Weekly Security News – 8th January 2024

Welcome to this week’s Security News. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly. 

Vulnerabilities and Patches

New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections

Security researchers have disclosed a new variant of a dynamic link library (DLL) search order hijacking technique that could be exploited by threat actors to evade security measures and execute malicious code on systems running Microsoft Windows 10 and Windows 11. The technique leverages executables commonly found in the trusted WinSxS folder and exploits them using the classic DLL search order hijacking method. This approach enables adversaries to bypass the requirement for elevated privileges when attempting to execute malicious code on a compromised machine, potentially introducing vulnerable binaries into the attack chain. This emphasizes the ongoing need for robust security measures to detect and mitigate such threats.
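The detection angle on the item above is straightforward: a binary whose image lives under the WinSxS folder should only resolve DLLs from Windows system directories, so a DLL load from anywhere else is the search order being satisfied by an attacker-controlled path. The following is an added example, not code from the news item or from the researchers it reports on. It assumes image-load records in a constructed JSON shape loosely modelled on Sysmon Event ID 7 (process `Image`, DLL `ImageLoaded`, signature verdict `Signed`); the field names, the `placeholder_component` directory, `example_tool.exe` and the sample events are all constructed here.

```python
"""Detection sketch for DLL search-order hijacking of WinSxS-hosted binaries.

Added example; assumes a constructed JSON event shape loosely modelled on
Sysmon Event ID 7 (image load). Field names and sample paths are constructed.
"""
import json
from pathlib import PureWindowsPath
from typing import Optional

WINSXS = PureWindowsPath(r"C:\Windows\WinSxS")
# Directories a Windows component binary is expected to resolve DLLs from.
TRUSTED_DLL_ROOTS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    WINSXS,
)


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if path is root or lies below it (case-insensitive, as NTFS is)."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[: len(r)] == r


def classify_load(event: dict) -> Optional[str]:
    """Return a severity label for a suspicious load, or None if benign.

    Rule: a process whose image lives under WinSxS should only pull DLLs from
    Windows system directories. A DLL resolved from anywhere else means the
    search order was satisfied by a location outside the trusted roots; an
    unsigned DLL in that position is rated higher than a signed one.
    """
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if not _under(image, WINSXS):
        return None  # this rule only covers WinSxS-hosted binaries
    if any(_under(dll, root) for root in TRUSTED_DLL_ROOTS):
        return None
    return "high" if not event.get("Signed", False) else "medium"


def scan(lines):
    """Parse one JSON event per line; return (severity, image, dll) findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        sev = classify_load(ev)
        if sev:
            findings.append((sev, ev["Image"], ev["ImageLoaded"]))
    return findings


# Constructed sample events: 'placeholder_component' stands in for a real
# WinSxS component directory name and 'example_tool.exe' for a real binary.
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Windows\WinSxS\placeholder_component\example_tool.exe",
                "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True}),
    json.dumps({"Image": r"C:\Windows\WinSxS\placeholder_component\example_tool.exe",
                "ImageLoaded": r"C:\Users\Public\staging\placeholder.dll", "Signed": False}),
    json.dumps({"Image": r"C:\Users\Public\staging\other.exe",
                "ImageLoaded": r"C:\Users\Public\staging\placeholder.dll", "Signed": False}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding)
```

Only the second sample event is flagged: the first is a normal system DLL load, and the third is a non-WinSxS process, which this rule deliberately leaves to other detections. In a real deployment the trusted roots would be derived from the host's actual system directories rather than hard-coded.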

Google Patches Six Vulnerabilities With First Chrome Update of 2024

Google has released the first Chrome security update of 2024, addressing six vulnerabilities, four of which were reported by external researchers. All four externally reported security flaws are classified as high-severity memory safety issues. However, Google mentions that bug bounty rewards were awarded for only three of them. Regular security updates are crucial to addressing vulnerabilities and ensuring the safety of users while browsing the internet. Users are advised to keep their Chrome browsers up to date to benefit from the latest security patches.

Qualcomm chip vulnerability enables remote attack by voice call

Qualcomm disclosed a critical vulnerability on New Year’s Day that could be exploited for remote attacks through malicious voice calls over LTE networks. The January 2024 security bulletin from Qualcomm identified a total of 26 vulnerabilities, with four of them being classified as critical. The vulnerabilities impact Qualcomm chipsets, and patches have been provided to original equipment manufacturers (OEMs) utilizing Qualcomm chips, including those in the widely used Snapdragon series. Timely updates and patch deployments are crucial to addressing these vulnerabilities and ensuring the security of devices using Qualcomm chipsets.

Cyber Attacks

Hacked Mandiant X Account Abused for Cryptocurrency Theft

Mandiant, a cybersecurity firm that is part of Google Cloud, had its social media account on X (formerly Twitter) hacked on Wednesday. The compromised account was then used to deceive users into visiting a website designed to steal cryptocurrency. The Mandiant account was renamed to ‘Phantom,’ and its profile details were altered to give the appearance of being associated with the legitimate Phantom cryptocurrency wallet. Messages posted from the compromised account directed users to a website, claim-phntm.com, which falsely claimed to distribute cryptocurrency tokens through an airdrop. In reality, the website was created to steal cryptocurrency from unsuspecting victims. This incident highlights the ongoing risks of social media account hijacking for malicious purposes, as well as the importance of verifying information and being cautious of unsolicited cryptocurrency offers.

RIPE Account Hacking Leads to Major Internet Outage at Orange Spain

Orange Spain customers experienced internet disruptions on January 3 due to a hacker attack that involved the compromise of Orange Spain’s account with the RIPE Network Coordination Center (NCC). The attacker, known as ‘Snow,’ reportedly stole credentials through malware, gaining control of the RIPE account. This unauthorized access allowed the hacker to make changes that disrupted the Border Gateway Protocol (BGP) routing, resulting in a significant loss of traffic. The incident underscores the potential impact of cyberattacks on critical infrastructure and the importance of robust security measures to safeguard against such threats.

NPM registry prank leaves developers unable to unpublish packages

GitHub has addressed disruptions related to the “everything” package and its registry-wide dependencies. GitHub stated that the project violated their Acceptable Use Policies, which prohibit behavior causing significant or continual disruption to users, and also violated the npm Code of Conduct. The company resolved the dependency issue, allowing packages to be removed if they meet unpublish criteria. Efforts are underway to remove the packages from both the npm registry and GitHub. As of Thursday morning, the “everything” repository had been removed from GitHub, and the “everything” package on the NPM registry displayed a message urging users to verify the source before using it.

Russian hackers wiped thousands of systems in KyivStar attack

The Russian hackers responsible for the December breach of Kyivstar, Ukraine’s largest telecommunications service provider, have reportedly wiped all systems on the telecom operator’s core network. The intrusion reportedly began in May 2023, with the destructive phase executed months later, and resulted in the destruction of thousands of virtual servers and computers, effectively crippling the core infrastructure of Kyivstar. As a consequence, the telecom operator’s mobile and data services went offline, impacting millions of subscribers. The incident highlights the ongoing cyber threats faced by critical infrastructure and the potential for severe disruptions caused by such attacks.
Microsoft kills off Windows app installation from the web, again

Microsoft Threat Intelligence group observed that threat actors have been exploiting the ms-appinstaller URI scheme to distribute malware. This protocol appears to have provided a method for evading Microsoft’s security checks. The ms-appinstaller protocol handler vector may have been chosen by threat actors because it has the capability to bypass security mechanisms designed to protect users from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for executable file downloads. By abusing this protocol, attackers sought to circumvent these safety measures and distribute malicious software to unsuspecting users. Microsoft has taken steps to disable the protocol in response to this abuse.
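Because the abuse described above rides on a URI scheme rather than a file download, the detection opportunity is wherever URLs are logged or scanned: web proxy logs and mail content. The following is an added example, not Microsoft's code or anything from the report above. It assumes the real `ms-appinstaller:?source=<url>` URI form; the log format, the `placeholder.example` hosts and the sample lines are constructed here.

```python
"""Find ms-appinstaller URIs in proxy/mail text and alert on unapproved sources.

Added example; the log line format and sample hosts below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Matches the scheme and its query up to whitespace or an HTML/quote delimiter,
# so it works on both plain log fields and href attributes in mail bodies.
URI_RE = re.compile(r"ms-appinstaller:\?[^\s\"'<>]+", re.IGNORECASE)


def extract_appinstaller_sources(text):
    """Return (uri, source_url, source_host) for each ms-appinstaller URI in text.

    The 'source' query parameter carries the package URL the App Installer
    would fetch; parse_qs also undoes percent-encoding, so encoded links in
    HTML are normalised before the host is extracted.
    """
    findings = []
    for match in URI_RE.finditer(text):
        uri = match.group(0)
        query = uri.split("?", 1)[1]
        params = parse_qs(query)
        source = params.get("source", [None])[0]
        host = urlsplit(source).hostname if source else None
        findings.append((uri, source, host))
    return findings


def scan_log(text, allowed_hosts=()):
    """Return (line_number, host, source_url) for every URI whose package host
    is not on the allow-list of internal distribution points."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for _uri, source, host in extract_appinstaller_sources(line):
            if host not in allowed_hosts:
                alerts.append((lineno, host, source))
    return alerts


# Constructed sample: two proxy click records and one captured mail body.
SAMPLE_LOG = """\
2024-01-04T10:12:03Z user=alice action=click url=https://intranet.example/portal
2024-01-04T10:13:41Z user=bob action=click url=ms-appinstaller:?source=https://updates.placeholder.example/setup.msix
2024-01-04T10:15:09Z user=carol action=mail body=<a href="ms-appinstaller:?source=https%3A%2F%2Fcdn.placeholder.example%2Finstaller.msixbundle">Update now</a>
"""

if __name__ == "__main__":
    for lineno, host, source in scan_log(SAMPLE_LOG, allowed_hosts=("updates.placeholder.example",)):
        print(f"line {lineno}: ms-appinstaller package from {host}: {source}")
```

With `updates.placeholder.example` allow-listed, only the mail-borne link on line 3 is reported. This is the detection side; the preventive control is the App Installer group policy that turns the ms-appinstaller protocol off, which Microsoft's own change now effectively enforces.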