6 October 2023

Cyber Security Week in Review: October 6, 2023


Apple, Atlassian, ARM and Qualcomm patch zero-days

Several technology companies rolled out security updates this week to address actively exploited zero-day vulnerabilities in their products.

Apple’s latest update (iOS 17.0.3 and iPadOS 17.0.3) resolves CVE-2023-42824, a kernel vulnerability that could allow a local application to execute arbitrary code on the system with elevated privileges, as well as two other bugs (CVE-2023-44488 and CVE-2023-5217) in the libvpx video codec library.

Australian software company Atlassian rolled out security updates to fix an actively exploited zero-day flaw affecting Confluence Data Center and Server instances. The zero-day vulnerability (CVE-2023-22515) allows an attacker to create unauthorized Confluence administrator accounts and access Confluence instances. The issue impacts Confluence Server and Data Center 8.0.0 to 8.5.1.

US semiconductor company Qualcomm warned about the active exploitation of three zero-day vulnerabilities in its Adreno GPU and Compute DSP drivers. Tracked as CVE-2023-33106, CVE-2023-33107, and CVE-2023-33063, the three zero-days have been described as input validation issues that could be used by a local app to elevate privileges.

British semiconductor and software company ARM issued security updates to fix CVE-2023-4211, a use-after-free error in the Mali GPU kernel driver that can be used by a local application to execute arbitrary code with elevated privileges.

In addition, US networking giant Cisco released security updates to fix a Cisco Emergency Responder (CER) backdoor (CVE-2023-20101) that lets attackers log into unpatched systems using hard-coded credentials.

Critical Exim flaws put millions of servers at risk of hacker attacks

Millions of Exim instances are at risk of remote attacks due to several critical vulnerabilities affecting the Exim open-source mail transfer agent (MTA) that could allow attackers to compromise the servers and gain access to sensitive data, including emails.

According to recent data, Exim is installed on more than 56% (342,337) out of a total of 602,000 mail servers available on the internet. A Shodan search showed that currently there are more than 3.5 million Exim servers exposed on the internet, with the majority of them located in the United States followed by Russia, Germany, the Netherlands, and Canada.

Researchers warn of mass exploitation attempts against WS_FTP Server

Researchers at Rapid7 said that on September 30 they started seeing what they believe is “mass exploitation” of the recently disclosed flaws in WS_FTP Server software (CVE-2023-40044 and CVE-2023-42657) across multiple instances of WS_FTP. Evidence suggests that the activity has been carried out by a single threat actor.

Ransomware actors weaponize JetBrains TeamCity RCE flaw

Ransomware gangs have been observed targeting a recently patched remote code execution vulnerability in JetBrains' TeamCity software. Tracked as CVE-2023-42793, the bug is an authentication bypass issue that can lead to remote code execution. According to the vendor, the vulnerability impacts all TeamCity versions before the patched release, but only On-Premises servers, whether installed on Windows, Linux, or macOS, or run in Docker.

ShellTorch vulns expose PyTorch models to remote code execution

A trio of security vulnerabilities in TorchServe, an open-source machine-learning model serving framework, could lead to server takeover and remote code execution (RCE), the Oligo Security research team warned. Collectively dubbed “ShellTorch,” the flaws (CVE-2022-1471, CVE-2023-43654) can allow an attacker to send a request to upload a malicious model from an attacker-controlled address, leading to arbitrary code execution.

NSA and CISA reveal top 10 cybersecurity misconfigurations

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory highlighting the ten most common cybersecurity misconfigurations. These include default credentials, service permissions, and default configurations of software and applications; improper separation of user and administrator privileges; insufficient internal network monitoring; and poor patch management. The advisory provides guidance aimed at helping organizations identify and address these problems.

Mozilla warns of ransomware masquerading as Thunderbird

The Mozilla Foundation warned users that ransomware actors are abusing its Thunderbird email client to deceive potential victims. The organization said that some of the ransomware gangs, more specifically Snatch, use malicious advertisements designed to trick people into installing malware disguised as popular software such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.

Mozilla added that it is trying to take down these malicious websites, although without much success since they are hosted in Russia.

Threat actors target Azure cloud VMs via hacked SQL Servers

Microsoft shared details of a new campaign in which threat actors attempted to move laterally to a cloud environment through a breached SQL Server instance. The hackers exploited an SQL injection vulnerability in an application within the target’s environment, which allowed them to gain access to, and elevated permissions on, a Microsoft SQL Server instance deployed on an Azure Virtual Machine (VM). The attackers then used the acquired elevated permissions to attempt to move laterally to additional cloud resources by abusing the server’s cloud identity.

