06-Sep-23: In Security News Today

UK rolls back controversial encryption rules of Online Safety Bill

The UK government has announced that it will not use the powers granted by the Online Safety Bill to compel companies to scan encrypted messages until it becomes technically feasible to do so while targeting only material relating to exploitation and abuse. The decision is a concession to the controversy surrounding the bill, which civil liberty groups, cybersecurity experts, and tech companies have criticised for eroding encryption and compromising privacy. Critics argue, however, that the government is merely deferring the issue, since scanning encrypted messages is fundamentally incompatible with end-to-end encryption.

Russian APT Group ‘Fancy Bear’ Targets Ukrainian Energy Facility

The Russian cyberespionage group Fancy Bear, also known as APT28, Strontium, or Sofacy, recently targeted a critical energy facility in Ukraine. The attack was detected and thwarted by Ukraine’s Computer Emergency Response Team (CERT-UA). The group used phishing emails with a malicious attachment disguised as pictures of women, and once opened, the attachment executed harmful scripts and installed Tor for anonymous browsing.

Critical Vulnerability Discovered in PHPFusion CMS

Security researchers have discovered a critical vulnerability in the PHPFusion open source content management system (CMS) that allows for remote code execution. The vulnerability, identified as CVE-2023-2453, is an authenticated local file inclusion flaw that can be exploited by uploading a maliciously crafted .php file to a known path on the target system. Another moderate-severity vulnerability, tracked as CVE-2023-4480, allows attackers to read file contents and write files to arbitrary locations on the affected system. No patches are currently available for either vulnerability.

Google’s Chrome Store Review Process Allows Data-Stealing Extensions

Researchers have discovered that despite Google’s adoption of the Manifest V3 security standard to protect against malicious plug-ins, attackers can still get bad extensions past its review process. The researchers created a proof-of-concept, data-stealing browser extension that successfully passed the Chrome Web Store review process. The extension was able to steal sensitive data because the interaction between extensions and web pages has not changed, allowing them to access entire contents of web pages, including text input fields where users enter sensitive information.

LockBit Group Breaches UK Defense Contractor, Leaks Sensitive Documents

The LockBit group successfully breached a British perimeter security company, Zaun Ltd., and leaked sensitive documents related to the physical security of UK Ministry of Defence agencies. The hackers accessed a small fraction of the company’s internal network and stole approximately 10 gigabytes of data, including details about security equipment at military facilities and sales orders made by intelligence agencies. Zaun claims that the stolen data was publicly available, but reports suggest otherwise.

Thousands of Popular Websites Leaking Secrets

Code security firm Truffle Security has discovered that thousands of popular websites in the Alexa top 1 million list are leaking secrets, including .git directories and AWS and GitHub keys. The exposed .git directories could provide attackers with access to the entire source code, configuration files, commit history, and access credentials. The analysis revealed that AWS and GitHub keys were the most prevalent type of leaked secrets, and a private RSA key corresponding to a domain’s TLS certificate was also exposed, potentially allowing for man-in-the-middle attacks.
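Two self-checks a site owner can run against their own deployment for the exposure classes in this item, as an added example that is not Truffle Security's tooling or methodology: a test of whether a response for `/.git/HEAD` looks like a real Git HEAD file rather than a 404 or a soft-200 HTML page, and a small scanner for the secret types named (AWS access key IDs, GitHub tokens, PEM RSA private keys). The key formats used by the regexes are public; the sample responses and config fragment are constructed here and correspond to no real site.

```python
"""Self-checks for an exposed .git directory and for leaked secrets.
Added illustration only; all sample inputs below are constructed."""
import re

# Publicly documented shapes of the secret types named in the summary.
# Assumption: these three are the kinds you want to flag; extend as needed.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}


def find_secrets(text):
    """Return a sorted list of (kind, matched_text) pairs found in text."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return sorted(hits)


# A genuine .git/HEAD is either a symbolic ref ("ref: refs/heads/<name>")
# or, when detached, a bare 40-hex-character commit id.
HEAD_RE = re.compile(r"^(ref: refs/heads/\S+|[0-9a-f]{40})$")


def git_head_exposed(status, body):
    """True when a fetch of /.git/HEAD returned something that parses as a
    real HEAD file. A 404, or a 200 carrying an HTML error page (the common
    'soft 404' that fools naive status-only checks), is not an exposure."""
    if status != 200:
        return False
    return HEAD_RE.match(body.strip()) is not None


# Constructed sample responses keyed by scenario (not captured from any site).
SAMPLE_HEAD_RESPONSES = {
    "exposed_symbolic": (200, "ref: refs/heads/main\n"),
    "exposed_detached": (200, "3f786850e387550fdab836ed7e6dc881de23001b\n"),
    "blocked_404": (404, "<html><body>Not Found</body></html>"),
    "soft_200_html": (200, "<html><body>Welcome</body></html>"),
}

# Constructed config fragment with planted, obviously fake values.
SAMPLE_CONFIG = """\
aws_access_key_id = AKIAEXAMPLE1234567AB
github_token = ghp_0123456789abcdefghijABCDEFGHIJ012345
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA...
"""


def run_checks():
    """Evaluate every sample response and the sample config; return results."""
    exposure = {name: git_head_exposed(status, body)
                for name, (status, body) in SAMPLE_HEAD_RESPONSES.items()}
    secrets = find_secrets(SAMPLE_CONFIG)
    return {"git_head_exposed": exposure, "secrets": secrets}


if __name__ == "__main__":
    results = run_checks()
    for scenario, exposed in results["git_head_exposed"].items():
        print(f"{scenario:18s} exposed={exposed}")
    for kind, value in results["secrets"]:
        print(f"secret found: {kind}: {value[:12]}...")
```

In real use the `(status, body)` pair comes from a request to your own host; the point of matching the body against the HEAD grammar, rather than trusting the status code, is that many front ends return 200 with an HTML page for unknown paths. The usual mitigation is to deny access to `.git` (and similar dot-directories) at the web server or CDN and to rotate any key that was ever served.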

Evolution of LotL Attacks and the Need for Layered Defenses

Living-off-the-land (LotL) attacks have evolved over the years, with LotL phishing becoming a popular method for attackers to infiltrate legitimate third-party services. These attacks are difficult to block and detect because they masquerade as frequently used, trusted brands. To defend against LotL attacks, organizations need to implement a layered security approach that includes employee education, email filters, threat intelligence, endpoint protection, DNS protection, and backup and recovery solutions.

Dozens of Unpatched Flaws Expose Security Cameras Made by Defunct Company Zavio

BugProve has disclosed dozens of vulnerabilities in security cameras made by defunct Chinese company Zavio. The vulnerabilities include memory corruption and command injection flaws, with seven of them allowing unauthenticated remote code execution with root privileges. Since Zavio cameras will not receive patches, users are advised to replace the devices to prevent hacker attacks.

Zero-Day Alert: Android Patch Update Fixes Actively Exploited Flaw

Google has released a monthly security patch for Android that includes a fix for a zero-day vulnerability, CVE-2023-35674, which may have been actively exploited. The vulnerability is a case of privilege escalation in the Android Framework. The update also addresses three other privilege escalation flaws in Framework, one of which could lead to local escalation of privilege without user interaction.

Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant

APT34, an Iranian threat actor, has been linked to a new phishing attack that deploys a variant of the SideTwist backdoor. APT34 is known for targeting telecommunications, government, defense, oil, and financial services in the Middle East. The attack chain involves a bait Microsoft Word document with a malicious macro that launches the SideTwist payload, while another phishing campaign spreads a new variant of Agent Tesla using a specially crafted Microsoft Excel document.

Hackers Target High-Privileged Okta Accounts via Help Desk

Threat actors are using social engineering to convince IT help desk personnel to reset multifactor authentication (MFA) for highly privileged Okta enterprise accounts, gaining access to the cloud-based identity and access management (IAM) service and moving laterally through targeted networks from there. Okta has observed a pattern of cross-tenant impersonation attacks targeting users with Super Administrator permissions. The attackers manipulate Okta’s Inbound Federation feature to access applications within the compromised organization on behalf of other users, which highlights the importance of protecting access to highly privileged accounts in IAM solutions.
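A detection sketch for the pattern in this item, written as an added example rather than Okta's own guidance: correlate an MFA reset on a privileged account with identity-provider or impersonation activity by that same account shortly afterwards. The event type strings are assumed to follow Okta System Log naming and should be verified against your tenant's actual log before use; the `PRIVILEGED_USERS` set is assumed to be maintained from admin-role assignments; and the log lines are constructed for the example, not real tenant data.

```python
"""Correlate help-desk MFA resets on privileged Okta accounts with follow-on
federation / impersonation activity. Added example; not Okta's content."""
import json
from datetime import datetime, timedelta

# Assumption: kept in sync with Okta admin-role assignments by the SOC.
PRIVILEGED_USERS = {"superadmin@example.com"}

# Assumption: event type names match your tenant's System Log; verify them.
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
FOLLOW_ON_EVENTS = {"system.idp.lifecycle.create",
                    "user.session.impersonation.initiate"}

# Constructed sample log (JSON-per-line), not captured from a real tenant.
SAMPLE_LOG_LINES = [
    '{"published": "2023-09-06T08:00:00Z", "eventType": "user.mfa.factor.reset_all", '
    '"actor": {"alternateId": "helpdesk@example.com"}, '
    '"target": [{"alternateId": "superadmin@example.com"}]}',
    '{"published": "2023-09-06T08:12:00Z", "eventType": "user.session.start", '
    '"actor": {"alternateId": "superadmin@example.com"}, "target": []}',
    '{"published": "2023-09-06T08:30:00Z", "eventType": "system.idp.lifecycle.create", '
    '"actor": {"alternateId": "superadmin@example.com"}, '
    '"target": [{"alternateId": "idp-constructed-001"}]}',
    '{"published": "2023-09-06T09:00:00Z", "eventType": "user.mfa.factor.reset_all", '
    '"actor": {"alternateId": "helpdesk@example.com"}, '
    '"target": [{"alternateId": "regular.user@example.com"}]}',
    '{"published": "2023-09-06T12:00:00Z", "eventType": "system.idp.lifecycle.create", '
    '"actor": {"alternateId": "superadmin@example.com"}, '
    '"target": [{"alternateId": "idp-constructed-002"}]}',
]


def parse_events(raw_lines):
    """Reduce each JSON event to the fields the correlation needs, time-sorted."""
    events = []
    for line in raw_lines:
        e = json.loads(line)
        target = e.get("target") or []
        events.append({
            "time": datetime.fromisoformat(e["published"].replace("Z", "+00:00")),
            "type": e["eventType"],
            "actor": e["actor"]["alternateId"],
            "target": target[0]["alternateId"] if target else None,
        })
    return sorted(events, key=lambda ev: ev["time"])


def find_suspicious_chains(events, window=timedelta(hours=1)):
    """Return one alert per MFA reset on a privileged account. Severity is
    'high' when that account then creates an IdP or starts impersonation
    within the window, 'medium' for the reset alone (still worth review)."""
    alerts = []
    for reset in events:
        if reset["type"] not in MFA_RESET_EVENTS or reset["target"] not in PRIVILEGED_USERS:
            continue
        deadline = reset["time"] + window
        follow_on = [ev["type"] for ev in events
                     if ev["type"] in FOLLOW_ON_EVENTS
                     and ev["actor"] == reset["target"]
                     and reset["time"] < ev["time"] <= deadline]
        alerts.append({
            "account": reset["target"],
            "reset_by": reset["actor"],
            "reset_at": reset["time"].isoformat(),
            "follow_on": follow_on,
            "severity": "high" if follow_on else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_chains(parse_events(SAMPLE_LOG_LINES)):
        print(json.dumps(alert, indent=2))
```

The one-hour window is a tuning knob: the 12:00 IdP creation in the sample is deliberately outside it and is not attached to the alert, so a sweep of such events on their own would still be needed. Pairing this with a help-desk procedure that requires a second verification step before any MFA reset on an admin account addresses the root cause the item describes.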

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.