Security News – Week 43

Security News Week 43

BRANDEFENSE
Weekly Newsletter
26/10/2022
ios ipados scurity vulnerabilities

Critical Zero-Day Alarm on iOS and iPadOS

Apple has released updates to 20 security vulnerabilities affecting iOS and iPadOS operating systems, including a 0-day vulnerability known to be actively exploited by threat actors.

The 0-day vulnerability, tracked as CVE-2022-42827, exists due to a boundary error affecting the Kernel“ component of the operating system. Threat actors can execute with root privileges on the vulnerable system by triggering an out-of-bounds write error through a specially crafted application.

Apart from the vulnerability mentioned above, Apple has also fixed two high-severity vulnerabilities with the released iOS 16.1 and iPadOS 16 updates. In order not to be the target of attacks that can be carried out using vulnerabilities, Apple users using vulnerable versions are recommended to apply the published updates immediately.

zyxel released updates to fixing a critical vulnerability
Security News
Zyxel Released Updates to Fixing a Critical Vulnerability
 04/04/2022

Last updated on July 28th, 2022 at 12:48 am

Read more
iran atomic energy agency

Iran Atomic Energy Agency Suffered from a Breach

The Atomic Energy Agency of Iran was exposed to a security breach that resulted in the threat actors gaining unauthorized access to their e-mail servers, compromising their data security.

screenshot of iran's breach
Figure 1: A screenshot from Black Reward threat actors Telegram channel

The security breach came to light when threat actors known as “Black Reward” claimed to have obtained sensitive data on their Telegram channel, including contract files, business plans, and information about other facilities. In addition to the sharing, the threat actors announced that the captured data would be shared publicly if the political prisoners arrested during the recent protests against the Iranian government on October 21 were not released within 24 hours.

The Iranian Atomic Energy Agency officials confirmed the security breach by targeting e-mail servers, but it was emphasized that the captured data was unimportant. Furthermore, it was stated that the intercepted e-mails contained technical and casual messages. In this context, it is recommended that institutions and organizations take into account the following security practices in order not to be the target of targeted attacks that can be carried out in a similar way to protest and attract attention.

  • Internal inventories such as e-mail servers used within the institution/organization should be used in the most up-to-date versions where the vulnerabilities are fixed.
  • Institution/organization personnel should not rely on spam e-mails, attachments, and links from unknown parties.
  • Comprehensive security solutions should be deployed to the corporate/organizational network.
microsoft fake updates magniber rasnom gangs

Magniber Ransomware Targets Windows Users with Fake Software Updates

HP Wolf Security researchers have detected that the operators of Magniber Ransomware are running a new malware distribution campaign targeting Windows home users with advanced features.

magniber ransomware details
Figure 1: Details of the File Containing the Magniber Pest
The chain of infection begins when users download a ZIP file that allegedly contains anti-virus software or a Windows 10 update from a threat actor-controlled website. However, contrary to what was promised, the ZIP archive contains compressed Javascript files containing malware. JavaScript files use a variation of the DotNetToJScript technique to load a .NET executable into memory, so the ransomware does not need to be saved to disk. Using this technique, detection and prevention mechanisms that monitor files written to disk are bypassed, and traces left on the vulnerable system are minimized. The .NET code decodes the shell code and injects it into another process.
magniber ransomware attack chain
Figure 2: Chain of Attack
On the other hand, the ransomware code disables Windows’s backup and recovery features by deleting the copy files before encrypting the user files. However, Magniber requires administrator privileges to disable its data recovery capability, so the malware bypasses User Account Control (UAC) control to execute commands without the user’s knowledge. However, the logged-in user must be part of the Administrators group for this process to work. Magniber enumerates the files and checks the file extension against a list during the encryption process. If the file extension is in the list, the file is encrypted. In the final stage, Magniber places a ransom note in each directory and displays the message to the user by opening it in a web browser. While it was observed that the malware spread through MSI and EXE files in the past attacks using Magniber, it was observed that it started to be distributed via JavaScript files in the said attacks carried out in September 2022.
magniber ransomware note
Figure 3: Ransom Note Added by Magniber Operators

The threat actors behind the Magniber malware are known to demand a $2500 ransom payment from infected users. In this context, it is recommended to consider the following security steps in order not to be the target of this and similar ransomware campaigns.

apt33 threat actors
APT Groups
APT33 Threat Actors
 18/08/2022

Read more
Close
Search

Hit enter to search or ESC to close

cookie By using this website, you agree to our cookie policy. Close