Welcome to this week’s Security News.
If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability
Google has released security updates for its Chrome browser, addressing seven issues, notably a zero-day vulnerability (CVE-2023-6345) actively exploited in the wild. This high-severity flaw is identified as an integer overflow bug in Skia, a 2D graphics library. Benoît Sevens and Clément Lecigne from Google’s Threat Analysis Group discovered and reported the vulnerability on November 24, 2023.
Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access
Cybersecurity researchers have identified a “severe design flaw” in Google Workspace’s domain-wide delegation (DWD) feature. This flaw could be exploited by attackers to facilitate privilege escalation, allowing unauthorized access to Workspace APIs without the need for super admin privileges. The vulnerability, known as DeleFriend, enables threat actors to manipulate existing delegations in both the Google Cloud Platform (GCP) and Google Workspace, potentially leading to the theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Workspace APIs across all identities in the targeted domain. The design weakness is still active, posing a significant security risk.
Hackers Can Exploit ‘Forced Authentication’ to Steal Windows NTLM Tokens
A case of “forced authentication” has been discovered, posing a risk of leaking a Windows user’s NT LAN Manager (NTLM) tokens. This exploit involves tricking a victim into opening a specially crafted Microsoft Access file. The attack leverages a legitimate feature in the database management system that enables users to link to external data sources like a remote SQL Server table. Exploiting this feature allows attackers to automatically leak the Windows user’s NTLM tokens to an attacker-controlled server through any TCP port, including commonly used port 80. The attack is initiated when the victim opens a file with extensions such as .accdb, .mdb, or even more common Office file types like .rtf, presenting a potential security threat.
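The value leaked in the attack above is an NTLM AUTHENTICATE (Type 3) message, which carries the victim's domain, username and workstation in clear text alongside the challenge response. The following is an added detection example, not code from the original article or from any vendor: it parses Type 3 messages found in outbound HTTP proxy records and flags those sent to non-internal hosts, so an analyst can tell which accounts had tokens leave the network. The log line layout, the process names and the addresses are constructed for the example.

```python
import base64
import re
import struct

# Field descriptors in an NTLMSSP AUTHENTICATE (Type 3) message are 8 bytes each
# (len:2, maxlen:2, buffer offset:4, little-endian) at fixed header positions.
_TYPE3_FIELDS = {"domain": 28, "user": 36, "workstation": 44}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def parse_type3(blob):
    """Return domain/user/workstation from a Type 3 message, or None if not one."""
    if len(blob) < 64 or blob[:8] != b"NTLMSSP\x00":
        return None
    if struct.unpack_from("<I", blob, 8)[0] != 3:  # only AUTHENTICATE messages
        return None
    flags = struct.unpack_from("<I", blob, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    out = {}
    for name, pos in _TYPE3_FIELDS.items():
        length, _maxlen, offset = struct.unpack_from("<HHI", blob, pos)
        if offset + length > len(blob):
            return None  # malformed: field points outside the message
        out[name] = blob[offset:offset + length].decode(enc, "replace")
    return out


def build_type3(domain, user, workstation):
    """Constructed sample Type 3 message with zeroed (dummy) challenge responses."""
    header_len, fields, payload = 64, b"", b""
    for s in (b"\x00" * 24, b"\x00" * 24, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        fields += struct.pack("<HHI", len(s), len(s), header_len + len(payload))
        payload += s
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + fields
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload)


# Constructed proxy log layout (hypothetical, not any real product's format).
LOG_RE = re.compile(r"proc=(?P<proc>\S+) dst=(?P<host>[^: ]+):(?P<port>\d+) "
                    r".*Authorization: NTLM (?P<b64>[A-Za-z0-9+/=]+)")


def find_leaked_logons(lines, internal_prefixes=("10.", "192.168.")):
    """Flag NTLM AUTHENTICATE messages sent to hosts outside the internal ranges."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["host"].startswith(internal_prefixes):
            continue
        try:
            info = parse_type3(base64.b64decode(m["b64"], validate=True))
        except ValueError:  # malformed base64
            continue
        if info:
            hits.append({"proc": m["proc"], "dst": f'{m["host"]}:{m["port"]}', **info})
    return hits
```

A real deployment would feed proxy or firewall exports into find_leaked_logons and treat any hit from an Office process toward an external address on port 80 as a forced-authentication indicator worth a password reset and a hunt for the originating file.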
LogoFAIL attack can install UEFI bootkits through bootup logos
A set of security vulnerabilities named LogoFAIL has been identified, impacting image-parsing components in UEFI code from multiple vendors. These vulnerabilities, identified by researchers at the firmware supply chain security platform Binarly, have the potential to be exploited for hijacking the booting process execution flow and delivering bootkits. The vulnerabilities specifically affect image parsing libraries used by vendors to display logos during the booting routine, and they have a widespread impact on x86 and ARM architectures. The risk stems from image-parsing code added purely for vendor branding, which allows malicious payloads to be executed when crafted image files are placed in the EFI System Partition (ESP). This poses a significant threat to the security of the boot process and, consequently, the overall system.
Apple fixes two new iOS zero-days in emergency updates
Apple has released emergency security updates to address two zero-day vulnerabilities that were actively exploited in attacks. The vulnerabilities impact iPhone, iPad, and Mac devices. With these updates, Apple has now patched a total of 20 zero-days since the beginning of the year. The two vulnerabilities, identified in the WebKit browser engine as CVE-2023-42916 and CVE-2023-42917, could be exploited by attackers to gain access to sensitive information through an out-of-bounds read weakness and achieve arbitrary code execution via a memory corruption bug. These attacks occurred before the release of iOS 16.7.1. Apple has urged users to update to the latest versions to ensure their devices are protected against these vulnerabilities.
Zyxel warns of multiple critical vulnerabilities in NAS devices
Zyxel has addressed multiple security issues, including three critical vulnerabilities that could allow an unauthenticated attacker to execute operating system commands on vulnerable network-attached storage (NAS) devices. Zyxel NAS systems are commonly used for centralized data storage in networks, offering features such as data backup, media streaming, and customized sharing options. These NAS systems are often utilized by small to medium-sized businesses for data management, remote work, and collaboration purposes. Additionally, IT professionals may deploy them for data redundancy systems, and they are favored by videographers and digital artists working with large files. The resolution of these critical vulnerabilities is crucial to ensuring the security of data stored on Zyxel NAS devices.
Zoom flaw enabled hijacking of accounts with access to meetings, team chat
A security flaw in Zoom Rooms, which could potentially allow the hijacking of service accounts with access to sensitive information, was disclosed by bug hunters. This vulnerability predominantly affected Zoom tenants using email addresses from major providers such as Outlook and Gmail. The flaw was initially identified at an ethical hacking and bug bounty event in June and was subsequently patched by Zoom before its public disclosure. Fortunately, there is no reported evidence of the vulnerability being exploited in the wild.
Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is responding to a cyber-attack that targeted the Municipal Water Authority of Aliquippa in western Pennsylvania. The attack involved the active exploitation of Unitronics programmable logic controllers (PLCs). The responsible party has been identified as the Iranian-backed hacktivist collective known as Cyber Av3ngers. The cyber threat actors specifically targeted PLCs associated with Water and Wastewater Systems facilities, including a Unitronics PLC at the U.S. water facility. In response, the affected municipality’s water authority promptly took the system offline, switched to manual operations, and has stated that there is no known risk to the municipality’s drinking water or water supply.
MSSP and law software firm CTS suffers wide-scale attack
A UK-based Managed Security Services Provider, CTS IT, suffered a large cyber attack a few weeks ago which has affected law firms across the country. The lack of access to systems has caused misery for homebuyers, as house completions are currently on hold. It is widely reported that the security firm was the victim of a ransomware attack which came through a Citrix vulnerability that had not been patched.
The company said in a statement: “The outage was caused by a cyber-incident. We are working closely with a leading global cyber forensics firm to help us with an urgent investigation into the incident and to assist us in service restoration. We continue to work around the clock with the assistance of third-party experts. Whilst we are confident that we will be able to restore services, we are unable to give a precise timeline for full restoration. We will continue to communicate directly with those of our clients which are impacted by the service outage, providing regular updates on the status of our work to restore services and our investigations into the incident.”
WhatsApp’s new Secret Code feature hides your locked chats
WhatsApp has introduced a new Secret Code feature that allows users to enhance the security of their locked chats by setting a custom password. Once the feature reaches a user’s device, they can create a code, which may also include emojis, specifically for securing locked chats. This code is independent of the device unlock code. The Secret Code feature serves to hide the Locked Chats folder from the chat list, making it more discreet. To reveal the folder, users can enter the secret code in the search bar for easy access. Users also have the option to keep the folder in the chat list if they prefer. The process of locking chats has been streamlined, utilizing a long-press action and eliminating the need to navigate through chat settings, making it more user-friendly.