Welcome to this week’s Security News. This is the first in a regular series where we will publish the latest vulnerabilities, patches, interesting articles and cyber attacks from the previous week.
If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems
A recent discovery has revealed the existence of 48 malicious npm packages in the npm repository, capable of deploying a reverse shell on compromised systems. These packages were cleverly disguised with names that appeared legitimate, but they contained obfuscated JavaScript code intended to trigger a reverse shell when the package was installed. These deceptive packages were all published by a user named hktalent on GitHub. Currently, 39 of these suspicious packages are still available for download. This highlights the importance of vigilance and security measures in the software supply chain.
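The packages described above ran their payload at install time, which is exactly the window that npm lifecycle hooks (preinstall, install, postinstall, prepare) give third-party code on a developer machine. The following Python script is an added example, not code from the article or from the researchers who reported the packages: it walks a node_modules tree, reads each package.json, and reports every dependency that declares one of those hooks so that a reviewer can inspect the command before trusting it. The sample tree it builds is constructed for the demonstration; the package names in it are invented and do not refer to the packages in the report.

```python
import json
import tempfile
from pathlib import Path

# Lifecycle hooks that npm runs automatically during installation.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(node_modules):
    """Return one finding per (package, hook) pair that would execute on install.

    node_modules: path to an installed dependency tree (assumed layout:
    node_modules/<name>/package.json, including nested node_modules dirs).
    """
    findings = []
    root = Path(node_modules)
    for pkg_json in sorted(root.rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError, UnicodeDecodeError):
            # Unreadable or malformed manifests are skipped rather than crashing the scan.
            continue
        scripts = data.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        for hook in LIFECYCLE_HOOKS:
            command = scripts.get(hook)
            if command:
                findings.append({
                    "package": data.get("name", pkg_json.parent.name),
                    "hook": hook,
                    "command": command,
                    "path": str(pkg_json),
                })
    return findings


def build_sample_tree():
    """Create a constructed node_modules tree with one clean and one hooked package."""
    base = Path(tempfile.mkdtemp(prefix="nm-sample-"))
    nm = base / "node_modules"

    clean = nm / "string-pad-helper"          # constructed name, no install hooks
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({
        "name": "string-pad-helper", "version": "1.0.0",
    }), encoding="utf-8")

    hooked = nm / "totally-legit-utils"       # constructed name, declares a postinstall hook
    hooked.mkdir(parents=True)
    (hooked / "package.json").write_text(json.dumps({
        "name": "totally-legit-utils", "version": "0.0.1",
        "scripts": {"postinstall": "node ./setup.js"},
    }), encoding="utf-8")
    return nm


if __name__ == "__main__":
    for finding in find_install_hooks(build_sample_tree()):
        print(f"{finding['package']}: {finding['hook']} -> {finding['command']}  ({finding['path']})")
```

A hook is not proof of malice (many native-module packages legitimately build in postinstall), so the output is a review list, not a verdict. Pairing this with `npm install --ignore-scripts` during audit, and only re-enabling scripts for packages that have been looked at, keeps install-time code from running before anyone has read it.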
Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover
A significant security concern has emerged with the discovery of 34 distinct vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers. These vulnerabilities could be exploited by non-privileged threat actors to achieve complete control over devices and execute arbitrary code on the affected systems. The exploitation of these drivers may enable attackers to erase or modify firmware and potentially elevate their operating system privileges. This poses a serious threat to the security and integrity of Windows-based systems.
HelloKitty ransomware now exploiting Apache ActiveMQ flaw in attacks
The HelloKitty ransomware operation is exploiting a recently disclosed Apache ActiveMQ remote code execution (RCE) flaw to breach networks and encrypt devices. The flaw, tracked as CVE-2023-46604, is a critical-severity (CVSS v3 score: 10.0) RCE that allows attackers to execute arbitrary shell commands by exploiting the serialized class types in the OpenWire protocol. The security problem was addressed in a security update on October 25, 2023. However, the threat monitoring service ShadowServer reported that, as of October 30, there were still 3,329 internet-exposed servers running a version vulnerable to exploitation.
Articles
New CVSS 4.0 vulnerability severity rating standard released
The Forum of Incident Response and Security Teams (FIRST) has recently introduced CVSS v4.0, marking the next major iteration of the Common Vulnerability Scoring System (CVSS) standard. This release comes eight years after the previous major version, CVSS v3.0. CVSS is a standardized framework used to assess the severity of software security vulnerabilities. It assigns numerical scores or qualitative representations (e.g., low, medium, high, critical) to vulnerabilities based on criteria such as exploitability, impact on confidentiality, integrity, availability, and required privileges. Higher CVSS scores indicate more severe vulnerabilities. The update to CVSS v4.0 represents an important development in the field of vulnerability assessment and risk management.
Canada Bans WeChat and Kaspersky on Government Phones
Canada has taken the decision to ban the Chinese messaging app WeChat and the Russian platform Kaspersky from government smartphones and other mobile devices. This move is based on concerns related to privacy and security risks associated with these applications. As a result, these apps will be promptly removed from government-issued devices, and users will be prevented from downloading them in the future. The decision was made by the nation’s chief information officer, and it reflects the Canadian government’s commitment to safeguarding privacy and security within its public service.
Cyber Attacks
Boeing confirms cyberattack amid LockBit ransomware claims
Boeing is currently conducting an investigation into a cyberattack that targeted its parts and distribution business. The incident occurred after the LockBit ransomware gang claimed responsibility for breaching Boeing’s network and stealing data. Boeing has stated that the cyberattack did not have any impact on flight safety. The company is actively collaborating with law enforcement and regulatory agencies as part of an ongoing investigation. Furthermore, the Boeing services website is currently unavailable, with a message indicating that the outage is due to “technical issues.” This incident underscores the ongoing challenges and risks associated with cybersecurity in the aerospace industry.