WEEKLY TOP TEN | SEPTEMBER 14, 2023 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we tracked this week as the most significant, ranked by risk and drawn from multiple sources where available:
- Chrome extensions can steal plaintext passwords from websites
A proof-of-concept (POC) extension that can steal plaintext passwords from a website’s source code has been uploaded to the Chrome Web Store by researchers from the University of Wisconsin-Madison. The aim was to test Google’s Web Store review process. The extension posed as a GPT-based assistant.
- Meta Fights Sprawling Chinese ‘Spamouflage’ Operation
According to a Meta threat report, the campaign dubbed “Spamouflage” was found to be active across more than 50 platforms and forums, including Facebook, Instagram, TikTok, YouTube, and X (Twitter). Meta has linked the campaign to individuals associated with Chinese law enforcement.
- MITRE & CISA Release Open-Source MITRE Caldera™ Extension for Operational Technology
MITRE and CISA have publicly released MITRE Caldera for OT, an extension to the open-source MITRE Caldera platform. It allows teams to run automated adversary emulation exercises against threats to Operational Technology (OT), the technology that underpins the nation’s critical infrastructure.
- Crash Dump Error: How a Chinese Espionage Group Exploited Microsoft’s Mistakes
Microsoft has published post-mortem details that lay the blame on “a race condition [that] allowed the key to be present in the crash dump.” The China-based threat actor Microsoft tracks as Storm-0558 compromised a Microsoft engineer’s corporate account, which gave them access to a Microsoft account (MSA) consumer signing key that they then used to break into US government email accounts.
- Android Security Bulletin—September 2023 – CVE-2023-35675
The September 2023 Android Security Bulletin contains details of critical security vulnerabilities, including CVE-2023-35674 in the System component, which could lead to Remote Code Execution (RCE). Exploitation requires no additional execution privileges and no user interaction. The bulletin notes that “There are indications that CVE-2023-35674 may be under limited, targeted exploitation.” Security patches are available to fix these vulnerabilities.
- ‘Privacy Nightmare on Wheels’: Every Car Brand Reviewed By Mozilla — Including Ford, Volkswagen and Toyota — Flunks Privacy Test
All 25 major car brands reviewed in Mozilla’s latest edition of *Privacy Not Included (*PNI) received failing marks for consumer privacy. The Mozilla research has found that personal data is being collected, shared, and sold to data brokers, law enforcement, and other third parties. This personal data includes, but is not limited to: sexual activity, facial expressions, and genetic and health information.
- 4,500 of the Top 1 Million Websites Leaked Source Code, Secrets
Truffle Security’s research team scanned the Alexa Top 1 Million Websites for leaked secrets and discovered that 4,500 of the most visited websites in the world publicly exposed their .git directory, which often contained private source code and hundreds of live API keys.
- Okta Says US Customers Targeted in Sophisticated Attacks
Okta has warned that multiple US-based customers have been targeted in sophisticated social engineering attacks. The goal of the attacks is to convince the IT service desk personnel to reset multi-factor authentication (MFA) for high-privilege users, particularly those with Super Administrator permissions.
- Apple Patches Actively Exploited iOS, macOS Zero-Days
Apple released patches for actively exploited (in-the-wild) zero-day vulnerabilities. CVE-2023-41064 and CVE-2023-41061 may result in arbitrary code execution with a maliciously crafted image or attachment, respectively.
- IBM discloses data breach impacting Janssen healthcare platform
IBM is notifying customers of Janssen CarePath, a Johnson & Johnson unit, of unauthorized access to personal information. IBM has been unable to determine the extent of the unauthorized access. Social Security numbers and financial account information were not in the database, but IBM has not provided any details about the number of affected customers and users.