WEEKLY TOP TEN | December 04, 2023 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent cybersecurity risks. The ten stories below were selected from the 40+ we tracked this week as the most significant, ranked by risk and corroborated with multiple sources where available:
- Windows Biometric Authentication Vulnerable to Bypass
Researchers at Blackwing Intelligence evaluated Windows Hello fingerprint authentication on several popular laptops, including Microsoft’s own Surface Pro X, and were able to fully bypass it on every device they tested. Most of the flaws came down to the Secure Device Connection Protocol (SDCP) being absent, disabled, or not covering the path the researchers attacked. SDCP is meant to authenticate the fingerprint sensor to the host and to sign the sensor’s enrollment and match results, so that a device sitting on the bus (or a swapped-in sensor) cannot simply tell Windows that a legitimate match occurred; where it is not in force, the channel between the host and the sensor is open to tampering. The practical caveat is that SDCP support is an OEM and sensor-vendor choice, so a laptop fleet can be running Windows Hello with no meaningful hardware-backed protection.
- Threat Actors are Actively Exploiting Critical Vulnerabilities in ownCloud
ownCloud is an open-source file-sync and cloud storage platform. On November 21st its developers disclosed three vulnerabilities and urged administrators to patch immediately. The one being actively exploited is CVE-2023-49103, which carries the maximum CVSS score of 10.0. The graphapi app ships a third-party library that includes a test page, GetPhpInfo.php, which calls phpinfo() when requested over the web. The output exposes the server’s environment variables, which in containerized deployments can include the admin password, mail server credentials, the license key and database credentials. ownCloud’s guidance is to delete the file, disable the phpinfo function in PHP, and rotate any secrets that may have been exposed, since patching alone does not recover credentials an attacker has already read.
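Because the exposure is a single well-known file path, the first question for an ownCloud administrator is whether anyone has already requested it and whether the server answered. The following is an added example written for this digest (it is not code from ownCloud or from any exploit): it parses Common Log Format web-server lines and flags requests for the graphapi GetPhpInfo.php page, separating probes that were served (HTTP 200, the page was actually exposed) from probes against a host where the file is already gone (404). It matches on the file name within a /graphapi/ path rather than the exact path, so requests with a query string or an extra trailing path segment are still caught. The sample log lines are constructed.

```python
import re
from typing import Dict, List, Optional

# File name of the phpinfo() test page that ships inside ownCloud's graphapi app
# (full path: /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php).
PHPINFO_FILE = "GetPhpInfo.php"

# Apache/nginx Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (not real log data): one ordinary request, a probe
# that was answered with the phpinfo() page, the same probe with a trailing
# path segment that a rule matching only the exact path would miss, and a probe
# against a host where the file has already been deleted.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Nov/2023:10:01:03 +0000] "GET /index.php/login HTTP/1.1" 200 5123
198.51.100.7 - - [22/Nov/2023:10:02:44 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 78234
198.51.100.7 - - [22/Nov/2023:10:02:45 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/x.css HTTP/1.1" 200 78234
192.0.2.55 - - [22/Nov/2023:11:15:09 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php?x=1 HTTP/1.1" 404 213
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_phpinfo_probes(log_text: str) -> List[Dict[str, object]]:
    """Return every request for the graphapi GetPhpInfo.php page.

    The query string is stripped before matching, and the match is on the file
    name inside a /graphapi/ path, so trailing path segments are still caught.
    'served' is True when the server answered 200, i.e. the page was exposed.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if "/graphapi/" in path and PHPINFO_FILE in path:
            hit: Dict[str, object] = dict(rec)
            hit["served"] = rec["status"] == "200"
            hits.append(hit)
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, object]:
    """Condense the hits into what an analyst needs first: how many probes,
    how many times the page was actually served, and which sources probed."""
    return {
        "probes": len(hits),
        "served": sum(1 for h in hits if h["served"]),
        "sources": sorted({str(h["ip"]) for h in hits}),
    }


if __name__ == "__main__":
    for hit in find_phpinfo_probes(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["path"])
    print(summarize(find_phpinfo_probes(SAMPLE_LOG)))
```

Any hit with served set to True should be treated as a credential exposure, not just a scan: rotate the secrets ownCloud lists regardless of whether the file has since been removed.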
- Idaho Nuclear Lab Breached by SiegedSec
The Idaho National Laboratory (INL), a US Department of Energy nuclear research facility, was targeted in a cyberattack for which the hacktivist group SiegedSec claimed responsibility. The lab’s HR system was compromised, exposing the personal data of every current employee and potentially some former ones. SiegedSec did not sell the data; as after its attack on NATO’s Communities of Interest (COI) portal in July, it posted the leak publicly for free, which appears to be the group’s standard practice.
- Proof of Concept Exploit Published for Windows SmartScreen Zero-Day
Windows SmartScreen is the reputation-based component of Microsoft’s Defender stack: it checks downloaded files and URLs and warns the user before opening ones that are unrecognized or known to be malicious. A proof of concept has been published for a vulnerability in this feature, CVE-2023-36025 (CVSS 8.8), which was exploited as a zero-day before Microsoft fixed it in the November 2023 Patch Tuesday release. The bypass uses a crafted .URL (Internet Shortcut) file: when the user opens it, the SmartScreen checks and their associated prompts are skipped and the shortcut’s target is launched. The user still has to open the file, so the attack arrives through phishing, and hosts that have applied the November updates are not affected.
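Windows Internet Shortcut (.URL) files are small INI-format text files, so triaging one pulled from a mail gateway or a Downloads folder is straightforward. The following is an added example written for this digest (not code from Microsoft or from the published proof of concept), and it does not reproduce the CVE-2023-36025 exploit: it parses the [InternetShortcut] section and flags properties that have no business in a shortcut a user received by email, such as a file: or UNC target, a non-web scheme, or an icon fetched from a remote share. The two sample shortcuts are constructed.

```python
import configparser
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed samples (not real malware): an ordinary web shortcut and one whose
# target and icon both point at a remote share.
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://www.example.com/
"""

SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=file://\\192.0.2.10\share\invoice.pdf.url
IconIndex=3
IconFile=\\192.0.2.10\share\icon.ico
"""


def parse_internet_shortcut(text: str) -> Dict[str, str]:
    """Parse the INI body of a Windows .url file into its key/value fields."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names as written (URL, IconFile, ...)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("missing [InternetShortcut] section")
    return dict(cp["InternetShortcut"])


def _is_remote_path(value: str) -> bool:
    """True for UNC paths and for http(s)/file values that name a remote host."""
    if value.startswith("\\\\"):
        return True
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        return True
    if scheme == "file":
        rest = value[len("file:"):].lstrip("/")
        return rest.startswith("\\\\") or parts.netloc.lower() not in ("", "localhost")
    return False


def shortcut_findings(text: str) -> List[str]:
    """Return the reasons a .url file deserves a closer look (empty list if none)."""
    fields = parse_internet_shortcut(text)
    findings: List[str] = []
    target = fields.get("URL", "")
    if not target:
        return ["no URL target"]
    scheme = urlsplit(target).scheme.lower()
    if target.startswith("\\\\"):
        findings.append("target is a UNC path")
    elif scheme == "file":
        findings.append("target uses the file: scheme")
        if _is_remote_path(target):
            findings.append("file: target names a remote host")
    elif scheme not in ("http", "https"):
        # Drive-letter paths (C:\...) and unusual schemes land here.
        findings.append(f"unexpected target scheme {scheme!r}")
    icon = fields.get("IconFile", "")
    if icon and _is_remote_path(icon):
        findings.append("icon is loaded from a remote location")
    return findings


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, shortcut_findings(body) or "nothing unusual")
```

A remote IconFile is worth flagging on its own: Explorer resolves it as soon as the shortcut is rendered, before the user opens anything, so it can leak the workstation’s outbound connection to the attacker’s share.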
- BLUFFS Attack Allows for Hijacking of Bluetooth Devices
BLUFFS is a set of six attacks on Bluetooth Classic devised by researchers at EURECOM. They exploit weaknesses in how Bluetooth derives session keys to force a weak, predictable session key, which lets an attacker within radio range impersonate a device or act as a man in the middle (MitM) and decrypt traffic, including other sessions that end up reusing the same key. The weaknesses lie in the Bluetooth specification itself rather than in any particular device or chipset, so every implementation that follows the standard is affected. The Bluetooth Special Interest Group, which maintains the standard, has acknowledged the report and recommends that implementations reject session keys with fewer than 7 octets of entropy and, where supported, use Secure Connections Only mode.
- Google Patches the Sixth Chrome Zero-Day of 2023
Google has released an emergency security update for a new Chrome zero-day that is being actively exploited, the sixth such vulnerability in Chrome this year. Google has withheld technical details, as it usually does until most users have updated, but has confirmed that an exploit exists in the wild; the bug was reported by Google’s Threat Analysis Group, which tracks commercial surveillance vendors, so use by mercenary spyware groups is likely. Chrome 119.0.6045.199 and later carry the fix; managed browser fleets should be pushed to that version rather than left to auto-update.
- Okta Breach Impacts All Users Who Worked with Support
In October, Okta disclosed a cybersecurity incident in which a threat actor used a stolen credential to access its customer support case management system and download files that customers had uploaded in support cases. Okta initially said fewer than 1% of customers were affected. An updated statement now says the actor also ran and downloaded a report covering every user of the support system, so the names and email addresses of all Okta customer support users were taken, even for customers who never opened a case; only the FedRAMP High and DoD IL4 environments are excluded. Okta warns that this contact data is likely to be used for phishing and social engineering against Okta administrators, so phishing-resistant MFA on admin accounts and close scrutiny of support-themed emails are the immediate takeaways.
- Protect AI Discloses Critical Flaws in LLM Deployment and Management Tooling
Protect AI, a security firm focused on artificial intelligence, has disclosed several serious vulnerabilities in the open-source tooling used to deploy and manage large language models (LLMs). The flaws let an attacker take over the model server, which means altering the model to serve the attacker’s goals, stealing proprietary models and training data as intellectual property, and using the compromised host as a pivot into the rest of the network. The caveat for practitioners is that these platforms are often stood up by data science teams outside the usual patch and exposure management, so an inventory of internet- or intranet-facing ML tooling is the first step.
- New Android Malware Leverages Virtualization for Defense Evasion
FjordPhantom is a newly discovered Android malware targeting banking customers in several Southeast Asian countries. It is distributed as a trojanized banking app delivered through email, SMS and messaging apps. Rather than modifying the device or the bank’s app, FjordPhantom embeds a virtualization framework that installs and runs the legitimate banking app inside a container under the malware’s own process; hooks injected into that container let the malware observe and tamper with the app’s behaviour, suppress its root and tamper detection, and capture what the user enters. Because the bank’s app is never modified on disk and appears to run normally, integrity checks and signature-based controls on the app itself are bypassed.
- Qlik Vulnerabilities Exploited in Ransomware Deployments
Three vulnerabilities in Qlik Sense Enterprise for Windows have been used in multiple intrusions that ended in Cactus ransomware. All three are fixed in current Qlik releases. After gaining initial access through the remote code execution flaw, the actor exfiltrates data, moves laterally over RDP, and deploys Cactus ransomware. Arctic Wolf, which uncovered the campaign, assesses that the same actor is behind every instance but has not attributed the activity to a named group. Patching Qlik Sense and reviewing any internet-exposed Qlik server for signs of compromise, not just for the patch level, are the immediate actions.