Zero-day fixes: Zimbra, Apple, Ivanti

Zimbra released security updates to address a recently disclosed zero-day vulnerability abused in attacks targeting Zimbra Collaboration Suite (ZCS) email servers.

The vulnerability is a cross-site scripting (XSS) issue that allows a remote attacker to steal potentially sensitive information, change the appearance of the web page, perform phishing and drive-by-download attacks.

Software company Ivanti issued security updates to patch a zero-day flaw used in the recent attacks on the Norwegian government. The Norwegian authorities revealed that the attackers used the zero-day flaw in the Ivanti Endpoint Manager Mobile (EPMM) software, formerly known as MobileIron Core. Tracked as CVE-2023-35078, the vulnerability is an improper authentication issue, which could be used by a remote hacker to bypass authentication and gain unauthorized access to the application.

Apple has also rolled up security updates for its iOS, macOS and iPadOS platforms to fix at least 25 security issues, including two zero-days.

The first zero-day (CVE-2023-38606) is a new kernel bug exploited in attacks targeting devices running older iOS versions released before iOS 15.7.1. The vulnerability exists due to a boundary error within the OS kernel. A local application can trigger memory corruption and execute arbitrary code with elevated privileges. The flaw is said to be part of a zero-click exploit chain used to infect iPhones with the Triangulation spyware via iMessage exploits.

The second zero-day (CVE-2023-37450) is a remote code execution flaw that stems from a boundary error when processing HTML content in WebKit.

Thousands of Citrix servers are vulnerable to a recent zero-day bug

At least 15,000 Citrix servers are exposed to attacks exploiting a recently disclosed zero-day vulnerability (CVE-2023-3519) affecting Citrix NetScaler ADC and NetScaler Gateway products. Most of the vulnerable servers are located in the United States (5,700), Germany (1,500), the UK (1,000), and Australia (585).

Hundreds of thousands of MikroTik routers are exposed to hacking due to a bug

Hundreds of thousands of MikroTik routers are potentially vulnerable to hacker attacks due to a privilege escalation vulnerability that can be exploited to take over the target device. Tracked as CVE-2023-30799, the issue stems from improperly imposed security restrictions in RouterOS. A remote authenticated user with “admin” privileges can bypass implemented security restrictions and obtain a “super-admin” role.

One of the top 10 Genesis Market users arrested in the Netherlands

Dutch police apprehended a 32-year-old Dutch national, a resident of Brazil, in connection to an investigation into Genesis Market, a dark web marketplace that sold stolen credentials. The authorities didn’t reveal the identity of the suspect but said that he was one of the top Genesis users and robbed “a lot of people” of tens of thousands of euros.

SSNDOB Marketplace admin pleads guilty

A Ukrainian man, Vitalii Chychasov, has pleaded guilty in the US court to conspiracy to commit access device fraud and trafficking in unauthorized access devices relating to his administration of the now-defunct SSNDOB Marketplace, a platform used by cybercriminals to buy stolen personal information.

SSNDOB was dismantled in June 2022 by the US authorities. The SSNDOB Marketplace has listed the personal information of millions of individuals in the US, generating more than $19 million in sales revenue.

Chychasov was arrested in March 2022 in Hungary and extradited to the US in July of the same year. As part of his plea agreement, the man has agreed to forfeit some of the SSNDOB domains, as well as $5 million obtained via illicit activities. He faces a maximum penalty of 15 years in prison.

North Korean Lazarus APT linked to $60 million Alphapo crypto theft

North Korean state-sponsored cybercrime unit has been linked to the recent incident at centralized crypto payment provider Alphapo resulting in the theft of an estimated $60 million in crypto assets from the company’s hot wallets.

Separately, Estonian crypto-payments service provider CoinsPaid disclosed that it had over $37 million stolen in a security incident that took place on July 22. The company blamed Lazarus for the theft.

Russian hackers target diplomatic entities in Eastern Europe with new GraphicalProton backdoor

The Russian nation-state actor known as APT29, Cloaked Ursa, and Midnight Blizzard (formerly Nobelium) and BlueBravo has been observed using a new GraphicalProton malware in cyber-espionage attacks targeting diplomatic entities throughout Eastern Europe.

Recorded Future’s Insikt Group says that GraphicalProton is the latest addition to a long list of malware targeting diplomatic organizations after GraphicalNeutrino (aka Snowyamber), Halfrig, and Quarterrig.

BlueBravo appears to prioritize cyber-espionage efforts against European government sector entities, possibly due to the Russian government's interest in strategic data during and after the war in Ukraine, the researchers noted.

Threat actor UAC-0006 bombards Ukraine with SmokeLoader attacks

Ukraine’s Computer Emergency Response Team (CERT-UA) shared Indicators of Compromise related to a recent wave of SmokeLoader attacks on Ukrainian government entities. The campaign was attributed to a threat actor known as UAC-0006, which CERT-UA characterizes as a financially motivated operation. The defenders said that this was the third SmokeLoader attack in ten days.

The banking sector targeted in novel OSS supply chain attacks

Checkmarx researchers uncovered several open-source software supply chain attacks that targeted the banking sector.

Checkmarx’s report details two such attacks against banks involving malicious libraries on the NPM repository. In the first incident, a threat actor uploaded a package to NPM containing posing as a bank employee. The package contained a preinstall script that installed the Havoc Framework on the victim system.

In a second attack, a threat actor downloaded a malicious library to NPM containing code intended to blend into the website of the victim bank and lay dormant until it was prompted to spring into action. It was designed to latch onto a specific login form element, stealthily intercepting login data and then transmitting it to a remote location.

Nitrogen malvertizing campaign abuses Google and Bing ads to deliver Cobalt Strike

Security researchers came across a new malvertizing campaign dubbed “Nitrogen” that abuses Google and Bing ads to target users seeking certain IT tools to gain access to enterprise environments to deploy second-stage attack tools such as Cobalt Strike.

The primary objective of the Nitrogen malware is to provide threat actors a foothold into corporate networks, facilitating data theft, cyber-espionage, and the deployment of ransomware.

The new malware has been detailed by Sophos, Bitdefender, eSentire, and Trend Micro.