The main attacks and vulnerabilities compiled by our experts last week: 25th—31st March.

Check out our Cyber Security weekly briefing: the main attacks and vulnerabilities found by our team of experts.

Here are the most relevant headlines of the week, download our full report and take note:

GitHub exposes its RSA SSH host key by mistake

GitHub announced last Friday that they had replaced their RSA SSH host key used to protect Git operations.

Apple fixes an actively exploited 0-day

Apple has released security updates fixing an actively exploited 0-day vulnerability in older iPhone, macOS, and iPad devices.
Flaw identified as CVE-2023-23529 is a WebKit-type confusion bug, which has a CVSS of 8.8

Supply chain attack via 3XC video conferencing platform

Researchers from various security firms such as SentinelOneSophos y CrowdStrike have warned of a supply chain attack via the 3CX video conferencing program.

Analysis of campaigns exploiting 0-days on Android, iOS and Chrome

Google’s Threat Analysis Group has shared details about two campaigns that used 0-day exploits against Android, iOS, and Chrome.
First campaign: 0-day exploit strings targeting Android and iOS were detected and distributed via shortened links sent via SMS: Vulnerability, already fixed in 2022, which affected iOS in versions prior to 15.1, is identified as CVE-2022-42856 and CVSS 8.8 (type confusion bug in the JIT compiler).
More about this campaign:  Vulnerability CVE-2021-30900, with CVSS 7.8, also fixed.
As for the bugs, all fixed:
CVE-2022-3723 (CVSS 8.8), type confusion in Chrome; 
CVE-2022-4135 (CVSS 9.6), buffer overflow in Chrome’s GPU;  
CVE-2022-38181 (CVSS 8.8), privilege escalation.

Second campaign: targeting devices in the United Arab Emirates via SMS, consisting of several 0-days and n-days targeting Samsung’s web browser.
Link exploits vulnerabilities CVE-2022-4262CVE-2022-3038CVE-2022-22706 and CVE-2023-0266.

Related news

Stay up to date. Get the latest news and trends
Sign Up