Week 29, July 17-23, 2023. Cybersecurity Weekly Updates.
This week in the world of cybersecurity:
Android users were subjected to a deceptive trick as hackers exploited WebAPK to plant malicious apps. Meanwhile, Microsoft Word vulnerabilities have been exploited by cybercriminals to deploy the notorious LokiBot malware, signifying a potential increase in malware attacks. Another incident came from JumpCloud, which pointed at a ‘sophisticated nation-state’ actor behind a significant security breach. On the official front, the U.S. government took decisive action, blacklisting Cytrox and Intellexa for their involvement in cyber espionage. Concurrently, the CISA and NSA stepped up their game, issuing new guidance to strengthen 5G network slicing against threats. On the technical side, a new worm, P2PInfect, began targeting Redis servers on both Linux and Windows systems, adding another level of complexity to the ever-evolving cyber-threat landscape.
Common Vulnerabilities and Exposures (CVEs)
This section highlights some CVEs whose CVSS score is classified as critical.
CVE-2023-3128
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
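To show the defensive point behind this CVE, here is an added example (not Grafana's code) that contrasts looking an OAuth login up by the mutable `email` claim with binding it to the stable tenant and object identifiers; the claim names `tid`/`oid`, the allowed-tenant list and the sample accounts are assumptions constructed for the illustration.

```python
# Added example (not Grafana's code): bind an OAuth login to immutable subject
# claims rather than to the non-unique, user-editable email claim.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    email: str
    # (tenant id, object id) recorded at account creation; assumed claim names
    external_id: Optional[tuple] = None


class UserStore:
    def __init__(self):
        self.by_email = {}
        self.by_external_id = {}

    def add(self, acct: Account):
        self.by_email[acct.email.lower()] = acct
        if acct.external_id:
            self.by_external_id[acct.external_id] = acct


def login_by_email(store: UserStore, claims: dict):
    """Weak pattern: any token whose 'email' matches an existing account is
    treated as that account, even when it was issued for another tenant."""
    return store.by_email.get(claims.get("email", "").lower())


def login_by_subject(store: UserStore, claims: dict, allowed_tenants: set):
    """Hardened pattern: require an allow-listed tenant and match on the stable
    (tid, oid) pair; the email claim is treated as display data only."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid or tid not in allowed_tenants:
        return None
    return store.by_external_id.get((tid, oid))


# Constructed sample data: one legitimate admin account in tenant-A
store = UserStore()
store.add(Account("admin", "admin@example.com", ("tenant-A", "oid-123")))

# Token for the real admin, and a token from an unrelated tenant whose
# profile email was edited to collide with the admin's address
LEGIT = {"tid": "tenant-A", "oid": "oid-123", "email": "admin@example.com"}
COLLIDING = {"tid": "tenant-B", "oid": "oid-999", "email": "admin@example.com"}
```

The lookup that keys on email accepts the colliding token as the admin, while the subject-bound lookup rejects it and still accepts the legitimate one.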
CVE-2023-28001
An insufficient session expiration in Fortinet FortiOS 7.0.0 – 7.0.12 and 7.2.0 – 7.2.4 allows an attacker to execute unauthorized code or commands by reusing the session of a deleted user in the REST API.
Recent Tools and Techniques
These are some of the recent tools and techniques in the cyber-security sphere that have captured my attention.
CryptoTester is a versatile tool developed to aid in analysing ransomware and understanding its cryptography. The software presents hex views with enhanced capabilities such as lighter gray coloring for null bytes, orange coloring for bytes representing ASCII characters, and purple coloring for newline patterns. Its diverse features include integer parsing with special values and function acceptance, an encryption/decryption panel, and a broad array of key options with support for many hashing and key derivation functions. It includes an extensive selection of encryption options, input file information, and miscellaneous options like synchronized scrolling and hashing. CryptoTester also enables file comparison, with a particular emphasis on contrasting an encrypted file with its original. Furthermore, this tool provides a comprehensive analysis including checks for hash presence, filename alterations, CryptoAPI blobs, XOR repeating blocks, and ASCII markers. Additional functionalities include compression and decompression panels, a blob analyzer, key finder, RNG tester, base encoder, string encoder, ECC validator, operations panel, and a variety of conversion tools. CryptoTester also supports customizable features like the use of little-endian internally, custom parameter settings, and IV options, catering to diverse user requirements in ransomware analysis.
WubbabooMark is a sophisticated tool designed to detect the use of software debuggers or any specialized software that hides the presence of debuggers by manipulating various aspects of the program environment. Its primary objective is to identify alterations or ‘artifacts’ introduced by anti-debugger software that attempts to bypass debugger detection commonly used by software protectors like Themida, VMProtect, Obsidium, and WinLicense. WubbabooMark utilizes publicly known, updated, and enhanced methods to list these artifacts. It functions on x64 Windows 10/11 and higher, warning users about potential issues when used on Windows 11 preview/developer builds because the program relies on completely undocumented internals. It performs an extensive range of tests, including common tests such as detecting the Windows policy that allows custom kernel signers, verifying Process Environment Block (PEB) loader entries, verifying loaded kernel modules, and many others. Users can configure which tests to run, and the tool’s settings are saved to the registry and read back when the program loads. The tool is built to run tests efficiently and provides clear output examples to guide users. However, caution is advised as anti-malware or anti-cheat software may trigger false positives.
The Zero Width Shortener (ZWS) is a URL shortening tool that employs invisible spaces to condense URLs. It provides an innovative approach to URL shortening by using zero-width characters, which are non-printing characters, thus allowing for extremely subtle and unobtrusive links. An additional advantage of ZWS is the ability to host private instances where users can customize the characters used in the shortening process, including letters (a-z), emojis, and other character sets, enhancing the flexibility and adaptability of the tool to specific user needs.
That’s a wrap on this week’s edition of the Cyber-Security Update. Remember, the cyber-security landscape is ever-changing, and staying informed is your primary defense. Hopefully, the insights and information shared today will assist in navigating this complex domain and in strengthening defenses against potential threats. Stay vigilant, stay informed, and look forward to more insights into the world of cyber-security in next week’s edition.
To stay in sync with the weekly cyber-security roundups, remember to subscribe to the newsletter and follow on social media platforms. If there are any questions or specific topics you’d like to see covered, don’t hesitate to get in touch.