Apple has updated its spyware threat notification system to specifically alert users who may have been individually targeted by mercenary spyware attacks, singling out companies like NSO Group for developing commercial surveillance tools used by state actors. The update comes amid global efforts to counter the misuse and proliferation of commercial spyware, with governments working to develop safeguards against invasive surveillance technology. A recent report by Google's Threat Analysis Group and Mandiant revealed that commercial surveillance vendors were behind the exploitation of a significant number of zero-day vulnerabilities, particularly targeting web browsers and mobile devices.
Ivanti has released an urgent fix for a critical remote code execution vulnerability (CVE-2023-41724) affecting Standalone Sentry, with a CVSS score of 9.6, urging customers to apply the patches immediately. The flaw impacts multiple versions and could allow unauthenticated threat actors to execute arbitrary commands on the underlying operating system. Ivanti has credited researchers for their collaboration on the issue and emphasized the importance of applying the fix. Additionally, a mutation cross-site scripting (mXSS) flaw impacting the open-source email client Mailspring has been revealed, which could be exploited to achieve code execution when a user interacts with a malicious email.
Microsoft and OpenAI have warned that nation-state actors from Russia, North Korea, Iran, and China are leveraging artificial intelligence (AI) and large language models (LLMs) for cyber attacks. These actors have been using AI services for tasks such as open-source research, code generation, and phishing campaign content creation. Microsoft is working on principles to counter the malicious use of AI tools by nation-state actors and enhance safety measures around its AI models.
Approximately three million smart toothbrushes were hijacked by hackers to launch a Distributed Denial of Service (DDoS) attack, knocking out a Swiss company for several hours and costing millions of euros in damages. The compromised toothbrushes, running Java, flooded the Swiss website with bogus traffic, causing widespread disruption. This incident highlights the expanding threat landscape as IoT devices become increasingly embedded in daily lives, emphasizing the need for robust digital hygiene and security measures to protect against potential cyber attacks.
Cybersecurity researchers have discovered a remote code execution vulnerability in the Opera web browser, dubbed MyFlaw, which could allow attackers to execute any file on Windows and macOS systems by exploiting the My Flow feature. The flaw, addressed in updates on November 22, 2023, bypasses the browser's sandbox and process isolation, posing a significant security risk. Opera has swiftly patched the issue and is working to prevent similar problems in the future, emphasizing the importance of collaboration with security experts to enhance product security.
Google has acknowledged that malware is abusing an undocumented Chrome API to generate new authentication cookies, but considers it a standard token theft issue rather than an API flaw. The malware, including operations named Lumma, Rhadamanthys, Stealc, Medusa, RisePro, and Whitesnake, uses the API to refresh expired Google authentication tokens, allowing prolonged unauthorized access to user accounts. Google advises affected users to log out of Chrome or kill active sessions to invalidate the refresh token and change their Google password. Despite the potential for ongoing abuse, Google has not indicated plans to restrict API access, and users often remain unaware of infections until their accounts are misused. Cybersecurity firm CloudSEK and BleepingComputer have highlighted the issue, but Google's response has been to recommend general security practices without addressing the specific API abuse.
LastPass is enforcing a new security measure that requires users to set a stronger master password of at least 12 characters, including a special character, a number, and an uppercase letter. This move comes as a response to evolving cyber threats and follows a significant data breach in 2022 where hackers accessed sensitive user data. The company has already been applying this standard to new users or those resetting their passwords since last year, but now it's extending the requirement to all users to enhance the encryption keys for their vault data.
A significant vulnerability in the SSH protocol, exploited by the Terrapin attack and identified as CVE-2023-48795, affects around 11 million Internet-exposed servers, allowing attackers to compromise SSH sessions. Despite the availability of patches, many servers remain unpatched, with the majority of vulnerable instances located in the US. The vulnerability requires an adversary-in-the-middle position, limiting its potential for mass exploitation but still posing a risk for targeted attacks. A wide range of SSH implementations are affected, and patches are available for most. Security experts recommend applying these patches promptly to mitigate the risk.
Nearly 11 million SSH servers are vulnerable to a new type of cyberattack called the Terrapin attack, which compromises the integrity of SSH connections by manipulating sequence numbers during the handshake process. The attack, discovered by researchers from Ruhr University Bochum, particularly affects servers using certain encryption modes and can downgrade public key algorithms and disable defenses against keystroke timing attacks. Shadowserver's report indicates that a significant number of servers globally are exposed to this risk, with the highest numbers in the United States, China, and Germany. A vulnerability scanner is available for those who wish to check their systems for susceptibility to the Terrapin attack.
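As an added example (not code from the article or from the Terrapin researchers), the following defender-side check classifies a server's advertised SSH algorithm lists for Terrapin exposure, the same kind of assessment the scanner mentioned above performs. It assumes, from the public disclosure, that the affected modes are ChaCha20-Poly1305 and CBC ciphers paired with Encrypt-then-MAC MACs, and that the OpenSSH "strict kex" extension (server-side name `kex-strict-s-v00@openssh.com`) is the mitigation; the sample advertisements are constructed, not captured from real hosts.

```python
# Added example, not from the original article: classify an SSH server's
# advertised KEXINIT name-lists for Terrapin (CVE-2023-48795) exposure.
# Assumed from the public Terrapin disclosure: the affected modes are
# chacha20-poly1305@openssh.com and any CBC cipher paired with an
# Encrypt-then-MAC MAC; the attack is blocked when the OpenSSH "strict kex"
# extension is negotiated (server signals kex-strict-s-v00@openssh.com).
from dataclasses import dataclass

STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
CHACHA = "chacha20-poly1305@openssh.com"


@dataclass(frozen=True)
class TerrapinReport:
    strict_kex: bool   # server advertises the strict-kex mitigation
    chacha20: bool     # server offers the ChaCha20-Poly1305 cipher
    cbc_etm: bool      # server offers a CBC cipher AND an EtM MAC

    @property
    def vulnerable(self) -> bool:
        # Exposure requires an affected mode and no strict-kex mitigation;
        # a server offering only CTR/GCM modes is unaffected either way.
        return (self.chacha20 or self.cbc_etm) and not self.strict_kex

    def advice(self) -> str:
        if not self.vulnerable:
            return "not exposed: patch applied or no affected mode offered"
        return "exposed: patch for strict kex, or disable ChaCha20 and CBC-EtM"


def parse_name_list(raw: str) -> list:
    """SSH name-lists are comma-separated names (RFC 4251 section 5)."""
    return [n.strip() for n in raw.split(",") if n.strip()]


def assess(kex: str, ciphers: str, macs: str) -> TerrapinReport:
    kex_l, cipher_l, mac_l = (parse_name_list(x) for x in (kex, ciphers, macs))
    cbc = any(c.endswith("-cbc") for c in cipher_l)
    etm = any(m.endswith("-etm@openssh.com") for m in mac_l)
    return TerrapinReport(
        strict_kex=STRICT_KEX_SERVER in kex_l,
        chacha20=CHACHA in cipher_l,
        cbc_etm=cbc and etm,
    )


# Constructed sample advertisements (not captured from any real host).
UNPATCHED = assess("curve25519-sha256", "chacha20-poly1305@openssh.com,aes256-cbc",
                   "hmac-sha2-256-etm@openssh.com,hmac-sha2-256")
PATCHED = assess("curve25519-sha256,kex-strict-s-v00@openssh.com",
                 "chacha20-poly1305@openssh.com", "hmac-sha2-256-etm@openssh.com")
```

Note that the server advertising strict kex only helps when the client supports it too, so client fleets need the patch as well.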
Tech experts are urging smartphone users to delete 17 identified "SpyLoan" apps that are infected with malware capable of stealing personal information. These apps, which have been downloaded over 12 million times from Google Play before being removed, masquerade as legitimate loan services and are also found on Apple's App Store, scam websites, and third-party app stores. Users are advised to remove these apps immediately, change their passwords, and watch for signs of malware infection.
Cybercriminals are exploiting an undocumented Google OAuth endpoint called MultiLogin to hijack user sessions, allowing them to maintain access to Google services even after victims reset their passwords. The exploit has been adopted by various malware-as-a-service families, enabling them to persistently steal information. Google has acknowledged the issue and stated that users can invalidate stolen sessions by logging out of the affected browser or remotely via the user's devices page. Enhanced Safe Browsing and regular monitoring of account activity are recommended to users for additional security. The situation underscores the need for advanced security measures to combat sophisticated cyber threats.
A new Android Trojan named Xamalicious has been discovered masquerading as legitimate apps on the Google Play Store, affecting hundreds of thousands of users. The malware exploits accessibility features to take control of devices and steal personal information. Google has since removed the infected apps, but they may still be available on third-party markets. Users are advised to stick to official app stores, avoid sideloading, use antivirus software, and take immediate action if their data is compromised, including changing passwords, monitoring accounts, using identity theft protection services, contacting banks, alerting contacts, and potentially restoring devices to factory settings.
A new malware exploits a vulnerability in Google Chrome to steal session tokens and create persistent cookies, allowing attackers to access Google Accounts even after password changes. Google has responded by securing compromised accounts and clarifying that users can invalidate stolen sessions by signing out. The company recommends that users remove any malware, turn on Enhanced Safe Browsing, and avoid installing unfamiliar software. Despite Google's countermeasures, multiple malware groups claim to have adapted to these defenses.
Cybersecurity researchers have discovered that several strains of info-stealing malware can maintain access to compromised Google accounts even after victims change their passwords, due to a zero-day exploit involving Google's OAuth endpoint "MultiLogin." The malware, which targets primarily Windows users, steals session tokens from web browsers, allowing attackers to bypass password changes and continually access victims' emails and cloud storage. The exploit has been adopted by at least six malware families, including Lumma and Rhadamanthys, with Eternity Stealer planning to release an update soon. To prevent exploitation, users must log out completely to invalidate their session tokens. Google has yet to respond to inquiries about their plans to address this security issue.
SMS spoofing allows hackers to send text messages impersonating someone else without needing physical access to their phone. This technique can be used for phishing scams, fraud, and damaging reputations. To protect against such threats, individuals should use antivirus software, keep their phone's software updated, change passwords, enable two-factor authentication, and be cautious with Wi-Fi and Bluetooth connections. If victimized, it's crucial to take immediate action such as changing passwords, monitoring bank statements, using identity theft protection services, and alerting contacts.