Major scam operation WebWyrm impersonates almost 1K brands, targets job seekers

CloudSEK researchers uncovered a new scam operation they dubbed ‘WebWyrm’, designed to con job seekers out of their cryptocurrency by convincing them to complete meaningless tasks that ostensibly will earn them money. The scam operation has already targeted more than 100,000 individuals across over 50 countries by impersonating over 1,000 companies across 10 industries. The researchers estimated that the campaign has caused over $100 million in personal losses.

Qakbot hackers continue operations despite infrastructure takedown, switch to ransomware and backdoors

Cisco’s Talos threat research team observed the threat actors behind the Qakbot malware distributing the Ransom Knight ransomware and the Remcos backdoor despite the recent takedown of their computer infrastructure carried out by law enforcement authorities.

The researchers said that the operation has been ongoing since early August and did not stop after the infrastructure takedown, suggesting that the police operation affected only Qakbot’s command and control servers and not its phishing email delivery infrastructure.

North Korea’s Lazarus adds new LightlessCan backdoor to its arsenal

A North Korean state-sponsored hacker crew known as Lazarus Group has been observed using a previously undocumented backdoor in an attack targeting a Spanish aerospace company. The threat actor gained initial access to the company’s systems via a spear-phishing attack masquerading as a recruiter for the Facebook parent company Meta and deployed new malware dubbed “LightlessCan.”

LightlessCan is more advanced than its predecessor, BlindingCan. One of the most notable aspects of the RAT is that it mimics the functionalities of a wide range of native Windows commands, making detecting and analyzing the attacker’s activities more challenging.

North Korean hackers target South Korea’s shipbuilders

North Korea-linked state-sponsored hacker groups orchestrated a series of cyberattacks on South Korean shipbuilding companies in August and September 2023. The National Intelligence Service of South Korea believes that these hacking attempts were part of North Korean leader Kim Jong Un's strategy to strengthen the country's naval military power by building advanced warships.

The intelligence agency said that the attacks involved phishing emails designed to infect victims with malware.

LightSpy Android spyware linked to Chinese threat actor APT41

Cybersecurity firm ThreatFabric said it found evidence that LightSpy (aka DragonEgg), an iPhone surveillance tool discovered in 2020, could be linked to the infamous Chinese government-backed threat group APT41.

The researchers discovered a set of 14 plugins that are responsible for private data exfiltration and the core implant that supports 24 commands.

New cyber espionage campaign targets Chinese-speaking semiconductor firms with Cobalt Strike

EclecticIQ discovered a new cyber espionage campaign aimed at the semiconductor industry in Mandarin/Chinese-speaking East Asian regions. The campaign, which appears to be the work of Chinese state-sponsored hackers, leverages the HyperBro loader to install a Cobalt Strike beacon on the compromised machine, providing remote access to the attackers.

Suspected Chinese hackers target Guyana government with a new backdoor

ESET detailed a spearphishing campaign targeting a governmental entity in Guyana where the threat actors deployed a previously undocumented C++ backdoor named “DinodasRAT.” The malware can exfiltrate files, manipulate Windows registry keys, execute CMD commands, and more.

New BunnyLoader malware helps to steal credentials, crypto coins

A new malware-as-a-service (MaaS) threat known as “BunnyLoader” is being advertised for sale on various underground forums. Written in C/C++, BunnyLoader is fileless, operating mostly in memory. The malware, which is under active development, comes with a slew of functionalities, such as the ability to download and execute a second-stage payload, steal browser credentials and system information, log keystrokes, and thwart analysis attempts.

ETSI says hackers stole its user database

The European Telecommunications Standards Institute (ETSI) revealed that hackers breached its IT system dedicated to its members’ work and stole a database containing information on its users. The organization said it fixed a vulnerability used by the attackers but didn’t provide additional details regarding the security incident. ETSI said it informed France’s cybersecurity agency ANSSI about the attack and requested assistance in investigating and restoring the information systems.

Mobile operator Lyca Mobile confirms cyberattack

British mobile virtual network operator Lyca Mobile confirmed it suffered a cyberattack that disrupted its operations. Lyca Mobile customers started experiencing problems last Friday, with some users reporting that they’d been unable to make mobile calls or send SMS messages, while others were unable to get through customer support or to top up their credit via Lyca’s website. The company didn’t reveal the nature of the security incident but said it has launched an investigation and was working to determine whether any data was stolen.
