Tag Archive for: patched

DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack


Mar 14, 2024 | Newsroom | Malware / Cyber Attack


A DarkGate malware campaign observed in mid-January 2024 leveraged a recently patched security flaw in Microsoft Windows as a zero-day using bogus software installers.

“During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers,” Trend Micro said.

CVE-2024-21412 (CVSS score: 8.1) is an Internet Shortcut Files security feature bypass vulnerability that lets an unauthenticated attacker circumvent SmartScreen protections by tricking a victim into clicking on a specially crafted file.

It was fixed by Microsoft as part of its Patch Tuesday updates for February 2024, but not before it was weaponized by a threat actor called Water Hydra (aka DarkCasino) to deliver the DarkMe malware in attacks targeting financial institutions.

The latest findings from Trend Micro show that the vulnerability has come under broader exploitation than previously thought, with the DarkGate campaign leveraging it in conjunction with open redirects from Google Ads to proliferate the malware.


The sophisticated attack chain begins with victims clicking on a link embedded within a PDF attachment sent via a phishing email. The link deploys an open redirect from Google’s doubleclick[.]net domain to a compromised web server hosting a malicious .URL internet shortcut file that exploits CVE-2024-21412.

Specifically, the open redirects are designed to distribute fake Microsoft software installers (.MSI) masquerading as legitimate software, such as Apple iTunes, Notion, and NVIDIA, which come fitted with a side-loaded DLL file that decrypts and launches DarkGate (version 6.1.7) on the victim's machine.

It’s worth noting that another now-fixed bypass flaw in Windows SmartScreen (CVE-2023-36025, CVSS score: 8.8) has been employed by threat actors to deliver DarkGate, Phemedrone Stealer, and Mispadu over the past few months.

The abuse of Google Ads technologies allows threat actors to increase the reach and scale of their attacks through different ad…

Source…

Multiple Security Vulnerabilities Patched in Latest Android Update


The Indian Computer Emergency Response Team (CERT-In) has published an advisory on multiple security holes in devices running recent versions of Android. As part of this month’s Android Security Bulletin, the cybersecurity agency cautioned consumers about vulnerabilities that Google and smartphone component vendors such as Qualcomm and MediaTek had just patched. Samsung has also released patches for nine Samsung Vulnerabilities and Exposures (SVE) that were privately disclosed and have moderate severity ratings as part of the most recent security update.

CERT-In released an advisory

CERT-In released an advisory on Tuesday highlighting many vulnerabilities discovered across various sections of the Android operating system, including the “Framework, System, AMLogic, Arm components, MediaTek components, Qualcomm components, and Qualcomm closed-source components.” The advisory has a “High” severity level and specifies that the issues affect Android 12 (and 12L), Android 13, and Android 14.

According to the cybersecurity agency, Google has fixed vulnerabilities in its Android operating system that might allow an attacker to gain unauthorised access to sensitive data on an affected device. An attacker might exploit the vulnerabilities to gain privileged access to the device, run malicious code, or perform a denial of service (DoS) attack.

Google has released detailed information about specific components

Meanwhile, Google has released detailed information about specific components that have been patched with the latest Android Security Bulletin, such as fixes for bootloader vulnerabilities on devices with AMLogic components, flaws in Mali (Arm) components, and security issues affecting Wi-Fi and kernels on Qualcomm devices.

Samsung has said that the newest Security Maintenance Release (SMR) Mar-2024 Release 1 update will defend its devices from nine SVEs that affect Wi-Fi, AppLock, other operating system components, and the bootloader. The company also claims to have given remedies for other SVE items that are currently undisclosed.

Users should keep their cell phones up to date with the most recent monthly security…

Source…

Chrome Exploits Patched To Secure Your Browsing


In a bid to fortify the security of its Chrome browser, Google has swiftly addressed seven vulnerabilities, with one particularly menacing zero-day exploit. This critical flaw, identified as CVE-2023-6345, centers around an integer overflow bug within Skia, an open-source 2D graphics library. Users can breathe a sigh of relief with the latest Chrome update, as critical security vulnerabilities have been addressed and Chrome exploits patched for enhanced online safety.

Google Chrome Security Updates

Discovered and reported by Benoît Sevens and Clément Lecigne from Google’s Threat Analysis Group on November 24, 2023, CVE-2023-6345 has gained notoriety for being actively exploited in the wild. An integer overflow vulnerability in Skia, this flaw poses a substantial risk to Chrome users.


The Silent Culprit: CVE-2023-2136 Resurfaces


Notably, this isn’t the first time an integer overflow in Skia has been exploited. In April 2023, Google tackled a similar issue (CVE-2023-2136) that had also fallen victim to zero-day exploitation. There’s a concerning possibility that CVE-2023-6345 may serve as a patch bypass for its predecessor.

CVE-2023-2136 allowed a remote attacker, who compromised the renderer process, to potentially execute a sandbox escape through a carefully crafted HTML page. The recurrence of this vulnerability emphasizes the evolving nature of cyber threats.


Chrome Exploits Patched

The latest Chrome security patches and updates mark Google's proactive approach in addressing seven zero-day vulnerabilities since the beginning of the year. Each flaw is assigned a Common Vulnerability Scoring System (CVSS) score, highlighting its severity.

The vulnerabilities include:

  • CVE-2023-2033 (CVSS score: 8.8) – Type confusion in V8
  • CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia
  • CVE-2023-3079 (CVSS score: 8.8) – Type confusion in V8
  • CVE-2023-4762 (CVSS score: 8.8) – Type confusion in V8
  • CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
  • CVE-2023-5217 (CVSS score: 8.8) – Heap buffer overflow in vp8 encoding in libvpx


Chrome Exploits Patched: Actions Required


To mitigate potential threats, users are strongly urged to upgrade to Chrome…

Source…

Russian GRU Hackers Exploit Critical Patched Vulnerabilities


Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Governance & Risk Management

TA422 Is Targeting Organizations in Europe and North America, Proofpoint Says

Russian military intelligence hackers are taking advantage of patched vulnerabilities. (Image: Shutterstock)

In the race between hackers and systems administrators that begins each time a company patches a zero-day flaw, a Russian military intelligence hacking unit is often the winner, new research discloses.

Multiple studies suggest that organizations require weeks, if not months, to roll out patches, while hackers can rush out an exploit for a newly disclosed vulnerability in days or weeks.

One organization taking advantage of that disconnect is what Proofpoint dubs TA422 – also known as APT28, Fancy Bear and Forest Blizzard. The security firm in a Tuesday report said it has seen the threat actor “readily use patched vulnerabilities to target a variety of organizations in Europe and North America.” U.S. and British intelligence assess that Forest Blizzard is “almost certainly” part of the Russian General Staff Main Intelligence Directorate, better known as the GRU.

Among the n-days exploited by TA422 is CVE-2023-23397, a Microsoft Outlook elevation of privilege vulnerability that allows a remote, unauthenticated attacker to send a specially crafted email that leaks the targeted user’s hashed…

Source…