Welcome to our weekly cyber news roundup, where we highlight the most significant cybersecurity developments from the past week. Stay informed and vigilant as we delve into the top 7 stories shaping the digital landscape:
Google’s October 2023 security updates for Android OS versions 11, 12, and 13 address 53 vulnerabilities, with 5 deemed critical. Notably, two of these critical vulnerabilities are currently being exploited. The most dangerous of these vulnerabilities is found in the System component, posing a severe threat to devices if successfully exploited. Google’s October updates are divided into three releases, each targeting different components.
The two actively exploited vulnerabilities are CVE-2023-4863, which allows attackers potential control of the system, and CVE-2023-4211, which lets a local user manipulate GPU memory processing. Other significant vulnerabilities are rooted in the Qualcomm closed-source components. For Android users on the mentioned OS versions, updating is vital to ensure digital privacy and safety.
UC Berkeley professors Jiantao Jiao and Kurt Keutzer, along with AI developer Jian Zhang, have co-founded Nexusflow, a startup whose technology is designed to enhance cybersecurity automation using natural language queries. By improving automated responses, Nexusflow positions itself as an advanced tool for security operations centers (SOCs).
Unlike traditional AI applications, Nexusflow’s approach can recognize unfamiliar situations and then consult external databases or seek guidance from human experts. The software is trained by assimilating information from various sources and learning from demonstrated solutions, allowing it to make intuitive decisions. Nexusflow’s own open-source LLM, NexusRaven-13B, boasts a 95% success rate on search tools, surpassing GPT-4’s 64%.
Although current Security Orchestration, Automation and Response (SOAR) tools enhance SOC decision-making, they have limitations in handling unknowns. Nexusflow aims to improve on this by further automating responses while keeping human oversight. It operates within a private environment, ensuring data confidentiality, and can be hosted either on-premises or in a private cloud. Nexusflow recently secured $10.6 million in seed funding for further development and growth.
Cisco has issued an alert about a medium-severity security flaw in its IOS Software and IOS XE Software that may allow an authenticated attacker to execute remote code on vulnerable systems.
Identified as CVE-2023-20109 with a CVSS score of 6.6, the flaw affects software versions with the GDOI or G-IKEv2 protocol enabled. This vulnerability can lead to arbitrary code execution or device crashes if attackers gain administrative control of certain group members or key servers. It was discovered after Cisco noted attempted exploitation of the GET VPN feature.
Additionally, Cisco identified five other vulnerabilities in its Catalyst SD-WAN Manager that could lead to unauthorized access, configuration rollbacks, information exposure, and denial of service. Users are advised to upgrade their software to address these vulnerabilities.
The DNA testing company 23andMe is looking into potential unauthorized access to a vast amount of its customer data after such information was listed for sale on a cybercrime forum. An individual on this forum claimed to possess “the most valuable data you’ll ever see” from 23andMe, supposedly totaling 20 million data pieces.
While 23andMe acknowledges that specific customer profiles might have been accessed illegitimately, they currently have no evidence of a breach within their own systems. Preliminary findings suggest attackers might have used previously leaked login credentials from other platforms to access 23andMe accounts.
For those who utilized 23andMe’s “DNA Relatives” service, data concerning potential relatives could have been scraped. The details of the stolen data include user profiles, ancestry results, and other genetic information. The authenticity of the data listed for sale hasn’t been confirmed, and details surrounding its acquisition remain murky.
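The preliminary finding in the 23andMe story, that previously leaked credentials from other platforms were replayed against 23andMe accounts, describes credential stuffing. The signal a defender looks for is one source attempting many distinct accounts with mostly failures, plus the handful of successes that follow. The following is an added example, not 23andMe's code or any vendor's: it runs a simple credential-stuffing detector over a few constructed authentication log lines. The log format, the field names (`ip`, `user`, `result`) and the thresholds are assumptions made for the example.

```python
"""Added example (not 23andMe's code): flag credential-stuffing sources in
constructed authentication logs.

Heuristic: a single source IP that touches at least `min_accounts` distinct
accounts with a failure ratio at or above `min_failure_ratio` is flagged, and
any accounts it logged into successfully are reported as likely compromised
so they can be reset and challenged with MFA.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log. Assumed format: "<timestamp> ip=<ip> user=<user> result=<success|failure>"
SAMPLE_AUTH_LOG = [
    "2023-10-02T08:00:01Z ip=192.0.2.20 user=alice result=failure",
    "2023-10-02T08:00:09Z ip=192.0.2.20 user=alice result=success",
    "2023-10-02T08:01:00Z ip=198.51.100.9 user=alice result=failure",
    "2023-10-02T08:01:01Z ip=198.51.100.9 user=bob result=failure",
    "2023-10-02T08:01:02Z ip=198.51.100.9 user=carol result=failure",
    "2023-10-02T08:01:03Z ip=198.51.100.9 user=dave result=success",
    "2023-10-02T08:01:04Z ip=198.51.100.9 user=erin result=failure",
    "2023-10-02T08:01:05Z ip=198.51.100.9 user=frank result=failure",
    "2023-10-02T08:05:00Z ip=203.0.113.44 user=grace result=failure",
    "2023-10-02T08:05:30Z ip=203.0.113.44 user=heidi result=failure",
]


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    ip: str
    user: str
    outcome: str  # "success" or "failure"


def parse_auth_log(lines: List[str]) -> List[AuthEvent]:
    """Parse the assumed key=value log format into AuthEvent records."""
    events = []
    for line in lines:
        parts = line.split()
        fields = dict(part.split("=", 1) for part in parts[1:])
        events.append(AuthEvent(parts[0], fields["ip"], fields["user"], fields["result"]))
    return events


def find_stuffing_sources(
    events: List[AuthEvent], min_accounts: int = 5, min_failure_ratio: float = 0.8
) -> Dict[str, dict]:
    """Return {ip: summary} for sources whose behaviour matches credential stuffing."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "ok_users": set()})
    for e in events:
        rec = per_ip[e.ip]
        rec["users"].add(e.user)
        rec["attempts"] += 1
        if e.outcome == "failure":
            rec["failures"] += 1
        else:
            rec["ok_users"].add(e.user)

    flagged = {}
    for ip, rec in per_ip.items():
        ratio = rec["failures"] / rec["attempts"]
        # Many distinct accounts from one source, almost all failing, is the stuffing signature.
        if len(rec["users"]) >= min_accounts and ratio >= min_failure_ratio:
            flagged[ip] = {
                "accounts_tried": len(rec["users"]),
                "failure_ratio": round(ratio, 3),
                "accounts_compromised": sorted(rec["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, summary)
```

On the constructed sample, the legitimate user retrying once from 192.0.2.20 and the two-account source 203.0.113.44 stay under the threshold; 198.51.100.9 is flagged with six accounts tried and one success (`dave`) to reset. In production the same per-source aggregation is usually run in a SIEM over a sliding window, and the thresholds are tuned against the site's normal failure rate.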
The BlackBerry Research and Intelligence Team identified a financially driven web skimming campaign named Silent Skimmer targeting online payment businesses in Asia Pacific, North America, and Latin America for over a year. This campaign, linked to a Chinese-speaking actor, primarily exploits web application vulnerabilities, especially in Internet Information Services (IIS).
After compromising the payment checkout page to steal visitor data, attackers use various tools and techniques for further infiltration and code execution. They deploy a PowerShell-based remote access trojan, ending with the insertion of a scraper in the payment checkout service to capture financial details discreetly. The attackers adapt their command-and-control servers based on the victims’ geolocation to avoid detection.
Rather than a targeted approach, the campaign seems opportunistic, focusing mainly on regional websites gathering payment data. This revelation follows Sophos’s exposure of a cryptocurrency scam luring targets via dating apps, using liquidity mining lures without needing malware or typical “hacking” techniques.
A sophisticated malicious campaign has been planting info-stealing packages on open-source platforms, resulting in approximately 75,000 downloads. Checkmarx’s Supply Chain Security team, which has monitored the campaign since April, found 272 packages designed to steal sensitive data. Over time, these packages have evolved, employing advanced obfuscation layers and detection evasion techniques.
Once executed, the malware targets system data, credentials stored in browsers, cryptocurrency wallets, and popular apps like Discord, Minecraft, and Roblox. It can also capture screenshots and monitor and manipulate the victim’s clipboard, in particular to divert cryptocurrency transfers. An estimated $100,000 in cryptocurrency has been stolen this way.
Atlassian, an Australian software firm, has issued urgent security updates addressing a severe zero-day vulnerability in its Confluence Data Center and Server software after reports of exploitation in real-world attacks. This vulnerability, labeled as CVE-2023-22515, enables privilege escalation and affects Confluence versions 8.0.0 onwards. It can be remotely exploited without user interaction. Atlassian emphasized that its cloud sites are unaffected: Confluence sites accessed via an “atlassian.net” domain are not vulnerable.
For those using vulnerable versions, upgrading to the fixed versions (8.3.3 or later, 8.4.3 or later, 8.5.2 or later) is recommended. If instant patching isn’t feasible, isolating or shutting down impacted instances is advised. Administrators are urged to prevent access to the /setup/* endpoints on Confluence to eliminate known attack vectors. The company also provided indicators to identify possible breaches.
Given the patch’s release, attackers might rapidly exploit the identified weakness. Atlassian has advised that if there are signs of a breach, users should disconnect the affected server immediately. Furthermore, the firm emphasized the importance of securing Confluence servers due to past incidents involving ransomware and malware attacks. Last year, a critical Confluence vulnerability, CVE-2022-26138, prompted alerts from cybersecurity agencies and experts.
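The Confluence advice above amounts to two concrete checks: is the running version in the affected range, and has anyone reached the /setup/* endpoints that administrators are told to block. The following is an added example, not Atlassian's code: a version assessment that follows the affected and fixed versions stated in the story (8.0.0 onward; fixed in 8.3.3+, 8.4.3+, 8.5.2+), and a scan of constructed reverse-proxy access log lines for requests to /setup/*. The log format (common log format with a status code) and the `/setup/some-step.action` path in the sample are assumptions; the company's actual breach indicators are not reproduced here.

```python
"""Added example (not Atlassian's code): triage helpers for CVE-2023-22515.

1. is_affected(): is a Confluence Data Center/Server version in the affected
   range as summarised in the advisory (8.0.0 onward, fixed in 8.3.3+, 8.4.3+,
   8.5.2+)? Versions at or above the newest fix are treated as fixed.
2. setup_endpoint_hits(): which access-log requests touched /setup/*, the
   endpoints the advisory says to block? A non-404 answer on a live instance
   is the interesting case.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample access log (assumed common log format with status and size).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [04/Oct/2023:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 4120',
    '203.0.113.7 - - [04/Oct/2023:10:16:12 +0000] "GET /setup/some-step.action HTTP/1.1" 200 2210',
    '203.0.113.7 - - [04/Oct/2023:10:16:13 +0000] "POST /setup/some-step.action?x=1 HTTP/1.1" 302 0',
    '198.51.100.3 - - [04/Oct/2023:10:17:40 +0000] "GET /setup/ HTTP/1.1" 404 310',
    '203.0.113.5 - - [04/Oct/2023:10:18:02 +0000] "GET /dashboard.action HTTP/1.1" 200 9001',
    'not a log line at all',
]

# Minimum fixed version in each minor line named in the story.
FIXED_MINIMUMS: Tuple[Tuple[int, int, int], ...] = ((8, 3, 3), (8, 4, 3), (8, 5, 2))


def parse_version(text: str) -> Tuple[int, int, int]:
    """'8.4.1' -> (8, 4, 1); missing components default to 0."""
    nums = [int(p) for p in text.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the version falls in the affected range and below its line's fix."""
    v = parse_version(version)
    if v < (8, 0, 0):
        return False  # pre-8.0.0 releases are not in scope per the advisory summary
    for fixed in FIXED_MINIMUMS:
        if v[:2] == fixed[:2] and v >= fixed:
            return False  # at or above the fix for this minor line
    if v >= FIXED_MINIMUMS[-1]:
        return False  # newer than the newest fix
    return True


LOG_PATTERN = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def setup_endpoint_hits(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per request whose path starts with /setup/ (query string ignored)."""
    hits = []
    for line in log_lines:
        m = LOG_PATTERN.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        path = m.group("path").split("?", 1)[0]
        if path.startswith("/setup/"):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": m.group("status"),
            })
    return hits


def served_setup_requests(log_lines: List[str]) -> List[Dict[str, str]]:
    """Subset of /setup/* hits that did not get a 404: the instance actually served the setup flow."""
    return [h for h in setup_endpoint_hits(log_lines) if h["status"] != "404"]


if __name__ == "__main__":
    for ver in ("7.19.10", "8.0.0", "8.4.1", "8.4.3", "8.5.1", "8.6.0"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for hit in served_setup_requests(SAMPLE_ACCESS_LOG):
        print(hit)
```

Any served /setup/* request on an instance that has already completed setup is worth an incident ticket; combined with an affected version it is the "signs of a breach" case where the advisory says to disconnect the server first and investigate second.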
Stay tuned for the latest updates and in-depth coverage of these stories. Knowledge is your best defense in the digital age.