Apple rolled out emergency updates to address 3 new actively exploited zero-day flaws

Apple released emergency security updates to address three new actively exploited zero-day vulnerabilities.

Apple released emergency security updates to address three new zero-day vulnerabilities (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) that have been exploited in attacks in the wild.

The three flaws were discovered by Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group. The two research teams have already discovered multiple actively exploited zero-days in Apple products that were exploited in targeted attacks against high-profile individuals, such as opposition politicians, dissidents, and journalists.

CVE-2023-41993 is an arbitrary code execution issue that resides in WebKit.

An attacker can trigger the flaw by tricking the victim into visiting specially crafted web content that may lead to arbitrary code execution. The IT giant addressed the flaw with improved checks.

The second zero-day flaw, tracked as CVE-2023-41991, resides in the Security framework. An attacker can exploit this vulnerability to bypass signature validation using malicious apps. Apple addressed it by fixing a certificate validation issue.

The third zero-day, tracked as CVE-2023-41992, resides in the Kernel framework. A local attacker can trigger the flaw to elevate their privileges. Apple fixed the flaw with improved checks.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.” reads the advisory published by the company.

The company fixed the three zero-day vulnerabilities with the release of macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1.

Fixes are available for iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

Apple has already patched 16 actively exploited zero-day vulnerabilities in 2023; below is the list of the flaws fixed by the company:

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

The post Apple rolled out emergency updates to address 3 new actively exploited zero-day flaws appeared first on Security Affairs.

Ukrainian hackers are behind the Free Download Manager supply chain attack

The recently discovered Free Download Manager (FDM) supply chain attack, which distributed Linux malware, started back in 2020.

The maintainers of Free Download Manager (FDM) confirmed that the recently discovered supply chain attack dates back to 2020.

Recently, researchers from Kaspersky reported the discovery of a Free Download Manager site that had been compromised to serve Linux malware. While investigating a set of suspicious domains, the experts identified that the domain in question had a deb.fdmpkg[.]org subdomain.

Visiting the subdomain with a browser, the researchers noticed a page claiming that the domain hosts a Linux Debian repository of software named ‘Free Download Manager’.

“This package turned out to contain an infected postinst script that is executed upon installation. This script drops two ELF files to the paths /var/tmp/crond and /var/tmp/bs. It then establishes persistence by creating a cron task (stored in the file /etc/cron.d/collect) that launches the /var/tmp/crond file every 10 minutes.” reported Kaspersky.

The “Free Download Manager” version installed by the malicious package was released on January 24, 2020. The experts found comments in Russian and Ukrainian, including information about improvements made to the malware, in the postinst script.

Upon installing the malicious package, the executable /var/tmp/crond is launched on every startup through cron. The executable is a backdoor that accesses the Linux API and invokes syscalls using the statically linked dietlibc library.

Now the maintainers of Free Download Manager (FDM) have shared findings from their investigation. They discovered that a Ukrainian hacker group compromised a specific web page on their website and then used it to distribute the malware.

“Today, informed by the findings from Kaspersky Lab, we became aware of a past security incident from 2020. It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software.” reads the announcement published by the maintainers. “Only a small subset of users, specifically those who attempted to download FDM for Linux between 2020 and 2022, were potentially exposed. It’s estimated that much less than 0.1% of our visitors might have encountered this issue. This limited scope is probably why the issue remained undetected until now. Intriguingly, this vulnerability was unknowingly resolved during a routine site update in 2022.”

The maintainers estimate that the website served the malware to a very limited number of visitors, much less than 0.1% of the site's traffic. For this reason, the supply chain attack remained undetected for years.

The maintainers announced the enhancement of their defenses and the implementation of additional measures to prevent similar security incidents in the future.

Visitors who attempted to download FDM for Linux from the compromised page during the mentioned timeframe are recommended to scan their systems for the presence of malware and update their passwords.

The maintainers determined that the threat actors exploited a vulnerability in a script on their website to inject the malicious code.

The analysis of files that were part of the site before the compromise (dating back to 2020) revealed the presence of a portion of code used to choose whether to give users the correct download link or a link to the malware-laced version of the files.

“To investigate this problem, we accessed data from our project backups dating back to 2020 and found this modified page, which contained an algorithm that chose whether give users correct download link or the one leading to the fake domain deb.fdmpkg.org containing a malicious .deb file. It had an «exception list» of IP addresses from various subnets, including those associated with Bing and Google.” continues the announcement. “Visitors from these IP addresses were always given the correct download link.”

FDM has released a script to check for indicators of compromise (IoCs).
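As an added illustration (this is not FDM's published IoC script), the following Python check looks for the artifacts Kaspersky describes above: the two dropped ELF files and the cron task that relaunches /var/tmp/crond every 10 minutes. The paths are the ones quoted in the write-up; the "infected" tree is constructed inline with inert ELF-headed stubs so the check runs offline.

```python
"""
Added example, not FDM's own IoC script: look for the artifacts Kaspersky
attributed to the malicious package (the two dropped ELF files and the cron
task that relaunches /var/tmp/crond every 10 minutes).  `root` lets the check
run against a mounted disk image or, as in demo(), a constructed test tree.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

DROPPED_FILES = ("/var/tmp/crond", "/var/tmp/bs")   # paths reported by Kaspersky
CRON_FILE = "/etc/cron.d/collect"                    # persistence file reported

# Matches a system crontab line with a */10-minute schedule, any user field,
# and /var/tmp/crond anywhere in the command.
_CRON_RE = re.compile(
    r"^\s*\*/10\s+\*\s+\*\s+\*\s+\*\s+\S+\s+(?:.*\s)?/var/tmp/crond(?:\s|$)"
)


def _is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == b"\x7fELF"
    except OSError:
        return False


def check_host(root: str = "/") -> Dict[str, List[str]]:
    """Return IoC findings grouped by category (empty lists mean clean)."""
    base = Path(root)
    findings: Dict[str, List[str]] = {"dropped_files": [], "cron_persistence": []}
    for rel in DROPPED_FILES:
        p = base / rel.lstrip("/")
        if p.exists():
            kind = "ELF" if _is_elf(p) else "non-ELF"
            findings["dropped_files"].append(f"{rel} present ({kind})")
    cron = base / CRON_FILE.lstrip("/")
    if cron.is_file():
        for line in cron.read_text(errors="replace").splitlines():
            if _CRON_RE.match(line):
                findings["cron_persistence"].append(line.strip())
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed, inert stand-in for an infected host: ELF-headed stubs
    and the cron entry described in the write-up (no real malware)."""
    for rel in DROPPED_FILES:
        p = Path(root) / rel.lstrip("/")
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x7fELF" + b"\x00" * 12)
    cron = Path(root) / CRON_FILE.lstrip("/")
    cron.parent.mkdir(parents=True, exist_ok=True)
    cron.write_text("*/10 * * * * root /var/tmp/crond\n")


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Run the check on a constructed infected tree and on an empty one."""
    infected = tempfile.mkdtemp(prefix="fdm-ioc-")
    build_sample_tree(infected)
    clean = tempfile.mkdtemp(prefix="fdm-clean-")
    return {"infected": check_host(infected), "clean": check_host(clean)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running `check_host()` with the default root inspects the live system; a hit on the cron entry or either dropped file is the signal to treat the host as compromised and rotate credentials, as the maintainers advise.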


Space and defense tech maker Exail Technologies exposes database access

Exail Technologies, a high-tech manufacturer whose clients include the US Coast Guard, exposed sensitive company data that could’ve enabled attackers to access its databases.

Exail, a French high-tech industrial group, left exposed a publicly accessible environment (.env) file with database credentials, the Cybernews research team has discovered.

The company, formed in 2022 after ECA Group and iXblue merged, specializes in robotics, maritime, navigation, aerospace, and photonics technologies, making it a particularly juicy target for attackers.

The company fixed the issue after being contacted by our research team. We reached out to Exail for further comment but did not receive a response before publishing.

What Exail data was exposed?

The publicly accessible .env file, hosted on the exail.com website, was exposed to the internet, meaning that anyone could have accessed it.

An environment file holds the configuration values (environment variables such as hostnames, credentials, and API keys) that an application reads at startup. Therefore, leaving the file open to anyone might expose critical data and provide threat actors with an array of options for attacking.

According to the team, Exail’s exposed .env file contained database credentials. Had the database itself been open to the public, attackers could have used the credentials to access the company’s data. In this case, however, it was not open to the public.

“Once inside, attackers could view, modify, or delete sensitive data and execute unauthorized operations. The publicly hosted environment was exposed to the internet, meaning that anyone could’ve used these credentials to access sensitive information stored in this database,” researchers explained.
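Two pre-deployment checks that address the exposure described above, added here as an example (not from the Cybernews write-up or Exail's site): a dotfile gate that shows which request paths a deny rule should reject, and a small .env scanner that lists credential-looking keys to rotate if the file was ever reachable. The function names, the heuristic key list and the sample .env are this example's own constructions.

```python
"""
Added example, not from the Cybernews write-up or Exail: two checks for a
site whose .env file sits near the web root.  Names are this example's own.
"""
from posixpath import normpath
from urllib.parse import unquote

# Key names that usually carry credentials in a .env file (assumed heuristic).
SECRET_HINTS = ("PASSWORD", "PASS", "SECRET", "TOKEN", "KEY", "DSN", "URL")


def is_served(request_path: str) -> bool:
    """Return True if a dotfile-deny rule would let this request through.

    The path is percent-decoded and normalised first so that encodings such
    as %2eenv or /static/../.env cannot sneak a dotfile past the check.
    """
    norm = normpath("/" + unquote(request_path))
    return not any(seg.startswith(".") for seg in norm.split("/") if seg)


def parse_env(text: str) -> dict:
    """Minimal .env parser: KEY=VALUE lines, '#' comments, optional quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env


def find_secrets(text: str) -> dict:
    """Map credential-looking keys to a redacted preview, for a rotation list."""
    out = {}
    for key, value in parse_env(text).items():
        if any(hint in key.upper() for hint in SECRET_HINTS):
            out[key] = (value[:2] + "***") if value else ""
    return out


# Constructed sample .env; values are placeholders, not real credentials.
SAMPLE_ENV = """\
# database settings
DB_HOST=db.internal.example
DB_USER=appuser
DB_PASSWORD="s3cr3t-placeholder"
APP_DEBUG=true
"""

if __name__ == "__main__":
    for p in ("/.env", "/static/../.env", "/%2eenv", "/index.php"):
        print(f"{p:20} served={is_served(p)}")
    print("keys to rotate:", find_secrets(SAMPLE_ENV))
```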

Dangerous flavors

According to the team, Exail’s web server version and operating system (OS) flavor were also disclosed. OS flavor refers to a specific system version with its own features, configurations, software packages, and other specifications.

Exposing this type of data poses a wide array of dangers. Different OSs have specific sets of vulnerabilities, such as unpatched security flaws, default configurations, and known weaknesses.

“If a malicious actor is aware of the OS flavor and version running on the web server, they could target specific vulnerabilities associated with the OS,” researchers said.

Additionally, an exposed web server with known OS flavors could become a target for automated scanning tools, malware, and botnets.

“Once an attacker knows the OS flavor, they can focus their efforts on finding and exploiting vulnerabilities specifically associated with that OS. They can employ techniques like scanning, probing, or using known exploits to gain access to the server or compromise its security,” the team explained.

The attackers could also leverage OS-specific weaknesses to launch denial of service (DoS) attacks against the exposed web server and overwhelm it with a flood of requests, disrupting the server’s operations.

If you want to know more about the recommendations CyberNews provided to Exail, take a look at the original post on CyberNews:

https://cybernews.com/security/exail-technologies-expose-database-access/

About the author: Vilius Petkauskas, Deputy Editor at CyberNews


Pro-Russia hacker group NoName launched a DDoS attack on Canadian airports causing severe disruptions

Pro-Russia hacker group NoName is suspected to have launched a cyberattack that caused border checkpoint outages at several Canadian airports.

A massive DDoS cyber attack, likely carried out by Pro-Russia hacker group NoName, severely impacted operations at several Canadian airports last week, reported Recorded Future News.

The Canada Border Services Agency (CBSA) was able to mitigate the attack after a few hours.

The Canada Border Services Agency (CBSA) confirmed that the attack impacted check-in kiosks and electronic gates at airports.

The cyber attack caused delays in the processing of arrivals for more than an hour at border checkpoints across the country.

“The Canada Border Services Agency (CBSA) finally confirmed on Tuesday that “connectivity issues that affected kiosks and electronic gates at airports” are the result of a distributed denial of service (DDoS) attack.” reported the Canadian media outlet La Presse.

“However, the Russian-speaking gang specializing in this type of hacking NoName057 precisely targeted the federal agency, according to its Telegram page. “We are working closely with our partners to assess the situation and investigate. The safety of Canadians and travelers is the CBSA’s top priority and no personal information has been disclosed following these attacks,” said a spokesperson for the organization, Maria Ladouceur.”

The Canadian authorities are investigating the security incident with the help of their partners. At this time there is no evidence of a data breach.

“The safety and security of Canadians and travelers is the CBSA’s top priority,” said CBSA. “No personal information has been disclosed following these attacks.”

A few days ago, the Pro-Russia group NoName057(16) announced that it had launched DDoS attacks on several Canadian organizations, including CBSA, the Canadian Air Transport Security Authority, and the Senate. However, CBSA has not attributed the DDoS attack to the Pro-Russia group.

NoName DDoS Canada

NoName claims that the DDoS campaign is the group’s response to the support Canada has offered to Ukraine.

The Canadian Centre for Cyber Security published an alert warning of a Distributed Denial of Service campaign targeting multiple Canadian sectors.

“Since 13 September 2023, the Cyber Centre has been aware and responding to reports of several distributed denial of service (DDoS) campaigns targeting multiple levels within the Government of Canada, as well as the financial and transportation sectors.” reads the alert. “This Alert is being published to raise awareness of these campaigns, to highlight the potential impact to government services and to provide guidance for organizations who may be targeted by malicious activity.”


Experts found critical flaws in Nagios XI network monitoring software

Researchers discovered multiple vulnerabilities in the Nagios XI network and IT infrastructure monitoring and management solution.

Researchers discovered four vulnerabilities (CVE-2023-40931, CVE-2023-40932, CVE-2023-40933, CVE-2023-40934) in the Nagios XI network and IT infrastructure monitoring solution that could lead to information disclosure and privilege escalation.

Nagios XI provides monitoring of all mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. It is used by thousands of organizations worldwide. 

Outpost24 researcher Astrid Tedenbrant discovered the issues during some standard research.

The flaws impact Nagios XI version 5.11.1 and lower. The CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934 vulnerabilities are SQL Injection issues. An attacker can trigger the flaws to escalate privileges in the product and obtain sensitive user data, including password hashes and API tokens.

The vulnerability CVE-2023-40932 is a cross-site scripting flaw via the Custom Logo component. An attacker can trigger the flaw to read and modify page data, including plain-text passwords from login forms.

“Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections. The data obtained from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data such as password hashes and API tokens.” reads the post published by Outpost24. “The fourth vulnerability (CVE-2023-40932) allows Cross-Site Scripting via the Custom Logo component, which will render on every page, including the login page. This may be used to read and modify page data, such as plain-text passwords from login forms.”

The company addressed the vulnerabilities on September 11, 2023, with the release of version 5.11.2.

In September 2021, researchers from industrial cybersecurity firm Claroty discovered eleven vulnerabilities in Nagios.

The vulnerabilities could lead to server-side request forgery (SSRF), spoofing, local privilege escalation, remote code execution and information disclosure.


The dark web drug marketplace PIILOPUOTI was dismantled by Finnish Customs

Finnish Customs announced the takedown of the dark web marketplace PIILOPUOTI, which focused on the sale of illegal narcotics.

Finnish Customs announced the seizure of the dark web marketplace Piilopuoti as part of an international law enforcement operation. The dark web marketplace PIILOPUOTI has been active since May 18, 2022.

“The site operated as a hidden service in the encrypted Tor network. The site has been used in anonymous criminal activities such as narcotics trade. As a rule, the narcotics sold on the site were smuggled to Finland from abroad.” reads the press release published by Finnish Customs. “During the preliminary investigation into the case, Finnish Customs has conducted extensive cooperation with German and Lithuanian authorities, as well as Europol, the European Union Agency for Criminal Justice Cooperation (Eurojust), authorities of other countries, and various police units in Finland.”

PIILOPUOTI dark web marketplace

The investigation was conducted by the German Federal Criminal Office (Bundeskriminalamt) and the Lithuanian Criminal Police Bureau (Lietuvos kriminalinės policijos biuras) and was coordinated by Europol and Eurojust. The cybersecurity firm Bitdefender also supported the investigation.

According to Europol, the investigation is still ongoing, and law enforcement bodies are working to identify the sellers and users on the platform.

“This successful takedown happened just days ahead of the annual Dark Web Conference which will take place at Europol’s headquarters between 4-5 October. This event, restricted to law enforcement, will bring together over 180 investigators from across the world to discuss the latest criminal trends and developments on the dark web.” reads the press release published by Europol. 


International Criminal Court hit with a cyber attack

The International Criminal Court (ICC) disclosed a cyberattack this week; its systems were compromised last week.

The International Criminal Court (ICC) announced that threat actors breached its systems last week. The experts at the International Criminal Court discovered the intrusion after detecting anomalous activity affecting its information systems.

The International Criminal Court (ICC) is an intergovernmental organization and a permanent international tribunal established to prosecute individuals for the most serious international crimes, including genocide, crimes against humanity, war crimes, and the crime of aggression. It was established by the Rome Statute, which entered into force on July 1, 2002. The ICC is headquartered in The Hague, Netherlands.

The organization immediately activated the incident response plan to mitigate the incident.

“At the end of last week, the International Criminal Court’s services detected anomalous activity affecting its information systems. Immediate measures were adopted to respond to this cyber security incident and to mitigate its impact. Additional response and security measures are now ongoing, with the assistance of the Host Country authorities. As the Court continues to analyse and mitigate the impact of this incident, priority is also being given to ensuring that the core work of the Court continues. The Court is thankful to the Host Country for the excellent cooperation and the immediate response and support provided in relation to this incident. Looking forward, the Court will be building on existing work presently underway to strengthen its cyber security framework, including accelerating its use of cloud technology. In this context, support from States Parties and stakeholders remains critical to further enhance institutional resilience under challenging circumstances. The Court will not be providing further information in relation to this incident at present.” reads the statement published by ICC.

The Court immediately reported the incident to the Dutch authorities and announced additional measures to strengthen its cybersecurity posture.

The ICC has not shared details about the cyber attack; it is unclear whether the attackers stole information from the organization.


GitLab addressed critical vulnerability CVE-2023-5009

GitLab rolled out security patches to address a critical vulnerability, tracked as CVE-2023-5009, that can be exploited to run pipelines as another user.

GitLab has released security patches to address a critical vulnerability, tracked as CVE-2023-5009 (CVSS score: 9.6), that allows an attacker to run pipelines as another user.

The issue resides in GitLab EE and affects all versions from 13.12 before 16.2.7 and all versions from 16.3 before 16.3.4.

“An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932] showing additional impact.” reads the advisory.

An attacker can exploit this vulnerability to access sensitive information or use the elevated permissions of the impersonated user to access or modify source code, or run arbitrary code on the system.

The company addressed the vulnerability with the release of 16.3.4 for Community Edition and 16.2.7 for Enterprise Edition.

The vulnerability was reported by the security researcher Johan Carlsson (aka joaxcar) through the GitLab HackerOne bug bounty program.

Carlsson explained that it took about two years and more than 100 written reports before his submission was accepted.

To reduce the risk of exploiting the vulnerability, researchers advise users who operate a GitLab instance with a version earlier than 16.2 to refrain from enabling both the ‘Direct Transfers’ and ‘Security Policies’ features concurrently.


Trend Micro addresses actively exploited zero-day in Apex One and other security Products

Trend Micro addressed a zero-day code execution vulnerability (CVE-2023-41179) in Apex One that has been actively exploited in the wild.

Trend Micro has released security updates to patch an actively exploited zero-day vulnerability, tracked as CVE-2023-41179, impacting endpoint security products, including Apex One, Apex One SaaS, and Worry-Free Business Security products. 

According to the security firm, the vulnerability has been exploited in attacks. The flaw is related to the products’ ability to uninstall third-party security software.

An attacker can trigger this vulnerability only after logging into the product’s administrative console.

“An arbitrary code execution vulnerability has been identified in the Apex One SaaS, Biz, and VBBSS agents’ ability to uninstall third-party security products. To exploit this vulnerability, an attacker would need to be able to log into the product’s administrative console.” reads the advisory published by Trend Micro. “Because an attacker would need to have stolen the product’s management console authentication information in advance, they would not be able to infiltrate the target network using this vulnerability alone.”

The vendor recommends customers update their installs to the latest version as soon as possible.

Trend Micro pointed out that the exploitation of this type of flaw typically requires an attacker to have access to the vulnerable device. To mitigate the risk of exploitation the company recommends allowing access only from trusted networks.

Trend Micro has not shared any information regarding the attacks exploiting this vulnerability.

The Japan CERT already published an alert regarding this vulnerability.

“Since the vulnerability is already being exploited in the wild, the users of the affected products are recommended to update the affected system to the latest version as soon as possible.” reads the alert.
