Spring has released security updates for the 0-day remote code execution (RCE) flaw known as Spring4Shell. Since the vulnerability first surfaced, unconfirmed information had been circulating from different researchers and media outlets. Spring has now published specific details of the vulnerability, assigned it a CVE and released the patches that fix the bug. The vulnerability is tracked as CVE-2022-22965 and, although its CVSS score has not yet been published, it is considered to be of critical severity. While the flaw could be exploited in other ways, Spring developers have stated that the known exploit requires JDK 9 or higher, Apache Tomcat as the Servlet container, the application deployed as a traditional WAR, and a dependency on the spring-webmvc or spring-webflux frameworks. Vulnerable versions have been confirmed, so it is recommended to upgrade to Spring Framework 5.3.18 or 5.2.20 or higher, and Spring Boot to 2.6.6 or 2.5.12 or higher. Spring has also published a series of mitigations for those who are unable to deploy the updates.
Phishing campaign impersonating Spanish organizations
The Spanish Internet Security Office, Oficina de Seguridad del Internauta (OSI), has alerted about a phishing campaign impersonating the Spanish Tax Agency. The emails were sent from a spoofed address displaying the domain @hacienda.hob.es, with the subject line “Comprobante fiscal digital – MINISTERIO DE HACIENDA Y FUCION PUBLICA”. These emails urge victims to download an alleged .zip file containing documentation to be submitted to the public body, but in reality it contains malware. The OSI states that the impersonation of other government bodies within the same campaign cannot be ruled out, in which case the subject and sender of the emails would change. The Digital Risk Protection Service has also been able to analyze this campaign, detecting the impersonation of the Ministry of Health and the Ministry of Finance, and identifying the malware distributed as the banking Trojan Mekotio.
Apple fixes actively exploited 0-day vulnerabilities
Apple has released security updates fixing two new 0-day vulnerabilities that are reportedly being actively exploited and that affect its iPhone, iPad and Mac products. The first of the flaws, tracked as CVE-2022-22674, is an out-of-bounds read vulnerability in the Intel Graphics Driver which, if exploited, could allow an application to read kernel memory. The second bug, tracked as CVE-2022-22675, is an out-of-bounds write vulnerability in the AppleAVD component that could allow an application to execute arbitrary code with kernel privileges. Affected products include macOS Monterey, iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). Both bugs have been resolved with iOS 15.4.1, iPadOS 15.4.1 and macOS Monterey 12.3.1.
All info: https://support.apple.com/en-us/HT213220
New IcedID distribution campaign
Researchers from Intezer and Fortinet have analyzed a new campaign of the IcedID malware, a modular banking Trojan first detected in 2017 that is commonly used as a loader in ransomware operations. The campaign has been distributed via phishing emails sent from legitimate, previously compromised email accounts, replying to existing threads with malicious attachments. There is also a change in the attachment: it is still a password-protected ZIP file, but instead of the usual Office documents it now contains an ISO image with a Windows LNK file and a DLL that executes the malware. Files extracted from an ISO image did not inherit the Mark-of-the-Web flag, which allows attackers to bypass the associated security prompts and execute the malware without alerting the user. From the analysis of the compromised accounts, the researchers point to publicly exposed Exchange servers vulnerable to ProxyShell, suggesting that this may be the initial entry vector to the accounts used in the campaign. Activity has focused on organizations in the energy, healthcare, legal and pharmaceutical sectors. Finally, overlaps have been observed in some of the TTPs used, associating this activity with the actors TA577 and TA551.
Large-scale fraud against the retail sector
Researchers from Segurança Informática have published an in-depth analysis of a fraud campaign against multiple brands in the retail sector, active since the end of 2020 and increasing since the beginning of 2022. In this scheme, domains resembling those of the targeted brands were used to distribute phishing via malicious Google, Instagram and Facebook ads. All the malicious domains detected bear some similarity to the legitimate domains of the impersonated organizations, using typosquatting techniques combined with alternative TLDs such as “.shop”, “.website” or “.online”. Once a victim clicked on an advertisement, they were redirected to a fraudulent page offering large discounts where they could place an online order and track the package. The victim’s data was collected for future scams, and in some cases the victims were sent parcels full of waste. The operators used homemade content management system (CMS) templates published on GitHub in which, after changing a few images, they could clone any brand. The largest number of victims has been concentrated in Italy, Chile and Portugal, followed by other countries such as Spain and France. Through these operations, the attackers could have made a profit of more than one million euros to date.