Security News – Week 43

[vc_row pix_particles_check=”” nav_skin=”light” consent_include=”include”][vc_column width=”1/4″][vc_empty_space height=”15px”][vc_single_image image=”16723″ img_size=”medium” alignment=”center”][/vc_column][vc_column width=”3/4″][vc_column_text]

Critical Zero-Day Alarm on iOS and iPadOS

Apple has released updates to 20 security vulnerabilities affecting iOS and iPadOS operating systems, including a 0-day vulnerability known to be actively exploited by threat actors.

The 0-day vulnerability, tracked as CVE-2022-42827, exists due to a boundary error affecting the Kernel“ component of the operating system. Threat actors can execute with root privileges on the vulnerable system by triggering an out-of-bounds write error through a specially crafted application.

Apart from the vulnerability mentioned above, Apple has also fixed two high-severity vulnerabilities with the released iOS 16.1 and iPadOS 16 updates. In order not to be the target of attacks that can be carried out using vulnerabilities, Apple users using vulnerable versions are recommended to apply the published updates immediately.

[/vc_column_text][pix_blog blog_style_box=”1″ count=”1″ items_count=”1″ category=”” orderby=”title” pagination=”” style=”” hover_effect=”” add_hover_effect=”” animation=””][/vc_column][/vc_row][vc_row pix_particles_check=”” nav_skin=”light” consent_include=”include”][vc_column width=”1/4″][vc_empty_space height=”15px”][vc_single_image image=”16716″ img_size=”full” alignment=”center”][/vc_column][vc_column width=”3/4″][vc_column_text]

Iran Atomic Energy Agency Suffered from a Breach

The Atomic Energy Agency of Iran was exposed to a security breach that resulted in the threat actors gaining unauthorized access to their e-mail servers, compromising their data security.

[/vc_column_text][vc_empty_space height=”10px”][vc_single_image image=”16712″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_column_text]

The security breach came to light when threat actors known as “Black Reward” claimed to have obtained sensitive data on their Telegram channel, including contract files, business plans, and information about other facilities. In addition to the sharing, the threat actors announced that the captured data would be shared publicly if the political prisoners arrested during the recent protests against the Iranian government on October 21 were not released within 24 hours.

The Iranian Atomic Energy Agency officials confirmed the security breach by targeting e-mail servers, but it was emphasized that the captured data was unimportant. Furthermore, it was stated that the intercepted e-mails contained technical and casual messages. In this context, it is recommended that institutions and organizations take into account the following security practices in order not to be the target of targeted attacks that can be carried out in a similar way to protest and attract attention.

  • Internal inventories such as e-mail servers used within the institution/organization should be used in the most up-to-date versions where the vulnerabilities are fixed.
  • Institution/organization personnel should not rely on spam e-mails, attachments, and links from unknown parties.
  • Comprehensive security solutions should be deployed to the corporate/organizational network.

[/vc_column_text][/vc_column][/vc_row][vc_row pix_particles_check=”” nav_skin=”light” consent_include=”include”][vc_column width=”1/4″][vc_empty_space][vc_single_image image=”16722″ img_size=”full” alignment=”center”][/vc_column][vc_column width=”3/4″][vc_column_text]

Magniber Ransomware Targets Windows Users with Fake Software Updates

HP Wolf Security researchers have detected that the operators of Magniber Ransomware are running a new malware distribution campaign targeting Windows home users with advanced features.

[/vc_column_text][vc_empty_space height=”15px”][vc_single_image image=”16572″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”15px”][vc_column_text]

The chain of infection begins when users download a ZIP file that allegedly contains anti-virus software or a Windows 10 update from a threat actor-controlled website. However, contrary to what was promised, the ZIP archive contains compressed Javascript files containing malware. JavaScript files use a variation of the DotNetToJScript technique to load a .NET executable into memory, so the ransomware does not need to be saved to disk. Using this technique, detection and prevention mechanisms that monitor files written to disk are bypassed, and traces left on the vulnerable system are minimized. The .NET code decodes the shell code and injects it into another process.

[/vc_column_text][vc_empty_space height=”15px”][vc_single_image image=”16573″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”15px”][vc_column_text]

On the other hand, the ransomware code disables Windows’s backup and recovery features by deleting the copy files before encrypting the user files. However, Magniber requires administrator privileges to disable its data recovery capability, so the malware bypasses User Account Control (UAC) control to execute commands without the user’s knowledge. However, the logged-in user must be part of the Administrators group for this process to work. Magniber enumerates the files and checks the file extension against a list during the encryption process. If the file extension is in the list, the file is encrypted. In the final stage, Magniber places a ransom note in each directory and displays the message to the user by opening it in a web browser. While it was observed that the malware spread through MSI and EXE files in the past attacks using Magniber, it was observed that it started to be distributed via JavaScript files in the said attacks carried out in September 2022.

[/vc_column_text][vc_empty_space height=”15px”][vc_single_image image=”16575″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”15px”][vc_column_text]

The threat actors behind the Magniber malware are known to demand a $2500 ransom payment from infected users. In this context, it is recommended to consider the following security steps in order not to be the target of this and similar ransomware campaigns.

[/vc_column_text][pix_blog blog_style_box=”1″ count=”1″ items_count=”1″ category=”apt-groups” orderby=”rand” pagination=”” style=”” hover_effect=”” add_hover_effect=”” animation=””][/vc_column][/vc_row]

Share This: