InfoSec News 202307012
Top News
-
Microsoft: Unpatched Office zero-day exploited in NATO summit attacks
"Microsoft disclosed today an unpatched zero-day security bug in multiple Windows and Office products exploited in the wild to gain remote code execution via malicious Office documents.
Unauthenticated attackers can exploit the vulnerability (tracked as CVE-2023-36884) in high-complexity attacks without requiring user interaction.
Successful exploitation could lead to a total loss of confidentiality, availability, and integrity, allowing the attackers to access sensitive information, turn off system protection, and deny access to the compromised system.
"Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents," Redmond said today.
"An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file."
While the flaw is not yet addressed, Microsoft says it will provide customers with patches via the monthly release process or an out-of-band security update."
TLP¹: Green
-
Follow-up: Apple’s Rapid Security Response Patches Causing Website Access Issues
"Apple has pulled its latest Rapid Security Response updates for iOS and macOS after users complained that they were getting errors when accessing some websites through Safari.
The company informed users on Monday that it had released macOS Ventura 13.4.1 (a), iOS 16.5.1 (a), and iPadOS 16.5.1 (a). These Rapid Security Response updates, as well as Safari 16.5.2, address an actively exploited WebKit vulnerability tracked as CVE-2023-37450.
Reported by an anonymous researcher, the zero-day flaw can be exploited for arbitrary code execution by getting the targeted user to access malicious web content."
TLP¹: Green
-
Apple & Microsoft Patch Tuesday, July 2023 Edition
"Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices."
TLP¹: Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
AO3 fanfiction site shut down and extorted by Anonymous Sudan
"Archive of Our Own (AO3), a popular fanfiction website, was shut down by the pro-Russian Anonymous Sudan group. The attackers are demanding a ransom payment to end the attack.
Anonymous Sudan, the pro-Russian hacktivist group posing as a pro-Islam hacker collective, has taken down the website of AO3. The popular fanfiction site has been down since yesterday (July 10th), denying users access to over 11 million works from thousands of fans.
“The Archive of Our Own is currently offline due to a DDoS attack. We are working on mitigations and hope to return to service soon,” reads the message on the AO3 website."
TLP¹: Green
-
Former Security Engineer Arrested for $9 Million Crypto Exchange Hack
"The US today announced the arrest of Shakeeb Ahmed on charges related to the defrauding of a decentralized cryptocurrency exchange in 2022.
Ahmed, 34, of New York, has been charged with wire fraud and money laundering in connection with a scheme involving flash loans and inflated fees that were not legitimately earned.
According to an indictment unsealed today, in July 2022, Ahmed exploited a smart contract vulnerability, defrauding the crypto exchange and its users of roughly $9 million."
TLP¹: Green
-
Privacy of Printing Services
"The Washington Post has an article about popular printing services, and whether or not they read your documents and mine the data when you use them for printing:
Ideally, printing services should avoid storing the content of your files, or at least delete daily. Print services should also communicate clearly upfront what information they’re collecting and why. Some services, like the New York Public Library and PrintWithMe, do both."
TLP¹: Green
-
Cybercriminals Evolve Antidetect Tooling for Mobile OS-Based Fraud
"Resecurity has identified the emergence of adversarial mobile Android-based tools (called “mobile anti-detects”), like Enclave and McFly, as a new frontier in fraud tradecraft evolution. These tools are used by criminals involved in online-banking theft to impersonate compromised account holders and bypass anti-fraud controls by leveraging a mobile client. It’s crucial for fraud prevention teams to stay updated with these trends and implement robust security measures."
TLP¹: Green
Breaches: Data Breaches and Hacks
-
HCA Healthcare data breach impacted 11 million patients
"HCA Healthcare this week announced that the personal information of roughly 11 million patients was compromised in a data breach.
The organization discovered the security breach on July 5 when a threat actor claimed the hack on an underground forum.
As proof of the hack, the threat actors posted stolen info for some of the patients, including:
Patient name, city, state, and zip code;
Patient email, telephone number, date of birth, gender; and
Patient service date, location and next appointment date."
TLP¹: Green
-
Deutsche Bank confirms provider breach exposed customer data
"Deutsche Bank AG has confirmed to BleepingComputer that a data breach on one of its service providers has exposed its customers' data in a likely MOVEit Transfer data-theft attack.
"We have been notified of a security incident at one of our external service providers, which operates our account switching service in Germany," a spokesperson told BleepingComputer.
"In addition to our service provider, we understand that more than 100 companies in more than 40 countries are potentially affected," reads the statement, hinting that the incident is related to Clop ransomware's wave of MOVEit attacks.
"Deutsche Bank's systems were not affected by the incident at our service provider at any time," assured the banking giant."
TLP¹: Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
Adobe Patch Tuesday: Critical Flaws Haunt InDesign, ColdFusion
"Software maker Adobe on Tuesday called attention to critical security flaws in its InDesign and ColdFusion products, warning that the defects expose users to malicious hacker attacks.
The company’s scheduled July Patch Tuesday rollout includes fixes for a dozen documented vulnerabilities in Adobe InDesign, including a bug serious enough to lead to arbitrary code execution attacks.
The Adobe InDesign update, available for Windows and macOS, fixes a critical-severity code execution flaw and 11 additional memory safety bugs that cause memory leak issues. Adobe credited Yonghui Han of Fortinet’s FortiGuard Labs with privately reporting the bugs."
TLP¹: Green
-
What's new in the Windows 11 22H2 Moment 3 update, now available
"Microsoft has begun the forced rollout of its Windows 11 22H2 'Moment 3' update, which introduces several new features and improvements to the operating system.
In contrast to the two major feature updates that Windows 10 receives annually, Windows 11 will only receive one update yearly. However, the introduction of the 'Moments' updates ensures that new features and improvements continue to be delivered throughout the year."
TLP¹: Green
-
ICS Patch Tuesday: Siemens, Schneider Electric Fix 50 Vulnerabilities
"Siemens and Schneider Electric on Tuesday released a total of nine new security advisories addressing a total of 50 vulnerabilities affecting their industrial products."
TLP¹: Green
-
Hackers exploit Windows policy to load malicious kernel drivers
"Microsoft blocked code signing certificates predominantly used by Chinese hackers and developers to sign and load malicious kernel mode drivers on breached systems by exploiting a Windows policy loophole.
Kernel-mode drivers operate at the highest privilege level on Windows (Ring 0), allowing complete access to the target machine for stealthy persistence, undetectable data exfiltration, and the ability to terminate almost any process.
Even if security tools are active on the compromised device, a kernel-mode driver can interfere with their operation, turn off their advanced protection capabilities, or perform targeted configuration modifications to evade detection."
TLP¹: Green
-
SAP Patches Critical Vulnerability in ECC and S/4HANA Products
"German enterprise software maker SAP on Tuesday announced the release of 16 new security notes as part of its July 2023 Security Patch Day. In addition, updates were announced for two previously released notes.
With a ‘hot news’ priority – the highest severity level in SAP’s books – the most important of the newly released security notes resolves an OS command injection vulnerability in SAP ECC and S/4HANA (IS-OIL).
Tracked as CVE-2023-36922 (CVSS score of 9.1), the vulnerability “allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter of a vulnerable transaction and program,” enterprise application security firm Onapsis explains."
TLP¹: Green
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
Verifying Software Integrity With Sigstore
"As part of my software supply chain series, I want to move on to the area of code signing and deployment. One new standard that is starting to gain traction is called Sigstore, led by the Linux foundation but with contributions from many industry leaders.
Sigstore is a bit of a complicated topic, but it’s gaining a lot of popularity. It is used at tech giants like Google and has 2,000 users in their corporate Slack channel. The idea is fairly straightforward, and simply described as “the new standard for signing, verifying, and protecting software”. In basic terms, this will allow you to verify software integrity without manually managing all the other overhead."
TLP¹: Green
-
How to Apply MITRE ATT&CK to Your Organization
"MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a widely adopted framework and knowledge base that outlines and categorizes the tactics, techniques, and procedures (TTPs) used in cyberattacks. Created by the nonprofit organization MITRE, this framework provides security professionals with insights and context that can help them comprehend, identify, and mitigate cyber threats effectively.
The techniques and tactics in the framework are organized in a dynamic matrix. This makes navigation easy and also provides a holistic view of the entire spectrum of adversary behaviors. As a result, the framework is more actionable and usable than if it were a static list."
TLP¹: Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers
"Cisco Talos has observed threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015.
Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates.
We have observed over a dozen code signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open source tools.
The majority of drivers we identified that contained a language code in their metadata have the Simplified Chinese language code, suggesting these tools are frequently used by native Chinese speakers.
Cisco Talos has further identified an instance of one of these open-source tools being used to re-sign cracked drivers to bypass digital rights management (DRM).
We have released a second blog post alongside this one demonstrating real-world abuse of this loophole by an undocumented malicious driver named RedDriver."
TLP¹: Green
-
SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign
"Cloud environments continue to be at the receiving end of an ongoing advanced attack campaign dubbed SCARLETEEL, with the threat actors now setting their sights on Amazon Web Services (AWS) Fargate.
"Cloud environments are still their primary target, but the tools and techniques used have adapted to bypass new security measures, along with a more resilient and stealthy command and control architecture," Sysdig security researcher Alessandro Brucato said in a new report shared with The Hacker News."
TLP¹: Green
-
Six Malicious Python Packages in the PyPI Targeting Windows Users
"In March 2023, Unit 42 researchers discovered six malicious packages on the Python Package Index (PyPI) package manager. The malicious packages were intended to steal Windows users’ application credentials, personal data and tracking information for their crypto wallets. The attack was an attempted imitation of the attack group W4SP, which had previously launched several supply chain attacks using malicious packages.
We will discuss the ease with which threat actors can use malicious packages to release malicious code in an open-source ecosystem. The behavior we observed is not an organized campaign planned by an attack group, but most likely an imitator who read technical reports of previous campaigns to execute their own attack. We will walk through a technical analysis of the malicious code and unravel what the threat actor tried to achieve in the attack."
TLP¹: Green
-
Undocumented driver-based browser hijacker RedDriver targets Chinese speakers and internet cafes
"Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver has been active since at least 2021.
RedDriver utilizes HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies.
Code from multiple open-source tools has been used in the development of RedDriver's infection chain, including HP-Socket and a custom implementation of ReflectiveLoader.
The authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows operating system.
This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves."
TLP¹: Green
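Both the Talos item on forged signature timestamps above and this RedDriver item describe the same loophole: a cross-signed kernel driver loads if its signature timestamp predates July 29, 2015, so the timestamp is backdated to fit an expired certificate. A defender's triage check for that pattern, as an added example that is not Talos' code or any tool from the articles: a driver that was compiled after its own signature timestamp, or whose timestamp falls outside the signing certificate's validity window, is internally inconsistent and worth a closer look. The record layout (`DriverSignatureInfo`) and the sample drivers are constructed for this example; the fields would normally come from whatever PE/Authenticode parser your pipeline already uses.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Policy cutoff quoted in the Talos write-up: cross-signed drivers with a signature
# timestamp earlier than this date load without the newer signing requirement.
POLICY_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)

# PE TimeDateStamp values this old are treated as unset or as reproducible-build
# hashes (both happen legitimately), so they are not compared against the signature.
MIN_PLAUSIBLE_BUILD = datetime(1995, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class DriverSignatureInfo:
    """Assumed record shape (this example's own, not a real tool's output)."""
    path: str
    signature_timestamp: datetime  # countersignature / timestamp-server time
    pe_compile_time: datetime      # IMAGE_FILE_HEADER.TimeDateStamp
    cert_not_before: datetime      # signing certificate validity start
    cert_not_after: datetime       # signing certificate validity end


def timestamp_anomalies(info):
    """Return the list of consistency problems found in one driver's signature data."""
    reasons = []
    build_known = info.pe_compile_time >= MIN_PLAUSIBLE_BUILD
    # A file cannot be signed before it was built; a backdated timestamp breaks that.
    if build_known and info.pe_compile_time > info.signature_timestamp:
        reasons.append("compiled after its signature timestamp")
    # A genuine timestamp always lies inside the certificate's validity period.
    if not (info.cert_not_before <= info.signature_timestamp <= info.cert_not_after):
        reasons.append("signature timestamp outside certificate validity period")
    return reasons


def triage(records):
    """Map driver path -> (severity, reasons) for every driver with at least one anomaly.
    Anomalies on a pre-cutoff timestamp are rated high because that is exactly the
    window the loophole needs."""
    findings = {}
    for info in records:
        reasons = timestamp_anomalies(info)
        if not reasons:
            continue
        severity = "high" if info.signature_timestamp < POLICY_CUTOFF else "medium"
        findings[info.path] = (severity, reasons)
    return findings


# Constructed sample set: one legitimately old driver, one modern driver, and two
# drivers whose timestamps were pushed back to fit an expired certificate.
SAMPLE_DRIVERS = [
    DriverSignatureInfo("legacy_ok.sys", utc(2014, 3, 1), utc(2014, 2, 20),
                        utc(2013, 1, 1), utc(2016, 1, 1)),
    DriverSignatureInfo("backdated.sys", utc(2014, 6, 1), utc(2023, 5, 10),
                        utc(2013, 1, 1), utc(2016, 1, 1)),
    DriverSignatureInfo("expired_cert.sys", utc(2012, 1, 1), utc(2022, 3, 3),
                        utc(2013, 1, 1), utc(2016, 1, 1)),
    DriverSignatureInfo("modern.sys", utc(2023, 6, 1), utc(2023, 5, 1),
                        utc(2022, 1, 1), utc(2025, 1, 1)),
]

if __name__ == "__main__":
    for path, (severity, reasons) in triage(SAMPLE_DRIVERS).items():
        print(f"{severity:6} {path}: {'; '.join(reasons)}")
```

The compile-time comparison is a heuristic, not proof: some build pipelines zero or hash the TimeDateStamp, which is why values before 1995 are skipped, and a signing certificate that has since expired is normal for a driver that really was signed in 2014. What the check surfaces is the combination the articles describe, a pre-2015 timestamp on a binary that could not have existed then.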
-
Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining
"A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner, new findings from Wiz reveal.
"The attack consists of Python code that loads an XMRig Miner directly into memory using memfd, a known Linux fileless technique," security researchers Avigayil Mechtinger, Oren Ofer, and Itamar Gilad said. "This is the first publicly documented Python-based fileless attack targeting cloud workloads in the wild."
The cloud security firm said it found nearly 200 instances where the attack method was employed for cryptocurrency mining. No other details about the threat actor are currently known other than the fact that they possess sophisticated capabilities."
TLP¹: Green
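The memfd technique named in the PyLoose item leaves a visible trace on a Linux host: a process executing from an anonymous memory file has a `/proc/<pid>/exe` link of the form `/memfd:<name> (deleted)` instead of a path on disk. The following added example (not code from Wiz or from the PyLoose write-up) turns that into a simple host check; it classifies a list of `(pid, exe link target)` pairs, and `scan_proc` collects those pairs from a live `/proc`. The `SAMPLE_EXE_LINKS` entries are constructed for this example.

```python
import os

# Constructed sample of /proc/<pid>/exe link targets as readlink() would return them.
SAMPLE_EXE_LINKS = [
    (101, "/usr/bin/python3"),
    (202, "/memfd:xmrig (deleted)"),   # anonymous memory file, the memfd pattern
    (303, "/usr/sbin/sshd"),
    (404, "/memfd: (deleted)"),        # memfd created with an empty name
    (505, "/tmp/payload (deleted)"),   # on-disk binary removed after launch
]


def is_memfd_backed(exe_target):
    """The kernel names memfd-backed executables '/memfd:<name>' in /proc/<pid>/exe."""
    return exe_target.startswith("/memfd:")


def is_deleted_on_disk(exe_target):
    """A regular file that was unlinked after exec shows '(deleted)' but no memfd prefix."""
    return exe_target.endswith(" (deleted)") and not is_memfd_backed(exe_target)


def classify(entries):
    """Return (pid, finding, exe_target) for every entry that executes from memory or
    from a file that no longer exists on disk; ordinary on-disk processes are skipped."""
    findings = []
    for pid, target in entries:
        if is_memfd_backed(target):
            findings.append((pid, "memfd-backed executable", target))
        elif is_deleted_on_disk(target):
            findings.append((pid, "executable deleted from disk", target))
    return findings


def scan_proc(proc_root="/proc"):
    """Collect exe link targets for every live process and classify them.
    Requires Linux and enough privilege to read other users' /proc/<pid>/exe links;
    processes that exit mid-scan or deny access are simply skipped."""
    entries = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue
        entries.append((int(name), target))
    return classify(entries)


if __name__ == "__main__":
    for pid, finding, target in classify(SAMPLE_EXE_LINKS):
        print(f"pid {pid}: {finding} ({target})")
```

A one-off scan like this only catches a miner that is still running; for continuous coverage the same `/memfd:` condition belongs in whatever process-execution telemetry the workload already emits (auditd `execve` records, eBPF-based sensors), and the `(deleted)` case is a weaker signal on its own because package upgrades legitimately replace binaries under running processes.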
-
Diplomats Beware: Cloaked Ursa Phishing With a Twist
"Russia’s Foreign Intelligence Service hackers, which we call Cloaked Ursa (aka APT29, UAC-0029, Midnight Blizzard/Nobelium, Cozy Bear) are well known for targeting diplomatic missions globally. Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following:
Notes verbale (semiformal government-to-government diplomatic communications)
Embassies’ operating status updates
Schedules for diplomats
Invitations to embassy events
These types of lures are generally sent to individuals who handle this type of embassy correspondence as part of their daily jobs. They are meant to entice targets to open the files on behalf of the organization they work for."
TLP¹: Green
¹ Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.