25-Jul-23: In Security News Today

Zenbleed: AMD Zen 2 Processors Vulnerable to Data Extraction

A serious security flaw, known as Zenbleed (CVE-2023-20593), has been discovered in AMD’s Zen 2 processors, allowing attackers to extract sensitive data like encryption keys and passwords. The speculative execution attack enables data exfiltration at a rate of 30 kb per core per second and can even be exploited remotely via JavaScript on a website, making microcode updates crucial to mitigate potential risks. Cyber security professionals should ensure that appropriate measures are taken to address this vulnerability in affected systems.

TETRA:BURST – Critical Vulnerabilities in Radio Communication System Exposed

Five security vulnerabilities, collectively known as TETRA:BURST, have been disclosed in the widely used Terrestrial Trunked Radio (TETRA) standard for radio communication. These flaws could lead to real-time decryption, message injection, user deanonymization, and manipulation attacks, potentially exposing sensitive information. While there is no evidence of exploitation in the wild, organizations using TETRA, especially in critical infrastructure sectors, should be vigilant and consider applying relevant security patches as they become available.

Casbaneiro Banking Malware Adopts UAC Bypass Technique

The financially motivated threat actors behind the Casbaneiro banking malware family are employing a User Account Control (UAC) bypass technique to gain full administrative privileges on infected machines. The malware, primarily targeting Latin American financial institutions, has evolved its tactics to avoid detection and execute malicious code on compromised assets. The attackers now use spear-phishing emails with links to HTML files that redirect targets to download RAR files, and they utilize fodhelper.exe for UAC bypass, indicating a significant risk to multi-regional financial organizations.

North Korean State Actors Linked to JumpCloud Hack via OPSEC Mistake

The JumpCloud hack has been attributed to North Korean state actors linked to the Reconnaissance General Bureau (RGB) due to an operational security (OPSEC) blunder that exposed their IP address. Mandiant identified the threat actor UNC4899, which overlaps with APT43, as the responsible group, showing continued investment in developing macOS-specific malware. The attack employed spear-phishing emails, exploiting JumpCloud and deploying various malware payloads, highlighting the threat’s evolving tactics and supply chain attacks targeting cryptocurrency and fintech-related assets.

Patch Now: Up to 900K MikroTik Routers Vulnerable to Total Takeover

Up to 900,000 MikroTik routers are vulnerable to a privilege escalation vulnerability in the RouterOS operating system, allowing attackers to gain complete control of the affected devices. The flaw (CVE-2023-30788) enables attackers to execute arbitrary tools on the underlying Linux OS and perform man-in-the-middle attacks on network traffic flowing through the router. Researchers have published working exploits for the vulnerability, urging administrators to apply the fix promptly as MikroTik devices have been a target for advanced threat actors in the past, including TrickBot and the Slingshot APT group.

Lazarus Group Exploits Vulnerable INISAFE CrossWeb EX V3 to Attack Windows IIS Servers

The North Korean cybercrime group, Lazarus, has been found targeting Windows Internet Information Service (IIS) web servers for their malware distribution. They use the watering hole technique, modifying content on Korean websites, and exploiting the vulnerability (CVE-2023-30788) in vulnerable versions of INISAFE CrossWeb EX V3 to install their malware (SCSKAppLink.dll) on targeted systems. Although the vulnerability has been patched, unpatched systems are still at risk, and the group employs privilege escalation tools like JuicyPotato malware to execute their attacks successfully.

Actively Exploited Apple Zero-Day Vulnerability in iPhone Kernel Requires Emergency Fix

Apple has issued an emergency patch to address a zero-day vulnerability (CVE-2023-38606) that is actively being exploited in the wild. The flaw allows malicious apps to potentially modify the sensitive kernel state on iPhones and iPads, and it has been resolved with improved state management. This is the latest among 11 zero-day bugs found affecting Apple’s software in 2023, including those associated with the “Operation Triangulation” iOS cyberespionage spy campaign. The emergency fix is available for various Apple products, and users are urged to update their devices to stay protected.

‘FraudGPT’ Dark Web Chatbot Facilitates Cybercrime with AI

A new AI-driven hacker tool named “FraudGPT” has been discovered on the Dark Web, offered as a subscription service for cybercriminals. Similar to ChatGPT, this malicious tool is used to create convincing phishing campaigns and generate human-like text to deceive victims. While ethical guardrails limit ChatGPT’s misuse, FraudGPT demonstrates that bad actors are actively exploiting generative AI to bypass safeguards and conduct nefarious activities. Cybersecurity professionals are advised to implement conventional security protections and use AI-based security tools to detect and combat adversarial AI in the ever-evolving threat landscape.

Ivanti Zero-Day Exploit Targets Norwegian Government Ministries

A zero-day authentication bypass vulnerability in Ivanti software was exploited to launch an attack on 12 Norwegian government departments. The vulnerability (CVE-2023-35078) allowed remote attackers to access sensitive information, add an administrative account, and modify device configurations. The government has taken measures to mitigate the risk, and Ivanti has released patches for supported versions of the product, urging customers to update immediately.

Compromising Generative AI Apps like ChatGPT with Indirect Prompt-Injection Attacks (Upcoming Blackhat Talk)

Researchers warn that large language models (LLMs) used in applications like ChatGPT are susceptible to compromise through indirect prompt-injection (PI) attacks. Attackers can craft untrusted comments or commands in the consumed data, enabling them to manipulate AI-generated information or recommendations, posing risks like bypassing resume-checking applications, spreading disinformation, and transforming chatbots into participants in fraud. As companies rush to turn generative AI models into products, security experts raise concerns about the potential for abuse and call for robust countermeasures to defend against such attacks.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.