CYBERSECURITY NEWS V. December – Ninth Chrome 0-Day of 2022, ‘Highly Exploited’ 0-Day Vulnerability Most iPhones Had, Attacker blackmails Elon Musk

News FYI

Google Patches Ninth Chrome Zero-Day of 2022

On December 2, 2022, Google released new versions of the Chrome browser (108.0.5359.94 for macOS and Linux, 108.0.5359.94/.95 for Windows) that fix a zero-day vulnerability.

The vulnerability (CVE-2022-4262) is rated high severity, affects the V8 JavaScript engine, and is a type confusion bug.

A few days earlier, on November 29, the company fixed another zero-day (CVE-2022-4135), a buffer overflow in the GPU component. It was also rated high severity.

The National Computer Incident Coordination Center recommends installing updates only after assessing all associated risks.

Apple Closes 'Highly Exploited' Zero-Day Vulnerability Most iPhones Had

Apple confirmed reports that two weeks ago it fixed an iPhone security vulnerability that was being actively exploited by attackers. Notably, Google helped discover the bug.

The iOS 16.1.2 update, released on November 30 for supported iPhones (iPhone 8 and later), is described as a "major security update."

On its security updates page, Apple said the update fixed a vulnerability in WebKit, the browser engine behind Safari and other apps. The bug allowed malicious code to run on users' devices. Apple credits the report to Google's Threat Analysis Group, which tracks and counters cyber threats, spyware and targeted attacks.

WebKit vulnerabilities are typically triggered by visiting a malicious site, either in Safari itself or in an in-app browser built on the same engine. Attackers frequently use WebKit flaws to break into the user's operating system and reach confidential data, and they are often chained with other bugs to defeat the layered security of Apple devices.

The vulnerability is tracked as CVE-2022-42856 (WebKit 247562). It is not yet known why Apple withheld details for two weeks after fixing it; neither Apple nor Google has commented.

Fortinet Releases Emergency Patch for RCE Vulnerability in FortiOS SSL-VPN

Fortinet has released an out-of-band patch for a vulnerability in FortiOS SSL-VPN that is already under attack. The flaw allows remote code execution on vulnerable devices without authentication.

The vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow in the FortiOS sslvpnd daemon. Successful exploitation lets an unauthenticated remote attacker crash the device or execute arbitrary code or commands using specially crafted requests.

Fortinet finally published security bulletin FG-IR-22-398 this week, warning customers that the vulnerability is being actively exploited and that everyone should install the updates as soon as possible.

When the vulnerability is exploited, the following entries appear in the device logs: Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]".

In addition, compromised devices show the following file system artifacts:

  • /data/lib/libips.bak
  • /data/lib/libgif.so
  • /data/lib/libiptcp.so
  • /data/lib/libipudp.so
  • /data/lib/libjepg.so
  • /var/.sslvpnconfigbk
  • /data/etc/wxd.conf
  • /flash

Fortinet also shared a list of IP addresses from which attacks on the vulnerability originated:

  • 188.34.130.40:444
  • 103.131.189.143:30080,30081,30443,20443
  • 192.36.119.61:8443,444
  • 172.247.168.153:8033
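The three indicator types above (the sslvpnd crash signature, the file-system artifacts and the attacker IP:port pairs) can be checked mechanically. The following Python script is an added example, not Fortinet's own tooling or code from the original article; it embeds the indicators exactly as listed above and runs them over constructed sample input (the log lines, file listing and connection records in it are made up for the demonstration and are not real device output). Fortinet's real log key is lower-case `logdesc`, so the match is case-insensitive.

```python
"""Triage helper for the CVE-2022-42475 indicators published in FG-IR-22-398.

Added example: feeds exported FortiOS log lines, a file-system listing and
observed connection records through the three indicator checks from the
bulletin. All sample data at the bottom is constructed, not real.
"""
import json
import re

# Crash signature from the bulletin: sslvpnd dies with signal 11 (SIGSEGV).
CRASH_RE = re.compile(
    r'logdesc="Application crashed".*?application:sslvpnd.*?Signal 11 received',
    re.IGNORECASE,
)

# File-system artifacts listed in the bulletin.
FILE_ARTIFACTS = frozenset({
    "/data/lib/libips.bak",
    "/data/lib/libgif.so",
    "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so",
    "/data/lib/libjepg.so",
    "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf",
    "/flash",  # listed by Fortinet; it is a normal mount point, so weak evidence alone
})


def _expand(ip, ports):
    """Turn one 'ip:port,port' entry into a set of (ip, port) tuples."""
    return {(ip, port) for port in ports}


# Attacker IP:port pairs from the bulletin (192.36.119.61 lists ports 8443 and 444).
ATTACKER_ENDPOINTS = frozenset(
    _expand("188.34.130.40", [444])
    | _expand("103.131.189.143", [30080, 30081, 30443, 20443])
    | _expand("192.36.119.61", [8443, 444])
    | _expand("172.247.168.153", [8033])
)
ATTACKER_IPS = frozenset(ip for ip, _ in ATTACKER_ENDPOINTS)


def find_crashes(log_lines):
    """Return the log lines carrying the sslvpnd SIGSEGV signature."""
    return [line for line in log_lines if CRASH_RE.search(line)]


def find_file_artifacts(listing):
    """Return the paths in a file-system listing that match known artifacts."""
    return sorted(FILE_ARTIFACTS.intersection(listing))


def classify_connections(records):
    """records: iterable of (peer_ip, peer_port).

    'exact' holds pairs matching ip and port; 'ip_only' holds peers whose
    address is on the list but whose port is not, which deserves a look but
    is a weaker signal.
    """
    exact, ip_only = [], []
    for ip, port in records:
        if (ip, port) in ATTACKER_ENDPOINTS:
            exact.append((ip, port))
        elif ip in ATTACKER_IPS:
            ip_only.append((ip, port))
    return {"exact": exact, "ip_only": ip_only}


def triage(log_lines, listing, records):
    """Run all three checks and return a combined verdict."""
    crashes = find_crashes(log_lines)
    files = find_file_artifacts(listing)
    conns = classify_connections(records)
    suspicious = bool(crashes or files or conns["exact"])
    return {"crashes": crashes, "files": files, "connections": conns,
            "suspicious": suspicious}


# Constructed sample input (not captured from a real device).
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:01:02 logdesc="Application crashed" '
    'msg="Pid: 1234, application:sslvpnd, Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=10:01:05 logdesc="SSL VPN login" msg="user=alice"',
    'date=2022-12-12 time=10:02:00 logdesc="Application crashed" '
    'msg="application:miglogd, Signal 6 received"',
]
SAMPLE_LISTING = ["/data/lib/libips.so", "/data/lib/libips.bak",
                  "/data/etc/wxd.conf", "/flash"]
SAMPLE_CONNS = [("203.0.113.5", 443), ("188.34.130.40", 444),
                ("103.131.189.143", 8080)]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOGS, SAMPLE_LISTING, SAMPLE_CONNS), indent=2))
```

Because `/flash` is an ordinary mount point, a hit on it alone should not drive the verdict; in practice the crash signature and the `.so`/`.bak` files under `/data/lib` are the findings worth escalating, and any match should be followed by the bulletin's recommended steps.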

Attackers use Microsoft-signed drivers to compromise systems

Microsoft announced on December 13 that it had suspended the accounts used to submit malicious drivers that were certified through the Windows Hardware Developer Program.

Microsoft's investigation found that the activity was limited to a few developer program accounts and that no further compromise was identified.

This technique is called BYOVD (Bring Your Own Vulnerable Driver). It lets an attacker who already has administrative privileges bypass Windows kernel protections without writing a kernel exploit from scratch: the attacker simply installs a third-party driver with known vulnerabilities and then uses those vulnerabilities to gain immediate access to some of the most protected areas of Windows.

Attackers sign malware with compromised, stolen and illegally acquired code-signing certificates. Several distinct malware families tied to individual threat actors have been signed this way.

Foxit Fixes Critical RCE Vulnerability in PDF Reader and PDF Editor

Foxit Software has released patches for a critical vulnerability in its flagship PDF Reader and PDF Editor products. The bug allows remote execution of arbitrary code.

The issue is known to affect only the Windows versions of Foxit PDF Reader 12.0.2.12465 and earlier and Foxit PhantomPDF 10.1.7.37777 and earlier.

The vulnerability has been assigned the identifier CVE-2022-28672 (CVSS score 7.8). The flaw stems from incorrect handling of Doc objects and allows code execution in the context of the current process.

Attacker blackmails Elon Musk by publishing database of almost 400 million Twitter users

An unknown cybercriminal posted an advertisement on a hacker marketplace offering a stolen database of personal information on more than 400 million Twitter users.

To back up the claim, the seller released a sample of about 1,000 users' records for public review. Notably, the sample contains data on Ethereum creator Vitalik Buterin, Apple co-founder Steve Wozniak and many other well-known figures, including internationally known information security specialists.

Some Western cybersecurity experts have already confirmed that the data is genuine.

According to the listing, the hacker is trying to pressure Elon Musk into urgently buying all of this confidential data before anyone else does, so that Twitter can avoid lawsuits and multimillion-dollar fines from regulators.

It is not yet clear whether the seller has a genuinely new breach or whether the file is a repackaging of an older Twitter leak from about a year ago. Industry experts note that if the database of 400 million users proves both real and new, the social network faces multimillion-dollar fines from European and American regulators.
