unit known as APT28 (Fancy Bear, Forest Blizzard or Blue Delta) has been observed compromising government institutions and military entities involved in aircraft infrastructure in Ukraine via security flaws in vulnerable RoundCube webmail servers.

The APT28 campaign exploited three vulnerabilities in the RoundCube email software (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to run malicious scripts designed to perform reconnaissance on RoundCube servers, redirect incoming emails to the attacker-controlled address, collect session cookies, user information, and address books.

China’s Camaro Dragon uses new self-propagating malware

The Check Point Research (CPR) team discovered a new campaign attributed to a China-linked threat actor known as Camaro Dragon that uses a new strain of self-propagating malware named WispRider and HopperTick that spreads through compromised USB drives.

Nation-state actor targets govts in the Middle East and Africa using rare techniques

Governmental entities in the Middle East and Africa have been targeted in a cyber-espionage campaign by a threat cluster tracked as CL-STA-0043 described as “a highly capable APT threat actor.” The goal of the campaign was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs.

While analyzing the attacks, Palo Alto’s researchers discovered new evasive techniques and tools, such as an in-memory VBS implant used to run a webshell covertly, as well as a novel Exchange email exfiltration technique and a rare credential theft technique seen in the wild for the first time.

Flea APT’s latest campaign targets foreign affairs ministries with new Graphican backdoor

The Threat Hunter Team at Symantec, part of Broadcom, detailed a new campaign by a China-linked threat actor known as Flea, APT15, or Nickel that targets foreign affairs ministries in Central and South American countries with a novel backdoor dubbed “Graphican.”

The new backdoor is an evolution of the group’s custom backdoor Ketrican and has the same basic functionality as Ketrican, but, unlike the latter, uses the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure.

New Condi malware hijacks TP-Link routers to build an army of bots

Researchers with FortiGuard Labs discovered a piece of botnet malware called “Condi” that exploits a vulnerability in TP-Link Archer routers to conscript them into a DDoS botnet. FortiGuard researchers say they have been observing a spike in the number of Condi samples since the end of May.

The malware exploits a command injection vulnerability (CVE-2023-1389) in vulnerable TP-Link Archer AX21 (AX1800) routers to hijack the devices. It also uses several techniques to keep itself running in an infected system and prevents infections from other botnets by attempting to terminate their processes.

Latest Mirai campaign targets nearly two dozen vulns in D-Link, Zyxel, Netgear devices

Palo Alto Networks’ Unit42 discovered a new Mirai botnet campaign that targets 22 vulnerabilities in D-Link, Zyxel, and Netgear devices. The campaign started on March 14 and spiked in April and June.

NSA shares guidance on how to protect systems against BlackLotus bootkit attacks

The US National Security Agency released guidance with recommendations on how to detect and prevent malicious activities associated with the BlackLotus bootkit.

BlackLotus exploits the “Baton Drop” (CVE-2022-21894) vulnerability, which bypasses security features during the device’s startup process, also known as Secure Boot. The malware targets Secure Boot by exploiting vulnerable boot loaders not added to the Secure Boot Deny List Database (DBX).

In April, Microsoft issued guidance to help organizations identify whether their environments have been targeted via the BlackLotus UEFI bootkit.
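Because BlackLotus relies on boot loaders that are absent from the DBX, a basic defensive check is to confirm that a host's DBX actually carries revocation entries after the vendor updates have been applied. The following Python parser for the UEFI EFI_SIGNATURE_LIST format is an added example and is not code from the article, Microsoft or the NSA guidance; it assumes the Linux efivarfs layout (a 4-byte attribute prefix before the variable data) and uses constructed placeholder hashes, not real revoked boot-loader digests.

```python
"""Parse a UEFI Secure Boot DBX (forbidden-signatures) variable and list the
SHA-256 boot-loader hashes it revokes. Added example; sample bytes are constructed."""
import struct
import uuid

# Signature-type GUIDs from the UEFI specification, in their on-disk mixed-endian form.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HDR = struct.Struct("<16sIII")


def parse_dbx(data: bytes) -> dict:
    """Walk the chain of EFI_SIGNATURE_LIST structures in `data` and return the
    revoked SHA-256 hashes (hex) plus the count of X.509 certificate entries."""
    sha256, x509 = [], 0
    off = 0
    while off + SIGLIST_HDR.size <= len(data):
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        if list_size < SIGLIST_HDR.size or off + list_size > len(data):
            raise ValueError(f"truncated or corrupt signature list at offset {off}")
        body = data[off + SIGLIST_HDR.size + hdr_size : off + list_size]
        for i in range(0, len(body), sig_size):
            # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the payload.
            payload = body[i + 16 : i + sig_size]
            if sig_type == EFI_CERT_SHA256_GUID:
                sha256.append(payload.hex())
            elif sig_type == EFI_CERT_X509_GUID:
                x509 += 1
        off += list_size
    return {"sha256": sha256, "x509": x509}


def load_efivar(path: str) -> bytes:
    """Read a variable from Linux efivarfs; the first 4 bytes are the attribute word."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


def make_sha256_list(hashes: list) -> bytes:
    """Build a single EFI_SIGNATURE_LIST of SHA-256 entries (used for the constructed sample)."""
    entries = b"".join(b"\x00" * 16 + h for h in hashes)  # zero SignatureOwner GUID
    return SIGLIST_HDR.pack(EFI_CERT_SHA256_GUID, SIGLIST_HDR.size + len(entries), 0, 48) + entries


# Constructed sample DBX with two placeholder digests (not real revocation entries).
SAMPLE_DBX = make_sha256_list([bytes([0xAA]) * 32, bytes([0xBB]) * 32])

if __name__ == "__main__":
    import sys
    dbx = load_efivar(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DBX
    result = parse_dbx(dbx)
    print(f"{len(result['sha256'])} SHA-256 revocations, {result['x509']} X.509 entries")
```

On a real host, pass the efivarfs path of the dbx variable (the file name is `dbx-` followed by the EFI_IMAGE_SECURITY_DATABASE GUID) and compare the hash list against the revocations your firmware or OS vendor published for the affected boot loaders.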
